The JAAS dual authentication plug-in behaves effectively like a hybrid of the username/password authentication plug-in and the certificate authentication plug-in. It enables you to specify one JAAS realm to use when a client connection uses SSL, and another JAAS realm to use when the client connection is non-SSL.
For example, this makes it possible to use certificate authentication for SSL connections and JMS username/password authentication for non-SSL connections, where the selection is made dynamically at run time.
Example 3.6 shows the definitions of two sample JAAS realms: a realm for non-SSL connections, activemq-domain; and a realm for SSL connections, activemq-ssl-domain.
Example 3.6. JAAS Login Entries for Secure and Insecure Connections
activemq-domain {
    org.apache.activemq.jaas.PropertiesLoginModule sufficient
        debug=true
        org.apache.activemq.jaas.properties.user="users.properties"
        org.apache.activemq.jaas.properties.group="groups.properties";
    org.apache.activemq.jaas.GuestLoginModule sufficient
        debug=true
        org.apache.activemq.jaas.guest.user="guest"
        org.apache.activemq.jaas.guest.group="guests";
};

activemq-ssl-domain {
    org.apache.activemq.jaas.TextFileCertificateLoginModule required
        debug=true
        org.apache.activemq.jaas.textfiledn.user="dns.properties"
        org.apache.activemq.jaas.textfiledn.group="groups.properties";
};
The activemq-domain login entry illustrates how to use multiple login modules in a single realm. With this configuration, JAAS tries first of all to authenticate a client using the PropertiesLoginModule login module. If that authentication step fails, JAAS then attempts to authenticate the client using the next login module, GuestLoginModule. The guest login module assigns a default username and group ID to the client and it always succeeds at authenticating; for more details, see JAAS Guest Login Module.
To enable the JAAS dual authentication plug-in, add the jaasDualAuthenticationPlugin element to the list of plug-ins in the broker configuration file and initialize both the configuration attribute (to specify the JAAS realm used for non-SSL connections) and the sslConfiguration attribute (to specify the JAAS realm used for SSL connections).
<beans>
  <broker ...>
    ...
    <plugins>
      <jaasDualAuthenticationPlugin
          configuration="activemq-domain"
          sslConfiguration="activemq-ssl-domain" />
    </plugins>
    ...
  </broker>
</beans>
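The following added example (not part of the original guide and not ActiveMQ code) parses the login entries from Example 3.6 and applies the standard JAAS control-flag rules to show what each realm decides for a given connection. The function names are hypothetical, and the per-module outcomes are supplied as inputs rather than produced by real login modules.

```python
import re

# Login entries copied from Example 3.6 on this page.
LOGIN_CONFIG = """
activemq-domain {
    org.apache.activemq.jaas.PropertiesLoginModule sufficient debug=true
        org.apache.activemq.jaas.properties.user="users.properties"
        org.apache.activemq.jaas.properties.group="groups.properties";
    org.apache.activemq.jaas.GuestLoginModule sufficient debug=true
        org.apache.activemq.jaas.guest.user="guest"
        org.apache.activemq.jaas.guest.group="guests";
};
activemq-ssl-domain {
    org.apache.activemq.jaas.TextFileCertificateLoginModule required debug=true
        org.apache.activemq.jaas.textfiledn.user="dns.properties"
        org.apache.activemq.jaas.textfiledn.group="groups.properties";
};
"""

def parse_login_config(text):
    """Return {realm: [(module_name, control_flag), ...]} in declared order."""
    realms = {}
    for name, body in re.findall(r"([\w-]+)\s*\{(.*?)\}\s*;", text, re.DOTALL):
        entries = [e.split() for e in body.split(";") if e.strip()]
        realms[name] = [(t[0].rsplit(".", 1)[-1], t[1].lower()) for t in entries]
    return realms

def overall_login(modules, succeeds):
    """Apply JAAS control flags; `succeeds` maps module name -> bool (assumed input)."""
    mandatory_ok, has_mandatory, any_ok = True, False, False
    for name, flag in modules:
        ok = succeeds[name]
        if flag in ("required", "requisite"):
            has_mandatory = True
            mandatory_ok = mandatory_ok and ok
            if flag == "requisite" and not ok:
                return False          # requisite failure stops the chain
        else:
            any_ok = any_ok or ok
            if flag == "sufficient" and ok:
                return mandatory_ok   # later modules are not consulted
    return mandatory_ok if has_mandatory else any_ok

def connection_outcome(is_ssl, succeeds):
    # Realm choice mirrors the configuration / sslConfiguration attributes.
    realm = "activemq-ssl-domain" if is_ssl else "activemq-domain"
    return realm, overall_login(parse_login_config(LOGIN_CONFIG)[realm], succeeds)
```

With these entries, a non-SSL client whose username and password are rejected still logs in through GuestLoginModule, while an SSL client whose certificate is not accepted by TextFileCertificateLoginModule is refused.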