The simple authentication plug-in provides the quickest way to enable authentication in a broker. With this approach, all of the user data is embedded in the broker configuration file. It is useful for testing purposes and for small-scale systems with relatively few users, but it does not scale well for large systems.
Example 3.1 shows how to configure simple authentication by adding a simpleAuthenticationPlugin element to the list of plug-ins in the broker configuration.
Example 3.1. Simple Authentication Configuration
<beans>
  <broker ...>
    ...
    <plugins>
      <simpleAuthenticationPlugin>
        <users>
          <authenticationUser username="system"
                              password="manager"
                              groups="users,admins"/>
          <authenticationUser username="user"
                              password="password"
                              groups="users"/>
          <authenticationUser username="guest"
                              password="password"
                              groups="guests"/>
        </users>
      </simpleAuthenticationPlugin>
    </plugins>
    ...
  </broker>
</beans>
For each user, add an authenticationUser element as shown, setting the username, password, and groups attributes. In order to authenticate a user successfully, the username/password credentials received from a client must match the corresponding attributes in one of the authenticationUser elements. The groups attribute assigns a user to one or more groups (formatted as a comma-separated list). If authorization is enabled, the assigned groups are used to check whether a user has permission to invoke certain operations. If authorization is not enabled, the groups are ignored.
By default, if a client does not provide any JMS username/password credentials, access to the broker is denied. It is possible, however, to enable anonymous access by setting the anonymousAccessAllowed attribute to true on the simpleAuthenticationPlugin element, as shown in Example 3.2.
Example 3.2. Enabling Anonymous Access
<simpleAuthenticationPlugin anonymousAccessAllowed="true">
  <users>
    <authenticationUser username="system"
                        password="manager"
                        groups="users,admins"/>
    ...
  </users>
</simpleAuthenticationPlugin>
Now, with anonymous access enabled, when a client without credentials connects to the broker, it is automatically assigned the username anonymous and the group ID anonymous. When used in combination with the authorization plug-in, you can assign strictly limited privileges to the anonymous group in order to protect your system.
You can optionally change the username and group ID that get assigned to anonymous users by setting the anonymousUser and anonymousGroup attributes, for example:
<simpleAuthenticationPlugin
    anonymousAccessAllowed="true"
    anonymousUser="JohnDoe"
    anonymousGroup="unauthenticated">
  <users>
    ...
  </users>
</simpleAuthenticationPlugin>
Note: If you enable anonymous access, it is highly recommended that you also enable authorization, otherwise your broker would be completely exposed to all users.
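The recommendation in the note can be checked mechanically. The following Python script is an added example, not part of the original documentation or the broker's own tooling: it audits a broker configuration for anonymous access that is not backed by authorization, or whose anonymous group has been given more than limited privileges. It assumes authorization is configured in the same file with ActiveMQ's authorizationPlugin and authorizationEntry elements; the function names and both sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Drop any XML namespace so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def find(parent, name):
    """All elements at or below parent whose local name matches."""
    return [e for e in parent.iter() if local(e.tag) == name]

def audit_broker_config(xml_text):
    """Return findings about anonymous access in a broker configuration."""
    findings = []
    for broker in find(ET.fromstring(xml_text), "broker"):
        has_authz = bool(find(broker, "authorizationPlugin"))
        for plugin in find(broker, "simpleAuthenticationPlugin"):
            if plugin.get("anonymousAccessAllowed", "false").strip().lower() != "true":
                continue  # default: clients without credentials are denied
            group = plugin.get("anonymousGroup", "anonymous")
            if not has_authz:
                findings.append("anonymous access enabled but no authorizationPlugin")
            for user in find(plugin, "authenticationUser"):
                if group in [g.strip() for g in user.get("groups", "").split(",")]:
                    findings.append(f"user {user.get('username')} is in anonymous group {group}")
            for entry in find(broker, "authorizationEntry"):
                if group in [g.strip() for g in entry.get("admin", "").split(",")]:
                    dest = entry.get("queue") or entry.get("topic")
                    findings.append(f"anonymous group {group} has admin on {dest}")
    return findings

# Constructed sample configurations (not taken from a real broker).
EXPOSED = """<beans><broker><plugins>
  <simpleAuthenticationPlugin anonymousAccessAllowed="true">
    <users><authenticationUser username="system" password="example-only" groups="users,admins"/></users>
  </simpleAuthenticationPlugin>
</plugins></broker></beans>"""

RESTRICTED = """<beans><broker><plugins>
  <simpleAuthenticationPlugin anonymousAccessAllowed="true" anonymousGroup="unauthenticated">
    <users><authenticationUser username="system" password="example-only" groups="users,admins"/></users>
  </simpleAuthenticationPlugin>
  <authorizationPlugin><map><authorizationMap><authorizationEntries>
    <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
    <authorizationEntry topic="PUBLIC.>" read="unauthenticated,users" write="users" admin="admins"/>
  </authorizationEntries></authorizationMap></map></authorizationPlugin>
</plugins></broker></beans>"""

if __name__ == "__main__":
    for name, cfg in (("EXPOSED", EXPOSED), ("RESTRICTED", RESTRICTED)):
        print(name, audit_broker_config(cfg) or "no findings")
```

Run against the real broker configuration file, a non-empty result means anonymous clients are either unrestricted or hold rights that should be reserved for authenticated groups.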