This tutorial shows you how to enable JAAS authentication on a broker installed in the OSGi container. Instead of creating a local instance of a JAAS realm (as you would for a standalone broker), the broker exploits Fuse ESB's support for container-wide JAAS realms, as shown in Figure 1.1.
After the broker is secured by JAAS authentication, you can test it using the sample JMS clients from the standalone Fuse Message Broker distribution. The JMS clients must first be modified, however, to provide the requisite username/password JMS credentials.
This tutorial part builds on Tutorial I: SSL/TLS Security. All of the prerequisites from Prerequisites apply here and you must complete the previous tutorial part before proceeding.
To configure JAAS security for a broker deployed in the OSGi container, perform the following steps:
Configure the broker to authenticate JMS username/password credentials by checking
them against the karaf JAAS realm. In the Maven project, edit the
broker-spring.xml file, adding the plugins element, as
highlighted in the following XML sample:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core-5.4.0.xsd">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="simple-spring">
    <plugins>
      <jaasAuthenticationPlugin configuration="karaf"/>
    </plugins>
    <sslContext>
      <sslContext
          keyStore="classpath:conf/broker.ks"
          keyStorePassword="password"
          trustStore="classpath:conf/broker.ts"
          trustStorePassword="password"
      />
    </sslContext>
    <transportConnectors>
      <transportConnector name="openwire" uri="ssl://localhost:61001"/>
    </transportConnectors>
  </broker>
</beans>
The karaf JAAS realm can be administered by editing the InstallDir/etc/users.properties file, where the file contains entries in the following format:
Username=Password,Role1,Role2,...
For example, the default users.properties file defines a single user,
smx, with password, smx, as follows:
smx=smx,admin
You can customize this file by adding as many users and roles as you like (each user entry on its own line).
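The following check is an added example, not part of the original tutorial or of Fuse ESB itself: it parses a users.properties file in the Username=Password,Role1,Role2,... format shown above and reports entries that still use the default smx credentials, have an empty password, or reuse the username as the password. The function names, the sample users other than smx, and the minimum-length threshold are assumptions made for illustration.

```python
# Constructed sample input: the default entry from this page plus made-up users.
SAMPLE = """\
# constructed sample, not a real deployment
smx=smx,admin
alice=Tr0ub4dor&3,admin,manager
bob=bob,viewer
carol=,viewer
broken-line-without-separator
"""

# Username/password pairs shipped as defaults according to this page.
KNOWN_DEFAULTS = {("smx", "smx")}


def parse_users(text):
    """Return ({user: (password, [roles])}, [line numbers that do not parse])."""
    users, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition("=")
        if not sep or not name.strip():
            malformed.append(lineno)
            continue
        # First comma-separated field is the password, the rest are roles.
        password, *roles = [field.strip() for field in rest.split(",")]
        users[name.strip()] = (password, [r for r in roles if r])
    return users, malformed


def audit(text, min_length=8):
    """Return sorted (subject, finding) pairs; min_length is an assumed policy."""
    users, malformed = parse_users(text)
    findings = [("line %d" % n, "malformed entry") for n in malformed]
    for user, (password, _roles) in users.items():
        if (user, password) in KNOWN_DEFAULTS:
            findings.append((user, "default credentials"))
        elif not password:
            findings.append((user, "empty password"))
        elif password.lower() == user.lower():
            findings.append((user, "password equals username"))
        elif len(password) < min_length:
            findings.append((user, "password shorter than %d" % min_length))
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join("%s: %s" % pair for pair in audit(SAMPLE)))
```

Run it against a copy of InstallDir/etc/users.properties by passing the file's text to audit() before the broker is exposed to clients.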
Use Maven to build the broker bundle. Open a command prompt, switch the current
directory to ProjectDir/esb-security, and
then enter the following command:
mvn clean install
If you have not already done so, start up the Apache ServiceMix console (and container instance) by entering the following command in a new command prompt:
servicemix
To deploy and activate the broker bundle, enter the following console command:
karaf@root> osgi:install -s mvn:org.fusesource.example/esb-security
To test the broker configured in the OSGi container, you are going to use the example consumer tool and producer tool supplied with the standalone version of Fuse Message Broker.
You must modify the source code for the consumer and the producer clients in order to specify their JMS credentials.
To specify the JMS credentials for the consumer tool, edit
the ActiveMQInstallDir/example/src/ConsumerTool.java
file with your favorite text editor, setting the user and password strings, as
shown. These strings are ultimately passed as arguments to the
ActiveMQConnectionFactory.createConnection() method.
// Java
// ConsumerTool
...
public void run() {
    ...
    try {
        user = "smx";
        password = "smx";
        ActiveMQConnectionFactory connectionFactory = new ActiveMQConnectionFactory(user, password, url);
        ...
}
To specify the JMS credentials for the producer tool, edit
the ActiveMQInstallDir/example/src/ProducerTool.java
file with your favorite text editor, setting the user and password strings, as
shown.
// Java
// ProducerTool
...
public void run() {
    ...
    try {
        user = "smx";
        password = "smx";
        ActiveMQConnectionFactory connectionFactory = new ActiveMQConnectionFactory(user, password, url);
        ...
}
To connect the consumer tool to the ssl://localhost:61001 endpoint,
change directory to ActiveMQInstallDir/example
and enter the
following command:
ant consumer -Durl=ssl://localhost:61001 -Dmax=100
You should see some output like the following:
Buildfile: build.xml
init:
compile:
consumer:
[echo] Running consumer against server at $url = ssl://localhost:61001 for subject $subject = TEST.FOO
[java] Connecting to URL: ssl://localhost:61001
[java] Consuming queue: TEST.FOO
[java] Using a non-durable subscription
[java] We are about to wait until we consume: 100 message(s) then we will shutdown
To connect the producer tool to the ssl://localhost:61001 endpoint,
open a new command prompt, change directory to example and enter the
following command:
ant producer -Durl=ssl://localhost:61001 -Dmax=100
In the window where the consumer tool is running, you should see some output like the following:
[java] Received: Message: 0 sent at: Thu Feb 05 09:27:43 GMT 2009 ...
[java] Received: Message: 1 sent at: Thu Feb 05 09:27:43 GMT 2009 ...
[java] Received: Message: 2 sent at: Thu Feb 05 09:27:43 GMT 2009 ...
[java] Received: Message: 3 sent at: Thu Feb 05 09:27:43 GMT 2009 ...







