Archive for the month: January 2013

Securing the embedded ActiveMQ in ServiceMix

As soon as you look into letting other software connect to the ActiveMQ broker that ships with ServiceMix, you will probably want to secure those connections. An important step is to authenticate and authorize the clients. This post is based on ServiceMix 4.4.2 and focuses on the configuration required on the ServiceMix side so that everything still connects to ActiveMQ as flawlessly as it did without authentication.

The first step is to configure the ActiveMQ broker with authentication in $SMX_HOME/etc/activemq-broker.xml. Details can be found on the ActiveMQ homepage.

<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
 xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.0.0"
 xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
 xmlns:amq="http://activemq.apache.org/schema/core">
 
...
 <broker xmlns="http://activemq.apache.org/schema/core" brokerName="default" dataDirectory="${karaf.data}/activemq/default" useShutdownHook="false">
...
  <plugins>
   <simpleAuthenticationPlugin>
    <users>
     <authenticationUser username="user1" password="mypw" groups="group1" />
     <authenticationUser username="user2" password="mypw" groups="group2" />
    </users>
   </simpleAuthenticationPlugin>
   <authorizationPlugin>
    <map>
     <authorizationMap>
      <authorizationEntries>
       <!-- Base permissions applicable to all queues and topics -->
       <authorizationEntry queue=">" read="group1" write="group1" admin="group1" />
       <authorizationEntry topic=">" read="group1" write="group1" admin="group1" />

       <!-- Especially important: every group needs access here, otherwise its clients cannot connect at all -->
       <authorizationEntry topic="ActiveMQ.Advisory.>" read="group1,group2" write="group1,group2" admin="group1,group2"/>

       <!-- Special access rule for queue "myqueue" -->
       <authorizationEntry queue="myqueue" read="group1,group2" write="group1,group2" admin="group1,group2" />
      </authorizationEntries>
     </authorizationMap>
    </map>
   </authorizationPlugin>
  </plugins>
...
 </broker>
 
 <!-- This configures a connection factory that can be used from your camel rules -->
 <bean id="activemqConnectionFactory" class="org.apache.activemq.ActiveMQConnectionFactory">
  <property name="brokerURL" value="vm://default?create=false&amp;waitForStart=10000" />
  <property name="userName" value="user1" />
  <property name="password" value="mypw" />
 </bean>
...
</blueprint>
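As an added example (not part of the original post and not ServiceMix or ActiveMQ code), a small Python check for the mistake the comment on the advisory entry warns about: it reads the authorization map of such an activemq-broker.xml and lists every configured user whose groups are all missing from the ActiveMQ.Advisory.> entry. The sample XML embedded in it is constructed for this example and leaves group2 out of that entry on purpose.

```python
import xml.etree.ElementTree as ET

AMQ_NS = "{http://activemq.apache.org/schema/core}"

# Constructed sample in the shape of $SMX_HOME/etc/activemq-broker.xml:
# group2 is deliberately missing from the advisory topic entry.
SAMPLE_BROKER_XML = """<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0">
 <broker xmlns="http://activemq.apache.org/schema/core" brokerName="default">
  <plugins>
   <simpleAuthenticationPlugin>
    <users>
     <authenticationUser username="user1" password="mypw" groups="group1" />
     <authenticationUser username="user2" password="mypw" groups="group2" />
    </users>
   </simpleAuthenticationPlugin>
   <authorizationPlugin>
    <map><authorizationMap><authorizationEntries>
     <authorizationEntry queue=">" read="group1" write="group1" admin="group1" />
     <authorizationEntry topic="ActiveMQ.Advisory.>" read="group1" write="group1" admin="group1" />
     <authorizationEntry queue="myqueue" read="group1,group2" write="group1,group2" admin="group1,group2" />
    </authorizationEntries></authorizationMap></map>
   </authorizationPlugin>
  </plugins>
 </broker>
</blueprint>"""

def _split_groups(value):
    return {g.strip() for g in value.split(",") if g.strip()}

def parse_users(root):
    """Map each username of the simpleAuthenticationPlugin to its set of groups."""
    return {u.get("username"): _split_groups(u.get("groups", ""))
            for u in root.iter(AMQ_NS + "authenticationUser")}

def advisory_groups(root):
    """Groups granted read, write and admin on the advisory wildcard, as in the post's entry."""
    for entry in root.iter(AMQ_NS + "authorizationEntry"):
        if entry.get("topic") == "ActiveMQ.Advisory.>":
            return (_split_groups(entry.get("read", ""))
                    & _split_groups(entry.get("write", ""))
                    & _split_groups(entry.get("admin", "")))
    return set()

def users_unable_to_connect(xml_text):
    """Users that authenticate fine but belong to no group allowed on the advisory topics."""
    root = ET.fromstring(xml_text)
    allowed = advisory_groups(root)
    return sorted(user for user, groups in parse_users(root).items()
                  if not groups & allowed)
```

Running the check against the constructed sample reports user2; after adding group2 to the advisory entry the list is empty.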

But now, if you are using the ActiveMQ web console, you will notice that it can't browse queues anymore. To re-enable this, add the following to $SMX_HOME/etc/system.properties:

webconsole.jms.user=user1
webconsole.jms.password=mypw

The web console uses these credentials to connect to ActiveMQ. To enable all functionality I would recommend creating a "servicemix" user with all privileges and using it both for the web console and for the default connection pool of your Camel routes.

Last but not least, you can reference the default connection pool in your Camel routes like this (using the Spring bean syntax). This avoids having to configure a separate connection pool (along with username and password) for each route.

<beans xmlns="http://www.springframework.org/schema/beans"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:camel="http://camel.apache.org/schema/spring"
 xmlns:osgi="http://www.springframework.org/schema/osgi"
 xsi:schemaLocation="
  http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
  http://camel.apache.org/schema/spring http://camel.apache.org/schema/spring/camel-spring-2.8.5.xsd
  http://www.springframework.org/schema/osgi http://www.springframework.org/schema/osgi/spring-osgi.xsd">
 
 <osgi:reference id="pooledConnectionFactory" interface="javax.jms.ConnectionFactory" />
 
 <camelContext xmlns="http://camel.apache.org/schema/spring">
...
 </camelContext>
</beans>

That's it. After you restart ServiceMix, it will have a (very basically) secured ActiveMQ. For a more sophisticated security configuration of ActiveMQ, I once again point you to the ActiveMQ homepage.