Activemq 安全机制以及稳定性研究
1) 安全接入机制:activemq启动时加载配置文件$ACTIVEMQ_HOME/conf/activemq.xml, 在activemq.xml的<broker>节点中添加以下元素以提供对建立连接时的用户名/密码的支持:
<plugins>
<simpleAuthenticationPlugin>
<users>
<authenticationUser username="system" password="manager"
groups="users,admins"/>
<authenticationUser username="user" password="password"
groups="users"/>
<authenticationUser username="guest" password="password" groups="guests"/>
</users>
</simpleAuthenticationPlugin>
<!--lets configure a destination based authorization mechanism -->
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
<authorizationEntry queue="USERS.>" read="users" write="users" admin="users" />
<authorizationEntry queue="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
<authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
<authorizationEntry topic="USERS.>" read="users" write="users" admin="users" />
<authorizationEntry topic="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
<authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
</authorizationEntries>
<!-- let's assign roles to temporary destinations. comment this entry if we don't want any roles assigned to temp destinations-->
<tempDestinationAuthorizationEntry>
<tempDestinationAuthorizationEntry read="tempDestinationAdmins" write="tempDestinationAdmins" admin="tempDestinationAdmins"/>
</tempDestinationAuthorizationEntry>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
其中对哪种用户能够访问哪些类型的队列做了限制。
在客户端java连接activemq的配置如下:
<bean id="connectionFactory" class="org.apache.activemq.ActiveMQConnectionFactory">
<property name="brokerURL">
<value>tcp://10.100.8.5:61616?wireFormat.maxInactivityDuration=0&jms.useAsyncSend=true</value>
</property>
<property name="userName" value="system"/>
<property name="password" value="manager"/>
</bean>
2)限定只能从本地连接activemq:
<transportConnectors>
<transportConnector name="openwire" uri="tcp://0.0.0.0:61616" />
</transportConnectors>
将上面的0.0.0.0改为localhost或127.0.0.1即可限定只能从本机连接。
3) 主备机机制:
将连接的url设置为:
failover:(tcp://primary:61616,tcp://secondary:61616)?randomize=false
当primary断开后,会自动地连接secondary.
例如:
<bean id="connectionFactory" class="org.apache.activemq.ActiveMQConnectionFactory">
<!-- mq's URL -->
<!-- wireFormat.maxInactivityDuration=0 means never close the inactive connection -->
<property name="brokerURL">
<value>failover:(tcp://localhost:61616?wireFormat.maxInactivityDuration=0,tcp://10.100.8.5:61616?wireFormat.maxInactivityDuration=0)?randomize=false&jms.useAsyncSend=true</value>
</property>
</bean>
注意当使用failover:时,jms.*类型的参数写在括号外面才对,否则activemq不能正确解析。
4)在同一个机器上启动多个MQ Broker:
Master的配置文件为conf/activemq.xml, 将其复制一份,保存为activemq2.xml,然后做如下的修改:
1. 修改broker的name属性,如:brokerName=”slaveBroker”, 添加broker的属性 masterConnectorURI="tcp://masterhost:62001"
2. 修改data directory位置,使其不与master的data directory重复:
<persistenceAdapter>
<kahaDB directory=”${activemq.base}/data/kahaDB2” />
</persistenceAdapter>
3. 修改WEB控制台配置:
web控制台的配置在jetty.xml中,复制这个文件保存为jetty2.xml,然后将jetty2.xml作为web控制台的配置文件:
<import resource=”jetty2.xml”/>
然后在jetty2.xml中修改web服务的端口以避免冲突:
<bean id=”Connector” …>
<property name=”port” value=”8102” />
</bean>
启动slave broker:
cd${activemq-base}/bin
./activemq xbean:activemq2.xml&
页:
[1]