complex-single-broker-configuration-stomp-only.html - activemq-web - Git at Google

 <div class="wiki-content maincontent"><p>Example of an ActiveMQ configuration with predefined queues, simple destination security (could easily update it to JAAS), complex Web Console security with Jetty JAAS, and JMX security too.</p>

 <p>While this is a fairly detailed configuration, it locks down every ActiveMQ service.  It would be ideal if ActiveMQ shipped with a default closed configuration like this.</p>

 <p>ActiveMQ is assumed to be installed in /usr/local/activemq/ in this example.</p>
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 &lt;!--
   ActiveMQ activemq.xml configuration file (/usr/local/activemq/conf/activemq.xml)

   * ActiveMQ JVM Startup options are in /etc/activemq.conf

   * Uses the Sun JMX connector for remote management.  Point jconsole at:
      service:jmx:rmi:///jndi/rmi://myserver.domain.net:61616/jmxrmi

   * Uses Kaha persistence storage, stored in the "activemq-data" directory.
     "activemq-data" and "logs" sub-directories must be writable by the
     ActiveMQ user.

   * Also see conf/log4j.properties for logging configuration
 --&gt;

 &lt;beans&gt;
     &lt;!-- Enables system properties as variables in this configuration file --&gt;
     &lt;bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/&gt;

     &lt;broker xmlns="http://activemq.org/config/1.0" brokerName="SERVER1"
         populateJMSXUserID="true" useJmx="true" persistent="true"&gt;

     &lt;!-- Queue setup.  Queues can be created on the fly by any user with
          admin rights, but it is not good to give every user admin rights.  --&gt;
     &lt;destinations&gt;
         &lt;queue physicalName="widgets" /&gt;
         &lt;queue physicalName="spacecontrol" /&gt;
         &lt;queue physicalName="displays" /&gt;
     &lt;/destinations&gt;

     &lt;!-- We only allow Stomp clients --&gt;
     &lt;transportConnectors&gt;
         &lt;transportConnector name="stomp" uri="stomp://localhost:61613"/&gt;
     &lt;/transportConnectors&gt;

     &lt;!-- We don't have any other brokers to connect to --&gt;
     &lt;networkConnectors&gt;
     &lt;/networkConnectors&gt;

     &lt;!-- Do not create an ActiveMQ JMX connector.  Use the Sun JMX connector
          instead, and hook ActiveMQ to it. --&gt;
     &lt;managementContext&gt;
         &lt;managementContext createConnector="false" /&gt;
     &lt;/managementContext&gt;

     &lt;plugins&gt;
         &lt;simpleAuthenticationPlugin&gt;
             &lt;users&gt;
                 &lt;authenticationUser username="sa" password="manager" groups="producers,consumers,admins" /&gt;
                 &lt;authenticationUser username="frontend" password="manager" groups="producers,consumers" /&gt;
                 &lt;authenticationUser username="backend" password="manager" groups="consumers" /&gt;
             &lt;/users&gt;
         &lt;/simpleAuthenticationPlugin&gt;
         &lt;authorizationPlugin&gt;
             &lt;map&gt;
                 &lt;authorizationMap&gt;
                     &lt;authorizationEntries&gt;
                         &lt;authorizationEntry queue="&gt;" write="producers" read="consumers" admin="admins" /&gt;
                     &lt;/authorizationEntries&gt;
                 &lt;/authorizationMap&gt;
             &lt;/map&gt;
         &lt;/authorizationPlugin&gt;
     &lt;/plugins&gt;

     &lt;/broker&gt;

     &lt;!-- Do not create ActiveMQ.Agent topic, as it does not work if
          destination security is enabled --&gt;
     &lt;!-- &lt;commandAgent xmlns="http://activemq.org/config/1.0"/&gt; --&gt;

     &lt;!-- Web Console.  Auth is via JAAS.  Beware: jetty-plus-6.1.4.jar contains the
          JAAS classes, and is not included with ActiveMQ.  You need to download
          separately.  Web Console queue browser will fail, as it tries to use JMS
          to browse the queue, and that requires a password.
     --&gt;

     &lt;jetty xmlns="http://mortbay.com/schemas/jetty/1.0"&gt;
         &lt;connectors&gt;
             &lt;nioConnector port="8161" /&gt;
         &lt;/connectors&gt;

         &lt;userRealms&gt;
             &lt;!-- "name" must match the realm in web.xml, and "loginModuleName" must be defined in login.conf --&gt;
             &lt;jaasUserRealm name="ActiveMQ" loginModuleName="ActiveMQ"
                     callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler" /&gt;
         &lt;/userRealms&gt;

         &lt;handlers&gt;
             &lt;webAppContext contextPath="/admin" resourceBase="${activemq.base}/webapps/admin" logUrlOnStart="true" /&gt;
         &lt;/handlers&gt;
     &lt;/jetty&gt;
 &lt;/beans&gt;
 </pre>
 </div></div>
 <p>Add this XML snippet to the web.xml for the /admin/ app, in order to enable HTTP Authentication to match the activemq.xml configuration above.</p>
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 &lt;security-constraint&gt;
     &lt;web-resource-collection&gt;
         &lt;web-resource-name&gt;Web Console&lt;/web-resource-name&gt;
         &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
     &lt;/web-resource-collection&gt;
     &lt;auth-constraint&gt;
         &lt;role-name&gt;admins&lt;/role-name&gt;
     &lt;/auth-constraint&gt;
 &lt;/security-constraint&gt;

 &lt;login-config&gt;
     &lt;auth-method&gt;BASIC&lt;/auth-method&gt;
     &lt;realm-name&gt;ActiveMQ&lt;/realm-name&gt;
 &lt;/login-config&gt;
 </pre>
 </div></div></div>
	<div class="wiki-content maincontent"><p>Example of an ActiveMQ configuration with predefined queues, simple destination security (could easily update it to JAAS), complex Web Console security with Jetty JAAS, and JMX security too.</p>

	<p>While this is a fairly detailed configuration, it locks down every ActiveMQ service. It would be ideal if ActiveMQ shipped with a default closed configuration like this.</p>

	<p>ActiveMQ is assumed to be installed in /usr/local/activemq/ in this example.</p>
	<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
	<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
	<!--
	ActiveMQ activemq.xml configuration file (/usr/local/activemq/conf/activemq.xml)

	* ActiveMQ JVM Startup options are in /etc/activemq.conf

	* Uses the Sun JMX connector for remote management. Point jconsole at:
	service:jmx:rmi:///jndi/rmi://myserver.domain.net:61616/jmxrmi

	* Uses Kaha persistence storage, stored in the "activemq-data" directory.
	"activemq-data" and "logs" sub-directories must be writable by the
	ActiveMQ user.

	* Also see conf/log4j.properties for logging configuration
	-->

	<beans>
	<!-- Enables system properties as variables in this configuration file -->
	<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>

	<broker xmlns="http://activemq.org/config/1.0" brokerName="SERVER1"
	populateJMSXUserID="true" useJmx="true" persistent="true">

	<!-- Queue setup. Queues can be created on the fly by any user with
	admin rights, but it is not good to give every user admin rights. -->
	<destinations>
	<queue physicalName="widgets" />
	<queue physicalName="spacecontrol" />
	<queue physicalName="displays" />
	</destinations>

	<!-- We only allow Stomp clients -->
	<transportConnectors>
	<transportConnector name="stomp" uri="stomp://localhost:61613"/>
	</transportConnectors>

	<!-- We don't have any other brokers to connect to -->
	<networkConnectors>
	</networkConnectors>

	<!-- Do not create an ActiveMQ JMX connector. Use the Sun JMX connector
	instead, and hook ActiveMQ to it. -->
	<managementContext>
	<managementContext createConnector="false" />
	</managementContext>

	<plugins>
	<simpleAuthenticationPlugin>
	<users>
	<authenticationUser username="sa" password="manager" groups="producers,consumers,admins" />
	<authenticationUser username="frontend" password="manager" groups="producers,consumers" />
	<authenticationUser username="backend" password="manager" groups="consumers" />
	</users>
	</simpleAuthenticationPlugin>
	<authorizationPlugin>
	<map>
	<authorizationMap>
	<authorizationEntries>
	<authorizationEntry queue=">" write="producers" read="consumers" admin="admins" />
	</authorizationEntries>
	</authorizationMap>
	</map>
	</authorizationPlugin>
	</plugins>

	</broker>

	<!-- Do not create ActiveMQ.Agent topic, as it does not work if
	destination security is enabled -->
	<!-- <commandAgent xmlns="http://activemq.org/config/1.0"/> -->

	<!-- Web Console. Auth is via JAAS. Beware: jetty-plus-6.1.4.jar contains the
	JAAS classes, and is not included with ActiveMQ. You need to download
	separately. Web Console queue browser will fail, as it tries to use JMS
	to browse the queue, and that requires a password.
	-->

	<jetty xmlns="http://mortbay.com/schemas/jetty/1.0">
	<connectors>
	<nioConnector port="8161" />
	</connectors>

	<userRealms>
	<!-- "name" must match the realm in web.xml, and "loginModuleName" must be defined in login.conf -->
	<jaasUserRealm name="ActiveMQ" loginModuleName="ActiveMQ"
	callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler" />
	</userRealms>

	<handlers>
	<webAppContext contextPath="/admin" resourceBase="${activemq.base}/webapps/admin" logUrlOnStart="true" />
	</handlers>
	</jetty>
	</beans>
	</pre>
	</div></div>
	<p>Add this XML snippet to the web.xml for the /admin/ app, in order to enable HTTP Authentication to match the activemq.xml configuration above.</p>
	<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
	<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
	<security-constraint>
	<web-resource-collection>
	<web-resource-name>Web Console</web-resource-name>
	<url-pattern>/*</url-pattern>
	</web-resource-collection>
	<auth-constraint>
	<role-name>admins</role-name>
	</auth-constraint>
	</security-constraint>

	<login-config>
	<auth-method>BASIC</auth-method>
	<realm-name>ActiveMQ</realm-name>
	</login-config>
	</pre>
	</div></div></div>