<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<html>
<head>
<link href="http://activemq.apache.org/styles/site.css" rel="stylesheet" type="text/css"/>
<link href="http://activemq.apache.org/styles/type-settings.css" rel="stylesheet" type="text/css"/>
<script src="http://activemq.apache.org/styles/prototype.js" type="text/javascript"></script>
<script src="http://activemq.apache.org/styles/rico.js" type="text/javascript"></script>
<script src="http://activemq.apache.org/styles/site.js" type="text/javascript"></script>
<style type="text/css">
.maincontent { overflow:hidden; }
</style>
<!--[if IE]>
<style type="text/css">
.maincontent { width:100%; }
</style>
<![endif]-->
<link href='http://activemq.apache.org/styles/highlighter/styles/shCore.css' rel='stylesheet' type='text/css' />
<link href='http://activemq.apache.org/styles/highlighter/styles/shThemeEclipse.css' rel='stylesheet' type='text/css' />
<script src='http://activemq.apache.org/styles/highlighter/scripts/shCore.js' type='text/javascript'></script>
<script src='http://activemq.apache.org/styles/highlighter/scripts/shBrushJava.js' type='text/javascript'></script>
<script type="text/javascript">
SyntaxHighlighter.defaults['toolbar'] = false;
SyntaxHighlighter.all();
</script>
<title>
Apache ActiveMQ &#8482; -- Shiro
</title>
</head>
<body>
<div class="white_box">
<div class="header">
<div class="header_l">
<div class="header_r">
</div>
</div>
</div>
<div class="content">
<div class="content_l">
<div class="content_r">
<div>
<!-- Banner -->
<div id="asf_logo">
<div id="activemq_logo">
<a shape="rect" style="float:left; width:280px;display:block;text-indent:-5000px;text-decoration:none;line-height:60px; margin-top:10px; margin-left:100px;" href="http://activemq.apache.org" title="The most popular and powerful open source Message Broker">ActiveMQ</a>
<a shape="rect" style="float:right; width:210px;display:block;text-indent:-5000px;text-decoration:none;line-height:60px; margin-top:15px; margin-right:10px;" href="http://www.apache.org" title="The Apache Software Foundation">ASF</a>
</div>
</div>
<div class="top_red_bar">
<div id="site-breadcrumbs">
</div>
<div id="site-quicklinks">
</div>
</div>
<table border="0">
<tbody>
<tr>
<td valign="top" width="100%">
<div class="wiki-content maincontent"><p>&#160;</p><p>ActiveMQ 5.10 and later provides a fully customizable security experience using <a shape="rect" class="external-link" href="http://shiro.apache.org">Apache Shiro</a>.</p><p>The ActiveMQ Shiro plugin can secure the ActiveMQ broker, from authenticating transport connections to authorizing behavior with topics and queues and everything in between.</p><h2 id="Shiro-Quickstart">Quickstart</h2><p>The fastest/simplest way to enable the ShiroPlugin is to define it as a Spring bean in the <code>broker</code> <code>plugins</code> section and embed <a shape="rect" class="external-link" href="http://shiro.apache.org/configuration.html">Shiro ini configuration</a>:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;beans xmlns="http://www.springframework.org/schema/beans"
xmlns:amq="http://activemq.apache.org/schema/core"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd"&gt;
&lt;broker xmlns="http://activemq.apache.org/schema/core" ... other attributes here ...&gt;
&lt;plugins&gt;
&lt;bean id="shiroPlugin" class="org.apache.activemq.shiro.ShiroPlugin" xmlns="http://www.springframework.org/schema/beans"&gt;
&lt;property name="iniConfig"&gt;&lt;value&gt;
[main]
# Shiro object graph configuration here if desired/necessary
[users]
# users section format:
#
# username = password [, assignedRole1, assignedRole2, ..., assignedRoleN]
#
# for example:
#
# scott = tiger, advisory, users, administrators
#
# Roles and permissions assigned to roles are defined in the [roles] section
# below. By transitive association, any user assigned a role is granted the
# role's permissions.
# ActiveMQ System User
# needed for in-VM/local connections when authentication is enabled:
system = manager, system
# Other users here. You should almost always add the `advisory` role for each
# user to make your life easy! See the [roles] comments below for more info.
# jsmith = jsmithsPassword, advisory
# djones = djonesPassword, advisory, ...
# etc.
[roles]
# roles section format:
#
# roleName = wildcardPermission1, wildcardPermission2, ..., wildcardPermissionN
#
# The 'system' role is assigned all permissions (*). Be careful when assigning
# this to actual users other than the system user:
system = *
# Full access rights should generally be given to the ActiveMQ.Advisory.*
# destinations because by default an ActiveMQConnection uses advisory topics to
# get early knowledge of temp destination creation and deletion. For more info:
#
# http://activemq.apache.org/security.html
#
# So we create an 'advisory' role here with a wildcard/catch-all permission
# for all advisory topics. To make your life easy, ensure you assign this to
# any/all users in the [users] section above, e.g.
#
# jsmith = jsmithsPassword, advisory, ...
advisory = topic:ActiveMQ.Advisory*
&lt;/value&gt;&lt;/property&gt;
&lt;/bean&gt;
&lt;/plugins&gt;
&lt;/broker&gt;
&lt;/beans&gt;
</pre>
</div></div><p>This config assumes you have a simple/small set of static users that access your ActiveMQ broker. We'll cover enabling more advanced user repositories later.</p><h4 id="Shiro-EncryptedPasswords">Encrypted Passwords</h4><p>The above example uses plaintext passwords, which is simple to set up and easy to use for testing, but not really secure. Most production deployments will likely want to use encrypted passwords. For example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;bean id="shiroPlugin" class="org.apache.activemq.shiro.ShiroPlugin" xmlns="http://www.springframework.org/schema/beans"&gt;
&lt;property name="iniConfig"&gt;&lt;value&gt;
[main]
# Shiro object graph configuration here
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
iniRealm.credentialsMatcher = $passwordMatcher
[users]
scott = $shiro1$SHA-256$500000$eWpVX2tGX7WCP2J+jMCNqw==$it/NRclMOHrfOvhAEFZ0mxIZRdbcfqIBdwdwdDXW2dM=, advisory
system = $shiro1$SHA-256$500000$eUyGwMGr9GYzB/gg/MoNgw==$WGc0yWFWv8+hLqjzVLgW7Hat2FQTywDXBl5izpqaLSY=, system
[roles]
system = *
advisory = topic:ActiveMQ.Advisory*
&lt;/value&gt;&lt;/property&gt;
&lt;/bean&gt;
</pre>
</div></div><p>As you can see, two things differ from the simpler/default configuration:</p><ol><li>The <code>[main]</code> section configured a <code>PasswordMatcher</code> on the implicit <code>iniRealm</code>. This indicates that all <code>.ini</code>-configured users are expected to have proper hashed/secure passwords.</li><li>The <code>[users]</code> lines now have hash values in the <code>password</code> location instead of plaintext values.</li></ol><p>To get the hashed password text values, you will want to <a shape="rect" class="external-link" href="http://search.maven.org/remotecontent?filepath=org/apache/shiro/tools/shiro-tools-hasher/1.2.2/shiro-tools-hasher-1.2.2-cli.jar" rel="nofollow">download Shiro's Command Line Hasher</a> from Maven Central. Once downloaded, you can use it to create secure password hashes that you can safely copy-and-paste into the <code>[users]</code> section:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">$ java -jar shiro-tools-hasher-X.X.X-cli.jar -p
</pre>
</div></div><p>It will then ask you to enter the password and then confirm it:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">Password to hash:
Password to hash (confirm):
</pre>
</div></div><p>When this command executes, it will print out the securely-salted-iterated-and-hashed password. For example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">$shiro1$SHA-256$500000$eWpVX2tGX7WCP2J+jMCNqw==$it/NRclMOHrfOvhAEFZ0mxIZRdbcfqIBdwdwdDXW2dM=
</pre>
</div></div><p>Take this value and place it as the password in the user definition line (followed by any desired roles, such as the <code>advisory</code> role). For example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">[users]
scott = $shiro1$SHA-256$500000$eWpVX2tGX7WCP2J+jMCNqw==$it/NRclMOHrfOvhAEFZ0mxIZRdbcfqIBdwdwdDXW2dM=, advisory
system = $shiro1$SHA-256$500000$eUyGwMGr9GYzB/gg/MoNgw==$WGc0yWFWv8+hLqjzVLgW7Hat2FQTywDXBl5izpqaLSY=, system
</pre>
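<p>An added example (not part of the ActiveMQ or Shiro code) that lints a Shiro ini written in the <code>[users]</code>/<code>[roles]</code> format above: it flags plaintext passwords, hashed entries that lack the <code>[main]</code> <code>PasswordMatcher</code> line, low iteration counts, and users other than <code>system</code> that hold a <code>*</code> role. The sample ini (including the <code>djones</code> hash), the finding names and the <code>MIN_ITERATIONS</code> threshold are constructed for illustration.</p>

```python
import re

# $shiro1$algorithm$iterations$base64-salt$base64-digest, as shown on this page.
SHIRO1 = re.compile(
    r"^\$shiro1\$([^$]+)\$(\d+)\$([A-Za-z0-9+/=]*)\$([A-Za-z0-9+/=]+)$")

# Assumption: use the iteration count of the page's sample hashes as the floor.
MIN_ITERATIONS = 500000

# Constructed sample: jsmith is plaintext, djones has a made-up weak hash
# and holds the all-permissions 'system' role.
SAMPLE_INI = """\
[main]
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
iniRealm.credentialsMatcher = $passwordMatcher
[users]
system = $shiro1$SHA-256$500000$eUyGwMGr9GYzB/gg/MoNgw==$WGc0yWFWv8+hLqjzVLgW7Hat2FQTywDXBl5izpqaLSY=, system
scott = $shiro1$SHA-256$500000$eWpVX2tGX7WCP2J+jMCNqw==$it/NRclMOHrfOvhAEFZ0mxIZRdbcfqIBdwdwdDXW2dM=, advisory
jsmith = jsmithsPassword, advisory
djones = $shiro1$SHA-256$1000$Y29uc3RydWN0ZWQ=$Y29uc3RydWN0ZWRoYXNo, advisory, system
[roles]
system = *
advisory = topic:ActiveMQ.Advisory*
"""


def parse_ini(text):
    """Return {section: {key: value}} for a Shiro-style ini string."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line:
            # Split on the first '=' only: base64 padding also uses '='.
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def audit(text):
    """Return a list of (username, finding) tuples for the [users] section."""
    ini = parse_ini(text)
    main = ini.get("main", {})
    users = ini.get("users", {})
    roles = ini.get("roles", {})

    # The hashed setup on this page needs the matcher set on the iniRealm.
    matcher_set = "iniRealm.credentialsMatcher" in main

    # Roles granted every permission. Simplified: a naive comma split is
    # enough to spot a bare '*' permission.
    all_perm_roles = {
        name for name, perms in roles.items()
        if "*" in [p.strip() for p in perms.split(",")]
    }

    findings = []
    for user, value in users.items():
        # users format: password [, role1, role2, ...]
        fields = [f.strip() for f in value.split(",")]
        password, assigned = fields[0], set(fields[1:])

        match = SHIRO1.match(password)
        if match is None:
            findings.append((user, "PLAINTEXT_PASSWORD"))
        else:
            if not matcher_set:
                findings.append((user, "HASH_WITHOUT_MATCHER"))
            if MIN_ITERATIONS > int(match.group(2)):
                findings.append((user, "LOW_ITERATIONS"))

        # The page reserves the '*' role for the ActiveMQ system user.
        if user != "system" and not assigned.isdisjoint(all_perm_roles):
            findings.append((user, "ALL_PERMISSIONS"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_INI):
        print(f"{user}: {finding}")
```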
</div></div><h2 id="Shiro-Configuration">Configuration</h2><p>The ActiveMQ Shiro plugin can be configured in a number of ways. For example, with Java:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">BrokerService brokerService = new BrokerService();
ShiroPlugin shiroPlugin = new ShiroPlugin();
//configure shiroPlugin via getters/setters here
brokerService.setPlugins(new BrokerPlugin[]{shiroPlugin});
//continue configuring the brokerService as necessary ...
</pre>
</div></div><p>Or, if using traditional ActiveMQ xml, as a Spring bean in the <code>broker</code> <code>plugins</code> section. For example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;beans xmlns="http://www.springframework.org/schema/beans"
xmlns:amq="http://activemq.apache.org/schema/core"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd"&gt;
&lt;broker xmlns="http://activemq.apache.org/schema/core" ... other attributes here ...&gt;
&lt;plugins&gt;
&lt;bean id="shiroPlugin" class="org.apache.activemq.shiro.ShiroPlugin" xmlns="http://www.springframework.org/schema/beans"&gt;
&lt;!-- Config properties via getters/setters as necessary: --&gt;
&lt;/bean&gt;
&lt;/plugins&gt;
&lt;/broker&gt;
&lt;/beans&gt;
</pre>
</div></div><p>The remaining configuration examples on this page will be shown as bean XML, but know that the same configuration can be done in Java as standard JavaBeans-compatible getter and setter methods.</p><h3 id="Shiro-Enabling/Disabling">Enabling/Disabling</h3><p>You can enable or disable the ShiroPlugin entirely without having to remove it from your configuration. This is convenient when testing, or when you want to enable or disable it based on a configuration parameter at startup.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;bean id="shiroPlugin" class="org.apache.activemq.shiro.ShiroPlugin" xmlns="http://www.springframework.org/schema/beans"&gt;
&lt;!-- enabled by default. To disable, uncomment:
&lt;property name="enabled" value="false"/&gt; --&gt;
&lt;/bean&gt;
</pre>
</div></div><p>A nice technique is to use Spring's <a shape="rect" class="external-link" href="http://static.springsource.org/spring/docs/3.2.x/javadoc-api/org/springframework/context/support/PropertySourcesPlaceholderConfigurer.html" rel="nofollow">PropertySourcesPlaceholderConfigurer</a> and placeholder tokens (set <code>shiro.enabled = true</code> in one of your placeholder property files):</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;beans ...&gt;
&lt;bean class="org.springframework.context.support.PropertySourcesPlaceholderConfigurer"&gt;
...
&lt;/bean&gt;
&lt;broker ...&gt;
&lt;plugins ...&gt;
&lt;bean id="shiroPlugin" class="org.apache.activemq.shiro.ShiroPlugin" xmlns="http://www.springframework.org/schema/beans"&gt;
&lt;property name="enabled" value="${shiro.enabled}"/&gt;
&lt;/bean&gt;
&lt;/plugins&gt;
&lt;/broker&gt;
&lt;/beans&gt;
</pre>
</div></div><p>This allows you to enable or disable the Shiro plugin by simply setting a property in a <code>.properties</code> file without having to change your XML config.</p><h3 id="Shiro-ShiroEnvironment">Shiro Environment</h3><p>The <code>shiroPlugin</code> requires a Shiro <a shape="rect" class="external-link" href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/env/Environment.html">Environment</a> to function. You must either configure the plugin with:</p><ul><li>an <code>Environment</code> instance (or a Shiro <code>SecurityManager</code> instance) that you instantiate and configure elsewhere - e.g. in Java code or elsewhere in the Spring XML config, or</li><li>specify some Shiro <a shape="rect" class="external-link" href="http://shiro.apache.org/configuration.html">.ini configuration</a>, either as a direct String, an <a shape="rect" class="external-link" href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/config/Ini.html">Ini</a> instance, or a <a shape="rect" class="external-link" href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/io/ResourceUtils.html#getInputStreamForPath(java.lang.String)">resource path</a> where your <code>shiro.ini</code> file is located. The plugin will load the ini config and create an <code>Environment</code> automatically.</li></ul><h4 id="Shiro-CustomEnvironment">Custom Environment</h4><p>A Shiro <code>Environment</code> object contains everything that Shiro needs to operate, and this encapsulates the Shiro <code>SecurityManager</code> as well. If you want to construct and configure an Environment instance yourself:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;beans ...&gt;
&lt;broker ...&gt;
&lt;plugins&gt;
&lt;bean id="shiroPlugin" class="org.apache.activemq.shiro.ShiroPlugin" xmlns="http://www.springframework.org/schema/beans"&gt;
&lt;property name="environment" ref="shiroEnvironment"/&gt;
&lt;/bean&gt;
&lt;/plugins&gt;
&lt;/broker&gt;
&lt;bean id="shiroEnvironment" class=".."&gt;
... config here ...
&lt;/bean&gt;
&lt;bean class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/&gt;
&lt;/beans&gt;
</pre>
</div></div><h4 id="Shiro-CustomSecurityManager">Custom SecurityManager</h4><p>Instead of configuring an <code>Environment</code> instance, you can construct a <code>SecurityManager</code>:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;beans ...&gt;
&lt;broker ...&gt;
&lt;plugins&gt;
&lt;bean id="shiroPlugin" class="org.apache.activemq.shiro.ShiroPlugin" xmlns="http://www.springframework.org/schema/beans"&gt;
&lt;property name="securityManager" ref="shiroSecurityManager"/&gt;
&lt;/bean&gt;
&lt;/plugins&gt;
&lt;/broker&gt;
&lt;bean id="shiroSecurityManager" class="org.apache.shiro.mgt.DefaultSecurityManager"&gt;
&lt;property name="realms"&gt;
&lt;list&gt;
&lt;bean id="myRealm" class="..."&gt;
...
&lt;/bean&gt;
... maybe more Realm beans ...
&lt;/list&gt;
&lt;/property&gt;
&lt;/bean&gt;
&lt;bean class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/&gt;
&lt;/beans&gt;
</pre>
</div></div><p>If specifying a <code>SecurityManager</code> instead of the <code>Environment</code> property, an <code>Environment</code> will be created automatically that wraps the configured <code>SecurityManager</code>.</p><h4 id="Shiro-shiro.iniFile">shiro.ini File</h4><p>If you don't want to construct a <code>SecurityManager</code> or <code>Environment</code> in code or xml, you can easily specify a <a shape="rect" class="external-link" href="http://shiro.apache.org/configuration.html">shiro.ini</a> file instead and an Environment/SecurityManager will automatically be created based on that:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;beans ...&gt;
&lt;broker ...&gt;
&lt;plugins&gt;
&lt;bean id="shiroPlugin" class="org.apache.activemq.shiro.ShiroPlugin" xmlns="http://www.springframework.org/schema/beans"&gt;
&lt;property name="iniResourcePath" value="classpath:myshiro.ini"/&gt;
&lt;/bean&gt;
&lt;/plugins&gt;
&lt;/broker&gt;
&lt;/beans&gt;
</pre>
</div></div><p>This allows you to keep your Shiro config separate from your ActiveMQ broker configuration if you prefer.</p><h4 id="Shiro-shiro.iniEmbedded">shiro.ini Embedded</h4><p>If you want to use ini configuration and you would prefer to have all configuration in one place, you can embed the ini config instead:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;beans ...&gt;
&lt;broker ...&gt;
&lt;plugins ...&gt;
&lt;bean id="shiroPlugin" class="org.apache.activemq.shiro.ShiroPlugin" xmlns="http://www.springframework.org/schema/beans"&gt;
&lt;property name="iniConfig"&gt;
&lt;value&gt;
[main]
# Shiro object graph configuration here if desired/necessary
[users]
system = manager, system
[roles]
system = *
advisory = topic:ActiveMQ.Advisory*
&lt;/value&gt;
&lt;/property&gt;
&lt;/bean&gt;
&lt;/plugins&gt;
&lt;/broker&gt;
&lt;/beans&gt;
</pre>
</div></div><h2 id="Shiro-Design">Design</h2><p>The Shiro plugin is a <a shape="rect" class="external-link" href="http://activemq.apache.org/maven/apidocs/org/apache/activemq/broker/BrokerPlugin.html">BrokerPlugin</a> that inserts 3 <a shape="rect" class="external-link" href="http://activemq.apache.org/maven/apidocs/org/apache/activemq/broker/BrokerFilter.html">BrokerFilter</a>s in the broker filter chain: the <code>SubjectFilter</code>, the <code>AuthenticationFilter</code> and the <code>AuthorizationFilter</code>.</p><p><strong>SubjectFilter</strong></p><p>The <code>SubjectFilter</code> exists before all other Shiro-related broker filters in the broker filter chain. It constructs a Shiro <a shape="rect" class="external-link" href="http://shiro.apache.org/subject.html">Subject</a> instance reflecting the broker client and ensures the <code>Subject</code> instance is available for all downstream broker filters that may need to use the <code>Subject</code> to perform security operations.</p><p><strong>AuthenticationFilter</strong></p><p>The <code>AuthenticationFilter</code> exists immediately after the <code>SubjectFilter</code> in the broker filter chain. It ensures that the broker client <code>Subject</code> is authenticated if necessary before allowing the chain to continue. If authentication is required and the <code>Subject</code> is not authenticated, the broker filter chain will not be executed, ensuring only verified identities may perform further behavior.</p><p><strong>AuthorizationFilter</strong></p><p>The <code>AuthorizationFilter</code> exists immediately after the <code>AuthenticationFilter</code> in the broker filter chain.
It ensures that the <code>Subject</code> associated with the filter chain is authorized (permitted) to perform the action being attempted before allowing the action to execute.</p><p>For example, it would ensure that the <code>Subject</code> is allowed to send a message to a particular topic before allowing the send operation to execute. If authorization is enabled and the <code>Subject</code> is not authorized to perform the desired action, the broker filter chain will not be executed.</p><h2 id="Shiro-SubjectFilter">SubjectFilter</h2><p>The ShiroPlugin installs and executes the <code>SubjectFilter</code> before all other Shiro-related broker filters in the broker filter chain. The <code>SubjectFilter</code> constructs a Shiro <a shape="rect" class="external-link" href="http://shiro.apache.org/subject.html">Subject</a> instance reflecting the broker client and ensures the <code>Subject</code> instance is available for all downstream broker filters that may need to use the <code>Subject</code> to perform security operations.</p><p>The <code>SubjectFilter</code> is mostly a 'behind the scenes' component of the ShiroPlugin, but it does offer some customization for advanced use cases:</p><ul><li>the ability to customize exactly how broker clients' <code>Subject</code> instances are created via a <code>ConnectionSubjectFactory</code> and</li><li>the ability to customize how the ActiveMQ ConnectionContext's <a shape="rect" class="external-link" href="http://activemq.apache.org/maven/apidocs/org/apache/activemq/security/SecurityContext.html">SecurityContext</a> is constructed.</li></ul><p>Unless you're deeply familiar with ActiveMQ's security model, you can safely skip to <strong>Authentication</strong> below.</p><h3 id="Shiro-ConnectionSubjectFactory">ConnectionSubjectFactory</h3><p>A <code>ConnectionSubjectFactory</code> creates a <code>Subject</code> instance that represents the broker client's identity.
The <code>SubjectFilter</code>'s default instance is a <code>DefaultConnectionSubjectFactory</code>.</p><p>Most <code>ConnectionSubjectFactory</code> implementations will simply use Shiro's <code>Subject.Builder</code> to create an anonymous Subject instance and let the downstream <code>AuthenticationFilter</code> authenticate the Subject based on any credentials associated with the connection. After authentication, the Subject will have an identity, and this is the expected flow for most connection clients.</p><p>However, if there is some other data associated with the connection that can be inspected to create a Subject instance beyond what the <code>DefaultConnectionSubjectFactory</code> provides, you can implement the <code>ConnectionSubjectFactory</code> interface and plug it in to the <code>SubjectFilter</code>:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;bean id="shiroPlugin" class="org.apache.activemq.shiro.ShiroPlugin" xmlns="http://www.springframework.org/schema/beans"&gt;
&lt;property name="subjectFilter.connectionSubjectFactory"&gt;
&lt;bean class="com.my.ConnectionSubjectFactory" .../&gt;
&lt;/property&gt;
&lt;/bean&gt;
</pre>
</div></div><h3 id="Shiro-SecurityContextFactory">SecurityContextFactory</h3><p>The ActiveMQ <code>ConnectionContext</code> associated with broker client connections utilizes a <code>SecurityContext</code> object. When the <code>SubjectFilter</code> executes, it needs to create a Shiro-specific <code>SecurityContext</code> and associate it with the <code>ConnectionContext</code> so the Subject may be accessed downstream for all subsequent security operations.</p><p>The <code>SubjectFilter</code> delegates <code>SecurityContext</code> creation to a <code>SecurityContextFactory</code> instance. The <code>DefaultSecurityContextFactory</code> implementation returns <code>SubjectSecurityContext</code> instances based on the connection's associated <code>Subject</code>. It should be an extremely rare thing to change, but if you must configure a custom <code>SecurityContextFactory</code>, you can do as follows:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;bean id="shiroPlugin" class="org.apache.activemq.shiro.ShiroPlugin" xmlns="http://www.springframework.org/schema/beans"&gt;
&lt;property name="subjectFilter.securityContextFactory"&gt;
&lt;bean class="com.my.SecurityContextFactory" .../&gt;
&lt;/property&gt;
&lt;/bean&gt;
</pre>
</div></div><p>Note however that much of the plugin's functionality and downstream filters expect created <code>SecurityContext</code> instances to be <code>SubjectSecurityContext</code> instances.</p><h2 id="Shiro-Authentication">Authentication</h2><p>The ShiroPlugin installs the <code>AuthenticationFilter</code> immediately after the <code>SubjectFilter</code> in the broker filter chain. The <code>AuthenticationFilter</code> ensures that the broker client <code>Subject</code> is authenticated if necessary before allowing the chain to continue. If authentication is required and the <code>Subject</code> is not authenticated, the broker filter chain will not be executed, ensuring only verified identities may perform further behavior.</p><p>WORK IN PROGRESS - STILL AUTHORING</p></div>
</td>
<td valign="top">
<div class="navigation">
<div class="navigation_top">
<div class="navigation_bottom">
<h3 
id="Navigation-ProjectReports">Project Reports</h3><ul class="alternate"><li><a shape="rect" href="junit-reports.html">JUnit Reports</a></li><li><a shape="rect" href="source-xref.html">Source XRef</a></li><li><a shape="rect" href="test-source-xref.html">Test Source XRef</a></li><li><a shape="rect" href="xml-reference.html">Xml Reference</a></li></ul>
</div>
</div>
</div>
</td>
</tr>
</tbody>
</table>
<div class="bottom_red_bar"></div>
</div>
</div>
</div>
</div>
<div class="black_box">
<div class="footer">
<div class="footer_l">
<div class="footer_r">
<div>
<a href="http://activemq.apache.org/privacy-policy.html">Privacy Policy</a>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="design_attribution">
&copy; 2004-2011 The Apache Software Foundation.
<br/>
Apache ActiveMQ, ActiveMQ, Apache, the Apache feather logo, and the Apache ActiveMQ project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.
<br/>
<a href="http://hiramchirino.com">Graphic Design By Hiram</a>
</div>
</body>
</html>