doc/book/src/java-broker/Java-Broker-Security-Authentication-Providers.xml - qpid - Git at Google

 <?xml version="1.0" encoding="utf-8"?>

 <!--

  Licensed to the Apache Software Foundation (ASF) under one
  or more contributor license agreements.  See the NOTICE file
  distributed with this work for additional information
  regarding copyright ownership.  The ASF licenses this file
  to you under the Apache License, Version 2.0 (the
  "License"); you may not use this file except in compliance
  with the License.  You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing,
  software distributed under the License is distributed on an
  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  KIND, either express or implied.  See the License for the
  specific language governing permissions and limitations
  under the License.

 -->

 <section id="Java-Broker-Security-Authentication-Providers">
   <title>Authentication Providers</title>
   <para>
     In order to successfully establish a connection to the Java Broker, the connection must be
     authenticated. The Java Broker supports a number of different authentication schemes, each
     with its own "authentication manager". Each of these are outlined below, along with details
     of <link linkend="MultipleAuthProviders"> using more than one at a time</link>.
   </para>

   <section>
     <title>Password File</title>
     <para>
       TODO
     </para>

   </section>

   <section id="LDAPAuthManager">
   <title>LDAP</title>

   <para>
     LDAP authentication can be configured using the &lt;simple-ldap-auth-manager&gt; element
     within the &lt;security&gt; section. An example of how to configure this is shown below.
     Please note this example also configures an unused &lt;pd-auth-manager&gt; to use an empty
     password file, this is a workaround for an issue relating to registration of security providers.
   </para>

   <para>
     <emphasis>NOTE: When using LDAP authentication, you must also use SSL on the brokers AMQP messaging and
     JMX/HTTP management ports in order to protect passwords during transmission to the broker.</emphasis>
   </para>
   <example>
     <title>Configuring LDAP authentication</title>
     <programlisting><![CDATA[
 <security>
   <default-auth-manager>SimpleLDAPAuthenticationManager</default-auth-manager>
   <simple-ldap-auth-manager>
     <provider-url>ldaps://example.com:636/</provider-url>
     <search-context>dc=example\,dc=com</search-context>
     <search-filter>(uid={0})</search-filter>
   </simple-ldap-auth-manager>

   <!-- Unused pd-auth-manager, a workaround to register the necessary security providers -->
   <pd-auth-manager>
     <principal-database>
       <class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>
       <attributes>
         <attribute>
           <name>passwordFile</name>
           <value>${conf}/emptyPasswdFile</value>
         </attribute>
       </attributes>
     </principal-database>
   <pd-auth-manager>
   ...
 </security>]]></programlisting>
   </example>

   <para>
     The authentication manager first connects to the ldap server anonymously and searches for the
     ldap entity which is identified by the username provided over SASL. Essentially the
     authentication manager calls
     DirContext.search(Name name, String filterExpr, Object[] filterArgs, SearchControls cons)
     with the values of search-context and search-filter as the first two arguments, and the username
     as the only element in the array which is the third argument.
   </para>

   <para>
     If the search returns a name from the LDAP server, the AuthenticationManager then attempts to
     login to the ldap server with the given name and the password.
   </para>

   <para>
     If the URL to open for authentication is different to that for the search, then the
     authentication url can be overridden using &lt;provider-auth-url&gt; in addition to providing a
     &lt;provider-url&gt;. Note that the URL used for authentication should use ldaps:// since
     passwords will be being sent over it.
   </para>

   <para>
     By default com.sun.jndi.ldap.LdapCtxFactory is used to create the context, however this can be
     overridden by specifying &lt;ldap-context-factory&gt; in the configuration.
   </para>
   </section>

   <section>
   <title>Kerberos</title>

   <para>
     Kereberos Authentication is configured using the &lt;kerberos-auth-manager&gt; element within
     the &lt;security&gt; section. When referencing from the default-auth-manager or port-mapping
     sections, its name is KerberosAuthenticationManager.
   </para>

   <para>
     Since Kerberos support only works where SASL authentication is available (e.g. not for JMX
     authentication) you may wish to also include an alternative Authentication Manager
     configuration, and use this for other ports:
   </para>

   <example>
     <title>Configuring Kerberos authentication</title>
     <programlisting><![CDATA[
 <security>
   <pd-auth-manager>
     <principal-database>
       <class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>
       <attributes>
         <attribute>
           <name>passwordFile</name>
           <value>${conf}/passwd</value>
         </attribute>
       </attributes>
     </principal-database>
   </pd-auth-manager>
   <kerberos-auth-manager/>
   <default-auth-manager>PrincipalDatabaseAuthenticationManager</default-auth-manager>
   <port-mappings>
     <port-mapping>
       <port>5672</port>
       <auth-manager>KerberosAuthenticationManager</auth-manager>
     </port-mapping>
   </port-mappings>
   ...
 </security>]]></programlisting>
   </example>

   <para>
     Configuration of kerberos is done through system properties (there doesn't seem to be a way
     around this unfortunately).
   </para>

   <programlisting>
     export QPID_OPTS=-Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=qpid.conf
     ${QPID_HOME}/bin/qpid-server
   </programlisting>

   <para>Where qpid.conf would look something like this:</para>

   <programlisting><![CDATA[
 com.sun.security.jgss.accept {
     com.sun.security.auth.module.Krb5LoginModule required
     useKeyTab=true
     storeKey=true
     doNotPrompt=true
     realm="EXAMPLE.COM"
     useSubjectCredsOnly=false
     kdc="kerberos.example.com"
     keyTab="/path/to/keytab-file"
     principal="<name>/<host>";
 };]]></programlisting>

   <para>
     Where realm, kdc, keyTab and principal should obviously be set correctly for the environment
     where you are running (see the existing documentation for the C++ broker about creating a keytab
     file).
   </para>

   <para>
     Note: You may need to install the "Java Cryptography Extension (JCE) Unlimited Strength
     Jurisdiction Policy Files" appropriate for your JDK in order to get Kerberos support working.
   </para>
   </section>

   <section id="ExternalAuthManager">
     <title>External (SSL Client Certificates)</title>

     <para>
       When <link linkend="SSL-Truststore-ClientCertificate"> requiring SSL Client Certificates</link> be
       presented the ExternalAuthenticationManager can be used, such that the user is authenticated based on
       trust of their certificate alone, and the X500Principal from the SSL session is then used as the username
       for the connection, instead of also requiring the user to present a valid username and password.
     </para>

     <para>
       The ExternalAuthenticationManager may be enabled by adding an empty &lt;external-auth-manager&gt; element to
       the &lt;security&gt; section, as shown below. When referencing it from the default-auth-manager or port-mapping
       sections, its name is ExternalAuthenticationManager.
     </para>

     <para>
       <emphasis role="bold">Note:</emphasis> The ExternalAuthenticationManager should typically only be used on the
       AMQP ports, in conjunction with <link linkend="SSL-Truststore-ClientCertificate">SSL client certificate
       authentication</link>. It is not intended for other uses such as the JMX management port and will treat any
       non-sasl authentication processes on these ports as successfull with the given username. As such you should
       <link linkend="MultipleAuthProviders">include another Authentication Manager for use on non-AMQP ports</link>,
       as is done in the example below. Perhaps the only exception to this would be where the broker is embedded in a
       container that is itself externally protecting the HTTP interface and then providing the remote users name.
     </para>

     <example>
       <title>Configuring external authentication (SSL client auth)</title>
       <programlisting><![CDATA[
 <security>
   <pd-auth-manager>
     <principal-database>
       <class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>
       <attributes>
         <attribute>
           <name>passwordFile</name>
           <value>${conf}/passwd</value>
         </attribute>
       </attributes>
     </principal-database>
   </pd-auth-manager>
   <external-auth-manager/>
   <default-auth-manager>PrincipalDatabaseAuthenticationManager</default-auth-manager>
   <port-mappings>
     <port-mapping>
       <port>5672</port>
       <auth-manager>ExternalAuthenticationManager</auth-manager>
     </port-mapping>
   </port-mappings>
   ...
 </security>]]></programlisting>
     </example>

   </section>

   <section id="AnonymousAuthManager">
     <title>Anonymous</title>

     <para>
       The AnonymousAuthenticationManager will allow users to connect with or without credentials and result
       in their identification on the broker as the user ANONYMOUS. It may be enabled by adding an empty
       anonymous-auth-manager element to the security configuration section, as shown below.
     </para>

     <example>
       <title>Configuring anonymous authentication</title>

       <programlisting><![CDATA[
 <security>
   <anonymous-auth-manager/>
   ...
 </security>]]></programlisting>
     </example>

     <para>
       When referencing it from the default-auth-manager or port-mapping sections, its name is
       AnonymousAuthenticationManager.
     </para>
   </section>

   <section id="MultipleAuthProviders">
     <title>Configuring multiple Authentication Providers</title>
     <para>
       Different managers may be used on different ports. Each manager has its own configuration element,
       the presence of which within the &lt;security&gt; section denotes the use of that authentication
       provider. Where only one such manager is configured, it will be used on all ports (including JMX
       and HTTP). Where more than one authentication manager is configured the configuration must define
       which is the "default", and (if required) the mapping of non-default authentication managers to
       other ports.
     </para>
     <para>
       The following configuration sets up three authentication managers, using a password file as the
       default (e.g. for the JMX and HTTP ports), Kerberos on port 5672 (the regular AMQP port) and Anonymous
       on port 5673 (e.g a second AMQP port the broker could have been configured with).
     </para>

     <example>
       <title>Configuring multiple (per-port) authentication schemes</title>
       <programlisting><![CDATA[
 <security>
   <pd-auth-manager>
     <principal-database>
       <class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>
       <attributes>
         <attribute>
           <name>passwordFile</name>
           <value>${conf}/passwd</value>
         </attribute>
       </attributes>
     </principal-database>
   </pd-auth-manager>
   <kerberos-auth-manager>
     <auth-name>sib</auth-name>
   </kerberos-auth-manager>
   <anonymous-auth-manager/>
   <default-auth-manager>PrincipalDatabaseAuthenticationManager</default-auth-manager>
   <port-mappings>
     <port-mapping>
       <port>5672</port>
         <auth-manager>KerberosAuthenticationManager</auth-manager>
       </port-mapping>
     <port-mapping>
       <port>5673</port>
         <auth-manager>AnonymousAuthenticationManager</auth-manager>
     </port-mapping>
   </port-mappings>
   ...
 </security>]]></programlisting>
     </example>
   </section>

 </section>
	<?xml version="1.0" encoding="utf-8"?>

	<!--

	Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.

	-->

	<section id="Java-Broker-Security-Authentication-Providers">
	<title>Authentication Providers</title>
	<para>
	In order to successfully establish a connection to the Java Broker, the connection must be
	authenticated. The Java Broker supports a number of different authentication schemes, each
	with its own "authentication manager". Each of these are outlined below, along with details
	of <link linkend="MultipleAuthProviders"> using more than one at a time</link>.
	</para>

	<section>
	<title>Password File</title>
	<para>
	TODO
	</para>

	</section>

	<section id="LDAPAuthManager">
	<title>LDAP</title>

	<para>
	LDAP authentication can be configured using the <simple-ldap-auth-manager> element
	within the <security> section. An example of how to configure this is shown below.
	Please note this example also configures an unused <pd-auth-manager> to use an empty
	password file, this is a workaround for an issue relating to registration of security providers.
	</para>

	<para>
	<emphasis>NOTE: When using LDAP authentication, you must also use SSL on the brokers AMQP messaging and
	JMX/HTTP management ports in order to protect passwords during transmission to the broker.</emphasis>
	</para>
	<example>
	<title>Configuring LDAP authentication</title>
	<programlisting><![CDATA[
	<security>
	<default-auth-manager>SimpleLDAPAuthenticationManager</default-auth-manager>
	<simple-ldap-auth-manager>
	<provider-url>ldaps://example.com:636/</provider-url>
	<search-context>dc=example\,dc=com</search-context>
	<search-filter>(uid={0})</search-filter>
	</simple-ldap-auth-manager>

	<!-- Unused pd-auth-manager, a workaround to register the necessary security providers -->
	<pd-auth-manager>
	<principal-database>
	<class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>
	<attributes>
	<attribute>
	<name>passwordFile</name>
	<value>${conf}/emptyPasswdFile</value>
	</attribute>
	</attributes>
	</principal-database>
	<pd-auth-manager>
	...
	</security>]]></programlisting>
	</example>

	<para>
	The authentication manager first connects to the ldap server anonymously and searches for the
	ldap entity which is identified by the username provided over SASL. Essentially the
	authentication manager calls
	DirContext.search(Name name, String filterExpr, Object[] filterArgs, SearchControls cons)
	with the values of search-context and search-filter as the first two arguments, and the username
	as the only element in the array which is the third argument.
	</para>

	<para>
	If the search returns a name from the LDAP server, the AuthenticationManager then attempts to
	login to the ldap server with the given name and the password.
	</para>

	<para>
	If the URL to open for authentication is different to that for the search, then the
	authentication url can be overridden using <provider-auth-url> in addition to providing a
	<provider-url>. Note that the URL used for authentication should use ldaps:// since
	passwords will be being sent over it.
	</para>

	<para>
	By default com.sun.jndi.ldap.LdapCtxFactory is used to create the context, however this can be
	overridden by specifying <ldap-context-factory> in the configuration.
	</para>
	</section>

	<section>
	<title>Kerberos</title>

	<para>
	Kereberos Authentication is configured using the <kerberos-auth-manager> element within
	the <security> section. When referencing from the default-auth-manager or port-mapping
	sections, its name is KerberosAuthenticationManager.
	</para>

	<para>
	Since Kerberos support only works where SASL authentication is available (e.g. not for JMX
	authentication) you may wish to also include an alternative Authentication Manager
	configuration, and use this for other ports:
	</para>

	<example>
	<title>Configuring Kerberos authentication</title>
	<programlisting><![CDATA[
	<security>
	<pd-auth-manager>
	<principal-database>
	<class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>
	<attributes>
	<attribute>
	<name>passwordFile</name>
	<value>${conf}/passwd</value>
	</attribute>
	</attributes>
	</principal-database>
	</pd-auth-manager>
	<kerberos-auth-manager/>
	<default-auth-manager>PrincipalDatabaseAuthenticationManager</default-auth-manager>
	<port-mappings>
	<port-mapping>
	<port>5672</port>
	<auth-manager>KerberosAuthenticationManager</auth-manager>
	</port-mapping>
	</port-mappings>
	...
	</security>]]></programlisting>
	</example>

	<para>
	Configuration of kerberos is done through system properties (there doesn't seem to be a way
	around this unfortunately).
	</para>

	<programlisting>
	export QPID_OPTS=-Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=qpid.conf
	${QPID_HOME}/bin/qpid-server
	</programlisting>

	<para>Where qpid.conf would look something like this:</para>

	<programlisting><![CDATA[
	com.sun.security.jgss.accept {
	com.sun.security.auth.module.Krb5LoginModule required
	useKeyTab=true
	storeKey=true
	doNotPrompt=true
	realm="EXAMPLE.COM"
	useSubjectCredsOnly=false
	kdc="kerberos.example.com"
	keyTab="/path/to/keytab-file"
	principal="<name>/<host>";
	};]]></programlisting>

	<para>
	Where realm, kdc, keyTab and principal should obviously be set correctly for the environment
	where you are running (see the existing documentation for the C++ broker about creating a keytab
	file).
	</para>

	<para>
	Note: You may need to install the "Java Cryptography Extension (JCE) Unlimited Strength
	Jurisdiction Policy Files" appropriate for your JDK in order to get Kerberos support working.
	</para>
	</section>

	<section id="ExternalAuthManager">
	<title>External (SSL Client Certificates)</title>

	<para>
	When <link linkend="SSL-Truststore-ClientCertificate"> requiring SSL Client Certificates</link> be
	presented the ExternalAuthenticationManager can be used, such that the user is authenticated based on
	trust of their certificate alone, and the X500Principal from the SSL session is then used as the username
	for the connection, instead of also requiring the user to present a valid username and password.
	</para>

	<para>
	The ExternalAuthenticationManager may be enabled by adding an empty <external-auth-manager> element to
	the <security> section, as shown below. When referencing it from the default-auth-manager or port-mapping
	sections, its name is ExternalAuthenticationManager.
	</para>

	<para>
	<emphasis role="bold">Note:</emphasis> The ExternalAuthenticationManager should typically only be used on the
	AMQP ports, in conjunction with <link linkend="SSL-Truststore-ClientCertificate">SSL client certificate
	authentication</link>. It is not intended for other uses such as the JMX management port and will treat any
	non-sasl authentication processes on these ports as successfull with the given username. As such you should
	<link linkend="MultipleAuthProviders">include another Authentication Manager for use on non-AMQP ports</link>,
	as is done in the example below. Perhaps the only exception to this would be where the broker is embedded in a
	container that is itself externally protecting the HTTP interface and then providing the remote users name.
	</para>

	<example>
	<title>Configuring external authentication (SSL client auth)</title>
	<programlisting><![CDATA[
	<security>
	<pd-auth-manager>
	<principal-database>
	<class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>
	<attributes>
	<attribute>
	<name>passwordFile</name>
	<value>${conf}/passwd</value>
	</attribute>
	</attributes>
	</principal-database>
	</pd-auth-manager>
	<external-auth-manager/>
	<default-auth-manager>PrincipalDatabaseAuthenticationManager</default-auth-manager>
	<port-mappings>
	<port-mapping>
	<port>5672</port>
	<auth-manager>ExternalAuthenticationManager</auth-manager>
	</port-mapping>
	</port-mappings>
	...
	</security>]]></programlisting>
	</example>

	</section>

	<section id="AnonymousAuthManager">
	<title>Anonymous</title>

	<para>
	The AnonymousAuthenticationManager will allow users to connect with or without credentials and result
	in their identification on the broker as the user ANONYMOUS. It may be enabled by adding an empty
	anonymous-auth-manager element to the security configuration section, as shown below.
	</para>

	<example>
	<title>Configuring anonymous authentication</title>

	<programlisting><![CDATA[
	<security>
	<anonymous-auth-manager/>
	...
	</security>]]></programlisting>
	</example>

	<para>
	When referencing it from the default-auth-manager or port-mapping sections, its name is
	AnonymousAuthenticationManager.
	</para>
	</section>

	<section id="MultipleAuthProviders">
	<title>Configuring multiple Authentication Providers</title>
	<para>
	Different managers may be used on different ports. Each manager has its own configuration element,
	the presence of which within the <security> section denotes the use of that authentication
	provider. Where only one such manager is configured, it will be used on all ports (including JMX
	and HTTP). Where more than one authentication manager is configured the configuration must define
	which is the "default", and (if required) the mapping of non-default authentication managers to
	other ports.
	</para>
	<para>
	The following configuration sets up three authentication managers, using a password file as the
	default (e.g. for the JMX and HTTP ports), Kerberos on port 5672 (the regular AMQP port) and Anonymous
	on port 5673 (e.g a second AMQP port the broker could have been configured with).
	</para>

	<example>
	<title>Configuring multiple (per-port) authentication schemes</title>
	<programlisting><![CDATA[
	<security>
	<pd-auth-manager>
	<principal-database>
	<class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>
	<attributes>
	<attribute>
	<name>passwordFile</name>
	<value>${conf}/passwd</value>
	</attribute>
	</attributes>
	</principal-database>
	</pd-auth-manager>
	<kerberos-auth-manager>
	<auth-name>sib</auth-name>
	</kerberos-auth-manager>
	<anonymous-auth-manager/>
	<default-auth-manager>PrincipalDatabaseAuthenticationManager</default-auth-manager>
	<port-mappings>
	<port-mapping>
	<port>5672</port>
	<auth-manager>KerberosAuthenticationManager</auth-manager>
	</port-mapping>
	<port-mapping>
	<port>5673</port>
	<auth-manager>AnonymousAuthenticationManager</auth-manager>
	</port-mapping>
	</port-mappings>
	...
	</security>]]></programlisting>
	</example>
	</section>

	</section>