6.3 Building a custom security plug-in

So far this chapter has focused on the built-in security features in ActiveMQ. Though these features should provide enough functionality for the majority of users, an even more powerful feature is available. As stated previously, the ActiveMQ plug-in API is extremely flexible and the possibilities are endless. The flexibility in this functionality comes from the BrokerFilter class. This class provides the ability to intercept many of the available broker-level operations. Broker operations include such items as adding consumers and producers to the broker, committing transactions in the broker, and adding and removing connections to the broker, to name a few. Custom functionality can be added by extending the BrokerFilter class and overriding a method for a given operation.

Though the ActiveMQ plug-in API isn't concerned solely with security, implementing a class whose main purpose is to handle a custom security feature is achievable. So if you have security requirements that can't be met using the previous security features, you may want to consider developing a custom solution for your needs. Depending on your needs, two choices are available:

- Implement a JAAS login module—There's a good chance that you're already using JAAS in your Java applications. In this case, it's only natural that you'll try to reuse all that work for securing the ActiveMQ broker, too. Since JAAS isn't the main topic of this book, we won't dive any deeper into this topic than we already have.
- Implement a custom plug-in for handling security—ActiveMQ provides a flexible generic plug-in mechanism. You can create your own custom plug-ins for just about anything, including custom security plug-ins. So if you have requirements that can't be met by implementing a JAAS module, writing a custom plug-in is the way to go.

In this section we'll describe how to write a simple security plug-in that authorizes broker connections only from a certain set of IP addresses. The concept isn't complex but is good enough to give you a taste of the BrokerFilter with an angle toward security.

6.3.1 Implementing the plug-in

In order to limit connectivity to the broker based on IP address, we'll create a class named IPAuthenticationBroker to override the BrokerFilter.addConnection() method. The implementation of this method will perform a simple check of the IP address using a regular expression to determine the ability to connect. The following listing shows the implementation of the IPAuthenticationBroker class.

Listing 6.4 IPAuthenticationBroker class—custom broker implementation
The BrokerFilter class defines methods that intercept broker operations such as adding a connection, removing a subscriber, and so forth. In the IPAuthenticationBroker class, the addConnection() method is overridden to create some logic that checks whether the address of a connecting client falls within a list of IP addresses that are allowed to connect. If that IP address is allowed to connect, the call is delegated to the BrokerFilter.addConnection() method. If that IP address isn't allowed to connect, an exception is thrown.

One additional item of note in the IPAuthenticationBroker class is that its constructor calls the BrokerFilter's constructor. This call serves to set up the chain of interceptors so that the proper cascading will take place through the chain. Don't forget to do this if you create your own BrokerFilter implementation.

After the actual plug-in logic has been implemented, the plug-in must be configured and installed. For this purpose, an implementation of the BrokerPlugin will be created. The BrokerPlugin is used to expose the configuration of a plug-in and also to install the plug-in into the ActiveMQ broker. In order to configure and install the IPAuthenticationBroker, the IPAuthenticationPlugin class is created as shown in the following listing.

Listing 6.5 IPAuthenticationPlugin class—custom plug-in implementation
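The two classes described above, written here as an added example rather than the book's own Listings 6.4 and 6.5, against the ActiveMQ 5.x broker API (BrokerFilter, BrokerPlugin, ConnectionContext.getConnection().getRemoteAddress()). The remote-address string format, the package name org.apache.activemq.book.ch6 and the property name allowedIPAddresses are assumptions; the check fails closed, so an address it cannot parse is rejected rather than admitted.

```java
// Added example, not the book's listing. Assumes the ActiveMQ 5.x API
// (BrokerFilter, BrokerPlugin, ConnectionContext.getConnection().getRemoteAddress()).
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;
import org.apache.activemq.broker.BrokerPlugin;
import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.command.ConnectionInfo;

// File 1: IPAuthenticationBroker.java
public class IPAuthenticationBroker extends BrokerFilter {
    // Assumed remote-address form, e.g. "tcp://127.0.0.1:54321" or "/127.0.0.1:54321";
    // group 1 captures the dotted IPv4 address. Anything else (IPv6, hostnames) is rejected.
    private static final Pattern REMOTE = Pattern.compile("^.*?/([0-9.]+):\\d+$");
    private final List<String> allowedIPAddresses;

    public IPAuthenticationBroker(Broker next, List<String> allowedIPAddresses) {
        super(next); // mandatory: links this filter into the interceptor chain
        this.allowedIPAddresses = allowedIPAddresses;
    }

    @Override
    public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception {
        String remote = context.getConnection().getRemoteAddress();
        Matcher m = REMOTE.matcher(remote);
        // Fail closed: a missing list or an unparseable address is treated as not allowed.
        if (allowedIPAddresses == null || !m.matches() || !allowedIPAddresses.contains(m.group(1))) {
            throw new SecurityException("Connection from " + remote + " is not allowed");
        }
        super.addConnection(context, info); // admitted: pass the call down the chain
    }
}

// File 2: IPAuthenticationPlugin.java, wired into the broker XML (assumed form) as
//   <plugins>
//     <bean xmlns="http://www.springframework.org/schema/beans" id="ipAuthenticationPlugin"
//           class="org.apache.activemq.book.ch6.IPAuthenticationPlugin">
//       <property name="allowedIPAddresses"><list><value>127.0.0.1</value></list></property>
//     </bean>
//   </plugins>
public class IPAuthenticationPlugin implements BrokerPlugin {
    private List<String> allowedIPAddresses;
    public Broker installPlugin(Broker broker) throws Exception {
        return new IPAuthenticationBroker(broker, allowedIPAddresses); // wrap the next broker
    }
    // Bean-style accessors so the XML <property> above can inject the list.
    public List<String> getAllowedIPAddresses() { return allowedIPAddresses; }
    public void setAllowedIPAddresses(List<String> a) { allowedIPAddresses = a; }
}
```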
The IPAuthenticationBroker.installPlugin() method is used to instantiate the plug-in and return a new intercepted broker for the next plug-in in the chain. Note that the IPAuthenticationPlugin class also contains getter and setter methods used to configure the IPAuthenticationBroker. These setter and getter methods are then available via a Spring beans–style XML configuration in the ActiveMQ XML configuration file (as you'll see in a moment).

6.3.2 Configuring the plug-in

Now that we've implemented the plug-in, let's see how we can configure it using the ActiveMQ XML configuration file. The following listing shows how the IPAuthenticationPlugin class is used in configuration.

Listing 6.6 Configuring the custom plug-in
The <broker> element provides the plugins element for declaring plug-ins. Using the IPAuthenticationPlugin, only those clients connecting from the IP address 127.0.0.1 (the localhost) can actually connect to the broker.

6.3.3 Testing the plug-in

All that needs to be done now is to test the plug-in. Here's the command to copy the examples JAR file into place (because it contains the plug-in) and the command to start up ActiveMQ using the IPAuthenticationPlugin and the IPAuthenticationBroker:

$ cp target/activemq-in-action-examples.jar ${ACTIVEMQ_HOME}/lib/
$ ${ACTIVEMQ_HOME}/bin/activemq console xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-custom.xml
Now run the client to connect to ActiveMQ from the localhost and everything should be working fine. See the following output:
If a connection attempt is made from any host other than the localhost, you can expect to see the following output including the exception:
Although this example was more complex, it serves as a good demonstration of the power provided by the BrokerFilter class. Just imagine how flexible this plug-in mechanism is for integrating with existing custom security requirements. This example was focused on a security example, but many other operations can be customized by using the pattern illustrated here.