The easiest way to secure the broker is through the use of authentication credentials placed directly in the broker’s XML configuration file. Such functionality is provided by the simple authentication plug-in that’s part of ActiveMQ. The following listing provides an example of using this plug-in.
<plugins> <simpleAuthenticationPlugin> <users> <authenticationUser username="admin" password="admin" groups="admins,producers,consumers"/> <authenticationUser username="producer" password="producer" groups="producers,consumers"/> <authenticationUser username="consumer" password="consumer" groups="consumers"/> <authenticationUser username="guest" password="guest" groups="guests"/> </users> </simpleAuthenticationPlugin> </plugins>
By using this simple configuration snippet, four users can now access ActiveMQ. Obviously, for authentication purposes, each user must have a username and a password. Additionally, the groups attribute provides a comma-separated list of groups to which the user belongs. This information is used for authorization purposes, as will be seen shortly.
The preceding exception is expected because a security plug-in is activated but the authentication credentials haven’t yet been defined in the producer client. To fix this exception, modify the producer to add a username and password. The following snippet provides an example of this:
private String username = "producer"; private String password = "producer"; public Producer() throws JMSException { factory = new ActiveMQConnectionFactory(brokerURL); connection = factory.createConnection(username, password); connection.start(); session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE); producer = session.createProducer(null); }
As the preceding snippet shows, the only necessary change is to define a username and a password that are then used as parameters to the call to the createConnection() method.
Unfortunately, with the simple authentication plug-in, passwords are stored (and transferred) as clear text, which impacts the security of the broker. But even plain-text passwords prevent unauthorized clients from interacting with the broker, and in some
environments this is all that’s needed. Additionally, you can consider using the simple authentication plug-in in combination with the SSL transport, which will at least solve the problem of sending plain passwords over the network.