
JAAS Dual Authentication Plug-In


The JAAS dual authentication plug-in behaves effectively like a hybrid of the username/password authentication plug-in and the certificate authentication plug-in. It enables you to specify one JAAS realm to use when a client connection uses SSL, and another JAAS realm to use when the client connection is non-SSL.

For example, this makes it possible to use certificate authentication for SSL connections and JMS username/password authentication for non-SSL connections, where the selection is made dynamically at run time.

Sample JAAS realms

Example 15 shows the definitions of two sample JAAS realms: a realm for non-SSL connections, activemq-domain; and a realm for SSL connections, activemq-ssl-domain.

Example 15. JAAS Login Entries for Secure and Insecure Connections

// Realm for non-SSL connections
activemq-domain {
  org.apache.activemq.jaas.PropertiesLoginModule sufficient;
  org.apache.activemq.jaas.GuestLoginModule sufficient;
};

// Realm for SSL connections
activemq-ssl-domain {
  org.apache.activemq.jaas.TextFileCertificateLoginModule required;
};

The activemq-domain login entry illustrates how to use multiple login modules in a single realm. With this configuration, JAAS first tries to authenticate a client using the PropertiesLoginModule login module. If that authentication step fails, JAAS then attempts to authenticate the client using the next login module, GuestLoginModule. The guest login module assigns a default username and group ID to the client and always succeeds at authenticating, so a client that fails username/password authentication in this realm is still admitted with the guest identity. For more details, see JAAS Guest Login Module.

Enabling the JAAS dual authentication plug-in

To enable the JAAS dual authentication plug-in, add the jaasDualAuthenticationPlugin element to the list of plug-ins in the broker configuration file and initialize both the configuration attribute (to specify the JAAS realm used for non-SSL connections) and the sslConfiguration attribute (to specify the JAAS realm used for SSL connections).

  <broker ...>
    <plugins>
      <jaasDualAuthenticationPlugin configuration="activemq-domain" sslConfiguration="activemq-ssl-domain" />
    </plugins>
  </broker>