ActiveMQ使用笔记（四）ActiveMQ配置安全性

监视ActiveMQ的方式有多种，在第一部分中已经说到了Web监视控制台，设置登录用户名和密码，这里再说一下JMX监控。运行了ActiveMQ之后，再运行jdk自带的jconsole即可以看到ActiveMQ的进程，如图：点击连接之后就可以看到ActiveMQ的运行情况。默认情况下是不需要用户名和口令的，修改activemq.bat，找到

Java

 

1 2 3

SUNJMX = - Dcom . sun . management . jmxremote . port = 1099 - Dcom . sun . management . jmxremote . authenticate = false - Dcom . sun . management . jmxremote . ssl = false

修改成

Java

 

1 2 3 4 5

SUNJMX = - Dcom . sun . management . jmxremote . port = 1616 - Dcom . sun . management . jmxremote . authenticate = true - Dcom . sun . management . jmxremote . ssl = false - Dcom . sun . management . jmxremote . password . file = % ACTIVEMQ_BASE % / conf / jmx . password - Dcom . sun . management . jmxremote . access . file = % ACTIVEMQ_BASE % / conf / jmx . access

Linux下的找到：

Java

 

1 2 3 4 5

# ACTIVEMQ_SUNJMX_START = "-Dcom.sun.management.jmxremote.port=11099 " # ACTIVEMQ_SUNJMX_START = "$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.password.file=${ACTIVEMQ_CONFIG_DIR}/jmx.password" # ACTIVEMQ_SUNJMX_START = "$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.access.file=${ACTIVEMQ_CONFIG_DIR}/jmx.access" # ACTIVEMQ_SUNJMX_START = "$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.ssl=false" ACTIVEMQ_SUNJMX_START = "$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote"

去掉注释即可。
重启ActiveMQ之后，在用jconsole连接就需要输入用户名和密码，jmx.access文件配置用户的访问权限readonly和readwrite，admin readwrite表示用户admin具有读写权限。Jmx.password文件配置用户的密码，admin activemq 表示admin用户的密码是activemq。

除了监视台可以设置用户名和密码之后，ActiveMQ也可以对各个主题和队列设置用户名和密码，配置如下：

Java

 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34

<plugins>   < ! -- Configure authentication ; Username , passwords and groups -- >   <simpleAuthenticationPlugin>       <users>           < authenticationUser username = "system" password = "manager" groups = "users,admins" / >           < authenticationUser username = "user" password = "password" groups = "users" / >           < authenticationUser username = "guest" password = "password" groups = "guests" / >           < authenticationUser username = "testUser" password = "123456" groups = "testGroup" / >       < / users >   < / simpleAuthenticationPlugin >   < ! --   Lets configure a destination based authorization mechanism -- >   <authorizationPlugin>     <map>       <authorizationMap>         <authorizationEntries>           < authorizationEntry queue = "queue.group.uum" read = "users" write = "users" admin = "users" / >           < authorizationEntry queue = ">" read = "admins" write = "admins" admin = "admins" / >           < authorizationEntry queue = "USERS.>" read = "users" write = "users" admin = "users" / >           < authorizationEntry queue = "GUEST.>" read = "guests" write = "guests,users" admin = "guests,users" / >           < authorizationEntry queue = "TEST.Q" read = "guests" write = "guests" / >           < authorizationEntry queue = "test" read = " testGroup " write = " testGroup " / >           < authorizationEntry topic = ">" read = "admins" write = "admins" admin = "admins" / >           < authorizationEntry topic = "USERS.>" read = "users" write = "users" admin = "users" / >           < authorizationEntry topic = "GUEST.>" read = "guests" write = "guests,users" admin = "guests,users" / >           < authorizationEntry topic = "ActiveMQ.Advisory.>" read = "guests,users ,testGroup" write = "guests,users ,testGroup " admin = "guests,users ,testGroup " / >         < / authorizationEntries >       < / authorizationMap >     < / map >   < / authorizationPlugin > < / plugins >

simpleAuthenticationPlugin中设置用户名、密码和群组，authorizationPlugin设置主题和队列的访问群组，“>”表示所有的主题或者队列。上面的配置中添加了一个testUser，属于群组testGroup，同时设置test这个队列的访问读写权限为testGroup，当然admins也可以访问的，因为admins是对所有的队列都有访问权限。将第三部分代码中的设置用户名和密码改成刚刚添加的用户testUser，如果密码不正确，将会抛出User name or password is invalid.异常，如果testUser所属的群组不能访问test队列，那么会抛出User guest is not authorized to write to: queue://test异常。需要注意的是所有的群组都需要对以ActiveMQ.Advisory为前缀的主题具有访问权限。