<ssl>
<broker-ssl-port>3390</broker-ssl-port>
<keystore-location>/path/to/my/mykeystore.jks</keystore-location>
<keystore-password>password</keystore-password>
<key-password>mypassword</key-password>
</ssl>
To support your custom authentication you must implement pt.com.broker.auth.AuthInfoValidator.
Example:
package pt.com.broker.examples;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import pt.com.broker.auth.AuthInfo;
import pt.com.broker.auth.AuthInfoValidator;
import pt.com.broker.auth.AuthValidationResult;
import pt.com.broker.auth.ProviderInfo;
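public class CustomAuthenticationProvider implements AuthInfoValidator {

    /** Configuration handed over by the broker in {@link #init(ProviderInfo)}; stored but not read by this example. */
    ProviderInfo providerInfo;

    /**
     * Validates the credentials presented by a connecting client.
     *
     * <p>The actual check is deferred to the returned {@link AuthValidationResult}: its
     * {@code areCredentialsValid()} compares the client's token against the example secret,
     * {@code getReasonForFailure()} explains a rejection and {@code getRoles()} lists the roles
     * granted to an accepted client.
     *
     * @param clientAuthInfo credentials sent by the client; only its token is inspected
     * @return a result whose {@code areCredentialsValid()} is {@code true} only when the token
     *     equals the secret
     * @throws Exception declared by {@code AuthInfoValidator.validate}; this implementation does not throw
     */
    @Override
    public AuthValidationResult validate(final AuthInfo clientAuthInfo) throws Exception {
        return new AuthValidationResult() {

            @Override
            public boolean areCredentialsValid() {
                // Example only: a real validator must obtain the secret from configuration
                // (e.g. what init(ProviderInfo) receives), not from a literal in source.
                final byte[] secret = "My super secret password".getBytes(StandardCharsets.UTF_8);
                // Assumes getToken() returns byte[], as the original Arrays.equals call implied;
                // confirm against AuthInfo.
                final byte[] token = clientAuthInfo.getToken();
                // Arrays.equals returns at the first differing byte, so its run time reveals how
                // much of the secret matched; MessageDigest.isEqual compares in constant time.
                // Both treat a null token as "not equal".
                return MessageDigest.isEqual(token, secret);
            }

            @Override
            public String getReasonForFailure() {
                return "Invalid Secret";
            }

            @Override
            public List<String> getRoles() {
                // Every accepted client gets the same single role; a fresh mutable list is
                // returned on each call so callers cannot share or corrupt a cached instance.
                List<String> grantedRoles = new ArrayList<>(1);
                grantedRoles.add("SUPER-USER");
                return grantedRoles;
            }
        };
    }

    /**
     * Stores the provider configuration supplied by the broker.
     *
     * @param info provider configuration from the broker's global config
     * @return {@code false}, as in the original example. NOTE(review): the meaning of this
     *     boolean is defined by {@code AuthInfoValidator}; confirm whether {@code false} signals a
     *     failed initialisation before copying this into a real provider.
     */
    @Override
    public boolean init(ProviderInfo info) {
        providerInfo = info;
        return false;
    }
}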
Global Config file example:
<global-config>
....
<credential-validators>
<credential-validator provider-name="MyCustomValidator">
<class>pt.com.broker.examples.CustomAuthenticationProvider</class>
</credential-validator>
</credential-validators>
</global-config>
It’s possible to define policies to grant access to consumers/producers that meet a specific condition.
<!-- This condition applies the acl to everyone -->
<condition condition-type="ALWAYS"/>
<!-- This condition is only applicable to connections coming from the localhost -->
<condition condition-type="ADDRESS">
<address mask="32">127.0.0.1</address>
</condition>
<!-- This condition is only applicable to authenticated users who were granted a specific role -->
<condition condition-type="ROLE">
<role>SUPER-USER</role>
</condition>
<!--
If you specify more than one condition they are evaluated as a disjunction (OR logic gate): the acl applies when any one of them holds.
To change this behavior and require all conditions to hold you must wrap them in an AND condition.
This acl is only applicable to users that have both roles.
-->
<condition condition-type="AND">
<condition condition-type="ROLE">
<role>SUPER-USER</role>
</condition>
<condition condition-type="ROLE">
<role>brk_reader_role</role>
</condition>
</condition>
Deny everyone READ or WRITE access to destinations matching “/system/.*”
<global-config>
<!-- ........ -->
<security-policies>
<policies>
<!-- ........ -->
<policy policy-name="default">
<acl>
<entry action="DENY" destination-type="TOPIC QUEUE VIRTUAL_QUEUE" destination="/system/.*" privilege="READ WRITE">
<condition condition-type="ALWAYS"/>
</entry>
</acl>
</policy>
<!-- ........ -->
</policies>
</security-policies>
</global-config>