This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Security in WSO2 Message Broker/Apache Qpid
- Former user (Deleted)
Given below is an overview of how some common security concepts are implemented in WSO2 Message Broker.
| Security Concept | How it is Implemented in WSO2 MB |
|---|---|
| Authentication | Andes Authenticator connected entities to authenticate. |
| Authorization | Creation and use of role-based permissions. |
| Availability | Clustering using Apache Zookeeper. |
| Integrity | Message-level encryption using WS-Security. |
Let's see how each concept in the table above is implemented in WSO2 MB.
To set up WSO2 MB with WSO2 ESB, refer to section Configure with WSO2 Message Broker. Also, open <MB_HOME>/repository/conf/advanced/qpid-config.xml file and add the following line as a child element of <tuning>.
<messageBatchSizeForBrowserSubscriptions>100000</messageBatchSizeForBrowserSubscriptions>
Authentication: Plain Text
WSO2 MB requires all its incoming connections to be authenticated. The <ESB_HOME>/repository/conf/jndi.properties file contains lines similar to the following. They contain the username and password credentials used to authenticate connections made to the WSO2 MB. This is plain text authentication.
connectionfactory.TopicConnectionFactory = amqp://admin:admin@clientID/carbon?brokerlist='tcp://localhost:5672' connectionfactory.QueueConnectionFactory = amqp://admin:admin@clientID/carbon?brokerlist='tcp://localhost:5672'
In the WSO2 MB authentication example below, we send a request to the proxy service testJMSProxy, which adds a message to the example.MyQueue queue.
<definitions xmlns="http://ws.apache.org/ns/synapse">
<registry provider="org.wso2.carbon.mediation.registry.WSO2Registry">
<parameter name="cachableDuration">15000</parameter>
</registry>
<proxy name="testJMSProxy"
transports="https http"
startOnLoad="true"
trace="disable">
<target>
<inSequence>
<property name="FORCE_SC_ACCEPTED" value="true" scope="axis2"/>
<property name="target.endpoint" value="jmsEP" scope="default"/>
<store messageStore="testMsgStore"/>
</inSequence>
</target>
</proxy>
<endpoint name="jmsEP">
<address uri="http://localhost:9000/services/SimpleStockQuoteService"/>
</endpoint>
<sequence name="fault">
<log level="full">
<property name="MESSAGE" value="Executing default 'fault' sequence"/>
<property name="ERROR_CODE" expression="get-property('ERROR_CODE')"/>
<property name="ERROR_MESSAGE" expression="get-property('ERROR_MESSAGE')"/>
</log>
<drop/>
</sequence>
<sequence name="main">
<in>
<log level="full"/>
<filter source="get-property('To')" regex="http://localhost:9000.*">
<send/>
</filter>
</in>
<out>
<send/>
</out>
<description>The main sequence for the message mediation</description>
</sequence>
<messageStore class="org.wso2.carbon.message.store.persistence.jms.JMSMessageStore"
name="testMsgStore">
<parameter name="java.naming.factory.initial">org.wso2.andes.jndi.PropertiesFileInitialContextFactory</parameter>
<parameter name="java.naming.provider.url">repository/conf/jndi.properties</parameter>
<parameter name="store.jms.destination">MyQueue</parameter>
</messageStore>
</definitions>
If you change the authentication credentials of the jndi.properties file, the connection will not be authenticated. You will see an error similar to:
ERROR - AMQConnection Throwable Received but no listener set: org.wso2.andes.AMQDisconnectedException: Server closed connection and reconnection not permitted.
Authentication: Encrypted
In the previous authentication example, the user names and passwords are stored in plain text inside the WSO2 ESB’s jndi.properties file. These credentials can be stored in an encrypted manner for added security. For WSO2 MB based encryption, refer to section WSO2 Carbon Secure Vault in WSO2 MB documentation here: http://docs.wso2.org/wiki/display/MB201/WSO2+Carbon+Secure+Vault.
Authorization
WSO2 MB allows user-based authorization as seen in the example on WSO2 MB Authentication. To set up users, follow the instructions in User Management section of the WSO2 MB documentation here: http://docs.wso2.org/wiki/display/MB201/User+Management.
WSO2 MB provides role-based authorization for topics, where public/subscribe access can be assigned to user groups. For more information on setting up role-based authorization for topics, refer to section Managing Topics and Subscriptions section of the WSO2 MB documentation here: http://docs.wso2.org/wiki/display/MB201/Managing+Topics+and+Subscriptions Managing Topics and Subscriptions .
Integrity
Integrity is part of message-level security, and can be implemented using a standard like WS-Security. Refer to the section on Integrity in ActiveMQ to see how message-level security works over JMS.
Next, let's see how security is implemented in Apache ActiveMQ: Security in Apache ActiveMQ.