FioranoMQ supports Realm-based security that allows FioranoMQ to integrate with Solaris and NT security realms. This eliminates the need to create MQ-specific users and permissions.

A realm is an administrative entity around which basic operational security policies revolve. A realm determines the scope of the security data and is normally used to organize the objects used in defining access control policies.

Security realms represent a logical grouping of Users, Groups, and Access Control Lists (ACLs) for protecting FioranoMQ Server resources. The default security realm or one of the sets of alternative security realms can be used, which allow usage of Windows NT, UNIX, and LDAP (Lightweight Directory Access Protocol) security stores. In addition, FioranoMQ supports custom developed security realms.

A Realm object provides access to users and the main Principals around which a realm is organized, and supports modifying (and extending) it according to policies defined by the realm administrator and by each particular kind of realm. Different Realms use different Authentication Protocols such as passwords (or pass phrases) and public key certificates. Groups of users (and of other groups) are used to define various policies applying to many users. ACLs are uniquely associated with entries in each realm.

FioranoMQ implements a sophisticated security engine that allows dynamic updating of Users/Groups and their privileges. Users, Groups, and ACLs can be retrieved as needed from an external source.

The FioranoMQ Realms Subsystem is divided into two services: User Management and Access Control Management, each of which is discussed in the following sections.

FioranoMQ User Management

The FioranoMQ User Management service uses Realms to retrieve Users and Groups as Java objects. Any one of the following realms can be chosen for User Management:

  • Default Realm
  • NT Realm
  • RDBMS Realm
  • LDAP Realm
  • Caching Realm
  • XML Realm

The User Manager implementation can be specified in the profile deployed during configuration.

Access Control Management

FioranoMQ includes a powerful and flexible access control system to control access to applications and to backend services that clients access through the FioranoMQ Server. The access control system is built on the Java2 security APIs.

An ACL guards an object or service in the FioranoMQ Server. ACLs can guard Topics and Queues. Additionally, custom ACLs can be created for use in applications. An ACL holds a list of ACL entries, each with a set of permissions for a user or group. Permissions are actions that can be performed on the protected destination, for example, publish, lookup, and subscribe.

FioranoMQ's dynamic verification engine is invoked before any service call is executed, which checks pertinent ACLs, testing whether the user has the permission required to continue.

By default, FioranoMQ uses the file-based data store for storing ACL information. ACLs are associated with realms in such a way that the entries in them, which identify users and groups, are only significant within a particular realm. FioranoMQ realms are dynamic; they retrieve Users, Groups, and ACLs as needed from an external source.

More information about Access Control Lists is available in the Java documentation of the java.security.acl package.
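The entry-and-permission model and the pre-call check described above, as an added example that is not FioranoMQ's own code: it models the precedence idea of java.security.acl (entries naming a user override entries naming the user's group) in a simplified form, and the user, group and Topic names are constructed (Java 16 or later).

```java
import java.security.Principal;
import java.util.*;
// Constructed example, not FioranoMQ's own code: a minimal ACL built from the page's
// description (entries granting permissions to users or groups, checked before a
// service call). The principals and the Topic name are made up for illustration.
public class AclCheckExample {
    record User(String name) implements Principal { public String getName() { return name; } }
    record Group(String name, Set<User> members) implements Principal {
        public String getName() { return name; }
        boolean isMember(User u) { return members.contains(u); }
    }
    // negative == true denies the listed permissions instead of granting them
    record AclEntry(Principal principal, boolean negative, Set<String> permissions) {}
    static final class Acl {
        private final List<AclEntry> entries = new ArrayList<>();
        void addEntry(AclEntry e) { entries.add(e); }
        // Effective permissions for a user. As in java.security.acl, entries naming the user
        // directly take precedence over group entries; here a user-level denial always wins.
        Set<String> getPermissions(User user) {
            Set<String> userPos = new HashSet<>(), userNeg = new HashSet<>();
            Set<String> groupPos = new HashSet<>(), groupNeg = new HashSet<>();
            for (AclEntry e : entries) {
                if (e.principal().equals(user)) {
                    (e.negative() ? userNeg : userPos).addAll(e.permissions());
                } else if (e.principal() instanceof Group g && g.isMember(user)) {
                    (e.negative() ? groupNeg : groupPos).addAll(e.permissions());
                }
            }
            Set<String> effective = new HashSet<>(groupPos);
            effective.removeAll(groupNeg); // conflicting group entries cancel out
            effective.addAll(userPos);     // user-level grants
            effective.removeAll(userNeg);  // user-level denials override everything
            return effective;
        }
        // The check the verification engine performs before executing a service call.
        boolean checkPermission(User user, String permission) {
            return getPermissions(user).contains(permission);
        }
    }
    public static void main(String[] args) {
        User alice = new User("alice"), bob = new User("bob");
        Group publishers = new Group("publishers", Set.of(alice, bob));
        Acl ordersAcl = new Acl(); // guards a hypothetical "orders" Topic
        ordersAcl.addEntry(new AclEntry(publishers, false, Set.of("publish", "subscribe")));
        ordersAcl.addEntry(new AclEntry(bob, true, Set.of("publish")));
        for (User u : List.of(alice, bob))
            for (String p : List.of("publish", "subscribe"))
                System.out.println(u.getName() + " " + p + ": " + ordersAcl.checkPermission(u, p));
    }
}
```

Because the group grant for bob is cancelled by the negative entry naming him directly, only alice may publish to the guarded Topic while both may still subscribe.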

Any of the following realms can be chosen for ACL management:

  • Default Realm
  • RDBMS Realm
  • LDAP Realm
  • XML Realm

The ACL Manager Implementation can be specified in the profile deployed during configuration.