7.11.1 Enabling plug-in based user authentication in FMQ Server
To enable plug-in based authentication in FioranoMQ Server, perform the following steps:
- Launch the admin studio and open the profile (by default FioranoMQ) in offline mode.
- Navigate to FioranoMQ > Fiorano > security > SecuritySubSystem.
- In the properties pane, enable the UseAuthenticationModules property.
- Save the configuration.
7.11.2 Using authentication modules to authenticate a user
Using JAAS modules, the FioranoMQ server can integrate with an external pluggable security service provider, such as the local UNIX/Linux operating system or an LDAP directory, that stores the user login information. The interaction with this external provider (creating the JDBC connection, creating the SSL-enabled LDAP connection, querying the RDBMS/LDAP provider to validate the supplied credentials, and so on) and thereby obtaining the authentication result (PASSED or FAILED) is implemented externally in the JAAS modules. FioranoMQ then calls these modules to obtain the authentication result and, based on it, authenticates the user for performing one of the above operations. This section demonstrates how the necessary plug-in modules are to be provided for authentication.
7.11.2.1 Login configuration
JAAS authentication is performed in a pluggable fashion. This permits Java applications (in this case FioranoMQ Server) to remain independent from underlying authentication technologies. New or updated technologies can be plugged in without requiring modifications to the application itself. An implementation for a particular authentication technology to be used via LoginModule(s) is determined at runtime. The implementation is specified in a login configuration file.
The configuration file to be used can be specified in one of two ways:
- Through server configuration (preferred):
  - Launch the admin studio and open the profile (by default FioranoMQ) in offline mode.
  - Navigate to FioranoMQ > Fiorano > security > SecuritySubSystem. In the properties pane, set the ConfigurationFileName property to the location of the desired configuration file.
  - Save the configuration.
- Through server start-up parameters:
  - Open the %FIORANO_HOME%/fmq/bin/fmq.conf file and, under the <java.system.props> tag, add the following line:
    java.security.auth.login.config=%location of a desired configuration file%
A login configuration file can consist of one or more entries, each specifying which underlying authentication technology should be used for a particular application or applications. The entry to be used by the FioranoMQ server is specified as follows:
- Launch the admin studio and open the profile (by default FioranoMQ) in offline mode.
- Navigate to FioranoMQ > Fiorano > security > SecuritySubSystem. In the properties pane, set the ConfigurationName property to the name of the desired configuration entry.
- Save the configuration.
For more information as to what a login configuration file is and what it contains, see JAAS Online Documentation.
7.11.2.2 Login module
LoginModule describes the interface implemented by authentication technology providers (system administrators). LoginModules are plugged in under applications to provide a particular type of authentication. While FioranoMQ invokes the LoginContext API, authentication technology providers should implement the LoginModule interface. As mentioned in the previous section, the Configuration specifies the LoginModule(s) to be used with a particular login application, in this case the FioranoMQ server. Therefore different LoginModules can be plugged in seamlessly under the FioranoMQ server without any additional server-side configuration.
Any LoginModule must implement the following methods of javax.security.auth.spi.LoginModule:
- boolean abort()
- boolean commit()
- void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options)
- boolean login()
- boolean logout()
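As an added example, not part of the original documentation and not FioranoMQ's own SampleLoginModule, the following puts together the two pieces described in the sections above: a login configuration entry (shown in the leading comment) whose name would be set in the ConfigurationName property, and a LoginModule implementing the five methods listed above, which obtains the credentials through the CallbackHandler the server supplies and scrubs the password copy once the check is done. The class name com.example.auth.ExampleLoginModule, the entry name FMQExternalAuth and the externalProviderAccepts stand-in for the real external check are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Matching login configuration entry (hypothetical). "FMQExternalAuth" is what the
// ConfigurationName property is set to; the file path goes in ConfigurationFileName.
//   FMQExternalAuth {
//       com.example.auth.ExampleLoginModule required;
//   };
public class ExampleLoginModule implements LoginModule {
    private CallbackHandler handler;
    private boolean succeeded;   // outcome of login(), consumed by commit()/abort()

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = callbackHandler;   // the server hands over the user's credentials through it
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("user: ");
        PasswordCallback pwdCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, pwdCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        char[] password = pwdCb.getPassword();
        try {
            // The external check (LDAP bind, RDBMS lookup, OS login) belongs here; stubbed below.
            succeeded = externalProviderAccepts(nameCb.getName(), password);
        } finally {
            if (password != null) Arrays.fill(password, '\0');   // scrub our copy of the secret
            pwdCb.clearPassword();
        }
        if (!succeeded) throw new FailedLoginException("authentication failed");
        return true;
    }
    private boolean externalProviderAccepts(String user, char[] password) {
        // Hypothetical stand-in for the real provider; rejects empty credentials outright.
        return user != null && !user.isEmpty() && password != null && password.length > 0;
    }
    @Override public boolean commit() { return succeeded; }            // no Principals added here
    @Override public boolean abort()  { succeeded = false; return true; }
    @Override public boolean logout() { succeeded = false; return true; }
}
```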
Once the LoginModule interface has been implemented, the implementation classes must be included in the class path of the FioranoMQ Server, so that when the server invokes the LoginContext API to authenticate user credentials, the LoginModules named in the configuration are found and invoked. This is done as follows:
- Locate the jar file which contains the class files of the implementation classes of LoginModule.
- Open the %FIORANO_HOME%/fmq/bin/fmq.conf file and add the location of the above jar file under the "3RD PARTY LIBRARIES" section.
Example implementation
A detailed explanation and an example implementation of LoginModule, com.fiorano.jms.auth.SampleLoginModule, is provided in the %FIORANO_HOME%/fmq/Utilities/ExternalAuthnModule directory. More details of the class and its dependencies are present in the readme file in the same directory.