AuthenticationSwiftlet
Swiftlet Name

The Swiftlet name of the AuthenticationSwiftlet is sys$authentication.

Authentication Concept

Usually there are two situations for using a MOM: either no authentication is needed, because the MOM runs in a secure area (e.g. behind a firewall or for testing purposes), or strong authentication with fine-grained resource granting is necessary.

The AuthenticationSwiftlet supports both modes through a property that enables or disables authentication.

When authentication is enabled, groups must be defined that contain resource grants. Each grant points to a specific resource (e.g. a queue) and specifies which functions are allowed or forbidden. Next, users should be defined that are members of a group. Each operation is then checked against these definitions. If the operation is not granted, it is rejected and the client receives a JMSSecurityException (if this occurs during JNDI operations, it is mapped to a NamingException).

Public Group

There are often grants that each user should have, such as publishing to the topic swiftmq.jndi. To support this, a group with the name "public" is predefined. Every user is automatically a member of this group, so a resource grant defined in this group applies to all users.

Anonymous User

An anonymous user logs into SwiftMQ with a "null" username. This is automatically changed to the predefined username "anonymous". By default, anonymous has no password (null), but that can be changed as for every other user.

Special Grants

When enabling authentication, some special grants must be assigned to enable users to access SwiftMQ system resources.

Topic "swiftmq.jndi"

The topic swiftmq.jndi is the topic where each JNDISwiftlet on each router listens for JNDI lookup requests. Each user that uses JNDI lookups must have a publish grant on this topic. It is suggested to put this grant into the group public.

Queue "swiftmqmgmt"

The queue swiftmqmgmt is the queue where each MgmtSwiftlet on each router listens for management requests. These requests are sent from SwiftMQ management tools such as SwiftMQ Explorer and CLI. A user that has a grant to this queue has full administrator rights on the specific router. It is therefore suggested to create an admin group and to specify a send grant to this queue only in that group.

Enabling/Disabling Authentication

Authentication as a whole can be enabled or disabled. When enabled, every resource request is checked against the current user/group/grant assignments. When disabled, every user may perform every operation.
The default value for this property is false (authentication is disabled).

Property definition:


 swiftlet.sys$authentication.authentication.enabled=<boolean>

Example:


 swiftlet.sys$authentication.authentication.enabled=true

Group Names

Optional property that specifies a list of group names. For every defined group name, sub-properties can be defined as described in the following sections.

Property definition:


 swiftlet.sys$authentication.groups.names=<group name 1>,<group name 2>,..,<group name n>

Example:


 swiftlet.sys$authentication.groups.names=public,admin,tacotest

Queue Grant Names

Specifies a list of queue grant names for a specific group. The grant names are equal to the queue names. For local queues, only the queue name part is required; for remote queues, the queue name has to be fully qualified with the router name.

For every defined queue grant name, sub-properties can be defined as described in the following sections.

Property definition:


 swiftlet.sys$authentication.groups.<group>.queuegrants.names=<queuegrant name 1>,\
  <queuegrant name 2>,..,<queuegrant name n>

Example:


 swiftlet.sys$authentication.groups.admin.queuegrants.names=swiftmqmgmt,swiftmqmgmt@router5

Receive Grant

Optional property that specifies the grant to create a QueueReceiver.

Default value for this property is true.

Property definition:


 swiftlet.sys$authentication.groups.<group>.queuegrants.<queuegrant>.receive=<boolean>

Example:


 swiftlet.sys$authentication.groups.admin.queuegrants.swiftmqmgmt@router5.receive=true

Send Grant

Optional property that specifies the grant to create a QueueSender.

Default value for this property is true.

Property definition:


 swiftlet.sys$authentication.groups.<group>.queuegrants.<queuegrant>.send=<boolean>

Example:


 swiftlet.sys$authentication.groups.public.queuegrants.srvinbound.send=false

Browse Grant

Optional property that specifies the grant to create a QueueBrowser.

Default value for this property is true.

Property definition:


 swiftlet.sys$authentication.groups.<group>.queuegrants.<queuegrant>.browse=<boolean>

Example:


 swiftlet.sys$authentication.groups.tacotest.queuegrants.timeQueue.browse=false

Topic Grant Names

Specifies a list of topic grant names for a specific group. The grant names are equal to the topic names.

Topic names can also be SQL-like predicates. Note that for a predicate, the grant covers the use of that exact predicate (e.g. a subscription on swiftmq.%). The grant does not extend to the individual topics that match the predicate.

For every defined topic grant name, sub-properties can be defined as described in the following sections.

Property definition:


 swiftlet.sys$authentication.groups.<group>.topicgrants.names=<topicgrant name 1>,\
  <topicgrant name 2>,..,<topicgrant name n>

Example:


 swiftlet.sys$authentication.groups.public.topicgrants.names=swiftmq.%,iit.sales

Subscribe Grant

Optional property that specifies the grant to create a TopicSubscriber.

Default value for this property is true.

Property definition:


 swiftlet.sys$authentication.groups.<group>.topicgrants.<topicgrant>.subscribe=<boolean>

Example:


 swiftlet.sys$authentication.groups.public.topicgrants.swiftmq.%.subscribe=false

Publish Grant

Optional property that specifies the grant to create a TopicPublisher.

Default value for this property is true.

Property definition:


 swiftlet.sys$authentication.groups.<group>.topicgrants.<topicgrant>.publish=<boolean>

Example:


 swiftlet.sys$authentication.groups.public.topicgrants.timeTopic.publish=true

Create Durable Grant

Optional property that specifies the grant to create a durable subscriber.

Default value for this property is true.

Property definition:


 swiftlet.sys$authentication.groups.<group>.topicgrants.<topicgrant>.createdurable=<boolean>

Example:


 swiftlet.sys$authentication.groups.public.topicgrants.iit.sales.createdurable=false

User Names

Optional property that specifies a list of user names. For every defined user name, sub-properties can be defined as described in the following sections.

Property definition:


 swiftlet.sys$authentication.users.names=<user name 1>,<user name 2>,..,<user name n>

Example:


 swiftlet.sys$authentication.users.names=anonymous,admin,AMueller

Password

Optional property that specifies the user's password.

The exchange between JMS client and JMSSwiftlet takes place using challenge/response factories; the password is not sent over the line.

The default value for this property is null.

Property definition:


 swiftlet.sys$authentication.users.<user>.password=<password>

Example:


 swiftlet.sys$authentication.users.admin.password=secret

Group

Specifies the group of the user.

Note that every user is also a member of the group public.

Property definition:


 swiftlet.sys$authentication.users.<user>.group=<group>

Example:


 swiftlet.sys$authentication.users.AMueller.group=admin

Host Access List

Optional property that specifies a list of DNS hostnames from which the user may log in. Logins from hosts that are not included in this access list are rejected.

The hostnames are SQL-like predicates. Wildcards such as %.swiftmq.com or secure.%.com can be specified.

The default value for this property is empty, which means the user can connect from every host.

Property definition:


 swiftlet.sys$authentication.users.<user>.hostaccesslist.names=<host 1>,<host 2>,..,<host n>

Example:


 swiftlet.sys$authentication.users.AMueller.hostaccesslist.names=%.iit.de,%.swiftmq.com
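The sections above describe one authorization model: a user belongs to one group plus the predefined group public, each grant is looked up by its exact name (a predicate grant such as swiftmq.% does not cover the topics it matches), every grant sub-property defaults to true, and the host access list is matched with SQL-like predicates. The following is an added example, not SwiftMQ's own code, that parses a constructed set of the documented properties and applies these rules so the effect of a configuration can be checked offline. Two points are assumptions because the page does not state them: an operation is allowed if any of the user's effective groups grants it, and hostname matching is case-insensitive.

```python
"""Model of the AuthenticationSwiftlet grant rules (added example, not SwiftMQ code)."""
import re

PREFIX = "swiftlet.sys$authentication."
QUEUE_OPS = ("receive", "send", "browse")
TOPIC_OPS = ("subscribe", "publish", "createdurable")

# Constructed sample configuration using only the property keys documented on this page.
SAMPLE_PROPERTIES = """\
swiftlet.sys$authentication.authentication.enabled=true
swiftlet.sys$authentication.groups.names=public,admin,tacotest
swiftlet.sys$authentication.groups.public.topicgrants.names=swiftmq.jndi,swiftmq.%
swiftlet.sys$authentication.groups.public.topicgrants.swiftmq.jndi.subscribe=false
swiftlet.sys$authentication.groups.public.topicgrants.swiftmq.%.subscribe=false
swiftlet.sys$authentication.groups.public.topicgrants.swiftmq.%.publish=false
swiftlet.sys$authentication.groups.admin.queuegrants.names=swiftmqmgmt
swiftlet.sys$authentication.groups.admin.queuegrants.swiftmqmgmt.receive=false
swiftlet.sys$authentication.groups.admin.queuegrants.swiftmqmgmt.browse=false
swiftlet.sys$authentication.groups.tacotest.queuegrants.names=timeQueue
swiftlet.sys$authentication.groups.tacotest.queuegrants.timeQueue.browse=false
swiftlet.sys$authentication.users.names=anonymous,admin,AMueller
swiftlet.sys$authentication.users.admin.password=secret
swiftlet.sys$authentication.users.admin.group=admin
swiftlet.sys$authentication.users.admin.hostaccesslist.names=%.iit.de,admin-_.swiftmq.com
swiftlet.sys$authentication.users.AMueller.group=tacotest
"""


def parse_properties(text):
    """Parse key=value lines into a dict; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()] if value else []


def _to_bool(value):
    return value.strip().lower() == "true"


def sql_like(pattern, value):
    """SQL-LIKE match: % = any run of characters, _ = exactly one character.
    Case-insensitive matching of hostnames is an assumption of this example."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


class AuthModel:
    def __init__(self, props):
        self.enabled = _to_bool(props.get(PREFIX + "authentication.enabled", "false"))
        self.groups = {}  # group -> {"queue": {name: {op: bool}}, "topic": {...}}
        for g in _split_list(props.get(PREFIX + "groups.names", "")):
            self.groups[g] = {"queue": {}, "topic": {}}
            for kind, key, ops in (("queue", "queuegrants", QUEUE_OPS), ("topic", "topicgrants", TOPIC_OPS)):
                base = f"{PREFIX}groups.{g}.{key}."
                for name in _split_list(props.get(base + "names", "")):
                    # Every grant sub-property defaults to true when it is not configured.
                    self.groups[g][kind][name] = {
                        op: _to_bool(props.get(f"{base}{name}.{op}", "true")) for op in ops
                    }
        self.groups.setdefault("public", {"queue": {}, "topic": {}})  # public always exists
        self.users = {}  # user -> {"group", "password", "hosts"}
        for u in _split_list(props.get(PREFIX + "users.names", "")):
            base = f"{PREFIX}users.{u}."
            self.users[u] = {
                "group": props.get(base + "group"),
                "password": props.get(base + "password"),  # None when absent (null)
                "hosts": _split_list(props.get(base + "hostaccesslist.names", "")),
            }

    def login(self, username, password, host):
        """Return the effective username on success, None on rejection."""
        username = "anonymous" if username is None else username  # null user -> anonymous
        if not self.enabled:
            return username
        user = self.users.get(username)
        if user is None or user["password"] != password:
            return None
        # An empty host access list allows every host; otherwise one predicate must match.
        if user["hosts"] and not any(sql_like(p, host) for p in user["hosts"]):
            return None
        return username

    def is_granted(self, username, kind, resource, operation):
        """kind is 'queue' or 'topic'; resource is the exact grant name (no predicate expansion)."""
        if not self.enabled:
            return True
        user = self.users.get(username)
        if user is None:
            return False
        effective_groups = ["public"] + ([user["group"]] if user["group"] not in (None, "public") else [])
        # Assumption: a grant from any effective group is sufficient.
        return any(
            self.groups.get(g, {}).get(kind, {}).get(resource, {}).get(operation, False)
            for g in effective_groups
        )


def build_model():
    return AuthModel(parse_properties(SAMPLE_PROPERTIES))


if __name__ == "__main__":
    m = build_model()
    print("admin from pc1.iit.de:", m.login("admin", "secret", "pc1.iit.de"))
    print("admin send swiftmqmgmt:", m.is_granted("admin", "queue", "swiftmqmgmt", "send"))
    print("AMueller publish swiftmq.jndi:", m.is_granted("AMueller", "topic", "swiftmq.jndi", "publish"))
    print("AMueller publish swiftmq.router1:", m.is_granted("AMueller", "topic", "swiftmq.router1", "publish"))
```

Running the block shows the two checks a reviewer of such a configuration most often gets wrong: the public grant on swiftmq.jndi lets AMueller publish there although her own group tacotest defines no topic grants, while the predicate grant swiftmq.% grants nothing for swiftmq.router1 because grants are matched by exact name.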


 Copyright © 2000, IIT GmbH, Bremen/Germany. All rights reserved.
SwiftMQ and Swiftlet are registered trademarks of IIT GmbH.
All other product names mentioned herein are trademarks of their respective owners.