Security - Alfresco Content Services - 23.4 - 23.4 - Ready - Alfresco - external

Alfresco Content Services

Platform
Alfresco
Product
Alfresco Content Services
Release
23.4
License

You can secure the repository - ActiveMQ - your module’s topic and queue communication using authentication, authorization, and SSL encryption. For more information, see ActiveMQ - security and ActiveMQ - using SSL.

For example, to configure authentication, add the following code snippet under the broker element in sync/activemq/apache-activemq-5.15.8/confactivemq.xml:

<broker>
..
  <plugins>
     <simpleAuthenticationPlugin>
         <users>
            <authenticationUser username="system" password="manager" groups="users,admins"/>
            <authenticationUser username="user" password="password" groups="users"/>
            <authenticationUser username="guest" password="password" groups="guests"/>
         </users>
     </simpleAuthenticationPlugin>

     <authorizationPlugin>
         <map>
            <authorizationMap>
               <authorizationEntries>
                   <authorizationEntry topic="Consumer.*.VirtualTopic.alfresco.repo.events.nodes>" read="users"
                    write="users" admin="users"/>
                   <authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users"
                   write="guests,users" admin="guests,users"/>
                   <authorizationEntry topic="VirtualTopic.alfresco.repo.events.nodes" read="guests,users"
                    write="guests,users" admin="guests,users"/>
               </authorizationEntries>
            </authorizationMap>
         </map>
     </authorizationPlugin>
  </plugins>
..
</broker>

This configures ActiveMQ to use basic authentication (username and password) and limit access to the your module’s topic Consumer.*.VirtualTopic.alfresco.repo.events.nodes. Both the repository and sync service will have to provide a username and password. It it fails, an exception will be shown in the repository and the sync service logs.

Here’s an example of the exception in the repository log:

Caused by: java.lang.SecurityException: User name [null] or password is invalid.
at
org.apache.activemq.security.SimpleAuthenticationBroker.authenticate(SimpleAuthenticationBroker.java:103)
at
org.apache.activemq.security.SimpleAuthenticationBroker.addConnection(SimpleAuthenticationBroker.java:71)
at
org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:98)
at
org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:103)

Here’s an example of the exception in the sync service log:

ERROR [2016-03-16 16:07:21.251] [Camel (alfrescoServiceCamelContext) thread #3 -
JmsConsumer[Consumer.074f6b96-685b-4a03-959f-7e77793f1ce2.VirtualTopic.alfresco.repo.events.nodes]]
org.apache.camel.component.jms.DefaultJmsMessageListenerContainer - Could not refresh JMS Connection
for destination
'Consumer.074f6b96-685b-4a03-959f-7e77793f1ce2.VirtualTopic.alfresco.repo.events.nodes?consumer.prefetchSize=3000'
- retrying in 5000 ms. Cause: User name [null] or password is invalid.

The module’s ActiveMQ username and password can be set using the properties, messaging.username and messaging.password. The repository ActiveMQ username and password can be set using the properties messaging.broker.username and messaging.broker.password.

Additionally, enable SSL to provide secure communication of events. See ActiveMQ - HTTP and HTTPS Transports.