Chapter 4. Securing a Standalone Red Hat AMQ Container

download PDF


The Red Hat AMQ container is secured using JAAS. By defining JAAS realms, you can configure the mechanism used to retrieve user credentials. You can also refine access to the container's administrative interfaces by changing the default roles. Red Hat AMQ runs in an OSGi container that uses the Java Authentication and Authorization Service(JAAS) to perform authorization. Changing the authorization scheme for the container involves defining a new JAAS realm and deploying it into the container.

4.1. Defining JAAS Realms


When defining a JAAS realm in the OSGi container, you cannot put the definitions in a conventional JAAS login configuration file. Instead, the OSGi container uses a special jaas:config element for defining JAAS realms in a blueprint configuration file. The JAAS realms defined in this way are made available to all of the application bundles deployed in the container, making it possible to share the JAAS security infrastructure across the whole container.


The jaas:config element is defined in the namespace. When defining a JAAS realm you will need to include the line shown in Example 4.1, “JAAS Blueprint Namespace”.

Example 4.1. JAAS Blueprint Namespace


Configuring a JAAS realm

The syntax for the jaas:config element is shown in Example 4.2, “Defining a JAAS Realm in Blueprint XML”.

Example 4.2. Defining a JAAS Realm in Blueprint XML

<blueprint xmlns=""

    <jaas:config name="JaasRealmName"
        <jaas:module className="LoginModuleClassName"
        <!-- Can optionally define multiple modules -->

The elements are used as follows:
Defines the JAAS realm. It has the following attributes:
  • name—specifies the name of the JAAS realm.
  • rank—specifies an optional rank for resolving naming conflicts between JAAS realms . When two or more JAAS realms are registered under the same name, the OSGi container always picks the realm instance with the highest rank. If you decide to override the default realm, karaf, you should specify a rank of 100 or more, so that it overrides all of the previously installed karaf realms (in the context of Fabric, you need to override the default ZookeeperLoginModule, which has a rank of 99).
Defines a JAAS login module in the current realm. jaas:module has the following attributes:
  • className—the fully-qualified class name of a JAAS login module. The specified class must be available from the bundle classloader.
  • flags—determines what happens upon success or failure of the login operation. Table 4.1, “Flags for Defining a JAAS Module” describes the valid values.
    Table 4.1. Flags for Defining a JAAS Module
    requiredAuthentication of this login module must succeed. Always proceed to the next login module in this entry, irrespective of success or failure.
    requisiteAuthentication of this login module must succeed. If success, proceed to the next login module; if failure, return immediately without processing the remaining login modules.
    sufficientAuthentication of this login module is not required to succeed. If success, return immediately without processing the remaining login modules; if failure, proceed to the next login module.
    optionalAuthentication of this login module is not required to succeed. Always proceed to the next login module in this entry, irrespective of success or failure.
The contents of a jaas:module element is a space separated list of property settings, which are used to initialize the JAAS login module instance. The specific properties are determined by the JAAS login module and must be put into the proper format.
You can define multiple login modules in a realm.

Converting standard JAAS login properties to XML

Red Hat AMQ uses the same properties as a standard Java login configuration file, however Red Hat AMQ requires that they are specified slightly differently. To see how the Red Hat AMQ approach to defining JAAS realms compares with the standard Java login configuration file approach, consider how to convert the login configuration shown in Example 4.3, “Standard JAAS Properties”, which defines the PropertiesLogin realm using the Red Hat AMQ properties login module class, PropertiesLoginModule:

Example 4.3. Standard JAAS Properties

PropertiesLogin {
    org.apache.activemq.jaas.PropertiesLoginModule required"""";
The equivalent JAAS realm definition, using the jaas:config element in a blueprint file, is shown in Example 4.4, “Blueprint JAAS Properties”.

Example 4.4. Blueprint JAAS Properties

<blueprint xmlns=""

  <jaas:config name="PropertiesLogin">
    <jaas:module flags="required" 

You do not use double quotes for JAAS properties in the blueprint configuration.


Red Hat AMQ also provides an adapter that enables you to store JAAS authentication data in an X.500 server. Example 4.5, “Configuring a JAAS Realm” defines the LDAPLogin realm to use Red Hat AMQ's LDAPLoginModule class, which connects to the LDAP server located at ldap://localhost:10389.

Example 4.5. Configuring a JAAS Realm

<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns=""

  <jaas:config name="LDAPLogin" rank="200">
    <jaas:module flags="required" 
        connection.url = ldap://localhost:10389
        user.base.dn = ou=users,ou=system
        user.filter = (uid=%u) = true
        role.base.dn = ou=users,ou=system
        role.filter = (uid=%u) = ou = true
        authentication = simple
For a detailed description and example of using the LDAP login module, see ???.
Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.