Promote User Identity into the AMQP Protocol

In this procedure, you will learn how to promote a user's credentials into the AMQP protocol.

Before You Begin

To learn how the Gateway securely propagates (promotes) the user identity associated with a WebSocket connection or session from the client to the back-end server or broker, see About User Identity Promotion.

Note: The steps in this topic assume that you already have a login module (either one supplied from the Gateway or one that you have created) that establishes the identity associated with this connection and authenticates it.

To Promote User Identity into the AMQP Protocol

  1. In your login module, instantiate a new object of type com.kaazing.gateway.server.spi.AmqpPrincipal and add it to the Subject. This is typically done in the commit() method. For example:
    // Imports needed by this fragment
    import java.util.Map;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.login.LoginException;
    import com.kaazing.gateway.server.spi.AmqpPrincipal;

    private Subject subject;

    @Override
    public void initialize(Subject subject,
                           CallbackHandler callbackHandler,
                           Map<String, ?> sharedState,
                           Map<String, ?> options) {
        this.subject = subject;
    }

    @Override
    public boolean commit() throws LoginException {
        // username, password, and subject are member variables
        // that must be set earlier in other parts of the
        // LoginModule implementation. In this method, the
        // username and password are used to create an AmqpPrincipal,
        // which is added to the Subject. The username and password
        // are then automatically injected into the AMQP protocol.

        AmqpPrincipal principal = new AmqpPrincipal(username, password);
        subject.getPrincipals().add(principal);
        return true;
    }
    • You should add only one AmqpPrincipal.
    • If you add more than one AmqpPrincipal, the Gateway uses the first one that the Java iterator happens to return.

    See the AmqpPrincipal class in the SPI (Service Provider Interface) documentation for more information.

  2. Compile your LoginModule and include it in a JAR file that you put into the GATEWAY_HOME/lib directory.

    Note: These instructions assume the jar com.kaazing.gateway.amqp.server.spi.jar is added to the compile-time classpath of the login module.

  3. Start (or restart) the Gateway, then connect a new client.

    After authentication succeeds, the Gateway establishes a connection to the back-end server or broker. At this point, if an AmqpPrincipal is available in the Subject, the Gateway automatically injects the AMQP credentials specified in that AmqpPrincipal into the AMQP protocol.
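The rule from step 1 (only one AmqpPrincipal per Subject) can be enforced in the login module itself. The following is an added example, not part of the original Kaazing documentation: a hypothetical base class that refuses to add a second AmqpPrincipal and removes its own on abort() or logout(), so promoted credentials do not linger in the Subject. It assumes the AmqpPrincipal constructor takes two String arguments, as the snippet in step 1 suggests, and that a subclass implements login() and sets username and password.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.kaazing.gateway.server.spi.AmqpPrincipal; // package as named in step 1

// Hypothetical base class: a subclass implements login(), authenticates the
// user, and sets username/password before returning true.
public abstract class SingleAmqpPrincipalLoginModule implements LoginModule {
    protected Subject subject;
    protected CallbackHandler callbackHandler;
    protected String username, password; // assumed to be Strings
    private AmqpPrincipal added;         // the principal this module contributed

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
    }

    @Override
    public boolean commit() throws LoginException {
        // login() did not set credentials: this module is ignored.
        if (username == null || password == null) return false;
        // Refuse to create the ambiguous case: another stacked module has
        // already promoted AMQP credentials for this Subject.
        if (!subject.getPrincipals(AmqpPrincipal.class).isEmpty()) {
            throw new LoginException("Subject already holds an AmqpPrincipal");
        }
        added = new AmqpPrincipal(username, password);
        subject.getPrincipals().add(added);
        return true;
    }

    @Override
    public boolean abort() throws LoginException {
        return logout(); // overall authentication failed: undo commit()
    }

    @Override
    public boolean logout() throws LoginException {
        if (added != null) subject.getPrincipals().remove(added);
        added = null;
        username = password = null; // drop references to the credentials
        return true;
    }
}
```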

Notes

Next Step

You have completed implementation for AMQP credential injection with the Gateway.