activemq-dev mailing list archives

From "James Strachan" <james.strac...@gmail.com>
Subject Re: LDAP Authorization
Date Thu, 29 Jun 2006 12:28:19 GMT
On 6/26/06, ngcutura <ngcutura@gmail.com> wrote:
>
> Hi,
>
> I am working on LDAPAuthorizationMap to enable use of LDAP for storing
> access privilege information. The project I am engaged in requires dynamic
> creation of destinations and users so external source of authentication and
> authorization information is crucial.
>
> I checked out code from SVN and managed to build it with Maven and Eclipse.
> Thanks to Hiram and James for instructions. :-) The idea of
> LDAPAuthorizationMap is simple: there is hierarchy like this one:
>
> destinations
>   topic
>     topicA
>        read: role1
>        read: role2
>        write: role3
>        admin: role2
>   queue
>     queue1
>       read: roleA
>       write: roleB
>       write: roleC
>       admin: roleD
>
> It is quite easy to obtain read, write and admin ACLs from this hierarchy.
>
> However, looking at the code of DefaultAuthorizationMap, AuthorizationEntry,
> DestinationMap and DestinationMapEntry I cannot clearly differentiate
> between default behaviour of AuthorizationMap (except for the interface) and
> implementation specifics of authorization map defined in AMQ config file.

So the AuthorizationMap interface can be implemented however you wish.

The DefaultAuthorizationMap derives from the DestinationMap to be able
to associate wildcards with 'entries' where an entry is an
AuthorizationEntry which defines the set of ACLs for read/write/admin
roles. This allows you to associate a single entry (set of ACLs) with
a destination or wildcard.

Now if you want to go to LDAP each time and are not too worried about
wildcard support, you could just implement the AuthorizationMap
interface directly and for each of the methods, just walk JNDI/LDAP
to find the set of ACLs for read, write, admin for the given
destination.


> My questions (that I believe will clear something out for me):
>  - how are authorization data from AMQ config file passed to the code? I
> believe it is DefaultAuthorizationMap or SimpleAuthorizationMap.

Any implementation of AuthorizationMap is passed into the
AuthorizationPlugin via its "map" property using introspection.  See
http://incubator.apache.org/activemq/security.html for an example. You
could add your own using Spring stuff...

<broker xmlns="http://activemq.org/config/1.0">
    <plugins>
      <authorizationPlugin>
        <map>
          <bean class="com.acme.MyAuthorizationMap" xmlns=""> ... </bean>
        </map>
      </authorizationPlugin>
    </plugins>
</broker>

>  - how should I specify LDAP configuration in AMQ config?

Via properties on your POJO; then we can use Spring / XBean to wire
them all up. E.g. you can specify properties on your POJO and then we can
use dependency injection to wire them in.

> This config
> information is similar to that of LDAPLoginModule, which is specified in the
> Java VM login policy file.
>  - AuthorizationMap is supposed to return Set of privileged Principals.
> DefaultAuthorizationMap relies on AuthorizationEntry that seems specific to
> AMQ config file (parseACLs(String) method parses String from config file).
> Am I supposed to create a subclass of AuthorizationEntry that will return
> information parsed from LDAP server?

The AuthorizationEntry just makes a set of GroupPrincipal objects (a
little helper class). Maybe you could just reuse it as the element
inside the Set of groups - you just need to give it a String
constructor?

-- 

James
-------
http://radio.weblogs.com/0112098/
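The following is an added sketch of the direct approach James describes (implement AuthorizationMap without wildcard support and walk LDAP on every call); it is not code from this thread or from ActiveMQ itself. It assumes the directory layout from the original question mapped to DNs of the form cn=<destination>,ou=topic|queue,ou=destinations,<base>, with multi-valued attributes named read, write and admin holding role names, and it assumes the three-method AuthorizationMap interface discussed here (later ActiveMQ releases add temp-destination methods that would also need implementing). GroupPrincipal is reused as the set element via its String constructor, and the connection settings are plain bean properties so Spring/XBean can inject them from the <bean> element shown above. Because destination names in this project are created dynamically by users, the name is escaped with Rdn.escapeValue before it is placed in a DN, and any lookup failure yields an empty set so the broker fails closed.

```java
package com.acme; // hypothetical package, matching the <bean class="com.acme.MyAuthorizationMap"> sketch

import java.util.Collections;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Set;

import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;

import org.apache.activemq.command.ActiveMQDestination;
import org.apache.activemq.jaas.GroupPrincipal;
import org.apache.activemq.security.AuthorizationMap;

/** Looks up read/write/admin roles for a destination in LDAP on every call (no wildcard support). */
public class LdapAuthorizationMap implements AuthorizationMap {

    // Bean properties: injected by Spring/XBean from the broker XML (values below are assumed defaults)
    private String connectionUrl = "ldap://localhost:389";
    private String connectionUsername;
    private String connectionPassword;
    private String destinationBase = "ou=destinations,dc=example,dc=com";

    public Set getReadACLs(ActiveMQDestination destination) {
        return lookupRoles(destination, "read");
    }

    public Set getWriteACLs(ActiveMQDestination destination) {
        return lookupRoles(destination, "write");
    }

    public Set getAdminACLs(ActiveMQDestination destination) {
        return lookupRoles(destination, "admin");
    }

    /** Builds the entry DN; the user-supplied destination name is escaped so it cannot alter the DN structure. */
    String destinationDn(ActiveMQDestination destination) {
        String type = destination.isQueue() ? "queue" : "topic";
        return "cn=" + Rdn.escapeValue(destination.getPhysicalName()) + ",ou=" + type + "," + destinationBase;
    }

    /** Reads one multi-valued attribute of the destination entry and wraps each value in a GroupPrincipal. */
    private Set lookupRoles(ActiveMQDestination destination, String attributeId) {
        DirContext ctx = null;
        try {
            ctx = open();
            // Fetch only the attribute we need rather than the whole entry
            Attributes attrs = ctx.getAttributes(destinationDn(destination), new String[] { attributeId });
            Attribute attr = attrs.get(attributeId);
            Set roles = new HashSet();
            if (attr != null) {
                NamingEnumeration values = attr.getAll();
                while (values.hasMore()) {
                    roles.add(new GroupPrincipal((String) values.next()));
                }
            }
            return roles;
        } catch (NameNotFoundException e) {
            // No entry for this destination: nobody is authorized
            return Collections.EMPTY_SET;
        } catch (NamingException e) {
            // Directory unreachable or malformed data: fail closed rather than open
            return Collections.EMPTY_SET;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignore) { }
            }
        }
    }

    private DirContext open() throws NamingException {
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, connectionUrl);
        if (connectionUsername != null) {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, connectionUsername);
            env.put(Context.SECURITY_CREDENTIALS, connectionPassword);
        }
        return new InitialDirContext(env);
    }

    // Setters used by Spring/XBean dependency injection
    public void setConnectionUrl(String connectionUrl) { this.connectionUrl = connectionUrl; }
    public void setConnectionUsername(String connectionUsername) { this.connectionUsername = connectionUsername; }
    public void setConnectionPassword(String connectionPassword) { this.connectionPassword = connectionPassword; }
    public void setDestinationBase(String destinationBase) { this.destinationBase = destinationBase; }
}
```

With this class, the <bean> element in the broker XML would carry <property name="connectionUrl" value="..."/> style children for each setter. Opening a new context per call is the simplest form of the "go to LDAP each time" approach; a production version would pool connections and cache results, and would need the temp-destination methods if built against a later AuthorizationMap interface.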
