activemq-dev mailing list archives

From "Sepand M" <sepa...@gmail.com>
Subject Re: Creating a secure connection system and using JMSXUserID support
Date Wed, 02 Aug 2006 00:02:29 GMT
Hi all,

So far I've mainly been reading ActiveMQ and making design docs.
Here's what I've got:

For authorization, my current plan is to just have the client's DN
replace the user name field in the ConnectionInfo class (how this is
done is explained below). I want to do this because I don't know much
about JAAS and I'm trying to avoid writing classes to authorize based
on DNs. If you guys know this stuff (and you probably do), we could
change this easily enough.

Here's the rest of my design:

I want to modify SslTransportFactory to use a specific SslContext
object and allow clients access to its init method so that they can
set their own key and trust managers. I also want to create new
SslTransport and SslTransportServer classes. SslTransport will be
derived from TcpTransport. Its main task will be to replace the user
name field of ConnectionInfo commands with its socket's DN (this could
be changed easily to attach the entire certificate to ConnectionInfo
as a new generic field). SslTransport will also make sure that it uses
SslSocketFactory's. SslTransportServer will only be there to make sure
SslSocketFactory's are used.

For my current design that about does it. The proper Brokers and
plugins (JaasAuthenticationBroker and AuthorizationPlugin) would have
to be used and the configuration files would need to use the DN as the
username.

I'm not sure about this, but I think if we were to attach the complete
certificate and try to do things "properly" we'd need a new
CertificateAuthenticationBroker and a way for JAAS to authenticate
that certificate (I'm new to JAAS so I don't know how easy/hard this
would be).

Any thoughts?
- Sepand

On 8/1/06, James Strachan <james.strachan@gmail.com> wrote:
> On 8/1/06, ngcutura <ngcutura@gmail.com> wrote:
> >
> > My JIRA username is 'ngcutura' and I'll be glad to assign LDAP Authorization
> > issue to myself.
>
> Great! You're all set now with JIRA karma
>
> > I also take this opportunity to remind you of my code
> > waiting for your review. :-)
>
> Thanks for the reminder - will try get there soon :)
>
> > I wouldn't mind creating and assigning certificate login but as Sepand was
> > the first to raise it I'd wait for him (a while).
>
> Coolio
>
> --
>
> James
> -------
> http://radio.weblogs.com/0112098/
>
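
An added example, not part of the original message or of ActiveMQ's code: one way to derive the user name from the client certificate's DN as the design above proposes, assuming the server socket requires client authentication. `DnUserName`, `userNameFor` and `canonical` are hypothetical names and the DNs are constructed samples; the canonical form is used so that a DN typed into a configuration file matches however the certificate renders it.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

public class DnUserName {
    // Hypothetical helper: the user name for a connection is the canonical
    // subject DN of the client certificate verified during the TLS handshake.
    static String userNameFor(SSLSession session) throws SSLPeerUnverifiedException {
        // getPeerCertificates() throws SSLPeerUnverifiedException when the client
        // presented no certificate, e.g. if the server socket never called
        // setNeedClientAuth(true). Treat that as a failed login, not an empty name.
        Certificate[] chain = session.getPeerCertificates();
        X509Certificate leaf = (X509Certificate) chain[0]; // peer's own cert is first
        return canonical(leaf.getSubjectX500Principal());
    }

    // Canonical form lower-cases values and normalizes spacing, so string
    // comparison of two renderings of the same DN succeeds.
    static String canonical(X500Principal p) {
        return p.getName(X500Principal.CANONICAL);
    }

    public static void main(String[] args) {
        // Constructed sample: a DN-to-group entry as an administrator might type it.
        Map<String, String> configured = Map.of(
            canonical(new X500Principal("CN=Client One, OU=Dev, O=Example Corp, C=CA")),
            "admins");

        // The same subject rendered with different case and spacing still matches.
        X500Principal sameSubject =
            new X500Principal("cn=client one,ou=dev,o=example corp,c=ca");
        System.out.println("same subject  -> " + configured.get(canonical(sameSubject)));

        // A different subject finds no entry and must be rejected by the caller.
        X500Principal other =
            new X500Principal("CN=Client Two, OU=Dev, O=Example Corp, C=CA");
        System.out.println("other subject -> " + configured.get(canonical(other)));
    }
}
```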
