activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "James Strachan" <>
Subject Re: Certificate login
Date Tue, 01 Aug 2006 10:06:49 GMT
On 7/31/06, ngcutura <> wrote:
> Hi all,
> I have another requirement in my project (a tough one). Instead of using
> username/password I want to use only certificate for both authentication and
> authorization.
> I see two approaches:
> 1. As JMS allows only (username, password) in createConnection(), I can
> export certificate to a String and supply it as a username and develop
> custom JAAS login module that would convert username String back to the
> certificate and authenticate (against an LDAP directory). However, I don't
> like this approach.
> 2. As I am going to use SSL anyway, I would like to use SSL client
> authentication as the basis for AMQ authentication. As much as I understood
> JSSE, certificates are checked against keystore so I can develop custom
> keystore implementation that checks certificates against LDAP directory.
> However, I do not know how to make AMQ aware of this process i.e. how to
> bind the Subject with SSL connection so that AMQ can use this information
> for authorization. SSL client authentication is invisible to AMQ, as I
> understood.

So the SSL transport could extract the client certificate/subject and
append it to the ConnectionInfo that is received on the broker side
(in a transient field) which can then be used by any security plugins
later on.

On the broker side there is an exchange of Command objects of which
ConnectionInfo is the start of a connection & the 'login' part.

To get an idea how all that works try looking at AuthorizationBroker.
Incidentally its
AbstractConnection.processAddConnection(ConnectionInfo) which
processes a new connection calling broker.addConnection(context,

I've just made a small refactor to make it a little easier to extend
ConnectionInfo; I've added a constructor of the ConnectionContext
object to allow you to extract new fields from the ConnectionInfo and
make them available to the ConnectionContext (which typically holds
connection related information like user name, password and you might
want to add certificate information to.

So you should be able to just work with ConnectionInfo and
ConnectionContext and the SSL transport to do what you need I think.



View raw message