Date: Tue, 1 Aug 2006 11:06:49 +0100
From: "James Strachan"
To: activemq-dev@geronimo.apache.org
Subject: Re: Certificate login
In-Reply-To: <5583011.post@talk.nabble.com>
References: <5583011.post@talk.nabble.com>

On 7/31/06, ngcutura wrote:
>
> Hi all,
>
> I have another requirement in my project (a tough one). Instead of using
> username/password I want to use only a certificate for both authentication
> and authorization.
>
> I see two approaches:
>
> 1. As JMS allows only (username, password) in createConnection(), I can
> export the certificate to a String and supply it as the username and develop
> a custom JAAS login module that would convert the username String back to
> the certificate and authenticate (against an LDAP directory). However, I
> don't like this approach.
>
> 2. As I am going to use SSL anyway, I would like to use SSL client
> authentication as the basis for AMQ authentication. As much as I understood
> JSSE, certificates are checked against the keystore, so I can develop a
> custom keystore implementation that checks certificates against the LDAP
> directory. However, I do not know how to make AMQ aware of this process,
> i.e. how to bind the Subject with the SSL connection so that AMQ can use
> this information for authorization. SSL client authentication is invisible
> to AMQ, as I understood.

So the SSL transport could extract the client certificate/subject and append
it to the ConnectionInfo that is received on the broker side (in a transient
field), which can then be used by any security plugins later on. On the
broker side there is an exchange of Command objects, of which ConnectionInfo
is the start of a connection & the 'login' part.

http://activemq.org/site/code-overview.html

To get an idea how all that works, try looking at AuthorizationBroker.
Incidentally, it's AbstractConnection.processAddConnection(ConnectionInfo)
which processes a new connection, calling broker.addConnection(context, info).

I've just made a small refactor to make it a little easier to extend
ConnectionInfo; I've added a constructor of the ConnectionContext object to
allow you to extract new fields from the ConnectionInfo and make them
available to the ConnectionContext (which typically holds connection related
information like user name and password, and which you might want to add
certificate information to).

So you should be able to just work with ConnectionInfo and ConnectionContext
and the SSL transport to do what you need, I think.

--
James
-------
http://radio.weblogs.com/0112098/
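An added example, not ActiveMQ code and not part of the refactor described above, of the transport-side half of approach 2: the JSSE server socket is made to require (not merely request) a client certificate, and after the handshake the verified peer chain is turned into a subject that a transport could attach to ConnectionInfo for the broker's security plugins. ClientCertExtractor and ClientIdentity are hypothetical names; only the javax.net.ssl and java.security.cert calls are real JSSE API.

```java
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

/** Hypothetical helper for an SSL transport (example code, not ActiveMQ's). */
public final class ClientCertExtractor {

    /** Sketch of the transient identity that would ride on ConnectionInfo. */
    public static final class ClientIdentity {
        public final Principal subject;        // e.g. CN=app1,OU=clients,O=Example
        public final X509Certificate[] chain;  // verified chain, leaf first
        ClientIdentity(Principal subject, X509Certificate[] chain) {
            this.subject = subject;
            this.chain = chain;
        }
    }

    /** Broker side: client auth must be mandatory, or anonymous clients still connect. */
    public static void requireClientAuth(SSLServerSocket server) {
        server.setNeedClientAuth(true);  // setWantClientAuth(true) would not reject a missing cert
    }

    /**
     * Call once the handshake has completed (getSession() blocks until it has).
     * Returns null when no verified client chain exists; the login step should
     * then refuse the connection rather than fall back to an empty user name.
     */
    public static ClientIdentity extract(SSLSocket socket) {
        SSLSession session = socket.getSession();
        try {
            Certificate[] peer = session.getPeerCertificates();  // throws if no client cert was sent
            if (peer.length == 0 || !(peer[0] instanceof X509Certificate)) {
                return null;
            }
            X509Certificate[] chain = new X509Certificate[peer.length];
            for (int i = 0; i < peer.length; i++) {
                chain[i] = (X509Certificate) peer[i];
            }
            chain[0].checkValidity();  // trust store check was done by JSSE; this guards a resumed, now-expired session
            return new ClientIdentity(chain[0].getSubjectX500Principal(), chain);
        } catch (SSLPeerUnverifiedException | CertificateException e) {
            return null;
        }
    }
}
```

The subject returned here is what a custom JAAS module or an AuthorizationBroker-style plugin would look up in LDAP, instead of trusting a user name string supplied by the client.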