activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ken Gallo (JIRA)" <j...@apache.org>
Subject [jira] Updated: (AMQ-908) Authorization plugin should have configurable principal classes
Date Tue, 12 Dec 2006 07:24:02 GMT
     [ https://issues.apache.org/activemq/browse/AMQ-908?page=all ]

Ken Gallo updated AMQ-908:
--------------------------

    Attachment: authorizationPlugin.patch

In: 

<authorizationEntry queue="USERS.>" read="users" write="users" admin="users" groupClass="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
/>

I've noticed that xbean sets "admin" before "groupClass" in the xml config of authorizationEntry
(I think its alphabetical), so even if you set the principal class, admin is intialized with
the default org.apache.activemq.jaas.GroupPrincipal class. 

I've renamed "groupClass" to "ACLPrincipal" so the principal class to be used can be set first
before xbean sets admin.

So it should be:

> Authorization plugin should have configurable principal classes
> ---------------------------------------------------------------
>
>                 Key: AMQ-908
>                 URL: https://issues.apache.org/activemq/browse/AMQ-908
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Broker
>    Affects Versions: 4.0.1
>            Reporter: Aaron Mulder
>             Fix For: 4.2.0
>
>         Attachments: authorizationPlugin.patch, authorizationPlugin.patch, AuthorizationPlugin.patch,
AuthorizationPlugin.patch
>
>
> Currently, if you configure the authorization plugin, it assumes that all principals
listed should be of type {{org.apache.activemq.jaas.GroupPrincipal}}.  This is OK if you're
using ActiveMQ LoginModules, but since there's a fairly small supply of those, it would be
great if you could use arbitrary login modules and tell the authorization plugin which principal
classes to use.  For example, {{groupClass="weblogic.security.principal.WLSGroupImpl}} or
something like that.  A good first step would be to let you change the group class.  A good
second step would be to let you specify user and group classes and then somehow indicate which
names are which (e.g. {{admin="administrators,user:aaron,user:bob"}} or whatever).  Someday
maybe it will be nice to support any arbitrary combination of principal classes but that seems
far away.
> When instantiating the principal classes, I imagine we should use a constructor with
a single String argument if available, or else a default constructor plus a "setName" method,
or else I guess bail.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/activemq/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message