activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pat Fox (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMQ-908) Authorization plugin should have configurable principal classes
Date Fri, 01 Feb 2013 15:08:12 GMT

    [ https://issues.apache.org/jira/browse/AMQ-908?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13568781#comment-13568781
] 

Pat Fox commented on AMQ-908:
-----------------------------

Just an FYI:

To get this working I had to modify the config as follows:

{code}
<plugins>
            <jaasAuthenticationPlugin configuration="karaf" />
            <authorizationPlugin>
              <map>
                <authorizationMap>
               <authorizationEntries>
               <authorizationEntry queue=">" read="admin" write="admin" admin="admin"
groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal" init-method="afterPropertiesSet"
/>
             <authorizationEntry topic=">" read="admin" write="admin"  admin="admin"
groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal"  init-method="afterPropertiesSet"
/>
             <authorizationEntry topic="ActiveMQ.Advisory.>" read="admin" write="admin"
admin="admin" groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal" init-method="afterPropertiesSet"/>
            </authorizationEntries>
           </authorizationMap>
  </map>
</authorizationPlugin>
{code}


If afterPropertiesSet() is not configured then the principals could be placed on the ACL in
the default principal class ( org.apache.activemq.jaas.GroupPrincipal) and some principals
using the configured groupClass depending on the order Spring sets the properties.A downside
of introducing afterPropertiesSet() is that you will have the Principals  on the ACL lists
*twice*.  This is probably not ideal if your iterating through the list

The  javax.annotation.PostConstruct is used for the "AuthorizationEntry.afterPropertiesSet()"
method but the activemq config does not seem to include <context:annotation-config />
so it did not seem to be invoked by Spring.

                
> Authorization plugin should have configurable principal classes
> ---------------------------------------------------------------
>
>                 Key: AMQ-908
>                 URL: https://issues.apache.org/jira/browse/AMQ-908
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Broker
>    Affects Versions: 4.0.1
>            Reporter: Aaron Mulder
>            Assignee: Jonas Lim
>             Fix For: 5.0.0
>
>         Attachments: ASF.LICENSE.NOT.GRANTED--authorizationPlugin.patch, authorizationPlugin.patch,
AuthorizationPlugin.patch, AuthorizationPlugin.patch
>
>
> Currently, if you configure the authorization plugin, it assumes that all principals
listed should be of type {{org.apache.activemq.jaas.GroupPrincipal}}.  This is OK if you're
using ActiveMQ LoginModules, but since there's a fairly small supply of those, it would be
great if you could use arbitrary login modules and tell the authorization plugin which principal
classes to use.  For example, {{groupClass="weblogic.security.principal.WLSGroupImpl}} or
something like that.  A good first step would be to let you change the group class.  A good
second step would be to let you specify user and group classes and then somehow indicate which
names are which (e.g. {{admin="administrators,user:aaron,user:bob"}} or whatever).  Someday
maybe it will be nice to support any arbitrary combination of principal classes but that seems
far away.
> When instantiating the principal classes, I imagine we should use a constructor with
a single String argument if available, or else a default constructor plus a "setName" method,
or else I guess bail.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message