activemq-users mailing list archives

From "Hiram Chirino" <hi...@hiramchirino.com>
Subject Re: JAAS authorizationEntry for temporary Queue
Date Tue, 04 Jul 2006 15:58:06 GMT
On 7/4/06, James Strachan <james.strachan@gmail.com> wrote:
>
> On 7/4/06, The_real_Ulf <ralphs_email@gmx.de> wrote:
> >
> > Hi,
> > I'm using the JAAS-Plugin with ActiveMQ. It works fine so far. But the
> > problem is that I don't know how to set an authorizationEntry in the
> > activemq.xml for a temporary Queue. The aim is to allow a group to read
> > from their own temporary Queue.
> > I have this in my activemq.xml:
> >
> > <plugins>
> >   <!-- use JAAS to authenticate using the login.config file on the classpath to configure JAAS -->
> >   <jaasAuthenticationPlugin configuration="activemq-domain" />
> >
> >   <!-- lets configure a destination based authorization mechanism -->
> >   <authorizationPlugin>
> >     <map>
> >       <authorizationMap>
> >         <authorizationEntries>
> >           <authorizationEntry queue=">" read="managers" write="managers" admin="managers" />
> >           <authorizationEntry queue="manage" read="managers" write="clients" admin="managers,clients" />
> >           <authorizationEntry queue="clients.>" read="clients" write="managers" admin="managers" />
> >           <authorizationEntry topic=">" read="managers" write="managers" admin="managers" />
> >           <authorizationEntry topic="ActiveMQ.Advisory.>" read="managers,clients" write="managers,clients" admin="managers,clients"/>
> >         </authorizationEntries>
> >       </authorizationMap>
> >     </map>
> >   </authorizationPlugin>
> > </plugins>
> >
> > With my client I create a TemporaryQueue via:
> >
> > tempQueue = inSession.createTemporaryQueue();
> >
> > This works, but if I want to create a consumer for the queue I get an
> > error:
> >
> > MessageConsumer tempConsumer = inSession.createConsumer(tempQueue);
> >
> > Error: javax.jms.JMSException: User client is not authorized to read from: temp-queue://ID:windowspc-2300-1152021141855-0:0:1
> >
> > So the question is, how to tell him that any user "client" from group
> > "clients" is allowed to consume its own temporaryQueue?
>
> This sounds like a bug - I wonder could you raise a JIRA for this please?

agreed.

> Generally the only people capable of consuming from a temporary
> destination should be the connection which created it; so I'm not sure
> we should even use the security plugin to authorize read access to

agreed.

> temporary destinations. I guess we could prevent certain users from
> writing to temporary destinations.

The question is how would the plugin be able to figure out who can write to a
temporary queue? Temporary queue names are dynamic so it would be hard to
implement rules that authorize against the queue name.

> --
> James
> -------
> http://radio.weblogs.com/0112098/

-- 
Regards,
Hiram

Blog: http://hiramchirino.com
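
Added example (not part of the original thread and not ActiveMQ source): a simplified Java model of the two approaches discussed above, name-based ACL matching with the queue entries from the posted activemq.xml versus an owner-only check for temporary queues. It assumes a temporary queue name has the form `<creating connection id>:<sequence>`; `clients.orders` and the second connection id are constructed sample values.

```java
import java.util.*;

// Added illustration, not ActiveMQ source: simplified model of the two checks in the thread.
public class TempQueueReadCheck {

    // Queue read ACLs copied from the activemq.xml in the thread (pattern -> groups).
    static final Map<String, Set<String>> QUEUE_READ = Map.of(
            ">", Set.of("managers"),
            "manage", Set.of("managers"),
            "clients.>", Set.of("clients"));

    // '.'-separated matching: '*' matches one segment, '>' matches everything that follows.
    static boolean matches(String pattern, String name) {
        String[] p = pattern.split("\\."), n = name.split("\\.");
        for (int i = 0; i < p.length; i++) {
            if (p[i].equals(">")) return true;
            if (i >= n.length || !(p[i].equals("*") || p[i].equals(n[i]))) return false;
        }
        return p.length == n.length;
    }

    // Name-based check (simplified): only entries of the same destination type are considered.
    static boolean staticReadAllowed(String type, String name, Set<String> groups) {
        if (!type.equals("queue")) return false; // the map above has no temp-queue entries
        for (Map.Entry<String, Set<String>> e : QUEUE_READ.entrySet())
            if (matches(e.getKey(), name) && !Collections.disjoint(e.getValue(), groups)) return true;
        return false;
    }

    // Assumption: a temp queue name is "<creating connection id>:<sequence>".
    static String creatorOf(String tempName) {
        int i = tempName.lastIndexOf(':');
        return i < 0 ? "" : tempName.substring(0, i);
    }

    // Ownership check: only the connection that created the temp queue may consume from it.
    static boolean ownerReadAllowed(String tempName, String connectionId) {
        return !connectionId.isEmpty() && creatorOf(tempName).equals(connectionId);
    }

    public static void main(String[] args) {
        String temp = "ID:windowspc-2300-1152021141855-0:0:1"; // name from the error in the thread
        Set<String> clients = Set.of("clients");
        System.out.println("static, clients.orders: " + staticReadAllowed("queue", "clients.orders", clients));
        System.out.println("static, temp queue:     " + staticReadAllowed("temp-queue", temp, clients));
        System.out.println("owner, creator conn:    " + ownerReadAllowed(temp, "ID:windowspc-2300-1152021141855-0:0"));
        System.out.println("owner, other conn:      " + ownerReadAllowed(temp, "ID:otherhost-1-1-0:0")); // constructed id
    }
}
```

The static map cannot name the temporary queue ahead of time, so the read decision for it has to come from the creating connection's identity rather than from a pattern.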
