activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "James Strachan" <james.strac...@gmail.com>
Subject Re: JAAS authorizationEntry for temporary Queue
Date Tue, 04 Jul 2006 16:00:50 GMT
On 7/4/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
> On 7/4/06, James Strachan <james.strachan@gmail.com> wrote:
> >
> > On 7/4/06, The_real_Ulf <ralphs_email@gmx.de> wrote:
> > >
> > > Hi,
> > > I'm using the JAAS-Plugin with ActiveMQ. It works fine so far. But the
> > > proplem is, that I don't know how to set an authorizationEntry in the
> > > activemq.xml for a temporary Queue. The aim is to allow a group to read
> > from
> > > their own temporary Queue.
> > > I have this in my activemq.xml:
> > >
> > > <plugins>
> > >       <!--  use JAAS to authenticate using the login.config file on the
> > > classpath to configure JAAS -->
> > >       <jaasAuthenticationPlugin configuration="activemq-domain" />
> > >
> > >       <!--  lets configure a destination based authorization mechanism
> > -->
> > >       <authorizationPlugin>
> > >         <map>
> > >           <authorizationMap>
> > >             <authorizationEntries>
> > >               <authorizationEntry queue=">" read="managers"
> > write="managers"
> > > admin="managers" />
> > >               <authorizationEntry queue="manage" read="managers"
> > > write="clients" admin="managers,clients" />
> > >                   <authorizationEntry queue="clients.>" read="clients"
> > write="managers"
> > > admin="managers" />
> > >                   <authorizationEntry topic=">" read="managers"
> > write="managers"
> > > admin="managers" />
> > >                   <authorizationEntry topic="ActiveMQ.Advisory.>"
> > read="managers,clients"
> > > write="managers,clients" admin="managers,clients"/>
> > >             </authorizationEntries>
> > >           </authorizationMap>
> > >         </map>
> > >       </authorizationPlugin>
> > >     </plugins>
> > >
> > > With my client i create a TemporaryQueue via:
> > >
> > > tempQueue = inSession.createTemporaryQueue();
> > >
> > > this works, but if i want to create a consumer for the queue I get an
> > error:
> > >
> > > MessageConsumer tempConsumer = inSession.createConsumer(tempQueue);
> > >
> > > Error: javax.jms.JMSException: User client is not authorized to read
> > from:
> > > temp-queue://ID:windowspc-2300-1152021141855-0:0:1
> > >
> > > So the question is, how to tell him that any user "client" from group
> > > "clients" is allowed to consume it's own temporaryQueue?
> >
> > This sounds like a bug - I wonder could you raise a JIRA for this please?
>
>
> agreed.
>
> Generally the only people capable of consuming from a temporary
> > destination should be the connection which created it; so I'm not sure
> > we should even use the security plugin to authorize read access to
>
>
> agreed.
>
>
> temporary destinations. I guess we could prevent certain users from
> > writing to temporary destinations.
>
>
> The question is how would plugin be able to figure out who can write to a
> temporary queue?  Temporary queue names are dynamic so it would be hard to
> implement rules that authorize against the queue name.

Agreed - I guess I was thinking; either you are allowed to send to all
of them or none of them.  i.e. there is a read/write/admin role for
'temporaryQueue' and 'temoraryTopic'? Maybe thats as granular as we
can get.

-- 

James
-------
http://radio.weblogs.com/0112098/

Mime
View raw message