On 7/4/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
> On 7/4/06, James Strachan <james.strachan@gmail.com> wrote:
> >
> > On 7/4/06, The_real_Ulf <ralphs_email@gmx.de> wrote:
> > >
> > > Hi,
> > > I'm using the JAAS-Plugin with ActiveMQ. It works fine so far. But the
> > > problem is that I don't know how to set an authorizationEntry in the
> > > activemq.xml for a temporary Queue. The aim is to allow a group to read
> > > from their own temporary Queue.
> > > I have this in my activemq.xml:
> > >
> > > <plugins>
> > >   <!-- use JAAS to authenticate using the login.config file on the
> > >        classpath to configure JAAS -->
> > >   <jaasAuthenticationPlugin configuration="activemq-domain" />
> > >
> > >   <!-- lets configure a destination based authorization mechanism -->
> > >   <authorizationPlugin>
> > >     <map>
> > >       <authorizationMap>
> > >         <authorizationEntries>
> > >           <authorizationEntry queue=">" read="managers" write="managers" admin="managers" />
> > >           <authorizationEntry queue="manage" read="managers" write="clients" admin="managers,clients" />
> > >           <authorizationEntry queue="clients.>" read="clients" write="managers" admin="managers" />
> > >           <authorizationEntry topic=">" read="managers" write="managers" admin="managers" />
> > >           <authorizationEntry topic="ActiveMQ.Advisory.>" read="managers,clients" write="managers,clients" admin="managers,clients" />
> > >         </authorizationEntries>
> > >       </authorizationMap>
> > >     </map>
> > >   </authorizationPlugin>
> > > </plugins>
> > >
> > > With my client I create a TemporaryQueue via:
> > >
> > > tempQueue = inSession.createTemporaryQueue();
> > >
> > > This works, but if I want to create a consumer for the queue I get an error:
> > >
> > > MessageConsumer tempConsumer = inSession.createConsumer(tempQueue);
> > >
> > > Error: javax.jms.JMSException: User client is not authorized to read from: temp-queue://ID:windowspc-2300-1152021141855-0:0:1
> > >
> > > So the question is, how do I tell it that any user "client" from group
> > > "clients" is allowed to consume its own temporaryQueue?
> >
> > This sounds like a bug - I wonder could you raise a JIRA for this please?
>
>
> agreed.
>
> > Generally the only people capable of consuming from a temporary
> > destination should be the connection which created it; so I'm not sure
> > we should even use the security plugin to authorize read access to
>
>
> agreed.
>
>
> > temporary destinations. I guess we could prevent certain users from
> > writing to temporary destinations.
>
>
> The question is how would plugin be able to figure out who can write to a
> temporary queue? Temporary queue names are dynamic so it would be hard to
> implement rules that authorize against the queue name.
Agreed - I guess I was thinking: either you are allowed to send to all
of them or none of them, i.e. there is a read/write/admin role for
'temporaryQueue' and 'temporaryTopic'? Maybe that's as granular as we
can get.
--
James
-------
http://radio.weblogs.com/0112098/
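Why a user in group "clients" is refused on its own temporary queue can be seen by modelling the authorizationMap lookup over the entries posted above. This is an added example, not code from the thread or from ActiveMQ itself; it assumes ActiveMQ's destination wildcard rules ('.' separates segments, '*' matches one segment, '>' matches the remaining segments), that the groups of every matching entry are unioned, and that a temporary queue's generated name is matched against the queue entries like any other queue name.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the authorizationEntries posted in the thread.
ACTIVEMQ_XML = """<authorizationEntries>
  <authorizationEntry queue=">" read="managers" write="managers" admin="managers"/>
  <authorizationEntry queue="manage" read="managers" write="clients" admin="managers,clients"/>
  <authorizationEntry queue="clients.>" read="clients" write="managers" admin="managers"/>
  <authorizationEntry topic=">" read="managers" write="managers" admin="managers"/>
  <authorizationEntry topic="ActiveMQ.Advisory.>" read="managers,clients"
                      write="managers,clients" admin="managers,clients"/>
</authorizationEntries>"""

def pattern_matches(pattern, name):
    """ActiveMQ destination wildcards: '.' separates segments, '*' matches exactly
    one segment and '>' matches one or more remaining segments."""
    pat, segs = pattern.split("."), name.split(".")
    for i, p in enumerate(pat):
        if p == ">":
            return i < len(segs)
        if i >= len(segs) or (p != "*" and p != segs[i]):
            return False
    return len(pat) == len(segs)

def parse_entries(xml_text):
    """Return [(kind, pattern, {op: set(groups)})] for each authorizationEntry."""
    entries = []
    for e in ET.fromstring(xml_text).iter("authorizationEntry"):
        kind = "queue" if e.get("queue") is not None else "topic"
        acl = {op: set(filter(None, e.get(op, "").split(","))) for op in ("read", "write", "admin")}
        entries.append((kind, e.get(kind), acl))
    return entries

def allowed_groups(entries, kind, name, op):
    """Union of the groups granted `op` by every entry whose pattern matches `name`;
    the map collects all matching entries rather than only the most specific one."""
    groups = set()
    for k, pattern, acl in entries:
        if k == kind and pattern_matches(pattern, name):
            groups |= acl[op]
    return groups

def is_authorized(entries, user_groups, kind, name, op):
    return bool(set(user_groups) & allowed_groups(entries, kind, name, op))

ENTRIES = parse_entries(ACTIVEMQ_XML)
# Assumption: the broker looks a temporary queue's generated name up against the
# queue entries like any other name; it contains no '.', so only queue=">" matches,
# and that entry grants read only to "managers"; hence the error in the post.
TEMP_QUEUE = "ID:windowspc-2300-1152021141855-0:0:1"  # name from the posted error
```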