From: jgunz
To: users@activemq.apache.org
Date: Thu, 30 Aug 2007 06:52:01 -0700 (PDT)
Subject: Authorization/Security Question

I'm having trouble getting my head around some of ActiveMQ's authorization settings.
I have a relatively specific use case I'm trying to meet, but can't quite figure out what the appropriate permission settings are. The read and write permissions I understand. The admin and temporary destination permissions I do not.

I securely handle communication from a client side process to the server side ActiveMQ broker. All communication on the client is considered potentially malicious. I have two main groups of ActiveMQ users, server processes and client processes. An admin group can be used for overall administration.

Inbound traffic is pretty straightforward. The server processes can have read+write on all inbound.> topics as well as admin permissions. The client processes can have write access only to inbound.dirty.> topics. There's no real need for clients to create or remove any topics for inbound communication because the server processes.

Outbound traffic is where I get lost. I want to be able to create client specific topics (that is, topics intended for 1 authorized client that will have a customized message stream supplied by the server). I was envisioning having the client create temporary topics, so that they were the only ones who could consume them, and then sending these to the server to write to. These channels would live under outbound.private.> topics. In order to do this though, do I have to give clients admin privileges on outbound.private.>? This seems funny to me because ultimately I don't want clients to be able to see each other's private outbound channels and I certainly don't want them to be able to remove them.

So how should I appropriately permission the outbound topic hierarchy to only allow client reads, and further restrict certain topics to specific connections?

Any suggestions or comments would be greatly appreciated. Thanks.

--
View this message in context: http://www.nabble.com/Authorization-Security-Question-tf4354381s2354.html#a12407601
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
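One way to express the permission model described in this post as an ActiveMQ authorizationPlugin configuration; this is an added example, not code from the post or from the ActiveMQ project. It assumes ActiveMQ 5.x XML syntax and three JAAS groups named servers, clients and admins (the group names are assumptions).

```xml
<!-- activemq.xml fragment (added example, not from the post or the ActiveMQ project).
     Assumed JAAS groups: servers, clients, admins. -->
<plugins>
  <jaasAuthenticationPlugin configuration="activemq-domain"/>
  <authorizationPlugin>
    <map>
      <authorizationMap>
        <authorizationEntries>
          <!-- Inbound: server processes own the hierarchy; clients may only publish
               to inbound.dirty.>. Entries matching the same destination are combined
               (the group sets are unioned), so a more specific entry can add rights
               to what inbound.> grants but cannot take any away. -->
          <authorizationEntry topic="inbound.>"
                              read="servers,admins" write="servers,admins" admin="servers,admins"/>
          <authorizationEntry topic="inbound.dirty.>"
                              read="servers,admins" write="clients,servers,admins" admin="servers,admins"/>
          <!-- Outbound (shared streams): clients may only consume. No client gets admin
               here, so no client can create or remove named outbound topics. Group ACLs
               cannot tell two connections in the same group apart, so per-client
               isolation is handled below with temporary destinations instead. -->
          <authorizationEntry topic="outbound.>"
                              read="clients,servers,admins" write="servers,admins" admin="servers,admins"/>
          <!-- Advisory topics are used by the broker itself (e.g. temp-destination
               notices) and need to be open to every group that connects. -->
          <authorizationEntry topic="ActiveMQ.Advisory.>"
                              read="clients,servers,admins"
                              write="clients,servers,admins"
                              admin="clients,servers,admins"/>
        </authorizationEntries>
        <!-- Private per-client channels as temporary topics. A JMS temporary destination
             can only be consumed by the connection that created it, so granting 'admin'
             here lets a client create its own temp topic without any admin right on the
             named outbound hierarchy. Servers get 'write' so they can publish to the temp
             topic the client names in JMSReplyTo; they cannot create temp topics. -->
        <tempDestinationAuthorizationEntry>
          <tempDestinationAuthorizationEntry read="clients,servers,admins"
                                             write="servers,admins"
                                             admin="clients,servers,admins"/>
        </tempDestinationAuthorizationEntry>
      </authorizationMap>
    </map>
  </authorizationPlugin>
</plugins>
```

A temporary topic dies with the connection that created it, so the server should treat a send failure to a JMSReplyTo destination as the client having gone away rather than as an error to retry.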