activemq-users mailing list archives

From Joe Fernandez <joe.fernan...@ttmsolutions.com>
Subject Re: Protect queues access with password
Date Mon, 15 Sep 2008 17:21:45 GMT

Full access rights should always be given to the 'ActiveMQ.Advisory'
destinations, else your clients will receive the exception you got below.
See the 'Authorization Example' in the security page. 

http://activemq.apache.org/security.html

Regarding your last question, the only thought I have is to predefine the
destinations, via the broker xml file. Then you shouldn't have to grant
'admin' rights to the clients for the destinations, because they will have
already been created. However, in your case, you are using dynamic
destinations which you can't really predefine.   

Joe
Get a free ActiveMQ user guide @ http://www.ttmsolutions.com


Sandro Tosi wrote:
> 
> Perfect Joe, that works like a charm!!
> 
> But I still have some questions to ask :)
> 
> I even need to add the authentication for 'topic=">"' together with
> 'queue=">"' because otherwise no "dynamic" queue creation was possible (here I
> mean when Mule connects to ActiveMQ to read from a non-existing queue,
> that queue is "automatically" registered); not a big deal but still...
> 
> Another problem with that "dynamic queue creation": it seems I need to
> have an admin user to be able to create that queue: if I use
> "user/password" to log in from Mule I receive:
> 
> WARN  Service                        - Failed to remove connection
> ConnectionInfo {commandId = 1, responseRequired = true, connectionId =
> ID:de_tosisa-3398-1221496082109-0:0, clientId =
> ID:de_tosisa-3398-1221496082109-1:0, userName = user, password = password,
> brokerPath = null, brokerMasterConnector = false, manageable = true,
> clientMaster = true}
> java.lang.SecurityException: User user is not authorized to create:
> topic://ActiveMQ.Advisory.Connection
> 
> while using system/manager I got no problem. Is there a way to avoid
> granting admin rights to normal users or not?
> 
> TIA,
> Sandro
> 
> 
> Joe Fernandez wrote:
>> 
>> You have both the <jaasAuthenticationPlugin>  and
>> <simpleAuthenticationPlugin> elements defined, and the
>> <simpleAuthenticationPlugin> is outside the <broker> element. You can't
>> have both elements defined. I believe you were trying to use the
>> <simpleAuthenticationPlugin>. Here's an example. 
>> 
>> 
>>     <plugins>
>>       <simpleAuthenticationPlugin>
>>         <users>
>>           <authenticationUser username="system" password="manager" groups="users,admins"/>
>>           <authenticationUser username="user" password="password" groups="users"/>
>>           <authenticationUser username="guest" password="password" groups="guests"/>
>>         </users>
>>       </simpleAuthenticationPlugin>
>> 
>>       <!--  lets configure a destination based authorization mechanism -->
>>       <authorizationPlugin>
>>         <map>
>>           <authorizationMap>
>>             <authorizationEntries>
>>               <authorizationEntry queue=">" read="users,admins" write="users,admins" admin="admins" />
>>             </authorizationEntries>
>>           </authorizationMap>
>>         </map>
>>       </authorizationPlugin>
>> 
>>     </plugins>
>> 
>> If you're not using Camel, comment out or remove the <camelContext>
>> element if it exists in your config file.  If you are using Camel, then
>> consult the Camel site for info on how to configure Camel.
>> 
>> http://activemq.apache.org/camel/configuring-camel.html
>> 
>> Joe
>> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Protect-queues-access-with-password-tp19453220p19497324.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
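
The configuration discussed in this thread, as an added example that is not part of the original messages: the authorization entries from the quoted reply, extended with an entry that gives every group full rights on the 'ActiveMQ.Advisory' topics, plus a predefined destination. The queue name EXAMPLE.QUEUE and the exact group lists are assumptions made for illustration.

```xml
<!-- Fragment: both elements below go inside <broker> in the broker xml file. -->

<!-- Predefined destination: it exists when the broker starts, so clients do
     not need 'admin' rights to create it. EXAMPLE.QUEUE is a constructed name. -->
<destinations>
  <queue physicalName="EXAMPLE.QUEUE"/>
</destinations>

<plugins>
  <!-- The <simpleAuthenticationPlugin> from the quoted example goes here, unchanged. -->

  <authorizationPlugin>
    <map>
      <authorizationMap>
        <authorizationEntries>
          <!-- Application destinations: 'users' may read and write,
               only 'admins' may create or remove destinations. -->
          <authorizationEntry queue=">" read="users,admins" write="users,admins" admin="admins"/>
          <authorizationEntry topic=">" read="users,admins" write="users,admins" admin="admins"/>

          <!-- Advisory topics: full rights for every group. Without this entry a
               non-admin login fails with "not authorized to create:
               topic://ActiveMQ.Advisory.Connection", as in the log above. -->
          <authorizationEntry topic="ActiveMQ.Advisory.>"
                              read="guests,users,admins"
                              write="guests,users,admins"
                              admin="guests,users,admins"/>
        </authorizationEntries>
      </authorizationMap>
    </map>
  </authorizationPlugin>
</plugins>
```

With this layout 'admin' on application queues stays with the 'admins' group; dynamically created destinations still require it, which is the limitation the reply points out.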

