Message-ID: <19497324.post@talk.nabble.com>
Date: Mon, 15 Sep 2008 10:21:45 -0700 (PDT)
From: Joe Fernandez
To: users@activemq.apache.org
Subject: Re: Protect queues access with password
In-Reply-To: <19496448.post@talk.nabble.com>

Full access rights should always be given to the 'ActiveMQ.Advisory' destinations, else your clients will receive the exception you got below. See the 'Authorization Example' in the security page.

http://activemq.apache.org/security.html

Regarding your last question, the only thought I have is to predefine the destinations, via the broker xml file. Then you shouldn't have to grant 'admin' rights to the clients for the destinations, because they will have already been created. However, in your case, you are using dynamic destinations which you can't really predefine.

Joe
Get a free ActiveMQ user guide @ http://www.ttmsolutions.com

Sandro Tosi wrote:
>
> Perfect Joe, that works as a charm!!
>
> But I still got some question to ask :)
>
> I even need to add the authentication for 'topic=">"' together with
> 'queue=">"' because otherwise no "dynamic" queue creation was able (here I
> mean when Mule connects to ActiveMQ to read from a non-existing queue,
> that queue is "automatically" registered); not a big deal but still...
>
> Another problem with that "dynamic queue creation": it seems I need to
> have an admin user to be able to create that queue: if I use
> "user/password" to log in from Mule I receive:
>
> WARN Service - Failed to remove connection
> ConnectionInfo {commandId = 1, responseRequired = true, connectionId =
> ID:de_tosisa-3398-1221496082109-0:0, clientId =
> ID:de_tosisa-3398-1221496082109-1:0, userName = user, password = password,
> brokerPath = null, brokerMasterConnector = false, manageable = true,
> clientMaster = true}
> java.lang.SecurityException: User user is not authorized to create:
> topic://ActiveMQ.Advisory.Connection
>
> while using system/manager I got no problem. Is there a way to avoid
> granting admin rights to normal users or not?
>
> TIA,
> Sandro
>
>
> Joe Fernandez wrote:
>>
>> You have both the and
>> elements defined, and the
>> is outside the element. You can't
>> have both elements defined. I believe you were trying to use the
>> . Here's an example.
>>
>>
>>
>>
>>
> groups="users,admins"/>
>>
> groups="users"/>
>>
> groups="guests"/>
>>
>>
>>
>>
>>
>>
>>
>>
>>
> write="users,admins" admin="admins" />
>>
>>
>>
>>
>>
>>
>>
>> If you're not using Camel, comment out or remove the
>> element if it exists in your config file. If you are using Camel, then
>> consult the Camel site for info on how to configure Camel.
>>
>> http://activemq.apache.org/camel/configuring-camel.html
>>
>> Joe
>>
>
>
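
The two points in Joe's reply (open rights on the `ActiveMQ.Advisory` topics, and predefining destinations so ordinary users need no `admin` right) as a broker configuration sketch. This is an added example, not configuration posted in the thread: the queue name `orders.in` is hypothetical, and the user names, passwords and groups are the sample values mentioned in the thread.

```xml
<!-- Added example: fragment of activemq.xml, not from the original thread. -->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">

  <!-- Predefined destination (hypothetical name): created by the broker at
       startup, so a client never has to create it and needs no 'admin' right. -->
  <destinations>
    <queue physicalName="orders.in"/>
  </destinations>

  <plugins>
    <!-- Sample credentials from the thread; replace before real use. -->
    <simpleAuthenticationPlugin>
      <users>
        <authenticationUser username="system" password="manager"
                            groups="users,admins"/>
        <authenticationUser username="user" password="password"
                            groups="users"/>
      </users>
    </simpleAuthenticationPlugin>

    <authorizationPlugin>
      <map>
        <authorizationMap>
          <authorizationEntries>
            <!-- Default: only admins may read, write or create destinations. -->
            <authorizationEntry queue=">" read="admins" write="admins"
                                admin="admins"/>
            <authorizationEntry topic=">" read="admins" write="admins"
                                admin="admins"/>

            <!-- Ordinary users may consume from and produce to the predefined
                 queue; creating or removing it stays with admins. -->
            <authorizationEntry queue="orders.in" read="users" write="users"
                                admin="admins"/>

            <!-- Advisory topics are created on behalf of the connecting
                 client, so every group that connects needs full rights here.
                 Without this entry the broker raises "not authorized to
                 create: topic://ActiveMQ.Advisory.Connection". -->
            <authorizationEntry topic="ActiveMQ.Advisory.>" read="users,admins"
                                write="users,admins" admin="users,admins"/>
          </authorizationEntries>
        </authorizationMap>
      </map>
    </authorizationPlugin>
  </plugins>
</broker>
```

As Joe notes, this only helps for destinations known in advance; a client that reads from a queue that does not exist yet still needs the `admin` right on the matching entry.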