activemq-users mailing list archives

From Dmitry Efremov <dmitriy.yefre...@gmail.com>
Subject AuthorizationBroker and ActiveMQTempQueue
Date Fri, 29 May 2009 18:42:29 GMT

Hi,

We are trying to use temporary queues in ActiveMQ for clients to receive messages
from the server side. So we don't want to allow the server to create any new
temporary queue and want to allow it only to use existing ones which were passed
to it. We use permissions for that. We just denied the server-side user permission to
create temporary queues. But we get an error: User "name" does not authorized
to create queue: temp-queue://<name of queue>. But this temporary queue
exists. So we ran through the code and found this:

In AuthorizationBroker.java:

    public Destination addDestination(ConnectionContext context, ActiveMQDestination destination) throws Exception {
        final SecurityContext securityContext = (SecurityContext)context.getSecurityContext();
        if (securityContext == null) {
            throw new SecurityException("User is not authenticated.");
        }

        Destination existing = this.getDestinationMap().get(destination);
        if (existing != null) {
            return existing;
        }
....

        return super.addDestination(context, destination);
    }

When it checks, it tries to find whether that destination already exists, but the method
getDestinationMap() returns only information about Queue and Topic.

From RegionBroker.java:

    public Map<ActiveMQDestination, Destination> getDestinationMap() {
        Map<ActiveMQDestination, Destination> answer = getQueueRegion().getDestinationMap();
        answer.putAll(getTopicRegion().getDestinationMap());
        return answer;
    }

The question is: why don't you put in information about the TempQueue region and
the TempTopic region?


Permission configuration section:

    <plugins>
      <!--  use JAAS to authenticate using the login.config file on the classpath to configure JAAS -->
      <jaasAuthenticationPlugin configuration="activemq-domain" />

      <!--  lets configure a destination based authorization mechanism -->
      <authorizationPlugin>
        <map>
          <authorizationMap>
            <authorizationEntries>
              <authorizationEntry queue=">" read="Core,Client" write="Core,Client" admin="Core,Client"/>
              <authorizationEntry topic=">" read="Core,Client" write="Core,Client" admin="Core,Client"/>
              <authorizationEntry topic="ActiveMQ.Advisory.>" read="Core,Client" write="Core,Client" admin="Core,Client"/>
            </authorizationEntries>

            <tempDestinationAuthorizationEntry>
              <tempDestinationAuthorizationEntry read="Core,Client" write="Core,Client" admin="Client"/>
            </tempDestinationAuthorizationEntry>
          </authorizationMap>
        </map>
      </authorizationPlugin>

      <simpleAuthenticationPlugin>
        <users>
          <authenticationUser username="Client" password="" groups="Client"/>
          <authenticationUser username="Core" password="" groups="Core"/>
        </users>
      </simpleAuthenticationPlugin>
    </plugins>


Regards,
Dmitry Efremov.
-- 
View this message in context: http://www.nabble.com/AuthorizationBroker-and-ActiveMQTempQueue-tp23785153p23785153.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
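
Added example (not part of the original message and not ActiveMQ source): a simplified Java model of the lookup described above, showing why an existing temporary queue falls through to the create/admin check when the merged destination map covers only the queue and topic regions. The class, enum, method names and destination names are hypothetical, and the "all regions" variant illustrates the behaviour the poster asks about, not the project's actual fix.

```java
import java.util.*;

// Simplified model of the lookup described in the message; not ActiveMQ source.
public class TempDestinationLookupDemo {
    enum Region { QUEUE, TOPIC, TEMP_QUEUE, TEMP_TOPIC }

    // One destination map per region (hypothetical stand-in for the broker's regions).
    static final Map<Region, Map<String, String>> regions = new EnumMap<>(Region.class);

    // Merge the maps of the given regions into a single lookup view.
    static Map<String, String> destinationMap(Set<Region> included) {
        Map<String, String> answer = new HashMap<>();
        for (Region r : included) {
            answer.putAll(regions.getOrDefault(r, Map.of()));
        }
        return answer;
    }

    // Same shape as the quoted addDestination: an existing destination is returned
    // without an admin check; anything not found is treated as a create request.
    static String addDestination(String name, boolean hasAdmin, Set<Region> lookup) {
        if (destinationMap(lookup).get(name) != null) {
            return "existing";
        }
        if (!hasAdmin) {
            throw new SecurityException("not authorized to create: " + name);
        }
        return "created";
    }

    public static void main(String[] args) {
        // Constructed sample data: a temp queue that a client already created.
        regions.put(Region.QUEUE, new HashMap<>(Map.of("queue://orders", "orders")));
        regions.put(Region.TEMP_QUEUE, new HashMap<>(Map.of("temp-queue://ID:client-1:1", "reply")));

        String reply = "temp-queue://ID:client-1:1";
        try {
            // Lookup limited to queue + topic: the existing temp queue is not found,
            // so a user without admin rights is rejected.
            addDestination(reply, false, EnumSet.of(Region.QUEUE, Region.TOPIC));
        } catch (SecurityException e) {
            System.out.println("queue+topic lookup: " + e.getMessage());
        }
        // Lookup over every region: the temp queue is found and no admin right is needed.
        System.out.println("all-region lookup: "
                + addDestination(reply, false, EnumSet.allOf(Region.class)));
    }
}
```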

