activemq-users mailing list archives

From magellings <mark.gelli...@qg.com>
Subject Re: Dynamically setting activemq username password when logging into web console
Date Thu, 29 Oct 2009 20:18:50 GMT

From what I can tell even with JMX properly set up you still can't maintain
separate privs.  One user/password is hard-coded/configured to be used by
the web console at start up to connect to the broker.  I want to be able to
configure separate user/passwords to connect to the broker grabbed when the
user logs into the web console.  I already have the web console configured
for BASIC authentication with two different user/passwords (based on the
link in my original post) I just need to somehow use those to then connect
to the broker.

It's possible to configure different roles to be used when logging into the
web console.  But it is not possible to control the rights the user has
based on this.  Example:

web.xml

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>adminRealm</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>guest</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>adminRealm</realm-name>
  </login-config>

realm.properties

admin: MD5:6990a54322d9232390a784c5c9247dd6,admin
guest: MD5:084e0343a0486ff05530df6c705c8bb4,guest

With the above config I can log on as either admin or guest successfully
when entering the appropriate password at the basic authentication prompt.

I'd like guest to have read privs (see messages on queues, etc.), and admin
to have read/write privs (see messages on queues, delete messages, delete
queues, etc.).  In our scenario guest is producing a message and just wants
to verify the message has been created successfully on the queue.  Admin
owns the queue and the broker as they are on a separate development team
than user guest.  They do not want guest to be able to delete
messages/queues etc.  Right now we have no way to let guest see for
themselves that the message is on the queue unless we give them the admin
user/password for the basic authentication prompt when using the web
console.  If we give that out, we give out read/write privs to guest which
we don't want to do.

I think for this to be possible two separate connections would need to be
maintained to the broker, one for guest and one for admin so as the
simpleAuthenticationPlugin and authorizationPlugin can be used based on the
user/password used to log on.  Ideally the user/password entered during a
basic authentication prompt could be mapped to the same user/password used
to connect to the broker.  Maybe this isn't possible if the web console only
maintains one connection to the broker.  Maybe the web console would need to
be enhanced with a user/group security section to control what privs in the
web console the logged on user has.  An admin could then control whether a
user has the right to delete a message, a queue, etc. and the web console
has the smarts to display the delete link or not based on the privs of the
logged on user.

Not sure if this was ever discussed.  Maybe a jira should be created and the
functionality request backlogged???

-- 
View this message in context: http://www.nabble.com/Dynamically-setting-activemq-username-password-when-logging-into-web-console-tp26118677p26120009.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
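The broker-side counterpart to the above, added here as an illustration and not taken from the original post or from the ActiveMQ project, is the plugin section of activemq.xml that the post refers to when it mentions simpleAuthenticationPlugin and authorizationPlugin. The usernames admin and guest come from the post; the passwords, the group names (admins, guests), the brokerName and the file path are assumptions chosen for the example. It grants guest read-only access and admin read, write and admin rights on every queue:

```xml
<!-- Example activemq.xml fragment (illustrative, not the project's shipped config).
     Usernames admin/guest follow the post; passwords and group names are assumed. -->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">

  <plugins>
    <!-- Authentication: which credentials a connection may present,
         and which groups each user belongs to. -->
    <simpleAuthenticationPlugin>
      <users>
        <authenticationUser username="admin" password="change-me-admin" groups="admins"/>
        <authenticationUser username="guest" password="change-me-guest" groups="guests"/>
      </users>
    </simpleAuthenticationPlugin>

    <!-- Authorization: what each group may do per destination.
         read  = consume/browse, write = produce, admin = create/delete destinations. -->
    <authorizationPlugin>
      <map>
        <authorizationMap>
          <authorizationEntries>
            <!-- ">" is the ActiveMQ wildcard for "this and everything below it".
                 guests can only read; admins can read, write and delete. -->
            <authorizationEntry queue=">" read="admins,guests" write="admins" admin="admins"/>
            <authorizationEntry topic=">" read="admins,guests" write="admins" admin="admins"/>

            <!-- Every client must be able to use the advisory topics, otherwise
                 ordinary connections fail with a security exception. -->
            <authorizationEntry topic="ActiveMQ.Advisory.>"
                                read="admins,guests" write="admins,guests" admin="admins,guests"/>
          </authorizationEntries>
        </authorizationMap>
      </map>
    </authorizationPlugin>
  </plugins>

</broker>
```

This config enforces the guest/admin split for any JMS client that connects with those credentials. As the post points out, it does not by itself give the web console per-login privileges: the console opens its connection with one configured identity, so the broker only ever sees that one user and applies that user's entry. Two further points a practitioner should check: the `MD5:` form in Jetty's realm.properties is an unsalted MD5 of the password, so the realm file must be protected as if it held plaintext; and authorization entries are evaluated by group, so a user left out of every group gets no access at all, which is the safe default when adding a new login.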

