activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dejan Bosanac <>
Subject Re: Dynamically setting activemq username password when logging into web console
Date Fri, 30 Oct 2009 08:56:50 GMT

web console doesn't support fine-grained authorization at the moment. The
jira would be great for starters, if you can provide a patch it'd be even

Dejan Bosanac -

Open Source Integration -
ActiveMQ in Action -
Blog -

On Thu, Oct 29, 2009 at 9:18 PM, magellings <> wrote:

> From what I can tell even with JMX properly set up you still can't maintain
> seperate privs.  One user/password is hard-coded/configured to be used by
> the web console at start up to connect to the broker.  I want to be able to
> configure separate user/passwords to connect to the broker grabbed when the
> user logs into the web console.  I already have the web console configured
> for BASIC authentication with two different user/passwords (based on the
> link in my original post) I just need to somehow use those to then connect
> to the broker.
> It's possible to configure different roles to be used when logging into the
> web console.  But it is not possible to control the rights the user has
> based on this.  Example:
> web.xml
>  <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>adminRealm</web-resource-name>
>      <url-pattern>/*</url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>admin</role-name>
>      <role-name>guest</role-name>
>    </auth-constraint>
>  </security-constraint>
>  <login-config>
>    <auth-method>BASIC</auth-method>
>    <realm-name>adminRealm</realm-name>
>  </login-config>
> admin: MD5:6990a54322d9232390a784c5c9247dd6,admin
> guest: MD5:084e0343a0486ff05530df6c705c8bb4,guest
> With the above config I can log on as either admin or guest successfully
> when entering the appropriate password at the basic authentication prompt.
> I'd like guest to have read privs (see messages on queues, etc.), and admin
> to have read/write privs (see messages on queues, delete messages, delete
> queues, etc.).  In our scenario guest is producing a message and just wants
> to verify the message has been created successfully on the queue.  Admin
> owns the queue and the broker as they are on a separate development team
> than user guest.  They do not want guest to be able to delete
> messages/queues etc.  Right now we have no way to let guest see for
> themselves that the message is on the queue unless we give them the admin
> user/password for the basic authentication prompt when using the web
> console.  If we give that out, we give out read/write privs to guest which
> we don't want to do.
> I think for this to be possible two separate connections would need to be
> maintained to the broker, one for guest and one for admin so as the
> simpleAuthenticationPlugin and authorizationPlugin can be used based on the
> user/password used to log on.  Ideally the user/password entered during a
> basic authentication prompt could be mapped to the same user/password used
> to connect to the broker.  Maybe this isn't possible if the web console
> only
> maintains one connection to the broker.  Maybe the web console would need
> to
> be enhanced with a user/group security section to control what privs in the
> web console the logged on user has.  An admin could then control whether a
> user has the right to delete a message, a queue, etc. and the web console
> has the smarts to display the delete link or not based on the privs of the
> logged on user.
> Not sure if this was ever discussed.  Maybe a jira should be created and
> the
> functionality request backlogged???
> --
> View this message in context:
> Sent from the ActiveMQ - User mailing list archive at

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message