activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Davies <>
Subject Re: Message-Level Authorization between brokers?
Date Wed, 26 May 2010 07:05:23 GMT
Hi Jim,

could you supply a patch ? - not sure I understand your use case - or why you would apply
it only to networks ?


On 26 May 2010, at 01:45, Jim Lloyd wrote:

> I've done more research and I think I know better where ActiveMQ would
> support my desired feature, and it seems the support isn't quite there. I
> think I want to be able to create a plugin that allows me to customize the
> behavior of DemandForwardingBridgeSupport.isPermissableDestination(). This
> is the code that implements the logic for
> networkConnector's excludedDestinations, dynamicallyIncludedDestinations,
> and staticallyIncludedDestinations. Unfortunately these don't give me the
> flexiblity I need. Is it reasonable to provide a hook
> like MessageAuthorizationPolicy.isAllowedToConsume so that I could plugin my
> own isPermissableDestination()?
> FYI I need a feature where I can deny access to a wild card topic and then
> selectively allow access to a specific (non-wildcarded) topic matching the
> denied wild card. But I need to do this based on the logged in user on the
> connection.
> Thanks,
> Jim
> On Tue, May 25, 2010 at 1:08 PM, Jim Lloyd <>wrote:
>> Can a BrokerFilter be used to message-level authorization of messages sent
>> from one broker to another in a network of brokers?
>> Suppose you have a hub and spoke architecture, where there may be many
>> 'spoke brokers' that connect to one hub broker using duplex connections. In
>> this topology, we want to have all security policies enforced in the hub
>> broker (i.e. assume that spoke brokers can be compromised). We have
>> partitioned our topic namespace so that each spoke broker has a well-defined
>> subset of topics that it may use. I have implemente a custom
>> AuthorizationMap that can prevent a client on one spoke from subscribing to
>> topics from another spoke. However, Advisory messages are propagated to all
>> brokers, so one can look at the Jetty admin console and see the entire
>> namespace of all topics. I'd like to do message-level filtering of
>> advisories so that each spoke only sees advisories for its subset of topics.
>> It appeared to me that Message-Level Authorization would give me the hook I
>> need, but I discovered that this applies only to filtering of messages
>> between client applications and a broker, whereas I need the filtering on
>> the network connection between brokers.
>> I'm now studying the BrokerFilter interface which seems promising, but I'd
>> appreciate it if anyone can save me some time by telling me either that 1)
>> no, BrokerFilter can't do this, or 2) yes, BrokerFilter can, and then give
>> short outline of how to do it.
>> Thanks,
>> Jim Lloyd

View raw message