activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Lloyd <>
Subject Message-Level Authorization between brokers?
Date Tue, 25 May 2010 20:08:44 GMT
Can a BrokerFilter be used to message-level authorization of messages sent
from one broker to another in a network of brokers?

Suppose you have a hub and spoke architecture, where there may be many
'spoke brokers' that connect to one hub broker using duplex connections. In
this topology, we want to have all security policies enforced in the hub
broker (i.e. assume that spoke brokers can be compromised). We have
partitioned our topic namespace so that each spoke broker has a well-defined
subset of topics that it may use. I have implemente a custom
AuthorizationMap that can prevent a client on one spoke from subscribing to
topics from another spoke. However, Advisory messages are propagated to all
brokers, so one can look at the Jetty admin console and see the entire
namespace of all topics. I'd like to do message-level filtering of
advisories so that each spoke only sees advisories for its subset of topics.

It appeared to me that Message-Level Authorization would give me the hook I
need, but I discovered that this applies only to filtering of messages
between client applications and a broker, whereas I need the filtering on
the network connection between brokers.

I'm now studying the BrokerFilter interface which seems promising, but I'd
appreciate it if anyone can save me some time by telling me either that 1)
no, BrokerFilter can't do this, or 2) yes, BrokerFilter can, and then give
short outline of how to do it.

Jim Lloyd

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message