activemq-users mailing list archives

From Dejan Bosanac <de...@nighttale.net>
Subject Re: Fully programmatic authorization map
Date Thu, 20 May 2010 10:14:49 GMT
Hi Jim,

the best way is to look at the source code of the current plugin
implementation.

You can find it in org.apache.activemq.security package.

For a quick preview, you can use this URL:

http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security

Cheers
--
Dejan Bosanac - http://twitter.com/dejanb

Open Source Integration - http://fusesource.com/
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net


On Wed, May 19, 2010 at 2:33 PM, Jim Lloyd <jlloyd@silvertailsystems.com> wrote:

> I'd like to implement an authorization plugin that would allow me to
> implement a fully automatic authorization policy. Here's an outline of what
> I want:
>
> We have a broker that is a hub in a hub & spoke topology network of
> brokers. All connections to this hub broker are via SSL and the hub broker
> requires SSL client authentication. We require the client certificates to
> always be of a form where the Common Name (CN) of the certificate defines
> the user. So, for example, if we instead used a
> jaas.TextFileCertificateLoginModule the user.properties file would look
> like this:
>
> user1=CN=user1,O=Silver Tail Systems,ST=California,C=US
> userFoo=CN=userFoo,O=Silver Tail Systems,ST=California,C=US
> ...
> userZeta=CN=userZeta,O=Silver Tail Systems,ST=California,C=US
>
> Meanwhile, the AuthorizationMap we want would look something like this:
>
> <authorizationPlugin>
>   <map>
>     <authorizationMap>
>       <authorizationEntries>
>         <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
>         <authorizationEntry topic="user1.>" read="user1" write="user1" admin="user1" />
>         <authorizationEntry topic="userFoo.>" read="userFoo" write="userFoo" admin="userFoo" />
>         ...
>         <authorizationEntry topic="userZeta.>" read="userZeta" write="userZeta" admin="userZeta" />
>         <authorizationEntry topic="ActiveMQ.Advisory.>" read="all" write="all" admin="all"/>
>       </authorizationEntries>
>     </authorizationMap>
>   </map>
> </authorizationPlugin>
>
> If we use jaas.TextFileCertificateLoginModule, we have to update the
> users.properties, groups.properties file and the authorizationMap in the
> activemq.xml file every time we add a user. We can automate this with
> scripting, but a more elegant solution would be to write our own plugin(s)
> to implement this policy. I'm in the process of scoping this effort, and so
> far I haven't found anything other than javadocs on the various classes to
> guide me. Can anyone provide a high level outline of how I would implement
> this?
>
> Thanks,
> Jim Lloyd
> Silver Tail Systems
>
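
The per-user namespace rule from the quoted authorization map, written as a stand-alone Java decision function. This is an added example, not code from the thread or from ActiveMQ; the class and method names, the admin set and the CN character whitelist are assumptions, and wiring the decision into a broker plugin is not shown.

```java
import java.util.Set;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Hypothetical helper: decides topic access from the client certificate's subject DN. */
public class CnNamespacePolicy {
    // Assumption: user names may not contain '.', '>' or '*', which are the
    // separator and wildcard characters in ActiveMQ destination names.
    private static final Pattern SAFE_CN = Pattern.compile("[A-Za-z0-9_-]+");
    private final Set<String> admins; // assumed set of admin user names

    public CnNamespacePolicy(Set<String> admins) { this.admins = admins; }

    /** Returns the single CN of the DN, or null if it is absent, repeated or unsafe. */
    static String userFromDn(String subjectDn) {
        String cn = null;
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                if (rdn.size() != 1) return null;            // reject multi-valued RDNs
                if (!"CN".equalsIgnoreCase(rdn.getType())) continue;
                if (cn != null) return null;                 // more than one CN is ambiguous
                cn = String.valueOf(rdn.getValue());
            }
        } catch (InvalidNameException e) {
            return null;                                     // unparsable DN
        }
        return (cn != null && SAFE_CN.matcher(cn).matches()) ? cn : null;
    }

    /** One rule for read, write and admin, as in the quoted map. */
    public boolean isAllowed(String subjectDn, String topic) {
        String user = userFromDn(subjectDn);
        if (user == null) return false;                      // fail closed
        if (admins.contains(user)) return true;              // topic=">" for admins
        if (topic.startsWith("ActiveMQ.Advisory.")) return true; // open to all
        return topic.startsWith(user + ".");                 // the "<user>.>" namespace
    }

    public static void main(String[] args) {
        CnNamespacePolicy p = new CnNamespacePolicy(Set.of("opsAdmin")); // constructed value
        String dn = "CN=user1,O=Silver Tail Systems,ST=California,C=US";
        System.out.println(p.isAllowed(dn, "user1.events"));   // own namespace
        System.out.println(p.isAllowed(dn, "userFoo.events")); // another user's namespace
        System.out.println(p.isAllowed("CN=user1.x,O=Silver Tail Systems", "user1.x.a"));
    }
}
```

Rejecting CNs that contain destination separators or wildcards keeps a certificate's name from mapping onto a namespace other than its own once the static map entries are replaced by a computed rule.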
