activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dejan Bosanac <de...@nighttale.net>
Subject Re: Fully programmatic authorization map
Date Fri, 21 May 2010 20:08:53 GMT
Hi Jim,

it can be set of any objects you need. The only thing is that they can be
matched using equals() method. Take a look at SecurityContext.isInOneOf()
method, which is used for authorization purposes. For example
JaasSecurityContext is dealing with Subject objects set by
JaasAuthenticationBroker.addConnection().

Hope this helps

Cheers
--
Dejan Bosanac - http://twitter.com/dejanb

Open Source Integration - http://fusesource.com/
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net


On Thu, May 20, 2010 at 12:21 PM, Jim Lloyd <jlloyd@silvertailsystems.com>wrote:

> Dejan and James,
>
> I'm looking at the JAAS plugins now and yes this approach for deriving the
> user and group from a certificate looks pretty clear, and this will save me
> a lot of time. Thanks!
>
> Can either of you give me a similar guidance for how I would do the
> AuthorizationMap piece? It looks like I can simply implement
> AuthorizationMap, but the return type of Set<?> for the methods seems
> highly
> under-constrained. The comments say that the methods return ACLs, but its
> not obvious to me what forms the ACLs take. Looking at
> SimpleAuthorizationMap, I see that it is primarily delegating to
> DestinationMap, but DestinationMap (and its helper DestinationMapNode,
> DestinationMapEntry) is just complex enough that I haven't been able to
> figure it out from just browsing the code. I have a hunch that one of you
> can give me some quick pointers here that will also save me a lot of time.
>
> Thanks,
> Jim
>
>
> On Thu, May 20, 2010 at 6:13 AM, Dejan Bosanac <dejan@nighttale.net>
> wrote:
>
> > Hi James,
> >
> > thanks for adding this info. I totally forgot to mention activemq-jaas.
> >
> > Cheers
> > --
> > Dejan Bosanac - http://twitter.com/dejanb
> >
> > Open Source Integration - http://fusesource.com/
> > ActiveMQ in Action - http://www.manning.com/snyder/
> > Blog - http://www.nighttale.net
> >
> >
> > On Thu, May 20, 2010 at 8:34 AM, James Casey <jamesc.000@gmail.com>
> wrote:
> >
> > > Hi Jim,
> > >
> > > What Dejan has pointed you at is the classes that have all the various
> > > plugin methods for doing Auth in ActiveMQ by inserting a Broker object
> > > into the chain which is called during a connection.  It would be
> > > possible to write a custom Broker subclass here that does what you
> > > want, but I think it would be easier inside JAAS.
> > >
> > > What I'd suggest is you use the standard
> > > JaasCettificateAuthenticationPlugin and do the work in a JAAS plugin.
> > >
> > > The JAAS plugins are in
> > >
> > >
> >
> http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-jaas/src/main/java/org/apache/activemq/jaas
> > > .
> > >
> > > I would suggest to create a subclass of CertificateLoginModule and
> > > override the getUserNameForCertificate method to extract and return
> > > the CN.  If you look at TextFileCertificateLoginModule.java you can
> > > see the logic it uses to extract the DN and match against entries in
> > > the file - you would just need to write a simpler version which just
> > > pulls out the CN from the client DN. Then you hook it into ActiveMQ
> > > via a login.config file pointing at your custom class.
> > >
> > > Let me know if this makes sense or if you need any more info.
> > >
> > > cheers,
> > >
> > > James.
> > >
> > >
> > > On 20 May 2010 12:14, Dejan Bosanac <dejan@nighttale.net> wrote:
> > > > Hi Jim,
> > > >
> > > > the best way is to look at the source code of the current plugin
> > > > implementation.
> > > >
> > > > You can find it in org.apache.activemq.security package.
> > > >
> > > > For a quick preview, you can use this URL:
> > > >
> > > >
> > >
> >
> http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security
> > > >
> > > > Cheers
> > > > --
> > > > Dejan Bosanac - http://twitter.com/dejanb
> > > >
> > > > Open Source Integration - http://fusesource.com/
> > > > ActiveMQ in Action - http://www.manning.com/snyder/
> > > > Blog - http://www.nighttale.net
> > > >
> > > >
> > > > On Wed, May 19, 2010 at 2:33 PM, Jim Lloyd <
> > jlloyd@silvertailsystems.com
> > > >wrote:
> > > >
> > > >> I'd like to implement an authorization plugin that would allow me
to
> > > >> implement a fully automatic authorization policy. Here's an outline
> of
> > > what
> > > >> I want:
> > > >>
> > > >> We have a broker that is a hub in a hub & spoke topology network
of
> > > >> brokers.
> > > >> A connections to this hub broker are via SSL and the hub broker
> > requires
> > > >> SSL
> > > >> client authentication. We require the client certificates to always
> be
> > > of a
> > > >> form where the Common Name (CN) of the certificate defines the user.
> > So,
> > > >> for
> > > >> example, if we instead used a jaas.TextFileCertificateLoginModule
> the
> > > >> user.properties file would look like this:
> > > >>
> > > >> user1=CN=user1,O=Silver Tail Systems,ST=California,C=US
> > > >> userFoo=CN=userFoo,O=Silver Tail Systems,ST=California,C=US
> > > >> ...
> > > >> userZeta=CN=userZeta,O=Silver Tail Systems,ST=California,C=US
> > > >>
> > > >> Meanwhile, the AuthorizationMap we want would look something like
> > this:
> > > >>
> > > >> <authorizationPlugin>
> > > >> <map>
> > > >> <authorizationMap>
> > > >> <authorizationEntries>
> > > >> <authorizationEntry topic=">" read="admins" write="admins"
> > > admin="admins"
> > > >> />
> > > >> <authorizationEntry topic="user1.>" read="user1" write="user1"
> > > >> admin="user1"
> > > >> />
> > > >> <authorizationEntry topic="userFoo.>" read="userFoo" write="userFoo"
> > > >> admin="userFoo" />
> > > >> ...
> > > >> <authorizationEntry topic="userZeta.>" read="userZeta"
> > write="userZeta"
> > > >> admin="userZeta" />
> > > >> <authorizationEntry topic="ActiveMQ.Advisory.>" read="all"
> write="all"
> > > >> admin="all"/>
> > > >> </authorizationEntries>
> > > >> </authorizationMap>
> > > >> </map>
> > > >> </authorizationPlugin>
> > > >>
> > > >> If we use jaas.TextFileCertificateLoginModule, we have to update the
> > > >> users.properties, groups.properties file and the authorizationMap
in
> > the
> > > >> activemq.xml file every time we add a user. We can automate this
> with
> > > >> scripting, but a more elegant solution would be to write our own
> > > plugin(s)
> > > >> to implement this policy. I'm in the process of scoping this effort,
> > and
> > > so
> > > >> far I haven't found anything other than javadocs on the various
> > classes
> > > to
> > > >> guide me. Can anyone provide a high level outline of how I would
> > > implement
> > > >> this?
> > > >>
> > > >> Thanks,
> > > >> Jim Lloyd
> > > >> Silver Tail Systems
> > > >>
> > > >
> > >
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message