activemq-users mailing list archives

From James Casey <jamesc....@gmail.com>
Subject Re: Fully programmatic authorization map
Date Thu, 20 May 2010 12:34:04 GMT
Hi Jim,

What Dejan has pointed you at are the classes that have all the various
plugin methods for doing auth in ActiveMQ by inserting a Broker object
into the chain which is called during a connection. It would be
possible to write a custom Broker subclass here that does what you
want, but I think it would be easier inside JAAS.

What I'd suggest is you use the standard
JaasCertificateAuthenticationPlugin and do the work in a JAAS plugin.

The JAAS plugins are in
http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-jaas/src/main/java/org/apache/activemq/jaas.

I would suggest creating a subclass of CertificateLoginModule and
overriding the getUserNameForCertificate method to extract and return
the CN. If you look at TextFileCertificateLoginModule.java you can
see the logic it uses to extract the DN and match against entries in
the file - you would just need to write a simpler version which just
pulls out the CN from the client DN. Then you hook it into ActiveMQ
via a login.config file pointing at your custom class.

Let me know if this makes sense or if you need any more info.

cheers,

James.


On 20 May 2010 12:14, Dejan Bosanac <dejan@nighttale.net> wrote:
> Hi Jim,
>
> the best way is to look at the source code of the current plugin
> implementation.
>
> You can find it in org.apache.activemq.security package.
>
> For a quick preview, you can use this URL:
>
> http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security
>
> Cheers
> --
> Dejan Bosanac - http://twitter.com/dejanb
>
> Open Source Integration - http://fusesource.com/
> ActiveMQ in Action - http://www.manning.com/snyder/
> Blog - http://www.nighttale.net
>
>
> On Wed, May 19, 2010 at 2:33 PM, Jim Lloyd <jlloyd@silvertailsystems.com> wrote:
>
>> I'd like to implement an authorization plugin that would allow me to
>> implement a fully automatic authorization policy. Here's an outline of what
>> I want:
>>
>> We have a broker that is a hub in a hub & spoke topology network of brokers.
>> All connections to this hub broker are via SSL, and the hub broker requires
>> SSL client authentication. We require the client certificates to always be
>> of a form where the Common Name (CN) of the certificate defines the user.
>> So, for example, if we instead used a jaas.TextFileCertificateLoginModule
>> the user.properties file would look like this:
>>
>> user1=CN=user1,O=Silver Tail Systems,ST=California,C=US
>> userFoo=CN=userFoo,O=Silver Tail Systems,ST=California,C=US
>> ...
>> userZeta=CN=userZeta,O=Silver Tail Systems,ST=California,C=US
>>
>> Meanwhile, the AuthorizationMap we want would look something like this:
>>
>> <authorizationPlugin>
>>   <map>
>>     <authorizationMap>
>>       <authorizationEntries>
>>         <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
>>         <authorizationEntry topic="user1.>" read="user1" write="user1" admin="user1" />
>>         <authorizationEntry topic="userFoo.>" read="userFoo" write="userFoo" admin="userFoo" />
>>         ...
>>         <authorizationEntry topic="userZeta.>" read="userZeta" write="userZeta" admin="userZeta" />
>>         <authorizationEntry topic="ActiveMQ.Advisory.>" read="all" write="all" admin="all" />
>>       </authorizationEntries>
>>     </authorizationMap>
>>   </map>
>> </authorizationPlugin>
>>
>> If we use jaas.TextFileCertificateLoginModule, we have to update the
>> users.properties, groups.properties file and the authorizationMap in the
>> activemq.xml file every time we add a user. We can automate this with
>> scripting, but a more elegant solution would be to write our own plugin(s)
>> to implement this policy. I'm in the process of scoping this effort, and so
>> far I haven't found anything other than javadocs on the various classes to
>> guide me. Can anyone provide a high level outline of how I would implement
>> this?
>>
>> Thanks,
>> Jim Lloyd
>> Silver Tail Systems
>>
>
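The login module James describes, written out as an added example; this is not code from the thread or from ActiveMQ itself. It assumes the hooks on org.apache.activemq.jaas.CertificateLoginModule are named getUserNameForCertificates and getUserGroups as in the activemq-jaas source (if your copy spells them differently, match its abstract methods). The package and class names, the "activemq-cert" realm name, the reserved-group check and the CN character whitelist are choices made for this example.

```java
package com.example.activemq.auth;  // hypothetical package name for this example

import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

import org.apache.activemq.jaas.CertificateLoginModule;

/**
 * JAAS login module for ActiveMQ's JaasCertificateAuthenticationPlugin that
 * takes the user name from the CN of the client certificate, so nothing has
 * to be added to users.properties / groups.properties per user.
 *
 * login.config (the realm name "activemq-cert" is this example's choice):
 *   activemq-cert {
 *       com.example.activemq.auth.CnCertificateLoginModule required;
 *   };
 * activemq.xml:
 *   <plugins>
 *     <jaasCertificateAuthenticationPlugin configuration="activemq-cert"/>
 *     ...
 *   </plugins>
 */
public class CnCertificateLoginModule extends CertificateLoginModule {

    /** Group every authenticated client gets (Jim's ActiveMQ.Advisory.> entry uses "all"). */
    static final String EVERYONE_GROUP = "all";

    /** Group names the authorization map grants special rights to; a CN must never become one. */
    static final Set<String> RESERVED_GROUPS =
            new HashSet<String>(Arrays.asList("admins", EVERYONE_GROUP));

    /** Only CNs usable as a destination path segment: no '.', '*', '>' or whitespace. */
    static final Pattern SAFE_CN = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    @Override
    protected String getUserNameForCertificates(X509Certificate[] certs) throws LoginException {
        if (certs == null || certs.length == 0) {
            throw new FailedLoginException("no client certificate presented");
        }
        // certs[0] is the end-entity certificate; the TLS layer has already checked
        // its chain against the broker's trust store. Any CA in that trust store can
        // therefore mint a user name, so keep the trust store to your own issuing CA.
        String dn = certs[0].getSubjectX500Principal().getName();
        String cn = extractCn(dn);
        if (cn == null || !SAFE_CN.matcher(cn).matches()) {
            throw new FailedLoginException("certificate CN missing or not usable as a user name: " + dn);
        }
        if (RESERVED_GROUPS.contains(cn)) {
            throw new FailedLoginException("certificate CN collides with a reserved group: " + cn);
        }
        return cn;
    }

    @Override
    protected Set<String> getUserGroups(String username) throws LoginException {
        // A group named after the user is what lets an entry such as
        //   <authorizationEntry topic="user1.>" read="user1" write="user1" admin="user1"/>
        // work without a groups.properties line.
        Set<String> groups = new HashSet<String>();
        groups.add(username);
        groups.add(EVERYONE_GROUP);
        return groups;
    }

    /**
     * Parses the DN as RFC 2253 and returns the value of the leftmost CN RDN, or
     * null if there is none. Parsing rather than searching for the text "CN="
     * means an O or OU value that happens to contain "CN=" cannot be mistaken
     * for the name.
     */
    static String extractCn(String dn) {
        try {
            LdapName name = new LdapName(dn);
            // LdapName indexes RDNs right to left, so the leftmost CN has the highest index.
            for (int i = name.size() - 1; i >= 0; i--) {
                Rdn rdn = name.getRdn(i);
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
            return null;
        } catch (InvalidNameException e) {
            return null;
        }
    }
}
```

Two things to keep in mind with this approach: the user name is only as trustworthy as the CAs in the broker's trust store, because any of them can issue a certificate with an arbitrary CN; and since a CN turns into a group name, a certificate with CN=admins would otherwise inherit the rights of the "admins" group in the map, which is why the reserved-group check is there.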

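For the authorization half of Jim's question (the subject of the thread), an added example that is not code from the thread or from ActiveMQ: an AuthorizationMap implementation that computes the ACLs Jim's XML spells out per user, so no authorizationEntry has to be added when a user is added. It assumes the org.apache.activemq.security.AuthorizationMap interface and org.apache.activemq.jaas.GroupPrincipal as found in the source Dejan linked, and that the JAAS side reports each user as a member of a group named after their CN plus a group "all" (which is what Jim's users/groups files express). The package and class names and the handling of queues and temporary destinations are this example's choices.

```java
package com.example.activemq.auth;  // hypothetical package name for this example

import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.activemq.command.ActiveMQDestination;
import org.apache.activemq.jaas.GroupPrincipal;
import org.apache.activemq.security.AuthorizationMap;

/**
 * Computes ACLs from the destination name instead of a static list of
 * authorizationEntry elements. The rules are the ones in Jim's XML:
 *   ">"                    -> admins
 *   "<owner>.>"            -> group named <owner> (plus admins)
 *   "ActiveMQ.Advisory.>"  -> all (plus admins)
 * Everything else (queues, single-segment topics) is admins-only.
 *
 * activemq.xml wiring:
 *   <authorizationPlugin>
 *     <map>
 *       <bean xmlns="http://www.springframework.org/schema/beans"
 *             class="com.example.activemq.auth.OwnerPrefixAuthorizationMap"/>
 *     </map>
 *   </authorizationPlugin>
 */
public class OwnerPrefixAuthorizationMap implements AuthorizationMap {

    private static final String ADMIN_GROUP = "admins";
    private static final String EVERYONE_GROUP = "all";

    private final Set<Object> adminsOnly = acl(ADMIN_GROUP);
    private final Set<Object> everyone = acl(ADMIN_GROUP, EVERYONE_GROUP);

    public Set<Object> getReadACLs(ActiveMQDestination destination)  { return aclsFor(destination); }
    public Set<Object> getWriteACLs(ActiveMQDestination destination) { return aclsFor(destination); }
    public Set<Object> getAdminACLs(ActiveMQDestination destination) { return aclsFor(destination); }

    // Temporary destinations are per-connection; this example lets every authenticated
    // client use its own. That is a choice for the example, not something the thread specifies.
    public Set<Object> getTempDestinationReadACLs()  { return everyone; }
    public Set<Object> getTempDestinationWriteACLs() { return everyone; }
    public Set<Object> getTempDestinationAdminACLs() { return everyone; }

    /**
     * Always returns a non-null set: an empty set denies everyone but the broker
     * itself, whereas AuthorizationBroker treats a null ACL set as unrestricted,
     * so a bug that returns null would silently open a destination.
     */
    private Set<Object> aclsFor(ActiveMQDestination destination) {
        if (!destination.isTopic()) {
            return adminsOnly;          // queues have no entry in Jim's map; keep them closed
        }
        String name = destination.getPhysicalName();
        if (name.startsWith("ActiveMQ.Advisory.")) {
            return everyone;
        }
        String owner = ownerOf(name);
        if (owner == null) {
            return adminsOnly;          // ">" itself, or a topic with no "<owner>." prefix
        }
        // Wildcard subscriptions are checked with their pattern as the name, so a
        // consumer on "user1.>" gets owner "user1" and ">" gets null, as intended.
        return acl(ADMIN_GROUP, owner);
    }

    /** "user1.events.x" -> "user1"; "user1" or ">" -> null (no owned prefix). */
    static String ownerOf(String physicalName) {
        int dot = physicalName.indexOf('.');
        if (dot <= 0) {
            return null;
        }
        return physicalName.substring(0, dot);
    }

    private static Set<Object> acl(String... groups) {
        Set<Object> acls = new HashSet<Object>();
        for (String group : groups) {
            acls.add(new GroupPrincipal(group));
        }
        return Collections.unmodifiableSet(acls);
    }
}
```

The map only works if the group name the login module produces is exactly the first segment of the topic name, so the login module must refuse CNs containing '.', '*' or '>' (and must never hand out "admins" or "all" as a user-derived group); otherwise a certificate with CN "user1.anything" or CN "admins" would get more than its own subtree.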