activemq-users mailing list archives

From Jim Lloyd <jll...@silvertailsystems.com>
Subject Re: Message-Level Authorization between brokers?
Date Wed, 26 May 2010 00:45:25 GMT
I've done more research and I think I know better where ActiveMQ would
support my desired feature, and it seems the support isn't quite there. I
think I want to be able to create a plugin that allows me to customize the
behavior of DemandForwardingBridgeSupport.isPermissableDestination(). This
is the code that implements the logic for
networkConnector's excludedDestinations, dynamicallyIncludedDestinations,
and staticallyIncludedDestinations. Unfortunately these don't give me the
flexibility I need. Is it reasonable to provide a hook
like MessageAuthorizationPolicy.isAllowedToConsume so that I could plug in my
own isPermissableDestination()?

FYI I need a feature where I can deny access to a wild card topic and then
selectively allow access to a specific (non-wildcarded) topic matching the
denied wild card. But I need to do this based on the logged in user on the
connection.

Thanks,
Jim


On Tue, May 25, 2010 at 1:08 PM, Jim Lloyd <jlloyd@silvertailsystems.com> wrote:

> Can a BrokerFilter be used for message-level authorization of messages sent
> from one broker to another in a network of brokers?
>
> Suppose you have a hub and spoke architecture, where there may be many
> 'spoke brokers' that connect to one hub broker using duplex connections. In
> this topology, we want to have all security policies enforced in the hub
> broker (i.e. assume that spoke brokers can be compromised). We have
> partitioned our topic namespace so that each spoke broker has a well-defined
> subset of topics that it may use. I have implemented a custom
> AuthorizationMap that can prevent a client on one spoke from subscribing to
> topics from another spoke. However, Advisory messages are propagated to all
> brokers, so one can look at the Jetty admin console and see the entire
> namespace of all topics. I'd like to do message-level filtering of
> advisories so that each spoke only sees advisories for its subset of topics.
>
> It appeared to me that Message-Level Authorization would give me the hook I
> need, but I discovered that this applies only to filtering of messages
> between client applications and a broker, whereas I need the filtering on
> the network connection between brokers.
>
> I'm now studying the BrokerFilter interface which seems promising, but I'd
> appreciate it if anyone can save me some time by telling me either that 1)
> no, BrokerFilter can't do this, or 2) yes, BrokerFilter can, and then give a
> short outline of how to do it.
>
> Thanks,
> Jim Lloyd
>
>
>
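The rule shape Jim describes (deny a wildcard topic, then allow one specific topic under it, decided by the authenticated user on the connection) can be expressed at the one hook the thread names, MessageAuthorizationPolicy.isAllowedToConsume. The class below is an added example written for this archive page, not code from the thread or from ActiveMQ; the class name, the rule table and the topic names are hypothetical, while the interface and the helper types (ConnectionContext, Message, ActiveMQTopic, DestinationFilter) are ActiveMQ's own. As the post itself points out, this hook is evaluated for consumers on client connections, so it does not by itself cover the broker-to-broker bridge path the author is asking about.

```java
// Added example: a MessageAuthorizationPolicy that denies a wildcard topic
// pattern but lets specific topics underneath it through, keyed by the
// connection's authenticated user. Class name, rule table and topic names
// are hypothetical; the interface and helper types are ActiveMQ's.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.command.ActiveMQDestination;
import org.apache.activemq.command.ActiveMQTopic;
import org.apache.activemq.command.Message;
import org.apache.activemq.filter.DestinationFilter;
import org.apache.activemq.security.MessageAuthorizationPolicy;

public class UserScopedTopicPolicy implements MessageAuthorizationPolicy {

    /** Per-user rule set: wildcard patterns that are denied, and exact topics allowed back in. */
    static final class Rules {
        final List<DestinationFilter> denied = new ArrayList<>();
        final List<ActiveMQDestination> allowed = new ArrayList<>();

        /** Deny everything matching an ActiveMQ wildcard topic (e.g. "SPOKE_B.>"). */
        Rules deny(String wildcardTopic) {
            denied.add(DestinationFilter.parseFilter(new ActiveMQTopic(wildcardTopic)));
            return this;
        }

        /** Allow one exact (non-wildcard) topic even if a deny pattern covers it. */
        Rules allow(String exactTopic) {
            allowed.add(new ActiveMQTopic(exactTopic));
            return this;
        }
    }

    private final Map<String, Rules> rulesByUser = new HashMap<>();

    public UserScopedTopicPolicy() {
        // Constructed sample configuration (hypothetical user and topic names):
        // the user "spokeA" may not consume anything under SPOKE_B.> except
        // the one shared status topic.
        rulesByUser.put("spokeA", new Rules()
                .deny("SPOKE_B.>")
                .allow("SPOKE_B.shared.status"));
    }

    @Override
    public boolean isAllowedToConsume(ConnectionContext context, Message message) {
        String user = context.getUserName();          // null for anonymous connections
        ActiveMQDestination dest = message.getDestination();
        Rules rules = rulesByUser.get(user);
        if (rules == null) {
            // Fail closed: a user with no configured rule set consumes nothing.
            return false;
        }
        // An explicit allow for a specific topic overrides any matching wildcard deny.
        for (ActiveMQDestination allowedTopic : rules.allowed) {
            if (allowedTopic.equals(dest)) {
                return true;
            }
        }
        for (DestinationFilter denyPattern : rules.denied) {
            if (denyPattern.matches(dest)) {
                return false;
            }
        }
        // Not covered by any deny pattern for this user.
        return true;
    }
}
```

The policy is registered in the broker configuration through the broker's messageAuthorizationPolicy element, and the allow-before-deny ordering is what gives the "deny the wildcard, re-allow one specific topic" semantics; the fail-closed branch for users without a rule set is a deliberate choice so that a mis-spelled user name in the table does not silently grant everything.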
