activemq-users mailing list archives

From Jim Lloyd <jll...@silvertailsystems.com>
Subject Fully programmatic authorization map
Date Wed, 19 May 2010 18:33:13 GMT
I'd like to implement an authorization plugin that would allow me to
implement a fully automatic authorization policy. Here's an outline of what
I want:

We have a broker that is a hub in a hub & spoke topology network of brokers.
All connections to this hub broker are via SSL, and the hub broker requires SSL
client authentication. We require the client certificates to always be of a
form where the Common Name (CN) of the certificate defines the user. So, for
example, if we instead used a jaas.TextFileCertificateLoginModule, the
users.properties file would look like this:

user1=CN=user1,O=Silver Tail Systems,ST=California,C=US
userFoo=CN=userFoo,O=Silver Tail Systems,ST=California,C=US
...
userZeta=CN=userZeta,O=Silver Tail Systems,ST=California,C=US

Meanwhile, the AuthorizationMap we want would look something like this:

<authorizationPlugin>
  <map>
    <authorizationMap>
      <authorizationEntries>
        <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
        <authorizationEntry topic="user1.>" read="user1" write="user1" admin="user1" />
        <authorizationEntry topic="userFoo.>" read="userFoo" write="userFoo" admin="userFoo" />
        ...
        <authorizationEntry topic="userZeta.>" read="userZeta" write="userZeta" admin="userZeta" />
        <authorizationEntry topic="ActiveMQ.Advisory.>" read="all" write="all" admin="all" />
      </authorizationEntries>
    </authorizationMap>
  </map>
</authorizationPlugin>

If we use jaas.TextFileCertificateLoginModule, we have to update the
users.properties and groups.properties files and the authorizationMap in the
activemq.xml file every time we add a user. We can automate this with
scripting, but a more elegant solution would be to write our own plugin(s)
to implement this policy. I'm in the process of scoping this effort, and so
far I haven't found anything other than javadocs on the various classes to
guide me. Can anyone provide a high level outline of how I would implement
this?

Thanks,
Jim Lloyd
Silver Tail Systems
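One way to realise the policy outlined in the message, as an added example that is not code from the original message or from the ActiveMQ project: instead of a static list of authorizationEntry elements, the map derives the allowed principals from the destination name at lookup time. It assumes the ActiveMQ 5.x AuthorizationMap interface (getReadACLs/getWriteACLs/getAdminACLs taking an ActiveMQDestination, plus the three temp-destination getters, each returning a Set of principals; check the exact return type against the javadocs of the version in use) and that the broker grants access when any principal in the returned set equals one of the connection's UserPrincipal/GroupPrincipal objects created by the certificate login module. The class name PerUserPrefixAuthorizationMap, the helper ownerOfTopic and the advisory prefix string are choices made for this example.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.activemq.command.ActiveMQDestination;
import org.apache.activemq.jaas.GroupPrincipal;
import org.apache.activemq.jaas.UserPrincipal;
import org.apache.activemq.security.AuthorizationMap;

/**
 * Example map (not part of the original message): computes ACLs from the
 * destination name instead of a static list of authorizationEntry elements.
 *
 *   topic ">" (or anything without an owner prefix)  -> group "admins" only
 *   topic "<user>.<anything>"                        -> UserPrincipal <user> plus "admins"
 *   topic "ActiveMQ.Advisory.<anything>"             -> group "all" plus "admins"
 *   queues and temporary destinations                -> group "admins" only
 */
public class PerUserPrefixAuthorizationMap implements AuthorizationMap {

    // Assumed advisory topic prefix; adjust if the broker in use names them differently.
    private static final String ADVISORY_PREFIX = "ActiveMQ.Advisory.";

    private final GroupPrincipal admins = new GroupPrincipal("admins");
    private final GroupPrincipal everyone = new GroupPrincipal("all");

    /**
     * Owner of a topic named "<user>.<rest>", i.e. the text before the first dot,
     * or null if there is no such prefix. The prefix must be a literal name: a
     * subscription to ">" or "*.foo" yields no owner and therefore falls back to
     * admins only, so a user cannot widen their access with a wildcard pattern.
     */
    static String ownerOfTopic(String physicalName) {
        int dot = physicalName.indexOf('.');
        if (dot <= 0) {
            return null;
        }
        String owner = physicalName.substring(0, dot);
        if (owner.indexOf('>') >= 0 || owner.indexOf('*') >= 0) {
            return null;
        }
        return owner;
    }

    /** Same rule for read, write and admin, mirroring the static map in the message. */
    private Set<Object> aclsFor(ActiveMQDestination destination) {
        Set<Object> acls = new HashSet<Object>();
        acls.add(admins); // admins may do anything on any destination
        if (destination.isTopic()) {
            String name = destination.getPhysicalName();
            if (name.startsWith(ADVISORY_PREFIX)) {
                acls.add(everyone); // advisory topics are open to every authenticated user
            } else {
                String owner = ownerOfTopic(name);
                if (owner != null) {
                    // Matches the UserPrincipal the certificate login module builds from
                    // the CN, so no per-user groups.properties entry is required.
                    acls.add(new UserPrincipal(owner));
                }
            }
        }
        return acls;
    }

    public Set<Object> getReadACLs(ActiveMQDestination destination) { return aclsFor(destination); }
    public Set<Object> getWriteACLs(ActiveMQDestination destination) { return aclsFor(destination); }
    public Set<Object> getAdminACLs(ActiveMQDestination destination) { return aclsFor(destination); }

    public Set<Object> getTempDestinationReadACLs() { return Collections.<Object>singleton(admins); }
    public Set<Object> getTempDestinationWriteACLs() { return Collections.<Object>singleton(admins); }
    public Set<Object> getTempDestinationAdminACLs() { return Collections.<Object>singleton(admins); }
}
```

The map is installed either by constructing new AuthorizationPlugin(new PerUserPrefixAuthorizationMap()) and adding it to the broker's plugins, or by declaring the class as a bean under the map element in activemq.xml in place of authorizationMap (assumed Spring wiring). The per-user branch needs no groups.properties entries because it matches the UserPrincipal directly; the advisory branch still names the group "all", so whichever login module is used has to add GroupPrincipal("all") to every authenticated subject for that branch to grant anything.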
