activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dejan Bosanac <de...@nighttale.net>
Subject Re: Fully programmatic authorization map
Date Thu, 20 May 2010 13:13:04 GMT
Hi James,

thanks for adding this info. I totally forgot to mention activemq-jaas.

Cheers
--
Dejan Bosanac - http://twitter.com/dejanb

Open Source Integration - http://fusesource.com/
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net


On Thu, May 20, 2010 at 8:34 AM, James Casey <jamesc.000@gmail.com> wrote:

> Hi Jim,
>
> What Dejan has pointed you at is the classes that have all the various
> plugin methods for doing Auth in ActiveMQ by inserting a Broker object
> into the chain which is called during a connection.  It would be
> possible to write a custom Broker subclass here that does what you
> want, but I think it would be easier inside JAAS.
>
> What I'd suggest is you use the standard
> JaasCettificateAuthenticationPlugin and do the work in a JAAS plugin.
>
> The JAAS plugins are in
>
> http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-jaas/src/main/java/org/apache/activemq/jaas
> .
>
> I would suggest to create a subclass of CertificateLoginModule and
> override the getUserNameForCertificate method to extract and return
> the CN.  If you look at TextFileCertificateLoginModule.java you can
> see the logic it uses to extract the DN and match against entries in
> the file - you would just need to write a simpler version which just
> pulls out the CN from the client DN. Then you hook it into ActiveMQ
> via a login.config file pointing at your custom class.
>
> Let me know if this makes sense or if you need any more info.
>
> cheers,
>
> James.
>
>
> On 20 May 2010 12:14, Dejan Bosanac <dejan@nighttale.net> wrote:
> > Hi Jim,
> >
> > the best way is to look at the source code of the current plugin
> > implementation.
> >
> > You can find it in org.apache.activemq.security package.
> >
> > For a quick preview, you can use this URL:
> >
> >
> http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security
> >
> > Cheers
> > --
> > Dejan Bosanac - http://twitter.com/dejanb
> >
> > Open Source Integration - http://fusesource.com/
> > ActiveMQ in Action - http://www.manning.com/snyder/
> > Blog - http://www.nighttale.net
> >
> >
> > On Wed, May 19, 2010 at 2:33 PM, Jim Lloyd <jlloyd@silvertailsystems.com
> >wrote:
> >
> >> I'd like to implement an authorization plugin that would allow me to
> >> implement a fully automatic authorization policy. Here's an outline of
> what
> >> I want:
> >>
> >> We have a broker that is a hub in a hub & spoke topology network of
> >> brokers.
> >> A connections to this hub broker are via SSL and the hub broker requires
> >> SSL
> >> client authentication. We require the client certificates to always be
> of a
> >> form where the Common Name (CN) of the certificate defines the user. So,
> >> for
> >> example, if we instead used a jaas.TextFileCertificateLoginModule the
> >> user.properties file would look like this:
> >>
> >> user1=CN=user1,O=Silver Tail Systems,ST=California,C=US
> >> userFoo=CN=userFoo,O=Silver Tail Systems,ST=California,C=US
> >> ...
> >> userZeta=CN=userZeta,O=Silver Tail Systems,ST=California,C=US
> >>
> >> Meanwhile, the AuthorizationMap we want would look something like this:
> >>
> >> <authorizationPlugin>
> >> <map>
> >> <authorizationMap>
> >> <authorizationEntries>
> >> <authorizationEntry topic=">" read="admins" write="admins"
> admin="admins"
> >> />
> >> <authorizationEntry topic="user1.>" read="user1" write="user1"
> >> admin="user1"
> >> />
> >> <authorizationEntry topic="userFoo.>" read="userFoo" write="userFoo"
> >> admin="userFoo" />
> >> ...
> >> <authorizationEntry topic="userZeta.>" read="userZeta" write="userZeta"
> >> admin="userZeta" />
> >> <authorizationEntry topic="ActiveMQ.Advisory.>" read="all" write="all"
> >> admin="all"/>
> >> </authorizationEntries>
> >> </authorizationMap>
> >> </map>
> >> </authorizationPlugin>
> >>
> >> If we use jaas.TextFileCertificateLoginModule, we have to update the
> >> users.properties, groups.properties file and the authorizationMap in the
> >> activemq.xml file every time we add a user. We can automate this with
> >> scripting, but a more elegant solution would be to write our own
> plugin(s)
> >> to implement this policy. I'm in the process of scoping this effort, and
> so
> >> far I haven't found anything other than javadocs on the various classes
> to
> >> guide me. Can anyone provide a high level outline of how I would
> implement
> >> this?
> >>
> >> Thanks,
> >> Jim Lloyd
> >> Silver Tail Systems
> >>
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message