Subject: Re: Fully programmatic authorization map
From: Dejan Bosanac
To: users@activemq.apache.org
Date: Thu, 20 May 2010 09:13:04 -0400

Hi James,

thanks for adding this info. I totally forgot to mention activemq-jaas.

Cheers
--
Dejan Bosanac - http://twitter.com/dejanb

Open Source Integration - http://fusesource.com/
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net

On Thu, May 20, 2010 at 8:34 AM, James Casey wrote:
> Hi Jim,
>
> What Dejan has pointed you at is the classes that have all the various
> plugin methods for doing Auth in ActiveMQ by inserting a Broker object
> into the chain which is called during a connection. It would be
> possible to write a custom Broker subclass here that does what you
> want, but I think it would be easier inside JAAS.
>
> What I'd suggest is you use the standard
> JaasCertificateAuthenticationPlugin and do the work in a JAAS plugin.
>
> The JAAS plugins are in
>
> http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-jaas/src/main/java/org/apache/activemq/jaas
>
> I would suggest creating a subclass of CertificateLoginModule and
> overriding the getUserNameForCertificate method to extract and return
> the CN.
> If you look at TextFileCertificateLoginModule.java you can
> see the logic it uses to extract the DN and match against entries in
> the file - you would just need to write a simpler version which just
> pulls out the CN from the client DN. Then you hook it into ActiveMQ
> via a login.config file pointing at your custom class.
>
> Let me know if this makes sense or if you need any more info.
>
> cheers,
>
> James.
>
>
> On 20 May 2010 12:14, Dejan Bosanac wrote:
> > Hi Jim,
> >
> > the best way is to look at the source code of the current plugin
> > implementation.
> >
> > You can find it in the org.apache.activemq.security package.
> >
> > For a quick preview, you can use this URL:
> >
> > http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security
> >
> > Cheers
> > --
> > Dejan Bosanac - http://twitter.com/dejanb
> >
> > Open Source Integration - http://fusesource.com/
> > ActiveMQ in Action - http://www.manning.com/snyder/
> > Blog - http://www.nighttale.net
> >
> >
> > On Wed, May 19, 2010 at 2:33 PM, Jim Lloyd wrote:
> >
> >> I'd like to implement an authorization plugin that would allow me to
> >> implement a fully automatic authorization policy. Here's an outline of
> >> what I want:
> >>
> >> We have a broker that is a hub in a hub & spoke topology network of
> >> brokers. All connections to this hub broker are via SSL and the hub
> >> broker requires SSL client authentication. We require the client
> >> certificates to always be of a form where the Common Name (CN) of the
> >> certificate defines the user. So, for example, if we instead used a
> >> jaas.TextFileCertificateLoginModule the user.properties file would
> >> look like this:
> >>
> >> user1=CN=user1,O=Silver Tail Systems,ST=California,C=US
> >> userFoo=CN=userFoo,O=Silver Tail Systems,ST=California,C=US
> >> ...
> >> userZeta=CN=userZeta,O=Silver Tail Systems,ST=California,C=US
> >>
> >> Meanwhile, the AuthorizationMap we want would look something like this:
> >>
> >> admin="admins" />
> >> admin="user1" />
> >> admin="userFoo" />
> >> ...
> >> admin="userZeta" />
> >> admin="all"/>
> >>
> >> If we use jaas.TextFileCertificateLoginModule, we have to update the
> >> users.properties, groups.properties file and the authorizationMap in the
> >> activemq.xml file every time we add a user. We can automate this with
> >> scripting, but a more elegant solution would be to write our own
> >> plugin(s) to implement this policy. I'm in the process of scoping this
> >> effort, and so far I haven't found anything other than javadocs on the
> >> various classes to guide me. Can anyone provide a high level outline of
> >> how I would implement this?
> >>
> >> Thanks,
> >> Jim Lloyd
> >> Silver Tail Systems
> >>
> >
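James's suggestion above (a CertificateLoginModule subclass that returns the CN as the user name, wired in through login.config) written out for Jim's setup, as an added example; this is not code from the thread or from ActiveMQ itself. It assumes the activemq-jaas API of the 5.x line, where the abstract methods are getUserNameForCertificates(X509Certificate[]) (plural, slightly different from the name in James's mail) and getUserGroups(String); check these against the CertificateLoginModule in the version you build against. The package com.example.activemq.jaas, the class name, the group name "users" and the login.config entry name "activemq-cert" are hypothetical.

```java
// Added example, not ActiveMQ's own code. Assumes
// org.apache.activemq.jaas.CertificateLoginModule (activemq-jaas 5.x) with the
// abstract methods getUserNameForCertificates(X509Certificate[]) and
// getUserGroups(String). Package, class and group names are hypothetical.
package com.example.activemq.jaas;

import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.login.LoginException;

import org.apache.activemq.jaas.CertificateLoginModule;

/**
 * Authenticates a TLS client by taking the CN of its certificate's subject DN
 * as the user name, so no users.properties entry is needed per user.
 */
public class CommonNameCertificateLoginModule extends CertificateLoginModule {

    /** Group every certificate-authenticated user is placed in (hypothetical name). */
    static final String DEFAULT_GROUP = "users";

    @Override
    protected String getUserNameForCertificates(final X509Certificate[] certs) throws LoginException {
        if (certs == null || certs.length == 0) {
            throw new LoginException("No client certificate presented; cannot authenticate.");
        }
        // certs[0] is the client's end-entity certificate; the chain behind it was
        // already validated against the broker's truststore during the TLS handshake,
        // so the trust decision "who may issue a CN that becomes a user" lives there.
        String dn = certs[0].getSubjectX500Principal().getName(); // RFC 2253 form
        return extractCommonName(dn);
    }

    @Override
    protected Set<String> getUserGroups(final String username) throws LoginException {
        // One shared group plus a group named after the user: the static
        // authorizationMap can then grant "users" once, or per-user destinations
        // via the per-user group, without listing DNs anywhere.
        Set<String> groups = new HashSet<String>();
        groups.add(DEFAULT_GROUP);
        groups.add(username);
        return groups;
    }

    /**
     * Returns the single CN of the DN. Parsed with LdapName rather than split on
     * ',', so an escaped comma inside an RDN value cannot shift which RDN is read;
     * a DN with no CN, an empty CN, or more than one CN is rejected, not guessed at.
     */
    static String extractCommonName(String dn) throws LoginException {
        List<String> cns = new ArrayList<String>();
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    cns.add(String.valueOf(rdn.getValue()));
                }
            }
        } catch (InvalidNameException e) {
            throw new LoginException("Unparseable subject DN: " + dn);
        }
        if (cns.size() != 1 || cns.get(0).length() == 0) {
            throw new LoginException("Expected exactly one non-empty CN in subject DN: " + dn);
        }
        return cns.get(0);
    }
}

// login.config (hypothetical entry name), referenced from activemq.xml with
//   <jaasCertificateAuthenticationPlugin configuration="activemq-cert"/>
//
// activemq-cert {
//     com.example.activemq.jaas.CommonNameCertificateLoginModule required;
// };
```

This only removes the users.properties and groups.properties maintenance Jim describes; the per-destination entries in activemq.xml still have to exist, unless the authorization side is also replaced by an implementation of the AuthorizationMap interface from the org.apache.activemq.security package Dejan pointed to. Whatever the CN is mapped to becomes the principal the authorizationMap checks, so the truststore on the hub broker should hold only the CA(s) that are meant to issue user certificates.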