activemq-users mailing list archives

From Garry Watkins <cats...@me.com>
Subject Re: Is it possible to use Client Certs for Authentication/Authorization for Apollo?
Date Fri, 12 Jul 2013 15:22:07 GMT
That sounds good.  I was searching in the code and that is where I thought I might be able
to hook in.

Why not add an authorizer attribute which is the class name of the custom authorizer.

<access_rule allow="*" action="create destroy send" authorizer="MyCustomAuthorizer"/>
<access_rule allow="*" action="connect receive consume" authorizer="MyCustomAuthorizer2"/>

On Jul 12, 2013, at 11:01 AM, Hiram Chirino <hiram@hiramchirino.com> wrote:

> Ok then it seems like you will need to implement a custom Authorizer.
> The interface of an Authorizer is quite simple.  It looks like:
> 
> trait Authorizer {
>  def can(ctx:SecurityContext, action:String, resource:SecuredResource):Boolean;
> }
> 
> Basically the ctx will have the user info including the security
> subject/cert info.  The action is stuff like "send", and the resource
> will be an instance of a virtualhost, queue, topic (etc.) that the
> user is trying to perform the action against.  The method just needs to
> return true if it's allowed.
> 
> The only problem is there does not yet exist a way to configure a
> custom authorizer.  Let me see if I can add support for that in the apollo
> configuration.
> 
> 
> On Wed, Jul 10, 2013 at 6:38 PM, Garry Watkins <catshow@me.com> wrote:
>> Yes, the users will be unknown at the time of connection.
>> 
>> On Jul 10, 2013, at 3:00 PM, Hiram Chirino <hiram@hiramchirino.com> wrote:
>> 
>>> And the user names are dynamic?  You don't know them ahead of time?
>>> 
>>> On Tue, Jul 9, 2013 at 4:14 PM, Garry Watkins <catshow@icloud.com> wrote:
>>>> I have been looking at the documentation in the security section.
>>>> 
>>>> http://activemq.apache.org/apollo/documentation/user-manual.html#Security
>>>> 
>>>> I need to write code that will allow a queue to be created with the
>>>> same name as the user.  That user may then be allowed to receive and consume
>>>> messages.
>>>> 
>>>> Any hints about where I could inject this into the code?
>>>> 
>>>> Thanks
>>>> 
>>>> 
>>>> On Jul 08, 2013, at 02:06 PM, Christian Posta <christian.posta@gmail.com>
>>>> wrote:
>>>> 
>>>> Should be the distinguished name from the X509 cert:
>>>> 
>>>> http://docs.oracle.com/javase/6/docs/api/javax/security/auth/x500/X500Principal.html
>>>> 
>>>> 
>>>> On Mon, Jul 8, 2013 at 1:31 PM, Garry Watkins <catshow@me.com> wrote:
>>>> 
>>>> Ok, now that I know that I can do that.
>>>> 
>>>> How does Apollo assign the username? What I want to do is have another
>>>> process create a queue just for that user, and that is the only queue that
>>>> user may access.
>>>> 
>>>> Thanks for the speedy response.
>>>> 
>>>> On Jul 8, 2013, at 1:28 PM, Christian Posta <christian.posta@gmail.com>
>>>> wrote:
>>>> 
>>>>> Yep, try adding the following to your ssl connector:
>>>>> 
>>>>> <connector id="default" bind="ssl://0.0.0.0:61614">
>>>>>   <ssl client_auth="need" />
>>>>> </connector>
>>>>> 
>>>>> On Mon, Jul 8, 2013 at 12:51 PM, Garry Watkins <catshow@me.com> wrote:
>>>>> 
>>>>>> Is it possible to use Client Certs for Authentication/Authorization for
>>>>>> Apollo?
>>>>> 
>>>>> --
>>>>> *Christian Posta*
>>>>> http://www.christianposta.com/blog
>>>>> twitter: @christianposta
>>>> 
>>>> 
>>>> 
>>>> --
>>>> *Christian Posta*
>>>> http://www.christianposta.com/blog
>>>> twitter: @christianposta
>>> 
>>> 
>>> 
>>> --
>>> Hiram Chirino
>>> 
>>> Engineering | Red Hat, Inc.
>>> 
>>> hchirino@redhat.com | fusesource.com | redhat.com
>>> 
>>> skype: hiramchirino | twitter: @hiramchirino
>>> 
>>> blog: Hiram Chirino's Bit Mojo
>> 
> 
> 
> 
> -- 
> Hiram Chirino
> 
> Engineering | Red Hat, Inc.
> 
> hchirino@redhat.com | fusesource.com | redhat.com
> 
> skype: hiramchirino | twitter: @hiramchirino
> 
> blog: Hiram Chirino's Bit Mojo
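A model of the check this thread describes, added here as an example and not Apollo's own code: the client cert's X500Principal name is the username, and the custom authorizer lets that user act only on the queue named after the cert's CN, denying every other queue, topic and action. The SecurityContext and SecuredResource classes are stand-ins for Apollo's Scala types, the DN parser is a small RFC 2253 reader written for this example, and treating "connect" as a check against the virtual host is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityContext:
    """Stand-in for Apollo's SecurityContext: carries the X500Principal name
    (subject DN of the client cert) that the broker uses as the username."""
    principal_dn: str

@dataclass(frozen=True)
class SecuredResource:
    """Stand-in for Apollo's SecuredResource (virtualhost, queue, topic, ...)."""
    kind: str
    name: str

def parse_dn(dn: str) -> dict:
    """Split an RFC 2253 DN such as 'CN=alice,OU=clients,O=Example' into a
    {type: value} dict. Backslash-escaped ',' '=' '\\' inside a value are kept
    literally; multi-valued RDNs joined with '+' are not handled here."""
    attrs, key, buf, escaped, reading_key = {}, "", [], False, True
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and reading_key:
            key, buf, reading_key = "".join(buf).strip().upper(), [], False
        elif ch == "," and not reading_key:
            attrs[key], buf, reading_key = "".join(buf).strip(), [], True
        else:
            buf.append(ch)
    if not reading_key:
        attrs[key] = "".join(buf).strip()
    return attrs

# Actions granted on the user's own queue. "destroy" is left out on purpose;
# "connect" is decided against the virtual host in can() below.
OWN_QUEUE_ACTIONS = {"create", "send", "receive", "consume"}

def can(ctx: SecurityContext, action: str, resource: SecuredResource) -> bool:
    """Mirror of Authorizer.can(ctx, action, resource): allow only the queue
    whose name equals the CN of the connecting client's certificate."""
    if resource.kind == "virtualhost":
        return action == "connect"  # assumption: any cert holder may connect
    if resource.kind != "queue" or action not in OWN_QUEUE_ACTIONS:
        return False
    cn = parse_dn(ctx.principal_dn).get("CN")
    return bool(cn) and resource.name == cn
```

The comparison is exact, so whatever process creates the per-user queue must derive its name from the CN the same way (no case folding or trimming beyond what parse_dn does).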

