Date: Wed, 14 Oct 2015 15:15:13 -0400 (EDT)
From: Justin Bertram
To: users@activemq.apache.org
Message-ID: <1640516219.31946425.1444850113251.JavaMail.zimbra@redhat.com>
In-Reply-To: <1444841282120-4702960.post@n4.nabble.com>
References: <1444841282120-4702960.post@n4.nabble.com>
Subject: Re: Artemis - Certificate Security

I recently added support for JAAS modules which utilize username/password for authentication and authorization. See here [1]. Part of that work involved importing the certificate JAAS module as well, but Artemis doesn't yet have all the plumbing necessary to support it since it doesn't pass around the certificate to all the relevant parties. I plan on adding support for this in the future, but I'm working on other things at the moment. Feel free to contribute.

Justin

[1] https://github.com/jbertram/activemq-artemis/commit/6ed9c5ae91dc7a08cdb3825fb17a5da24037fa36

----- Original Message -----
From: "slew77"
To: users@activemq.apache.org
Sent: Wednesday, October 14, 2015 11:48:02 AM
Subject: Artemis - Certificate Security

Hi,

Hoping to get some advice on adding a security plugin to Artemis.

We are using an Artemis 1.1.0 broker. Client systems post messages to a common queue and listen for messages on a client specific queue. There will be thousands of client systems. Each client should be able to write to the common queue, but not read from it. Each client should be able to read from their response queue only, but not write to it. We must base this access on the client certificate used to connect, i.e. we can't use username/password.

The docs suggest it's possible to add a JAAS plugin, is that correct and is there an example I could follow? If it is possible, is it feasible to base the authorisation on the client certificate? Ideally we'd do a lookup from the certificate thumbprint to get either a username or the roles that we need.

Any help gratefully received!

Thanks in advance,
Steve.

--
View this message in context: http://activemq.2283324.n4.nabble.com/Artemis-Certificate-Security-tp4702960.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
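The thumbprint-to-roles JAAS plugin Steve asks about, sketched as an added example that is not code from Artemis, from Justin's commit, or from either poster. It is a plain `javax.security.auth.spi.LoginModule`: it hashes the client's X.509 certificate to a SHA-256 thumbprint, looks the thumbprint up in a directory, and attaches a user principal plus two role principals that a broker's security settings can authorize against. The `CertificateCallback` class, the `NamedPrincipal` class, the `CLIENT_DIRECTORY` map and the role names `producers` / `consumer-<id>` are all assumptions introduced here; how the certificate reaches the `CallbackHandler` is exactly the plumbing Justin says Artemis does not yet have.

```java
import java.io.IOException;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/**
 * Illustrative JAAS LoginModule (not Artemis code). It identifies a client by the
 * SHA-256 thumbprint of the X.509 certificate the client authenticated with and
 * assigns the roles that the broker's security settings authorize against.
 * The TLS layer must already have validated the certificate chain; this module
 * only maps an already-verified certificate to an identity and roles.
 */
public class ThumbprintLoginModule implements LoginModule {

    /** Hypothetical callback by which the caller hands the client certificate to the module. */
    public static final class CertificateCallback implements Callback {
        private X509Certificate certificate;
        public X509Certificate getCertificate() { return certificate; }
        public void setCertificate(X509Certificate certificate) { this.certificate = certificate; }
    }

    /** Minimal principal; the "user:" / "role:" prefix stands in for a broker's own principal types. */
    public static final class NamedPrincipal implements Principal {
        private final String name;
        public NamedPrincipal(String kind, String name) { this.name = kind + ":" + name; }
        @Override public String getName() { return name; }
    }

    /** Constructed sample directory: lowercase-hex SHA-256 thumbprint -> client id.
     *  With thousands of clients this would be a database or LDAP query instead. */
    private static final Map<String, String> CLIENT_DIRECTORY = new HashMap<>();
    static { CLIENT_DIRECTORY.put("<sha256 thumbprint of client-0001's certificate>", "client-0001"); }

    private Subject subject;
    private CallbackHandler callbackHandler;
    private String clientId;
    private final Set<Principal> principals = new HashSet<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        CertificateCallback callback = new CertificateCallback();
        try {
            callbackHandler.handle(new Callback[] { callback });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain client certificate: " + e.getMessage());
        }
        if (callback.getCertificate() == null) {
            throw new FailedLoginException("no client certificate presented");
        }
        // A chain-valid but unregistered certificate is refused: identity comes only from the directory.
        clientId = CLIENT_DIRECTORY.get(thumbprint(callback.getCertificate()));
        if (clientId == null) {
            throw new FailedLoginException("certificate thumbprint not registered");
        }
        return true;
    }

    @Override
    public boolean commit() {
        if (clientId == null) {
            return false;
        }
        principals.add(new NamedPrincipal("user", clientId));
        // "producers" is granted only "send" on the common request queue, and "consumer-<id>"
        // only "consume" on that client's own response queue, so no role crosses the line.
        principals.add(new NamedPrincipal("role", "producers"));
        principals.add(new NamedPrincipal("role", "consumer-" + clientId));
        subject.getPrincipals().addAll(principals);
        return true;
    }

    @Override public boolean abort() { clientId = null; principals.clear(); return true; }

    @Override public boolean logout() {
        subject.getPrincipals().removeAll(principals);
        return abort();
    }

    /** Lowercase hex SHA-256 over the DER encoding: the usual definition of a certificate thumbprint. */
    public static String thumbprint(X509Certificate certificate) throws LoginException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(certificate.getEncoded());
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new LoginException("cannot compute thumbprint: " + e.getMessage());
        }
    }
}
```

Two design points worth noting. First, the thumbprint is only a lookup key: the module refuses any certificate that the directory does not know, even if the TLS handshake accepted its chain, so enrolment of a client is an explicit act of adding its thumbprint rather than an implicit consequence of the CA issuing a certificate. Second, the access model Steve describes is expressed entirely through the two roles: the broker's security settings grant `producers` the send permission on the common queue and nothing else, and grant `consumer-<id>` the consume permission on that one client's response queue and nothing else, which gives write-only access to the shared queue and read-only access to the private one without any per-client logic in the module beyond the role name.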