Hi, the web console doesn't support fine-grained authorization at the moment. The jira would be great for starters; if you can provide a patch it'd be even better.
Cheers
--
Dejan Bosanac - http://twitter.com/dejanb

Open Source Integration - http://fusesource.com/
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net

On Thu, Oct 29, 2009 at 9:18 PM, magellings <mark.gelli...@qg.com> wrote:
>
> From what I can tell even with JMX properly set up you still can't maintain
> separate privs. One user/password is hard-coded/configured to be used by
> the web console at start up to connect to the broker. I want to be able to
> configure separate user/passwords to connect to the broker, grabbed when the
> user logs into the web console. I already have the web console configured
> for BASIC authentication with two different user/passwords (based on the
> link in my original post). I just need to somehow use those to then connect
> to the broker.
>
> It's possible to configure different roles to be used when logging into the
> web console. But it is not possible to control the rights the user has
> based on this. Example:
>
> web.xml
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>adminRealm</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>admin</role-name>
>       <role-name>guest</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>adminRealm</realm-name>
>   </login-config>
>
> realm.properties
>
>   admin: MD5:6990a54322d9232390a784c5c9247dd6,admin
>   guest: MD5:084e0343a0486ff05530df6c705c8bb4,guest
>
> With the above config I can log on as either admin or guest successfully
> when entering the appropriate password at the basic authentication prompt.
>
> I'd like guest to have read privs (see messages on queues, etc.), and admin
> to have read/write privs (see messages on queues, delete messages, delete
> queues, etc.). In our scenario guest is producing a message and just wants
> to verify the message has been created successfully on the queue. Admin
> owns the queue and the broker, as they are on a separate development team
> from user guest. They do not want guest to be able to delete
> messages/queues, etc. Right now we have no way to let guest see for
> themselves that the message is on the queue unless we give them the admin
> user/password for the basic authentication prompt when using the web
> console. If we give that out, we give out read/write privs to guest, which
> we don't want to do.
>
> I think for this to be possible two separate connections would need to be
> maintained to the broker, one for guest and one for admin, so that the
> simpleAuthenticationPlugin and authorizationPlugin can be used based on the
> user/password used to log on. Ideally the user/password entered during a
> basic authentication prompt could be mapped to the same user/password used
> to connect to the broker. Maybe this isn't possible if the web console only
> maintains one connection to the broker. Maybe the web console would need to
> be enhanced with a user/group security section to control what privs in the
> web console the logged on user has. An admin could then control whether a
> user has the right to delete a message, a queue, etc., and the web console
> has the smarts to display the delete link or not based on the privs of the
> logged on user.
>
> Not sure if this was ever discussed. Maybe a jira should be created and the
> functionality request backlogged???
>
> --
> View this message in context:
> http://www.nabble.com/Dynamically-setting-activemq-username-password-when-logging-into-web-console-tp26118677p26120009.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>
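The broker-side split the original poster describes (guest may send to and browse its own queues, only admin may create or delete them) is what the simpleAuthenticationPlugin and authorizationPlugin named in the thread are for. The fragment below is an added example, not code from this thread or from the ActiveMQ project; it is a conf/activemq.xml excerpt, and the group names, passwords and the DEV.> destination prefix are assumptions chosen for illustration. Note the caveat Dejan gives above: the web console opens a single configured connection to the broker, so these entries restrict JMS clients that authenticate as guest or admin, not what a console user can click on.

```xml
<!-- Added example (not from the thread or the ActiveMQ project): fragment of
     conf/activemq.xml. Group names, passwords and the DEV.> prefix are
     assumptions for illustration. -->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">

  <plugins>
    <!-- Authenticate broker connections by username/password and map each user to groups. -->
    <simpleAuthenticationPlugin>
      <users>
        <authenticationUser username="admin" password="adminpw" groups="admins,users"/>
        <authenticationUser username="guest" password="guestpw" groups="users"/>
      </users>
    </simpleAuthenticationPlugin>

    <!-- read = consume/browse, write = send, admin = create or destroy the destination. -->
    <authorizationPlugin>
      <map>
        <authorizationMap>
          <authorizationEntries>
            <!-- Default for every queue and topic: admins only. -->
            <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
            <authorizationEntry topic=">" read="admins" write="admins" admin="admins"/>

            <!-- DEV.* queues: guest (group users) may send and browse/consume,
                 but only admins may create or delete the queue. Groups are listed
                 explicitly so the result does not depend on how wildcard entries merge. -->
            <authorizationEntry queue="DEV.>" read="admins,users" write="admins,users" admin="admins"/>

            <!-- The broker creates advisory topics on behalf of every client that
                 opens a producer or consumer, so all users need rights on them
                 or the guest connection fails before it reaches its queue. -->
            <authorizationEntry topic="ActiveMQ.Advisory.>" read="users" write="users" admin="users"/>
          </authorizationEntries>
        </authorizationMap>
      </map>
    </authorizationPlugin>
  </plugins>

</broker>
```

With this in place a JMS client that connects as guest can send to DEV.orders and open a QueueBrowser on it to confirm the message arrived, while an attempt by guest to remove the queue is rejected by the broker. Purging messages or deleting queues from the web console still goes over the console's own connection, which is exactly the gap the thread is about.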