Hi Jim,

What Dejan has pointed you at is the classes that have all the various plugin methods for doing Auth in ActiveMQ by inserting a Broker object into the chain which is called during a connection. It would be possible to write a custom Broker subclass here that does what you want, but I think it would be easier inside JAAS.

What I'd suggest is you use the standard JaasCertificateAuthenticationPlugin and do the work in a JAAS plugin. The JAAS plugins are in http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-jaas/src/main/java/org/apache/activemq/jaas. I would suggest to create a subclass of CertificateLoginModule and override the getUserNameForCertificate method to extract and return the CN. If you look at TextFileCertificateLoginModule.java you can see the logic it uses to extract the DN and match against entries in the file - you would just need to write a simpler version which just pulls out the CN from the client DN. Then you hook it into ActiveMQ via a login.config file pointing at your custom class.

Let me know if this makes sense or if you need any more info.

cheers,
James.

On 20 May 2010 12:14, Dejan Bosanac <de...@nighttale.net> wrote:
> Hi Jim,
>
> the best way is to look at the source code of the current plugin
> implementation.
>
> You can find it in org.apache.activemq.security package.
>
> For a quick preview, you can use this URL:
>
> http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security
>
> Cheers
> --
> Dejan Bosanac - http://twitter.com/dejanb
>
> Open Source Integration - http://fusesource.com/
> ActiveMQ in Action - http://www.manning.com/snyder/
> Blog - http://www.nighttale.net
>
>
> On Wed, May 19, 2010 at 2:33 PM, Jim Lloyd <jll...@silvertailsystems.com> wrote:
>
>> I'd like to implement an authorization plugin that would allow me to
>> implement a fully automatic authorization policy. Here's an outline of what
>> I want:
>>
>> We have a broker that is a hub in a hub & spoke topology network of brokers.
>> All connections to this hub broker are via SSL and the hub broker requires SSL
>> client authentication. We require the client certificates to always be of a
>> form where the Common Name (CN) of the certificate defines the user. So, for
>> example, if we instead used a jaas.TextFileCertificateLoginModule the
>> user.properties file would look like this:
>>
>> user1=CN=user1,O=Silver Tail Systems,ST=California,C=US
>> userFoo=CN=userFoo,O=Silver Tail Systems,ST=California,C=US
>> ...
>> userZeta=CN=userZeta,O=Silver Tail Systems,ST=California,C=US
>>
>> Meanwhile, the AuthorizationMap we want would look something like this:
>>
>> <authorizationPlugin>
>>   <map>
>>     <authorizationMap>
>>       <authorizationEntries>
>>         <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
>>         <authorizationEntry topic="user1.>" read="user1" write="user1" admin="user1" />
>>         <authorizationEntry topic="userFoo.>" read="userFoo" write="userFoo" admin="userFoo" />
>>         ...
>>         <authorizationEntry topic="userZeta.>" read="userZeta" write="userZeta" admin="userZeta" />
>>         <authorizationEntry topic="ActiveMQ.Advisory.>" read="all" write="all" admin="all"/>
>>       </authorizationEntries>
>>     </authorizationMap>
>>   </map>
>> </authorizationPlugin>
>>
>> If we use jaas.TextFileCertificateLoginModule, we have to update the
>> users.properties, groups.properties file and the authorizationMap in the
>> activemq.xml file every time we add a user. We can automate this with
>> scripting, but a more elegant solution would be to write our own plugin(s)
>> to implement this policy. I'm in the process of scoping this effort, and so
>> far I haven't found anything other than javadocs on the various classes to
>> guide me. Can anyone provide a high level outline of how I would implement
>> this?
>>
>> Thanks,
>> Jim Lloyd
>> Silver Tail Systems
>>
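An added example of the CertificateLoginModule subclass James suggests, written here for illustration and not code from the thread or from ActiveMQ itself. It assumes the abstract hooks in activemq-jaas are getUserNameForCertificates(X509Certificate[]) and getUserGroups(String) (the mail names the method without the trailing "s", so check the source of the version you build against), and CnCertificateLoginModule is a name chosen here.

```java
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.apache.activemq.jaas.CertificateLoginModule;

/**
 * Maps an SSL client certificate to a user named after its Common Name, so no
 * users.properties / groups.properties entry is needed per user. The overridden
 * signatures are assumed; check them against your activemq-jaas version.
 */
public class CnCertificateLoginModule extends CertificateLoginModule {
    @Override
    protected String getUserNameForCertificates(final X509Certificate[] certs)
            throws LoginException {
        if (certs == null || certs.length == 0) {
            throw new FailedLoginException("No client certificate presented");
        }
        // certs[0] is the end-entity certificate; any issuer chain follows it.
        String dn = certs[0].getSubjectX500Principal().getName();
        String cn = null;
        try {
            // Parse as RFC 2253 rather than splitting on commas, so a value
            // like O="Silver Tail, Inc." is not misread as an extra RDN.
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if (!"CN".equalsIgnoreCase(rdn.getType())) continue;
                if (cn != null) {
                    throw new FailedLoginException("Several CNs in DN: " + dn);
                }
                cn = rdn.getValue().toString();
            }
        } catch (InvalidNameException e) {
            throw new FailedLoginException("Unparseable subject DN: " + dn);
        }
        if (cn == null || cn.isEmpty()) {
            throw new FailedLoginException("Client certificate has no CN: " + dn);
        }
        return cn;
    }

    @Override
    protected Set<String> getUserGroups(final String username) {
        // read="user1" etc. in the authorizationMap are group names, so putting
        // each user in a group of its own name makes the per-user entries resolve.
        return Collections.singleton(username);
    }
}
```

Hook it in with a login.config entry along the lines of `activemq-certificate { com.example.CnCertificateLoginModule required; };` (realm and package names are placeholders) and point the JaasCertificateAuthenticationPlugin configuration in activemq.xml at that realm.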