Hi Jim,

it can be a set of any objects you need. The only thing is that they must be matchable using the equals() method. Take a look at the SecurityContext.isInOneOf() method, which is used for authorization purposes. For example, JaasSecurityContext deals with the Subject objects set by JaasAuthenticationBroker.addConnection().

Hope this helps.

Cheers
--
Dejan Bosanac - http://twitter.com/dejanb

Open Source Integration - http://fusesource.com/
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net


On Thu, May 20, 2010 at 12:21 PM, Jim Lloyd <jll...@silvertailsystems.com> wrote:

> Dejan and James,
>
> I'm looking at the JAAS plugins now and yes, this approach for deriving the
> user and group from a certificate looks pretty clear, and this will save me
> a lot of time. Thanks!
>
> Can either of you give me similar guidance for how I would do the
> AuthorizationMap piece? It looks like I can simply implement
> AuthorizationMap, but the return type of Set<?> for the methods seems highly
> under-constrained. The comments say that the methods return ACLs, but it's
> not obvious to me what forms the ACLs take. Looking at
> SimpleAuthorizationMap, I see that it is primarily delegating to
> DestinationMap, but DestinationMap (and its helpers DestinationMapNode,
> DestinationMapEntry) is just complex enough that I haven't been able to
> figure it out from just browsing the code. I have a hunch that one of you
> can give me some quick pointers here that will also save me a lot of time.
>
> Thanks,
> Jim
>
>
> On Thu, May 20, 2010 at 6:13 AM, Dejan Bosanac <de...@nighttale.net> wrote:
>
>> Hi James,
>>
>> thanks for adding this info. I totally forgot to mention activemq-jaas.
>>
>> Cheers
>> --
>> Dejan Bosanac - http://twitter.com/dejanb
>>
>> Open Source Integration - http://fusesource.com/
>> ActiveMQ in Action - http://www.manning.com/snyder/
>> Blog - http://www.nighttale.net
>>
>>
>> On Thu, May 20, 2010 at 8:34 AM, James Casey <jamesc....@gmail.com> wrote:
>>
>>> Hi Jim,
>>>
>>> What Dejan has pointed you at is the classes that have all the various
>>> plugin methods for doing Auth in ActiveMQ by inserting a Broker object
>>> into the chain which is called during a connection. It would be
>>> possible to write a custom Broker subclass here that does what you
>>> want, but I think it would be easier inside JAAS.
>>>
>>> What I'd suggest is you use the standard
>>> JaasCertificateAuthenticationPlugin and do the work in a JAAS plugin.
>>>
>>> The JAAS plugins are in
>>>
>>> http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-jaas/src/main/java/org/apache/activemq/jaas
>>>
>>> I would suggest creating a subclass of CertificateLoginModule and
>>> overriding the getUserNameForCertificate method to extract and return
>>> the CN. If you look at TextFileCertificateLoginModule.java you can
>>> see the logic it uses to extract the DN and match against entries in
>>> the file - you would just need to write a simpler version which just
>>> pulls out the CN from the client DN. Then you hook it into ActiveMQ
>>> via a login.config file pointing at your custom class.
>>>
>>> Let me know if this makes sense or if you need any more info.
>>>
>>> cheers,
>>>
>>> James.
>>>
>>>
>>> On 20 May 2010 12:14, Dejan Bosanac <de...@nighttale.net> wrote:
>>>> Hi Jim,
>>>>
>>>> the best way is to look at the source code of the current plugin
>>>> implementation.
>>>>
>>>> You can find it in the org.apache.activemq.security package.
>>>>
>>>> For a quick preview, you can use this URL:
>>>>
>>>> http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security
>>>>
>>>> Cheers
>>>> --
>>>> Dejan Bosanac - http://twitter.com/dejanb
>>>>
>>>> Open Source Integration - http://fusesource.com/
>>>> ActiveMQ in Action - http://www.manning.com/snyder/
>>>> Blog - http://www.nighttale.net
>>>>
>>>>
>>>> On Wed, May 19, 2010 at 2:33 PM, Jim Lloyd <jll...@silvertailsystems.com> wrote:
>>>>
>>>>> I'd like to implement an authorization plugin that would allow me to
>>>>> implement a fully automatic authorization policy. Here's an outline of what
>>>>> I want:
>>>>>
>>>>> We have a broker that is a hub in a hub & spoke topology network of
>>>>> brokers. All connections to this hub broker are via SSL and the hub broker
>>>>> requires SSL client authentication. We require the client certificates to
>>>>> always be of a form where the Common Name (CN) of the certificate defines
>>>>> the user. So, for example, if we instead used a
>>>>> jaas.TextFileCertificateLoginModule the user.properties file would look
>>>>> like this:
>>>>>
>>>>> user1=CN=user1,O=Silver Tail Systems,ST=California,C=US
>>>>> userFoo=CN=userFoo,O=Silver Tail Systems,ST=California,C=US
>>>>> ...
>>>>> userZeta=CN=userZeta,O=Silver Tail Systems,ST=California,C=US
>>>>>
>>>>> Meanwhile, the AuthorizationMap we want would look something like this:
>>>>>
>>>>> <authorizationPlugin>
>>>>>   <map>
>>>>>     <authorizationMap>
>>>>>       <authorizationEntries>
>>>>>         <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
>>>>>         <authorizationEntry topic="user1.>" read="user1" write="user1" admin="user1" />
>>>>>         <authorizationEntry topic="userFoo.>" read="userFoo" write="userFoo" admin="userFoo" />
>>>>>         ...
>>>>>         <authorizationEntry topic="userZeta.>" read="userZeta" write="userZeta" admin="userZeta" />
>>>>>         <authorizationEntry topic="ActiveMQ.Advisory.>" read="all" write="all" admin="all"/>
>>>>>       </authorizationEntries>
>>>>>     </authorizationMap>
>>>>>   </map>
>>>>> </authorizationPlugin>
>>>>>
>>>>> If we use jaas.TextFileCertificateLoginModule, we have to update the
>>>>> users.properties, groups.properties file and the authorizationMap in the
>>>>> activemq.xml file every time we add a user. We can automate this with
>>>>> scripting, but a more elegant solution would be to write our own plugin(s)
>>>>> to implement this policy. I'm in the process of scoping this effort, and so
>>>>> far I haven't found anything other than javadocs on the various classes to
>>>>> guide me. Can anyone provide a high level outline of how I would implement
>>>>> this?
>>>>>
>>>>> Thanks,
>>>>> Jim Lloyd
>>>>> Silver Tail Systems
>>>>>
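The two pieces the thread talks about, the CertificateLoginModule subclass that turns the certificate CN into the user and the AuthorizationMap whose ACLs are matched with equals() against the Subject's principals, fit together as in the following added example. It is not code from this thread or from the ActiveMQ project. It assumes the ActiveMQ 5.x plugin API: org.apache.activemq.security.AuthorizationMap, org.apache.activemq.jaas.CertificateLoginModule (whose abstract methods are getUserNameForCertificates and getUserGroupsForCertificates), org.apache.activemq.jaas.GroupPrincipal and org.apache.activemq.command.ActiveMQDestination. The package name, the class names, the "all" group handling for temporary destinations and the rejection of CNs containing destination-syntax characters are choices made for this example; how certificates end up in the "admins" group is deployment-specific and not shown.

```java
// Added example, not from this thread or from the ActiveMQ project. Assumes the
// ActiveMQ 5.x plugin API (AuthorizationMap, CertificateLoginModule, GroupPrincipal,
// ActiveMQDestination). Both classes are shown in one file here; a real build
// would split them into two files.
package com.example.activemq;   // hypothetical package

import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.login.LoginException;
import org.apache.activemq.command.ActiveMQDestination;
import org.apache.activemq.jaas.CertificateLoginModule;
import org.apache.activemq.jaas.GroupPrincipal;
import org.apache.activemq.security.AuthorizationMap;

/** Authentication side: user name = certificate CN; groups = {CN, "all"}. */
public class CnCertificateLoginModule extends CertificateLoginModule {

    /** Extract the CN by parsing the DN into RDNs instead of guessing with substrings. */
    static String commonName(String dn) throws LoginException {
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            throw new LoginException("Unparseable subject DN: " + dn);
        }
        throw new LoginException("Client certificate has no CN: " + dn);
    }

    @Override
    protected String getUserNameForCertificates(X509Certificate[] certs) throws LoginException {
        if (certs == null || certs.length == 0) {
            throw new LoginException("No client certificate presented");
        }
        // certs[0] is the end-entity certificate; the SSL transport has already
        // verified the chain against the broker's truststore, so the CN is trusted.
        String cn = commonName(certs[0].getSubjectX500Principal().getName());
        // The CN becomes a destination prefix below, so it must not contain
        // destination syntax ('.' separates segments, '*' and '>' are wildcards).
        if (cn.indexOf('.') >= 0 || cn.indexOf('*') >= 0 || cn.indexOf('>') >= 0) {
            throw new LoginException("CN is not a valid destination prefix: " + cn);
        }
        return cn;
    }

    @Override
    protected Set<String> getUserGroupsForCertificates(X509Certificate[] certs) throws LoginException {
        // Every user is the sole member of a group named after it (the read="user1"
        // style entries) and of "all" (the advisory entry). Membership of "admins"
        // is deployment-specific and not handled here.
        return new HashSet<String>(Arrays.asList(getUserNameForCertificates(certs),
                                                 CnAuthorizationMap.ALL_NAME));
    }
}

/** Authorization side: the policy of the <authorizationMap> above, derived from the name. */
class CnAuthorizationMap implements AuthorizationMap {
    static final String ALL_NAME = "all";
    private static final GroupPrincipal ADMINS = new GroupPrincipal("admins");
    private static final GroupPrincipal ALL = new GroupPrincipal(ALL_NAME);

    /** One ACL serves read, write and admin, exactly as each XML entry did. */
    static Set<Object> aclFor(ActiveMQDestination dest) {
        Set<Object> acl = new HashSet<Object>();
        acl.add(ADMINS);                                  // topic=">" entry
        String name = dest.getPhysicalName();
        if (name.startsWith("ActiveMQ.Advisory.")) {
            acl.add(ALL);                                 // topic="ActiveMQ.Advisory.>" entry
        } else {
            int dot = name.indexOf('.');
            if (dot > 0) {
                // "user1.foo" -> group "user1", mirroring topic="user1.>". A wildcard
                // first segment ("*.foo", ">") yields a group nobody belongs to, so
                // such subscriptions stay admins-only. SecurityContext.isInOneOf()
                // compares these GroupPrincipals with the Subject's using equals().
                acl.add(new GroupPrincipal(name.substring(0, dot)));
            }
        }
        return acl;
    }

    public Set<Object> getAdminACLs(ActiveMQDestination d) { return aclFor(d); }
    public Set<Object> getReadACLs(ActiveMQDestination d)  { return aclFor(d); }
    public Set<Object> getWriteACLs(ActiveMQDestination d) { return aclFor(d); }

    // Temporary destinations: assumption for this example, any authenticated user.
    private static Set<Object> anyAuthenticated() {
        Set<Object> s = new HashSet<Object>();
        s.add(ALL);
        return s;
    }
    public Set<Object> getTempDestinationAdminACLs() { return anyAuthenticated(); }
    public Set<Object> getTempDestinationReadACLs()  { return anyAuthenticated(); }
    public Set<Object> getTempDestinationWriteACLs() { return anyAuthenticated(); }
}
```

Wiring (an assumption about the configuration, not taken from the thread): the login module is named in login.config the same way TextFileCertificateLoginModule would be, and the map is handed to the plugin as a Spring bean inside the `<map>` element of `<authorizationPlugin>` in place of the hand-written `<authorizationMap>`. Because the ACL sets contain GroupPrincipal objects and the JAAS module puts the same GroupPrincipal names into the Subject, isInOneOf() finds an intersection only for the owner of a prefix, for "admins", or for "all" on advisory topics; the Set<?> type in the interface is open precisely so that the map and the authentication broker can agree on whatever principal class they like.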