I've done more research and I think I know better where ActiveMQ would support my desired feature, and it seems the support isn't quite there. I think I want to be able to create a plugin that allows me to customize the behavior of DemandForwardingBridgeSupport.isPermissableDestination(). This is the code that implements the logic for networkConnector's excludedDestinations, dynamicallyIncludedDestinations, and staticallyIncludedDestinations. Unfortunately these don't give me the flexibility I need. Is it reasonable to provide a hook like MessageAuthorizationPolicy.isAllowedToConsume so that I could plug in my own isPermissableDestination()?
FYI I need a feature where I can deny access to a wild card topic and then selectively allow access to a specific (non-wildcarded) topic matching the denied wild card. But I need to do this based on the logged in user on the connection.

Thanks,
Jim

On Tue, May 25, 2010 at 1:08 PM, Jim Lloyd <jll...@silvertailsystems.com> wrote:
> Can a BrokerFilter be used for message-level authorization of messages sent
> from one broker to another in a network of brokers?
>
> Suppose you have a hub and spoke architecture, where there may be many
> 'spoke brokers' that connect to one hub broker using duplex connections. In
> this topology, we want to have all security policies enforced in the hub
> broker (i.e. assume that spoke brokers can be compromised). We have
> partitioned our topic namespace so that each spoke broker has a well-defined
> subset of topics that it may use. I have implemented a custom
> AuthorizationMap that can prevent a client on one spoke from subscribing to
> topics from another spoke. However, Advisory messages are propagated to all
> brokers, so one can look at the Jetty admin console and see the entire
> namespace of all topics. I'd like to do message-level filtering of
> advisories so that each spoke only sees advisories for its subset of topics.
>
> It appeared to me that Message-Level Authorization would give me the hook I
> need, but I discovered that this applies only to filtering of messages
> between client applications and a broker, whereas I need the filtering on
> the network connection between brokers.
>
> I'm now studying the BrokerFilter interface which seems promising, but I'd
> appreciate it if anyone can save me some time by telling me either that 1)
> no, BrokerFilter can't do this, or 2) yes, BrokerFilter can, and then give a
> short outline of how to do it.
>
> Thanks,
> Jim Lloyd
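The "deny a wildcard topic, then allow one specific topic under it, per authenticated user" requirement described above is something a BrokerFilter can enforce for client subscriptions on the broker itself (not on the network bridge, which is the part the poster says lacks a hook). The following is an added example, not code from the thread or from the ActiveMQ project: a BrokerPlugin that installs a BrokerFilter overriding addConsumer, evaluates a list of per-user allow/deny rules, and lets the most specific matching destination pattern win, with ties resolved to deny and no match defaulting to deny. The class names PerUserConsumePlugin, PerUserConsumeBroker and Rule, the specificity scoring, and the sample rules are assumptions of this example; the ActiveMQ types used (BrokerFilter, BrokerPlugin, ConnectionContext, ConsumerInfo, DestinationFilter, ActiveMQTopic) are the real public API.

```java
// Added example (not from the mailing-list thread): per-user consume authorization
// where the most specific destination rule wins, so "deny spoke1.>" plus
// "allow spoke1.status" lets a user read spoke1.status and nothing else under spoke1.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;
import org.apache.activemq.broker.BrokerPlugin;
import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.broker.region.Subscription;
import org.apache.activemq.command.ActiveMQDestination;
import org.apache.activemq.command.ActiveMQTopic;
import org.apache.activemq.command.ConsumerInfo;
import org.apache.activemq.filter.DestinationFilter;

public class PerUserConsumePlugin implements BrokerPlugin {

    /** One rule: a user ("*" = any user), a topic pattern (ActiveMQ wildcards allowed), allow or deny. */
    public static final class Rule {
        final String user;                 // hypothetical rule field: exact user name or "*"
        final ActiveMQDestination pattern; // e.g. "spoke1.>" or "spoke1.status"
        final DestinationFilter filter;    // compiled wildcard matcher for the pattern
        final boolean allow;

        public Rule(String user, String pattern, boolean allow) {
            this.user = user;
            this.pattern = new ActiveMQTopic(pattern);
            this.filter = DestinationFilter.parseFilter(this.pattern);
            this.allow = allow;
        }

        boolean appliesTo(String userName, ActiveMQDestination dest) {
            return ("*".equals(user) || user.equals(userName)) && filter.matches(dest);
        }

        /** Higher = more specific: more path segments, penalised for wildcards ('>' more than '*'). */
        int specificity() {
            String name = pattern.getPhysicalName();
            int score = name.split("\\.").length * 2;
            if (name.contains(">")) {
                score -= 3;
            } else if (name.contains("*")) {
                score -= 1;
            }
            return score;
        }
    }

    private final List<Rule> rules;

    public PerUserConsumePlugin(List<Rule> rules) {
        this.rules = new ArrayList<Rule>(rules);
    }

    @Override
    public Broker installPlugin(Broker next) {
        return new PerUserConsumeBroker(next, rules);
    }

    /** Most specific matching rule decides; equal specificity resolves to deny; no match denies. */
    static boolean isAllowedToConsume(List<Rule> rules, String userName, ActiveMQDestination dest) {
        Rule best = null;
        for (Rule r : rules) {
            if (!r.appliesTo(userName, dest)) {
                continue;
            }
            if (best == null
                    || r.specificity() > best.specificity()
                    || (r.specificity() == best.specificity() && !r.allow)) {
                best = r;
            }
        }
        return best != null && best.allow;
    }

    static final class PerUserConsumeBroker extends BrokerFilter {
        private final List<Rule> rules;

        PerUserConsumeBroker(Broker next, List<Rule> rules) {
            super(next);
            this.rules = rules;
        }

        @Override
        public Subscription addConsumer(ConnectionContext context, ConsumerInfo info) throws Exception {
            ActiveMQDestination dest = info.getDestination();
            // Only gate ordinary topics here; temporary destinations keep the default behaviour.
            if (dest != null && dest.isTopic() && !dest.isTemporary()) {
                // The user name is populated by the authentication plugin earlier in the filter chain.
                String user = context.getUserName();
                if (!isAllowedToConsume(rules, user, dest)) {
                    throw new SecurityException("User " + user + " is not permitted to consume from " + dest);
                }
            }
            return super.addConsumer(context, info);
        }
    }

    /** Constructed sample policy: bob is denied all of spoke1.> except spoke1.status. */
    public static PerUserConsumePlugin sample() {
        return new PerUserConsumePlugin(Arrays.asList(
                new Rule("bob", "spoke1.>", false),
                new Rule("bob", "spoke1.status", true)));
    }
}
```

The plugin is installed like any other BrokerPlugin (for example via the broker's plugins list in the XML configuration); because the filter sits behind the authentication plugin, context.getUserName() is the authenticated identity rather than anything the client claims. Denying on ties and on no match keeps the policy fail-closed, and rejected subscriptions surface as a SecurityException on the client and in the broker log, which is the signal to watch for unexpected subscription attempts.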