Hi Jim,

could you supply a patch? - not sure I understand your use case - or why you would apply it only to networks?

thanks,
Rob

On 26 May 2010, at 01:45, Jim Lloyd wrote:

> I've done more research and I think I know better where ActiveMQ would
> support my desired feature, and it seems the support isn't quite there. I
> think I want to be able to create a plugin that allows me to customize the
> behavior of DemandForwardingBridgeSupport.isPermissableDestination(). This
> is the code that implements the logic for
> networkConnector's excludedDestinations, dynamicallyIncludedDestinations,
> and staticallyIncludedDestinations. Unfortunately these don't give me the
> flexibility I need. Is it reasonable to provide a hook
> like MessageAuthorizationPolicy.isAllowedToConsume so that I could plug in my
> own isPermissableDestination()?
>
> FYI I need a feature where I can deny access to a wild card topic and then
> selectively allow access to a specific (non-wildcarded) topic matching the
> denied wild card. But I need to do this based on the logged in user on the
> connection.
>
> Thanks,
> Jim
>
>
> On Tue, May 25, 2010 at 1:08 PM, Jim Lloyd
> <jll...@silvertailsystems.com> wrote:
>
>> Can a BrokerFilter be used for message-level authorization of messages sent
>> from one broker to another in a network of brokers?
>>
>> Suppose you have a hub and spoke architecture, where there may be many
>> 'spoke brokers' that connect to one hub broker using duplex connections. In
>> this topology, we want to have all security policies enforced in the hub
>> broker (i.e. assume that spoke brokers can be compromised). We have
>> partitioned our topic namespace so that each spoke broker has a well-defined
>> subset of topics that it may use. I have implemented a custom
>> AuthorizationMap that can prevent a client on one spoke from subscribing to
>> topics from another spoke. However, Advisory messages are propagated to all
>> brokers, so one can look at the Jetty admin console and see the entire
>> namespace of all topics. I'd like to do message-level filtering of
>> advisories so that each spoke only sees advisories for its subset of topics.
>>
>> It appeared to me that Message-Level Authorization would give me the hook I
>> need, but I discovered that this applies only to filtering of messages
>> between client applications and a broker, whereas I need the filtering on
>> the network connection between brokers.
>>
>> I'm now studying the BrokerFilter interface which seems promising, but I'd
>> appreciate it if anyone can save me some time by telling me either that 1)
>> no, BrokerFilter can't do this, or 2) yes, BrokerFilter can, and then give
>> a short outline of how to do it.
>>
>> Thanks,
>> Jim Lloyd
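
The rule quoted above (deny a wildcard topic, then allow one specific topic under it, decided per logged-in user) is sketched here as an added example; it is not code from this thread or from ActiveMQ. The class, method, user and topic names are hypothetical, the matcher assumes ActiveMQ's destination wildcards (`*` for one dot-separated element, `>` for the rest of the name), and a topic that matches no rule is permitted on the assumption that the broker's normal authorization still applies.

```java
import java.util.*;

/** Hypothetical per-user destination policy; not an ActiveMQ class. */
public class UserDestinationPolicy {
    private static final class Rules {
        final Set<String> allowExact = new HashSet<>(); // exact names, override deny
        final List<String> deny = new ArrayList<>();    // patterns, may use * and >
    }
    private final Map<String, Rules> byUser = new HashMap<>();

    public void deny(String user, String pattern) {
        byUser.computeIfAbsent(user, u -> new Rules()).deny.add(pattern);
    }

    public void allow(String user, String topic) {
        // An allow that could itself be a wildcard would silently undo a deny.
        if (topic.contains("*") || topic.contains(">"))
            throw new IllegalArgumentException("allow rules must not be wildcarded");
        byUser.computeIfAbsent(user, u -> new Rules()).allowExact.add(topic);
    }

    /** Users without rules are refused; an exact allow overrides a matching deny. */
    public boolean isPermitted(String user, String topic) {
        Rules r = byUser.get(user);
        if (r == null) return false;                 // unknown identity: fail closed
        if (r.allowExact.contains(topic)) return true;
        for (String p : r.deny)
            if (matches(p, topic)) return false;
        return true;                                 // assumption: no rule, no objection
    }

    /** '*' matches exactly one element; '>' matches everything from that point on. */
    static boolean matches(String pattern, String topic) {
        String[] p = pattern.split("\\."), t = topic.split("\\.");
        for (int i = 0; i < p.length; i++) {
            if (p[i].equals(">")) return true;
            if (i >= t.length) return false;
            if (!p[i].equals("*") && !p[i].equals(t[i])) return false;
        }
        return p.length == t.length;
    }

    public static void main(String[] args) {
        UserDestinationPolicy policy = new UserDestinationPolicy();
        policy.deny("spoke1", "events.>");              // constructed sample names
        policy.allow("spoke1", "events.spoke1.status");
        for (String topic : new String[] {"events.spoke1.status", "events.spoke2.status"})
            System.out.println(topic + " -> " + policy.isPermitted("spoke1", topic));
        System.out.println("unknown user -> " + policy.isPermitted("spoke9", "events.spoke1.status"));
    }
}
```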