Ok then it seems like you will need to implement a custom Authorizer.
The interface of an Authorizer is quite simple. It looks like:

    trait Authorizer {
      def can(ctx: SecurityContext, action: String, resource: SecuredResource): Boolean
    }

Basically the ctx will have the user info including the security
subject/cert info. The action is stuff like "send", and the resource
will be an instance of a virtualhost, queue, topic (etc.) that the
user is trying to perform the action against. The method just needs to
return true if it's allowed.
The only problem is there does not yet exist a way to configure a
custom authorizer. Let me see if I can add support for that in the Apollo
configuration.
On Wed, Jul 10, 2013 at 6:38 PM, Garry Watkins <[email protected]> wrote:
> Yes, the users will be unknown at the time of connection.
>
> On Jul 10, 2013, at 3:00 PM, Hiram Chirino <[email protected]> wrote:
>
>> And the user names are dynamic? You don't know them ahead of time?
>>
>> On Tue, Jul 9, 2013 at 4:14 PM, Garry Watkins <[email protected]> wrote:
>>> I have been looking at the documentation in the security section.
>>>
>>> http://activemq.apache.org/apollo/documentation/user-manual.html#Security
>>>
>>> I need to write code that will capture allow a queue to be created with the
>>> same name as the user. That user may then be allowed to receive and consume
>>> messages.
>>>
>>> Any hints about where I could inject this into the code?
>>>
>>> Thanks
>>>
>>>
>>> On Jul 08, 2013, at 02:06 PM, Christian Posta <[email protected]>
>>> wrote:
>>>
>>> Should be the distinguished name from the X509 cert:
>>>
>>> http://docs.oracle.com/javase/6/docs/api/javax/security/auth/x500/X500Principal.html
>>>
>>>
>>> On Mon, Jul 8, 2013 at 1:31 PM, Garry Watkins <[email protected]> wrote:
>>>
>>> Ok, now that I know that I can do that.
>>>
>>> How does Apollo assign the username? What I want to do is have another
>>> process create a queue just for that user, and that is the only queue that
>>> user may access.
>>>
>>> Thanks for the speedy response.
>>>
>>> On Jul 8, 2013, at 1:28 PM, Christian Posta <[email protected]>
>>> wrote:
>>>
>>>> Yep, try adding the following to your ssl connector:
>>>>
>>>> <connector id="default" bind="ssl://0.0.0.0:61614">
>>>>   <ssl client_auth="need" />
>>>> </connector>
>>>>
>>>> On Mon, Jul 8, 2013 at 12:51 PM, Garry Watkins <[email protected]> wrote:
>>>>
>>>>> Is it possible to use Client Certs for Authentication/Authorization for
>>>>> Apollo?
>>>>
>>>> --
>>>> *Christian Posta*
>>>> http://www.christianposta.com/blog
>>>> twitter: @christianposta
>>>
>>>
>>> --
>>> *Christian Posta*
>>> http://www.christianposta.com/blog
>>> twitter: @christianposta
>>
>>
>>
>> --
>> Hiram Chirino
>>
>> Engineering | Red Hat, Inc.
>>
>> [email protected] | fusesource.com | redhat.com
>>
>> skype: hiramchirino | twitter: @hiramchirino
>>
>> blog: Hiram Chirino's Bit Mojo
>
--
Hiram Chirino
Engineering | Red Hat, Inc.
[email protected] | fusesource.com | redhat.com
skype: hiramchirino | twitter: @hiramchirino
blog: Hiram Chirino's Bit Mojo
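
The following is an added example, not part of the original thread and not Apollo's own code: a default-deny Authorizer that lets a certificate-authenticated user act only on the queue named after the CN in their subject DN. The `SecurityContext` and `SecuredResource` case classes are stand-ins with assumed fields (`user`, `kind`, `id`), the action names other than "send" are assumed, and using the CN as the queue name is one possible mapping.

```scala
import javax.naming.ldap.LdapName
import scala.collection.JavaConverters._
import scala.util.Try

// Stand-ins so the example compiles on its own; field names are assumptions,
// not Apollo's real classes.
case class SecurityContext(user: String)              // user = certificate subject DN
case class SecuredResource(kind: String, id: String)  // kind: "queue", "topic", ...

trait Authorizer {
  def can(ctx: SecurityContext, action: String, resource: SecuredResource): Boolean
}

class OwnQueueAuthorizer extends Authorizer {
  // Actions permitted on the user's own queue (assumed names); all else is denied.
  private val allowed = Set("create", "receive", "consume")

  // Parse the DN with LdapName instead of splitting on commas, so an escaped
  // comma inside a value is not mistaken for an RDN separator. A DN with zero
  // or several CN components, or one that fails to parse, yields None.
  private def commonName(dn: String): Option[String] =
    Try(new LdapName(dn)).toOption.flatMap { name =>
      val cns = name.getRdns.asScala.filter(_.getType.equalsIgnoreCase("CN"))
      if (cns.size == 1) Option(cns.head.getValue).collect { case s: String => s }
      else None
    }

  // Default deny: every condition must hold, and the queue id must equal the CN exactly.
  def can(ctx: SecurityContext, action: String, resource: SecuredResource): Boolean =
    resource.kind == "queue" &&
      allowed.contains(action) &&
      Option(ctx.user).flatMap(commonName).contains(resource.id)
}

object OwnQueueAuthorizerDemo extends App {
  val auth    = new OwnQueueAuthorizer
  // Constructed sample DNs, not taken from the thread.
  val alice   = SecurityContext("CN=alice,OU=clients,O=Example")
  val escaped = SecurityContext("CN=bob\\,CN\\=alice,O=Example") // CN value is "bob,CN=alice"

  println(auth.can(alice, "consume", SecuredResource("queue", "alice")))   // own queue
  println(auth.can(alice, "consume", SecuredResource("queue", "bob")))     // someone else's queue
  println(auth.can(alice, "send", SecuredResource("queue", "alice")))      // action not in the allow list
  println(auth.can(alice, "consume", SecuredResource("topic", "alice")))   // wrong resource kind
  println(auth.can(escaped, "consume", SecuredResource("queue", "alice"))) // escaped comma does not yield CN=alice
  println(auth.can(SecurityContext(null), "consume", SecuredResource("queue", "alice"))) // no identity
}
```

Only the first check is allowed; the other five are denied.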