In my previous example there is an error, I meant:

<connection-router name="allow-privileged-users">
  <key-type>USER_NAME</key-type>
  <local-target-filter>^(foo|too)$</local-target-filter>
</connection-router>

<connection-router name="deny-privileged-users">
  <key-type>USER_NAME</key-type>
  <local-target-filter>^(?!foo$|too$).*$</local-target-filter>
</connection-router>

<acceptor name="internal">tcp://10.0.0.1:61616?router=allow-privileged-users...

<acceptor name="external">tcp://0.0.0.0:61616?router=deny-privileged-users...

Domenico

On Thu, 17 Apr 2025 at 15:24, Domenico Francesco Bruscino <bruscin...@gmail.com> wrote:

> Yes, you can use a connection-router to allow only the connections that
> match the local-target-filter, i.e.
>
> <connection-router name="allow-privileged-users">
>   <key-type>USER_NAME</key-type>
>   <local-target-filter>^(foo|too)$</local-target-filter>
> </connection-router>
>
> <connection-router name="deny-privileged-users">
>   <key-type>SOURCE_IP</key-type>
>   <local-target-filter>^(?!foo$|too$).*$</local-target-filter>
> </connection-router>
>
> <acceptor name="internal">tcp://10.0.0.1:61616?router=allow-privileged-users...
>
> <acceptor name="external">tcp://0.0.0.0:61616?router=deny-privileged-users...
>
> Domenico
>
> On Thu, 17 Apr 2025 at 13:55, Vilius Šumskas <vilius.sums...@rivile.lt.invalid> wrote:
>
>> I'm trying to wrap my head around how the connection router functionality
>> works.
>>
>> In my case, I already have two acceptors: an SSL-protected and externally
>> exposed one, which should be used only by the external unprivileged users,
>> and an internal one on a different AMQP port, which should be used by the
>> privileged internal users. If I understand correctly, that external
>> acceptor should be configured in such a way that it allows all users
>> except for a few privileged ones. Since we are using
>> ActiveMQBasicSecurityManager I probably cannot use a security domain here,
>> but looking through the documentation, I should be able to use redirection
>> on a specific acceptor with key-type USER_NAME, right?
>>
>> --
>> Vilius
>>
>> -----Original Message-----
>> From: Domenico Francesco Bruscino <bruscin...@gmail.com>
>> Sent: Wednesday, April 16, 2025 9:27 AM
>> To: users@activemq.apache.org
>> Subject: Re: IP address whitelisting for Artemis users
>>
>> Hi Vilius,
>>
>> you can create an acceptor that allows only connections from specific
>> users by setting a per-acceptor security domain[1] and a connection
>> router[2] to reject connections with a source IP address that doesn't match
>> your filter, i.e.
>>
>> <connection-router name="privileged-ip-filter">
>>   <key-type>SOURCE_IP</key-type>
>>   <local-target-filter>^192\.168\.10\.1|192\.168\.10\.2$</local-target-filter>
>> </connection-router>
>>
>> [1] https://activemq.apache.org/components/artemis/documentation/latest/security.html#per-acceptor-security-domains
>> [2] https://activemq.apache.org/components/artemis/documentation/latest/connection-routers.html#connection-routers
>>
>> Regards,
>> Domenico
>>
>> On Tue, 15 Apr 2025 at 22:24, Vilius Šumskas <vilius.sums...@rivile.lt.invalid> wrote:
>>
>> > Hi,
>> >
>> > is there a way to somehow limit which IP an Artemis user is allowed to
>> > connect from? We had instances where a privileged user dedicated to
>> > internal usage only was used in externalized Java services. I want to
>> > protect these users from being used where they should not be.
>> >
>> > --
>> > Best Regards,
>> > Vilius
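An added check for the allow/deny router pair above (example code, not from the thread or from Artemis itself): it parses the two connection-router elements, evaluates each local-target-filter against sample usernames, and verifies that every user is admitted by exactly one of the two acceptors, so no privileged account can reach the external acceptor and no ordinary account is locked out of both. It assumes Artemis applies the filter as a whole-string match (Java Matcher.matches()), which re.fullmatch reproduces; the usernames are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the corrected routers from the thread, wrapped in a
# root element so ElementTree can parse them as one document.
ROUTERS_XML = """<connection-routers>
  <connection-router name="allow-privileged-users">
    <key-type>USER_NAME</key-type>
    <local-target-filter>^(foo|too)$</local-target-filter>
  </connection-router>
  <connection-router name="deny-privileged-users">
    <key-type>USER_NAME</key-type>
    <local-target-filter>^(?!foo$|too$).*$</local-target-filter>
  </connection-router>
</connection-routers>"""


def load_routers(xml_text):
    """Map router name -> (key-type, compiled local-target-filter regex)."""
    root = ET.fromstring(xml_text)
    routers = {}
    for cr in root.findall("connection-router"):
        key_type = cr.findtext("key-type", default="")
        pattern = cr.findtext("local-target-filter", default=".*")
        routers[cr.get("name")] = (key_type, re.compile(pattern))
    return routers


def admits(routers, router_name, key):
    """True if the acceptor bound to router_name would keep this connection.
    Assumption: the filter is applied as a whole-string match, so a
    username such as 'food' is not caught by the 'foo' alternative."""
    _, pattern = routers[router_name]
    return pattern.fullmatch(key) is not None


def partition_ok(routers, allow, deny, keys):
    """Exactly one of the allow/deny routers must admit each key: otherwise a
    user could use both acceptors, or none."""
    return all(admits(routers, allow, k) != admits(routers, deny, k)
               for k in keys)


if __name__ == "__main__":
    rs = load_routers(ROUTERS_XML)
    for user in ["foo", "too", "food", "alice", ""]:
        print(f"{user!r}: internal={admits(rs, 'allow-privileged-users', user)}"
              f" external={admits(rs, 'deny-privileged-users', user)}")
```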