Yes, you can use a connection-router to allow only the connections that match the local-target-filter, i.e.

<!-- internal acceptor: accept only the user names foo and too -->
<connection-router name="allow-privileged-users">
  <key-type>USER_NAME</key-type>
  <local-target-filter>^(foo|too)$</local-target-filter>
</connection-router>

<!-- external acceptor: accept every user name except foo and too -->
<connection-router name="deny-privileged-users">
  <key-type>USER_NAME</key-type>
  <local-target-filter>^(?!foo$|too$).*$</local-target-filter>
</connection-router>

<acceptor name="internal">tcp://10.0.0.1:61616?router=allow-privileged-users...
<acceptor name="external">tcp://0.0.0.0:61616?router=deny-privileged-users...

Domenico

On Thu, 17 Apr 2025 at 13:55, Vilius Šumskas <vilius.sums...@rivile.lt.invalid> wrote:

> I'm trying to wrap my head around how connection router functionality
> works.
>
> In my case, I already have two acceptors. SSL protected and externally
> exposed one, which should be used only by the external unprivileged users,
> and internal one on different AMQP port, which should be used by the
> privileged internal users. If I understand correctly, that external
> acceptor should be configured in such a way that it allows all users,
> except for a few privileged ones. Since we are using
> ActiveMQBasicSecurityManager I probably cannot use security domain here,
> but looking through documentation, I should be able to use redirection on a
> specific acceptor with key-type USER_NAME, right?
>
> --
> Vilius
>
> -----Original Message-----
> From: Domenico Francesco Bruscino <bruscin...@gmail.com>
> Sent: Wednesday, April 16, 2025 9:27 AM
> To: users@activemq.apache.org
> Subject: Re: IP address whitelisting for Artemis users
>
> Hi Vilius,
>
> you can create an acceptor that allows only connections from specific
> users by setting a per-acceptor security domain[1] and a connection
> router[2] to reject connections with a source IP address that doesn't match
> your filter, i.e.
>
> <connection-router name="privileged-ip-filter">
>   <key-type>SOURCE_IP</key-type>
>   <local-target-filter>^192\.168\.10\.1|192\.168\.10\.2$</local-target-filter>
> </connection-router>
>
> [1] https://activemq.apache.org/components/artemis/documentation/latest/security.html#per-acceptor-security-domains
> [2] https://activemq.apache.org/components/artemis/documentation/latest/connection-routers.html#connection-routers
>
> Regards,
> Domenico
>
>
> On Tue, 15 Apr 2025 at 22:24, Vilius Šumskas <vilius.sums...@rivile.lt.invalid> wrote:
>
> > Hi,
> >
> > is there a way to somehow limit which IP an Artemis user is allowed to
> > connect from? We had instances where a privileged user dedicated to
> > internal usage only was used in externalized Java services. I want to
> > protect these users from being used where they should not be.
> >
> > --
> > Best Regards,
> > Vilius
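
Added example, not part of the thread and not Artemis code: a Python check that runs the filters posted above against constructed user names and addresses before they go into broker.xml. The thread does not say whether the broker matches a filter against the whole key or searches within it, so both are tested; Python's re stands in for the broker's regex engine, and the helper names and the grouped IP filter are assumptions of this example.

```python
import re

# Filters copied from the thread.
ALLOW_USERS = r"^(foo|too)$"
DENY_USERS = r"^(?!foo$|too$).*$"
IP_FILTER = r"^192\.168\.10\.1|192\.168\.10\.2$"
# Constructed variant (assumption): same two addresses, alternation grouped
# inside the anchors.
IP_FILTER_GROUPED = r"^(192\.168\.10\.1|192\.168\.10\.2)$"

# Constructed sample keys.
USERS = ["foo", "too", "food", "bar", "service-a"]
IPS = ["192.168.10.1", "192.168.10.2", "192.168.10.10",
       "192.168.10.199", "192.168.10.25", "10.0.0.5"]


def accepted(pattern, keys, whole_key=True):
    """Keys the filter lets through, matching the whole key or any substring."""
    match = re.fullmatch if whole_key else re.search
    return [k for k in keys if match(pattern, k)]


def anchoring_gap(pattern, keys):
    """Keys accepted only when the engine searches instead of matching the whole key."""
    strict = set(accepted(pattern, keys, whole_key=True))
    return [k for k in accepted(pattern, keys, whole_key=False) if k not in strict]


def is_partition(allow, deny, keys):
    """True if every key is accepted by exactly one of the two filters."""
    a, d = set(accepted(allow, keys)), set(accepted(deny, keys))
    return not (a & d) and (a | d) == set(keys)


if __name__ == "__main__":
    print("allow router :", accepted(ALLOW_USERS, USERS))
    print("deny router  :", accepted(DENY_USERS, USERS))
    print("disjoint and complete:", is_partition(ALLOW_USERS, DENY_USERS, USERS))
    for name, pat in (("thread ", IP_FILTER), ("grouped", IP_FILTER_GROUPED)):
        print(name, "whole-key:", accepted(pat, IPS),
              "search-only:", anchoring_gap(pat, IPS))
```

A non-empty search-only list means the filter's result depends on how the pattern is applied; grouping the alternation inside the anchors removes that dependence.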