The current implementation doesn't allow combining different key types in one router. In your case, the native router redirection is not used. The redirection allows a client connection to be redirected to another target broker. In your case, the connection router is used to reject connections that don't match the local-target-filter and it works for all clients.
Domenico

On Fri, 18 Apr 2025 at 13:14, Vilius Šumskas <vilius.sums...@rivile.lt.invalid> wrote:

> Thank you. It is working very well! Couple more questions:
> * Is it possible to combine different key types in one router? For
> example, have connections checked for USER_NAME or ROLE_NAME if user name
> is not found?
> * Documentation mentions that native router redirection works for specific
> clients. Do these clients need to be of a particular version, or is native
> redirection implemented using native protocol specification. E.g. any AMQP
> 0.9 client will work?
>
> --
> Vilius
>
> -----Original Message-----
> From: Domenico Francesco Bruscino <bruscin...@gmail.com>
> Sent: Thursday, April 17, 2025 4:25 PM
> To: users@activemq.apache.org
> Subject: Re: IP address whitelisting for Artemis users
>
> In my previous example there is an error, I meant:
>
> <connection-router name="allow-privileged-users">
>   <key-type>USER_NAME</key-type>
>   <local-target-filter>^(foo|too)$</local-target-filter>
> </connection-router>
>
> <connection-router name="deny-privileged-users">
>   <key-type>USER_NAME</key-type>
>   <local-target-filter>^(?!foo$|too$).*$</local-target-filter>
> </connection-router>
>
> <acceptor name="internal">tcp://10.0.0.1:61616?router=allow-privileged-users...
>
> <acceptor name="external">tcp://0.0.0.0:61616?router=deny-privileged-users...
>
> Domenico
>
> On Thu, 17 Apr 2025 at 15:24, Domenico Francesco Bruscino <bruscin...@gmail.com> wrote:
>
> > Yes, you can use a connection-router to allow only the connections
> > that match the local-target-filter, i.e.
> >
> > <connection-router name="allow-privileged-users">
> >   <key-type>USER_NAME</key-type>
> >   <local-target-filter>^(foo|too)$</local-target-filter>
> > </connection-router>
> >
> > <connection-router name="deny-privileged-users">
> >   <key-type>SOURCE_IP</key-type>
> >   <local-target-filter>^(?!foo$|too$).*$</local-target-filter>
> > </connection-router>
> >
> > <acceptor name="internal">tcp://10.0.0.1:61616?router=allow-privileged-users...
> >
> > <acceptor name="external">tcp://0.0.0.0:61616?router=deny-privileged-users...
> >
> > Domenico
> >
> > On Thu, 17 Apr 2025 at 13:55, Vilius Šumskas <vilius.sums...@rivile.lt.invalid> wrote:
> >
> >> I'm trying to wrap my head around how connection router functionality
> >> works.
> >>
> >> In my case, I already have two acceptors. SSL protected and
> >> externally exposed one, which should be used only by the external
> >> unprivileged users, and internal one on different AMQP port, which
> >> should be used by the privileged internal users. If I understand
> >> correctly, that external acceptor should be configured in such a way,
> >> that it allow all users, except for few privileged ones. Since we are
> >> using ActiveMQBasicSecurityManager I probably cannot use security
> >> domain here, but looking through documentation, I should be able to
> >> use redirection on a specific acceptor with key-type USER_NAME, right?
> >>
> >> --
> >> Vilius
> >>
> >> -----Original Message-----
> >> From: Domenico Francesco Bruscino <bruscin...@gmail.com>
> >> Sent: Wednesday, April 16, 2025 9:27 AM
> >> To: users@activemq.apache.org
> >> Subject: Re: IP address whitelisting for Artemis users
> >>
> >> Hi Villus,
> >>
> >> you can create an acceptor that allows only connections from specific
> >> users by setting a per-acceptor security domain[1] and a connection
> >> router[2] to reject connections with a source IP address that doesn't
> >> match your filter, i.e.
> >>
> >> <connection-router name="privileged-ip-filter">
> >>   <key-type>SOURCE_IP</key-type>
> >>   <local-target-filter>^192\.168\.10\.1|192\.168\.10\.2$</local-target-filter>
> >> </connection-router>
> >>
> >> [1] https://activemq.apache.org/components/artemis/documentation/latest/security.html#per-acceptor-security-domains
> >> [2] https://activemq.apache.org/components/artemis/documentation/latest/connection-routers.html#connection-routers
> >>
> >> Regards,
> >> Domenico
> >>
> >>
> >> On Tue, 15 Apr 2025 at 22:24, Vilius Šumskas <vilius.sums...@rivile.lt.invalid> wrote:
> >>
> >> > Hi,
> >> >
> >> > is there a way to somehow limit which IP Artemis user is allowed to
> >> > connect from? We had instances where privileged user dedicated to
> >> > internal usage only was used in externalized Java services. I want
> >> > to protect these users from being used where they should not be.
> >> >
> >> > --
> >> > Best Regards,
> >> > Vilius
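An added example, not part of the thread or of the Artemis code base: a Python check of the `local-target-filter` patterns quoted above, showing which acceptor admits which user name and how the SOURCE_IP filter behaves under whole-string versus substring matching. It assumes Python's `re` treats these patterns the same way as the broker's Java regex engine; which matching mode the broker applies is something to confirm for your version, and the grouped IP pattern, function names and sample keys are this example's own.

```python
import re

# Filters copied from the thread's <local-target-filter> elements.
ALLOW_USERS = r"^(foo|too)$"            # router on the internal acceptor
DENY_USERS = r"^(?!foo$|too$).*$"       # router on the external acceptor
IP_FILTER = r"^192\.168\.10\.1|192\.168\.10\.2$"
# Variant added by this example: grouping makes both anchors bind to
# each address, so the result no longer depends on the matching mode.
IP_FILTER_GROUPED = r"^(192\.168\.10\.1|192\.168\.10\.2)$"

# Constructed sample keys, not taken from any real deployment.
SAMPLE_USERS = ["foo", "too", "food", "alice", "Foo"]
SAMPLE_IPS = ["192.168.10.1", "192.168.10.2", "192.168.10.100",
              "192.168.10.15", "192.168.11.1"]


def accepts(pattern, key, whole=True):
    """True if `key` matches the filter, i.e. the connection is kept locally.

    whole=True models whole-string matching, whole=False substring search.
    """
    rx = re.compile(pattern)
    return bool(rx.fullmatch(key) if whole else rx.search(key))


def acceptor_decisions(users):
    """Map each user name to the acceptors whose router would admit it."""
    decisions = {}
    for user in users:
        admitted = []
        if accepts(ALLOW_USERS, user):
            admitted.append("internal")
        if accepts(DENY_USERS, user):
            admitted.append("external")
        decisions[user] = admitted
    return decisions


def loose_matches(pattern, keys):
    """Keys admitted by substring search but rejected by whole-string match."""
    return [k for k in keys
            if accepts(pattern, k, whole=False) and not accepts(pattern, k)]


if __name__ == "__main__":
    for user, where in acceptor_decisions(SAMPLE_USERS).items():
        print(f"{user!r:8} -> {where}")
    print("mode-dependent (ungrouped):", loose_matches(IP_FILTER, SAMPLE_IPS))
    print("mode-dependent (grouped):  ", loose_matches(IP_FILTER_GROUPED, SAMPLE_IPS))
```

The user-name filters are case-sensitive as written, so `Foo` falls through to the external acceptor's filter; whether that matters depends on how the security manager compares user names.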