Hi Shiv,

I confirm the connection router processes the incoming secure connections after the SSL handshake. You could use the trust store to reject incoming secure connections during the SSL handshake. I mean your trust store could include only the certificates to trust the allowed-ssl-users.
Regards,
Domenico

On Wed, 7 May 2025 at 17:28, Shiv Kumar Dixit <shivkumar.di...@it.eurofinseu.com.invalid> wrote:
> Hi Domenico,
> Thanks for the information and for raising the JIRA.
>
> I tried using ROLE_NAME (of authenticated cert-based users) with the latest artemis 2.41.0 and it works fine. It was not working earlier with 2.237.0 due to a bug which got fixed in 2.41.0.
>
> One quick question regarding USER_NAME/ROLE_NAME: both keys only work for the authenticated users, right?
>
> Is there any way to first check whether the incoming connection is using a valid certificate or not by matching against static certificate values defined in cert-users.properties? If they are present, then the broker initiates the SSL authentication process, else they are rejected? I am looking for some sort of pre-authentication process to avoid SSL handshake errors from misbehaving clients.
>
> Best Regards
> Shiv
>
> -----Original Message-----
> From: Domenico Francesco Bruscino <bruscin...@gmail.com>
> Sent: 07 May 2025 08:31 PM
> To: users@activemq.apache.org
> Subject: Re: Connection router for filtering certificate based users
>
> Hi Shiv,
>
> the connection router doesn't resolve the USER_NAME key when the connection is authenticated with the TextFileCertificateLoginModule, this is a bug, I created the following issue:
> https://issues.apache.org/jira/browse/ARTEMIS-5465
>
> Regards,
> Domenico
>
> On Tue, 6 May 2025 at 16:22, Shiv Kumar Dixit <shivkumar.di...@it.eurofinseu.com.invalid> wrote:
> > Hi Domenico
> >
> > I am exploring how to restrict users (especially certificate-based) from connecting based on certain conditions. I came across https://lists.apache.org/thread/not2kzq23vx60zjvsl9ffrx7rfps6wzs. I tried to use the USER_NAME key for filtering and it worked fine for basic authentication users. Can we also use this USER_NAME key to filter certificate-based users?
> >
> > We define the certificate username and role in e.g. cert-users.properties and cert-roles.properties. Can we use the username defined in the cert-users.properties file, e.g. user1=CN=My_Test_App, in the connection router?
> >
> > <connection-routers>
> >    <connection-router name="allowed-ssl-users">
> >       <key-type>USER_NAME</key-type>
> >       <local-target-filter>user1</local-target-filter>
> >    </connection-router>
> > </connection-routers>
> >
> > <acceptor name="ssl">tcp://0.0.0.0:9876?.........;router=allowed-ssl-users</acceptor>
> >
> > Thanks
> > Shiv
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@activemq.apache.org
> For additional commands, e-mail: users-h...@activemq.apache.org
> For further information, visit: https://activemq.apache.org/contact
>
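What Domenico's suggestion looks like in broker.xml, as an added example that is not part of this thread or of the Artemis project: the first acceptor is the "router only" setup, where every client completes the TLS handshake and the USER_NAME filter decides afterwards; the second demands a client certificate and trusts only the leaf certificates of the allowed users, so any other certificate fails the handshake before login and the router ever run. The key and trust store paths, passwords and the `allowed-clients.p12` name are placeholders; the URL parameters (`sslEnabled`, `needClientAuth`, `keyStorePath`, `keyStorePassword`, `trustStorePath`, `trustStorePassword`) are the standard Artemis Netty acceptor parameters.

```xml
<!-- Added example, not from this thread. Store paths, passwords and the
     allowed-clients.p12 name are placeholders to replace. -->

<!-- Before: TLS is on but the broker never asks for a client certificate.
     Every client, misbehaving or not, completes the handshake; only the
     router's USER_NAME filter (applied after authentication) rejects it. -->
<acceptor name="ssl">tcp://0.0.0.0:9876?sslEnabled=true;keyStorePath=/path/to/broker-keystore.p12;keyStorePassword=CHANGE_ME;router=allowed-ssl-users</acceptor>

<!-- After: needClientAuth forces the client to present a certificate, and
     the trust store contains ONLY the leaf certificates of the allowed
     users (no CA certificate). A client whose certificate is not in that
     store fails the handshake, so neither TextFileCertificateLoginModule
     nor the router sees the connection. -->
<acceptor name="ssl">tcp://0.0.0.0:9876?sslEnabled=true;needClientAuth=true;keyStorePath=/path/to/broker-keystore.p12;keyStorePassword=CHANGE_ME;trustStorePath=/path/to/allowed-clients.p12;trustStorePassword=CHANGE_ME;router=allowed-ssl-users</acceptor>

<!-- The router from the thread stays in place as a second check: the trust
     store decides who may finish the handshake, the router decides which
     authenticated user names are allowed through. -->
<connection-routers>
   <connection-router name="allowed-ssl-users">
      <key-type>USER_NAME</key-type>
      <local-target-filter>user1</local-target-filter>
   </connection-router>
</connection-routers>
```

The restricted trust store is built by importing each allowed user's certificate with the JDK keytool, e.g. `keytool -importcert -alias user1 -file user1.crt -keystore allowed-clients.p12 -storetype PKCS12`, one `-importcert` per allowed user. The point to watch is what goes into that store: if the issuing CA certificate is imported, every certificate that CA ever signed passes the handshake and the restriction collapses back to the router filter alone. Rejections at this stage show up as TLS handshake failures on the client side rather than broker-level authentication errors, which is exactly the pre-authentication behaviour asked about above.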