Posted to issues@activemq.apache.org by "Justin Bertram (Jira)" <ji...@apache.org> on 2022/10/21 18:56:00 UTC

[jira] [Commented] (ARTEMIS-4059) ActiveMQSecurityManager5 authorize should include remoting connection

    [ https://issues.apache.org/jira/browse/ARTEMIS-4059?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17622419#comment-17622419 ] 

Justin Bertram commented on ARTEMIS-4059:
-----------------------------------------

In previous incarnations of the security manager both authentication and authorization operations would hit the underlying security repository. This was changed via ARTEMIS-2886 a few years back. Here are more details about that from one of the relevant commit messages:

bq. Both authentication and authorization will hit the underlying security repository (e.g. files, LDAP, etc.). For example, creating a JMS connection and a consumer will result in 2 hits with the *same* authentication request. This can cause unwanted (and unnecessary) resource utilization, especially in the case of networked configuration like LDAP.

Given this change, the authorization operation no longer had any direct need for the {{RemotingConnection}} therefore it was removed.

I think you can accomplish your goal with the existing {{ActiveMQSecurityManager5}} interface, although you've not provided many details so it's hard to say for sure. I believe all you need to do is add a new {{Principal}} to the {{Subject}} returned by {{org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager5#authenticate}} which represents the user's client ID. Then you can retrieve that {{Principal}} from the {{Subject}} when it is passed to {{org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager5#authorize}} and perform any additional checks you need. I did a quick proof-of-concept locally and it's relatively straightforward.

Will this work for you?

> ActiveMQSecurityManager5 authorize should include remoting connection
> ---------------------------------------------------------------------
>
>                 Key: ARTEMIS-4059
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-4059
>             Project: ActiveMQ Artemis
>          Issue Type: Wish
>          Components: Broker
>    Affects Versions: 2.26.0
>            Reporter: Rich T
>            Priority: Major
>
> It seems that for ActiveMQSecurityManager5 the RemotingConnection parameter was dropped, but in our use case we need this so we can verify the clientID matches the address, as we require MQTT clients to include their client ID in their topics.
>
> We currently have to try to find the session from the subject, which is error prone when the same user has multiple connections.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
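The approach suggested in the comment above, worked through as an added example (this is not code from the Jira thread or from the Artemis project): a custom ActiveMQSecurityManager5 that records the client ID as a Principal in the Subject during authenticate, then reads it back in authorize and refuses access to an address whose client-ID segment does not match. Assumptions not taken from the page: the in-memory credential store, the "devices.<clientId>.*" address convention, that the protocol handler has already set the client ID on the RemotingConnection when authenticate runs, and the Artemis package names used in the imports.

```java
// Added example: an ActiveMQSecurityManager5 that binds a connection's client ID
// to the addresses it may use. Not Artemis project code; the credential map,
// the address convention and the package names are assumptions for illustration.
import java.security.Principal;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

import javax.security.auth.Subject;

import org.apache.activemq.artemis.core.security.CheckType;
import org.apache.activemq.artemis.core.security.Role;
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager5;
import org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal;
import org.apache.activemq.artemis.spi.core.security.jaas.UserPrincipal;

public class ClientIdSecurityManager implements ActiveMQSecurityManager5 {

   /** Principal that records the client ID the connection authenticated with. */
   public static final class ClientIdPrincipal implements Principal {
      private final String clientId;
      public ClientIdPrincipal(String clientId) { this.clientId = Objects.requireNonNull(clientId); }
      @Override public String getName() { return clientId; }
      @Override public boolean equals(Object o) {
         return o instanceof ClientIdPrincipal && clientId.equals(((ClientIdPrincipal) o).clientId);
      }
      @Override public int hashCode() { return clientId.hashCode(); }
   }

   // Constructed stand-in for a real credential store (properties files, LDAP, ...).
   private static final Map<String, String> PASSWORDS = Map.of("device-user", "s3cret");
   private static final Map<String, String> ROLES = Map.of("device-user", "devices");

   // Assumed convention: addresses under this prefix must carry the client ID as their
   // second segment, e.g. MQTT topic devices/sensor-42/telemetry, which Artemis maps to
   // the address devices.sensor-42.telemetry with its default MQTT separator mapping.
   private static final String GUARDED_PREFIX = "devices.";

   @Override
   public Subject authenticate(String user, String password, RemotingConnection connection, String securityDomain) {
      if (user == null || !Objects.equals(PASSWORDS.get(user), password)) {
         return null; // null signals authentication failure to the broker
      }
      Subject subject = new Subject();
      subject.getPrincipals().add(new UserPrincipal(user));
      subject.getPrincipals().add(new RolePrincipal(ROLES.get(user)));
      // Assumption: the protocol handler has already set the client ID on the connection
      // (MQTT's CONNECT packet carries the client ID together with the credentials).
      String clientId = connection == null ? null : connection.getClientID();
      if (clientId != null && !clientId.isEmpty()) {
         subject.getPrincipals().add(new ClientIdPrincipal(clientId));
      }
      return subject;
   }

   @Override
   public boolean authorize(Subject subject, Set<Role> roles, CheckType checkType, String address) {
      if (subject == null) {
         return false;
      }
      // 1. Ordinary role check: the subject needs a role that security-settings grants for this check type.
      boolean roleOk = false;
      for (Role role : roles) {
         if (checkType.hasRole(role)
               && subject.getPrincipals(RolePrincipal.class).stream().anyMatch(p -> p.getName().equals(role.getName()))) {
            roleOk = true;
            break;
         }
      }
      if (!roleOk) {
         return false;
      }
      // 2. Client-ID binding for guarded addresses, using the Principal stored at authentication time.
      return clientIdMatches(subject, address);
   }

   /** True unless the address is guarded and its client-ID segment differs from the Subject's client ID. */
   static boolean clientIdMatches(Subject subject, String address) {
      if (address == null || !address.startsWith(GUARDED_PREFIX)) {
         return true; // not a guarded address; roles alone decide
      }
      String[] segments = address.split("\\.", 3); // devices . <clientId> . rest
      if (segments.length < 2 || segments[1].isEmpty()) {
         return false;
      }
      Set<ClientIdPrincipal> ids = subject.getPrincipals(ClientIdPrincipal.class);
      // Deny by default: a connection without a client ID may not touch guarded addresses.
      return ids.size() == 1 && ids.iterator().next().getName().equals(segments[1]);
   }

   // Legacy methods inherited from ActiveMQSecurityManager; unused once authenticate/authorize are implemented.
   @Override public boolean validateUser(String user, String password) { return false; }
   @Override public boolean validateUserAndRole(String user, String password, Set<Role> roles, CheckType checkType) { return false; }
}
```

Two points worth checking before using something like this: a wildcard subscription such as devices/+/telemetry reaches authorize with a wildcard in the client-ID segment, so the equality check denies it, which is the intended outcome; and a client ID that itself contains the broker's delimiter character would be split by the segment check, so either reject such IDs at authentication or compare against the address with a delimiter-aware parser. Because the client ID travels inside the Subject, the check gives the same answer for every session on the same connection, which is the multi-connection case the reporter describes.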