Authorization/Security Question

[jgunz <sl...@twcny.rr.com>]

I'm having trouble getting my head around some of ActiveMQs authorization
settings. I have a relatively specific use case I'm trying to meet, but
can't quite figure out what the appropriate permission settings are. The
read and write permissions I understand. The admin and temporary destination
permissions I do not.

I securely handle communication from a client side process to the server
side ActiveMQ broker. All communication on the client is considered
potentially malicious. I have two main groups of ActiveMQ users, server
processes, and client processes. An admin group can be used for overall
administration.

Inbound traffic is pretty straight forward. The server processes can have
read+write on all inbound.> topics as well as admin permissions. The client
processes can have write access only to inbound.dirty.> topics. There's no
real need for clients to create or remove any topics for inbound
communication because the server processes.

Outbound traffic is where I get lost. I want to be able to create client
specific topics (that is, topics intended for 1 authorized client that will
have a customized message stream supplied by the server). I was envisioning
having the client create temporary topics, so that they were the only ones
who could consume them, and then sending these to the server to write to.
These channels would live under outbound.private.> topics.

In order to do this though, do I have to give clients admin privileges on
outbound.private.>? This seems funny to me because ultimately I don't want
clients to be able to see each other's private outbound channels and I
certainly don't want them to be able to remove them. So how should I
appropriately permission the outbound topic hierarchy to only allow client
reads, and further restrict certain topics to specific connections?

Any suggestions or comments would be greatly appreciated. Thanks.

-- 
View this message in context: http://www.nabble.com/Authorization-Security-Question-tf4354381s2354.html#a12407601
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: Authorization/Security Question

[jgunz <sl...@twcny.rr.com>]

Another fly in the ointment is how should the Advisory destinations be
permissioned for the client group? 
-- 
View this message in context: http://www.nabble.com/Authorization-Security-Question-tf4354381s2354.html#a12407602
Sent from the ActiveMQ - User mailing list archive at Nabble.com.