Posted to dev@activemq.apache.org by artnaseef <Ar...@Ticketmaster.com> on 2010/12/14 00:29:02 UTC

BrokerFilter securing addBroker() via SSL certs?

For my custom security solution using BrokerFilter, I'm trying to secure the
addBroker() operation to prevent unauthorized brokers from connecting.

Authorization will use the SSL client certificate of the broker connection.

Looking through the Connection and BrokerInfo arguments to addBroker(),
there does not appear to be a way to get to the SSL certificate information. 
Is that correct?

-- 
View this message in context: http://activemq.2283324.n4.nabble.com/BrokerFilter-securing-addBroker-via-SSL-certs-tp3086239p3086239.html
Sent from the ActiveMQ - Dev mailing list archive at Nabble.com.

Re: BrokerFilter securing addBroker() via SSL certs?

Posted by artnaseef <Ar...@Ticketmaster.com>.
Added a JIRA with an attached patch that can be used to solve this problem. 
As noted in the JIRA report, I'm hoping to get feedback on the fit of the
solution, and I am willing to work on an alternate solution as-needed.

https://issues.apache.org/jira/browse/AMQ-3154 AMQ-3154 

-- 
View this message in context: http://activemq.2283324.n4.nabble.com/BrokerFilter-securing-addBroker-via-SSL-certs-tp3086239p3309457.html
Sent from the ActiveMQ - Dev mailing list archive at Nabble.com.

Re: BrokerFilter securing addBroker() via SSL certs?

Posted by artnaseef <Ar...@Ticketmaster.com>.
Looking at this more carefully, I have a couple of questions.

First, I am not seeing any way to distinguish brokers from regular clients. 
We have a specific need to authenticate brokers in a different manner than
clients.  We want our brokers to accept connections from end clients but
prevent those clients from connecting their own brokers to the network - in
part to prevent bypass of our custom security.

Second, looking at broker-to-broker connections, is there any potential
security hole with the timing of security placed in a BrokerFilter?  Looking
at TransportConnection's processBrokerInfo(), several steps are taken to
establish additional connections to slave brokers and duplex connections
before BrokerFilter's addBroker() is called.  Even if these are disposed
promptly on denying the broker access, I'm concerned there is time for such
a broker to gain unauthorized access to data.


-- 
View this message in context: http://activemq.2283324.n4.nabble.com/BrokerFilter-securing-addBroker-via-SSL-certs-tp3086239p3230476.html
Sent from the ActiveMQ - Dev mailing list archive at Nabble.com.

Re: BrokerFilter securing addBroker() via SSL certs?

Posted by Dejan Bosanac <de...@nighttale.net>.
Your case is supported. You need to authenticate both your brokers and
clients in the same way and then give them different privileges (using
authorization).

See http://activemq.apache.org/security.html for more information.

In the example I sent you earlier, there are no usernames and
passwords as the brokers are authenticated using their certificates (I
thought that's what you're trying to do).


Cheers
--
Dejan Bosanac
-----------------
FuseSource - The experts in open source integration and messaging.
Email: dejanb@fusesource.com
Web: http://fusesource.com
Twitter:  http://twitter.com/dejanb
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net



On Tue, Dec 14, 2010 at 6:55 PM, artnaseef
<Ar...@ticketmaster.com> wrote:
>
> Can this solution meet all of my needs?  Let me clarify the needs.
>
> Authorized brokers must be distinguished from end-clients.  For example,
> some clients will be limited in which queues and topics they are allowed to
> access, which messages they may receive, and more.  On the other hand,
> authorized brokers connected to the network will always be allowed to access
> all queues and topics (at least, in the current design).
>
> In addition, a separate system maintains the end-client permissions based on
> information in the SSL certificate (DN).
>
> Are user/password credentials applied to distinguish brokers?  I'm not
> seeing user/password credentials in the test.
>
> If the JAAS plugin can meet my needs, that would be great.
> --
> View this message in context: http://activemq.2283324.n4.nabble.com/BrokerFilter-securing-addBroker-via-SSL-certs-tp3086239p3087621.html
> Sent from the ActiveMQ - Dev mailing list archive at Nabble.com.
>
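The approach in the reply above (authenticate brokers and end clients the same way, by certificate, and separate them only at authorization time) can also be done inside a custom BrokerFilter, which is what the original question was asking for. The example below is added here and is not code from the thread, from ActiveMQ or from its JAAS plugin. It hooks addConnection rather than addBroker, because on an SSL transport ActiveMQ stores the peer certificate chain on the ConnectionInfo (as the transport context) and that is where a filter can read it; it does not speak to the ordering question about processBrokerInfo raised elsewhere in the thread. The package name, the class names and the policy that peer brokers carry OU=Brokers in their certificate subject are assumptions made for the example.

```java
package com.example.activemq.security; // hypothetical package, not part of ActiveMQ

import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;
import org.apache.activemq.broker.BrokerPlugin;
import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.command.ConnectionInfo;
import org.apache.activemq.jaas.GroupPrincipal;
import org.apache.activemq.security.SecurityContext;

/**
 * Example plugin (not ActiveMQ's own): every inbound connection, whether from an
 * end client or from a peer broker, is authenticated by its SSL client
 * certificate and tagged with a group, so the standard authorizationPlugin can
 * give brokers and clients different rights.
 *
 * Assumed policy (hypothetical): peer brokers have OU=Brokers in their subject DN;
 * everything else is treated as a client.
 */
public class CertificateGroupPlugin implements BrokerPlugin {

    public static final String BROKER_OU = "Brokers";
    public static final String BROKER_GROUP = "brokers";
    public static final String CLIENT_GROUP = "clients";

    @Override
    public Broker installPlugin(Broker next) {
        return new CertificateGroupBroker(next);
    }

    /** The BrokerFilter doing the work; addConnection is where the chain is visible. */
    public static class CertificateGroupBroker extends BrokerFilter {

        public CertificateGroupBroker(Broker next) {
            super(next);
        }

        @Override
        public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception {
            // SslTransport sets the peer certificate chain as the transport context;
            // it is null on a plain TCP transport, which we refuse outright.
            Object transportContext = info.getTransportContext();
            if (!(transportContext instanceof X509Certificate[])
                    || ((X509Certificate[]) transportContext).length == 0) {
                throw new SecurityException("Client certificate required on connection "
                        + info.getConnectionId());
            }
            // The leaf certificate is first; its subject DN is the identity.
            X509Certificate leaf = ((X509Certificate[]) transportContext)[0];
            String dn = leaf.getSubjectX500Principal().getName();
            context.setSecurityContext(new CertificateSecurityContext(dn, groupForSubject(dn)));
            try {
                super.addConnection(context, info);
            } catch (Exception e) {
                context.setSecurityContext(null); // do not leave a half-registered identity behind
                throw e;
            }
        }

        @Override
        public void removeConnection(ConnectionContext context, ConnectionInfo info, Throwable error)
                throws Exception {
            super.removeConnection(context, info, error);
            context.setSecurityContext(null);
        }
    }

    /** Map a subject DN to a group under the hypothetical OU policy; unparseable DNs get least privilege. */
    public static String groupForSubject(String dn) {
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("OU".equalsIgnoreCase(rdn.getType())
                        && BROKER_OU.equals(String.valueOf(rdn.getValue()))) {
                    return BROKER_GROUP;
                }
            }
        } catch (InvalidNameException e) {
            // fall through to the client group
        }
        return CLIENT_GROUP;
    }

    /** Security context carrying the DN as user name and one group principal. */
    static class CertificateSecurityContext extends SecurityContext {
        private final Set<Principal> principals;

        CertificateSecurityContext(String dn, String group) {
            super(dn);
            Set<Principal> set = new HashSet<Principal>();
            set.add(new GroupPrincipal(group));
            this.principals = Collections.unmodifiableSet(set);
        }

        @Override
        public Set<Principal> getPrincipals() {
            return principals;
        }
    }
}
```

The group names "brokers" and "clients" are what the authorizationPlugin's authorizationEntry read/write/admin attributes would then refer to, so a queue=">" entry granted to "brokers" gives peer brokers full access while client entries stay narrow. For the chain to be present at all, the ssl transportConnector has to request client certificates (needClientAuth=true) and the truststore has to contain only the CA that issues broker and client certificates; without that, the DN check authenticates nothing.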

Re: BrokerFilter securing addBroker() via SSL certs?

Posted by artnaseef <Ar...@Ticketmaster.com>.
Can this solution meet all of my needs?  Let me clarify the needs.

Authorized brokers must be distinguished from end-clients.  For example,
some clients will be limited in which queues and topics they are allowed to
access, which messages they may receive, and more.  On the other hand,
authorized brokers connected to the network will always be allowed to access
all queues and topics (at least, in the current design).

In addition, a separate system maintains the end-client permissions based on
information in the SSL certificate (DN).

Are user/password credentials applied to distinguish brokers?  I'm not
seeing user/password credentials in the test.

If the JAAS plugin can meet my needs, that would be great.
-- 
View this message in context: http://activemq.2283324.n4.nabble.com/BrokerFilter-securing-addBroker-via-SSL-certs-tp3086239p3087621.html
Sent from the ActiveMQ - Dev mailing list archive at Nabble.com.

Re: BrokerFilter securing addBroker() via SSL certs?

Posted by Dejan Bosanac <de...@nighttale.net>.
Hi,

Broker-to-broker authentication using SSL is already implemented in
ActiveMQ. Take a look at the following test case

https://fisheye6.atlassian.com/browse/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/JaasNetworkTest.java?r=HEAD

and especially the configuration files:

https://fisheye6.atlassian.com/browse/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/broker1.xml?r=HEAD
https://fisheye6.atlassian.com/browse/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/broker2.xml?r=HEAD

Cheers
--
Dejan Bosanac
-----------------
FuseSource - The experts in open source integration and messaging.
Email: dejanb@fusesource.com
Web: http://fusesource.com
Twitter:  http://twitter.com/dejanb
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net



On Tue, Dec 14, 2010 at 12:29 AM, artnaseef
<Ar...@ticketmaster.com> wrote:
>
> For my custom security solution using BrokerFilter, I'm trying to secure the
> addBroker() operation to prevent unauthorized brokers from connecting.
>
> Authorization will use the SSL client certificate of the broker connection.
>
> Looking through the Connection and BrokerInfo arguments to addBroker(),
> there does not appear to be a way to get to the SSL certificate information.
> Is that correct?
>
> --
> View this message in context: http://activemq.2283324.n4.nabble.com/BrokerFilter-securing-addBroker-via-SSL-certs-tp3086239p3086239.html
> Sent from the ActiveMQ - Dev mailing list archive at Nabble.com.
>