Posted to users@activemq.apache.org by Garry Watkins <ca...@me.com> on 2013/07/08 18:51:18 UTC
Is it possible to use Client Certs for Authentication/Authorization for Apollo?
Is it possible to use Client Certs for Authentication/Authorization for Apollo?
Re: Is it possible to use Client Certs for Authentication/Authorization for Apollo?
Posted by Christian Posta <ch...@gmail.com>.
You could take a look at this page:
http://activemq.apache.org/apollo/documentation/extending-guide.html
Then take a look at using a RouterListenerFactory for when destinations are
created:
http://activemq.apache.org/apollo/documentation/api/apollo-broker/index.html#org.apache.activemq.apollo.broker.RouterListenerFactory
Though, I'm not sure I understand your requirements completely. You want to
create a queue with the same name as the user? And do that when the user
connects? Or when?
You could also take a look at protocol filtering for the protocol you're
using (stomp?) and create a filter that creates the queue when a user
connects:
Take a look here since protocol filtering still seems to be undocumented:
http://activemq.2283324.n4.nabble.com/Does-apollo-support-anything-like-interceptors-td4470806.html#a4478870
And use this filter:
/**
 * A Protocol filter can filter frames being sent/received to and from a
 * client. It can modify the frame or even drop it.
 */
@deprecated(message="Please use the ProtocolFilter3 interface instead", since="1.7")
abstract class ProtocolFilter2 {
  /**
   * Filters a command frame received from a client.
   * returns None if the filter wants to drop the frame.
   */
  def filter_inbound[T](frame: T):T

  /**
   * Filters a command frame being sent to the client.
   * returns None if the filter wants to drop the frame.
   */
  def filter_outbound[T](frame: T):T
}
On Tue, Jul 9, 2013 at 4:14 PM, Garry Watkins <ca...@icloud.com> wrote:
> I have been looking at the documentation in the security section.
>
> http://activemq.apache.org/apollo/documentation/user-manual.html#Security
>
> I need to write code that will capture allow a queue to be created with
> the same name as the user. That user may then be allowed to receive and
> consume messages.
>
> Any hints about where I could inject this into the code?
>
> Thanks
>
> On Jul 08, 2013, at 02:06 PM, Christian Posta <ch...@gmail.com> wrote:
>
>> Should be the distinguished name from the X509 cert:
>>
>> http://docs.oracle.com/javase/6/docs/api/javax/security/auth/x500/X500Principal.html
>>
>> On Mon, Jul 8, 2013 at 1:31 PM, Garry Watkins <ca...@me.com> wrote:
>>
>>> Ok, now that I know that I can do that.
>>>
>>> How does Apollo assign the username? What I want to do is have another
>>> process create a queue just for that user, and that is the only queue that
>>> user may access.
>>>
>>> Thanks for the speedy response.
>>>
>>> On Jul 8, 2013, at 1:28 PM, Christian Posta <ch...@gmail.com> wrote:
>>>
>>>> Yep, try adding the following to your ssl connector:
>>>>
>>>> <connector id="default" bind="ssl://0.0.0.0:61614">
>>>>   <ssl client_auth="need" />
>>>> </connector>
>>>>
>>>> On Mon, Jul 8, 2013 at 12:51 PM, Garry Watkins <ca...@me.com> wrote:
>>>>
>>>>> Is it possible to use Client Certs for Authentication/Authorization for
>>>>> Apollo?
--
*Christian Posta*
http://www.christianposta.com/blog
twitter: @christianposta
Re: Is it possible to use Client Certs for Authentication/Authorization for Apollo?
Posted by Hiram Chirino <hi...@hiramchirino.com>.
Yeah should be stable. 1.7 is a bit overdue. We really should
consider cutting a newer version soon.
On Sat, Jul 13, 2013 at 2:59 PM, Garry Watkins <ca...@me.com> wrote:
--
Hiram Chirino
Engineering | Red Hat, Inc.
hchirino@redhat.com | fusesource.com | redhat.com
skype: hiramchirino | twitter: @hiramchirino
blog: Hiram Chirino's Bit Mojo
Re: Is it possible to use Client Certs for Authentication/Authorization for Apollo?
Posted by Garry Watkins <ca...@me.com>.
Took a look at it, and it should work for me. Thanks for the ultra fast resolution to the problem.
Is the github version pretty stable for testing? When do you think 1.7 will be released?
Thanks again for doing this so quickly.
Garry
On Jul 13, 2013, at 2:18 PM, Hiram Chirino <hi...@hiramchirino.com> wrote:
Re: Is it possible to use Client Certs for Authentication/Authorization for Apollo?
Posted by Christian Posta <ch...@gmail.com>.
I just gave it a try, works great.
Did you build from here?
origin : https://github.com/apache/activemq-apollo.git (fetch)
origin : https://github.com/apache/activemq-apollo.git (push)
On Tue, Sep 24, 2013 at 4:48 PM, vatsal12 <va...@gmail.com> wrote:
--
*Christian Posta*
http://www.christianposta.com/blog
twitter: @christianposta
Re: Is it possible to use Client Certs for Authentication/Authorization for Apollo?
Posted by vatsal12 <va...@gmail.com>.
Hi Chirino,
I just tried the same Authorizer.
It is showing me
2013-09-24 16:13:53,530 | WARN | Broker configuration file failed the following validations: |
2013-09-24 16:13:53,531 | WARN | |
2013-09-24 16:13:53,532 | WARN | fatal error at (18:121): cvc-complex-type.3.2.2: Attribute 'security_factory' is not allowed to appear in element 'broker'. | '
I built it from github directly.
Thanks
Re: Is it possible to use Client Certs for Authentication/Authorization for Apollo?
Posted by Hiram Chirino <hi...@hiramchirino.com>.
Hi Garry,
This is what I came up with:
Firstly you need to implement the SecurityFactory trait. For example:
https://github.com/apache/activemq-apollo/blob/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/test/UserOwnershipSecurityFactory.scala#L29
Then you need to set the 'security_factory' attribute of the broker
element to the name of the class you implemented it with. For example:
https://github.com/apache/activemq-apollo/blob/trunk/apollo-stomp/src/test/resources/apollo-stomp-custom-security.xml#L18
This change is being tracked via:
https://issues.apache.org/jira/browse/APLO-330#comment-13707807
On Fri, Jul 12, 2013 at 11:22 AM, Garry Watkins <ca...@me.com> wrote:
--
Hiram Chirino
Engineering | Red Hat, Inc.
hchirino@redhat.com | fusesource.com | redhat.com
skype: hiramchirino | twitter: @hiramchirino
blog: Hiram Chirino's Bit Mojo
Re: Is it possible to use Client Certs for Authentication/Authorization for Apollo?
Posted by Garry Watkins <ca...@me.com>.
That sounds good. I was searching in the code and that is where I thought I might be able to hook in.
Why not add an authorizer attribute which is the class name of the custom authorizer.
<access_rule allow="*" action="create destroy send" authorizer="MyCustomAuthorizer"/>
<access_rule allow="*" action="connect receive consume" authorizer="MyCustomAuthorizer2"/>
On Jul 12, 2013, at 11:01 AM, Hiram Chirino <hi...@hiramchirino.com> wrote:
Re: Is it possible to use Client Certs for Authentication/Authorization for Apollo?
Posted by Hiram Chirino <hi...@hiramchirino.com>.
Ok then it seems like you will need to implement a custom Authorizer.
The interface of an Authorizer is quite simple. It looks like:
trait Authorizer {
  def can(ctx:SecurityContext, action:String, resource:SecuredResource):Boolean;
}
Basically the ctx will have the user info including the security
subject/cert info. The action is stuff like "send", and the resource
will be an instance of a virtualhost, queue, topic (etc.) that the
user is trying to perform the action against. The method just needs to
return true if it's allowed.
The only problem is there does not yet exist a way to configure a
custom authorizer. Let me see if I can add support for that in the apollo
configuration.
On Wed, Jul 10, 2013 at 6:38 PM, Garry Watkins <ca...@me.com> wrote:
--
Hiram Chirino
Engineering | Red Hat, Inc.
hchirino@redhat.com | fusesource.com | redhat.com
skype: hiramchirino | twitter: @hiramchirino
blog: Hiram Chirino's Bit Mojo
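An added example, not code from this thread or from the Apollo project, of the approach Hiram describes here and in his Jul 13 message: a SecurityFactory, named in the broker element's security_factory attribute, that installs an Authorizer confining each certificate-authenticated user to the single queue named after them. The Apollo members it relies on (SecurityFactory.install(Broker)/install(VirtualHost), DefaultSecurityFactory, VirtualHost.authorizer, SecurityContext.user/certificates, SecuredResource.id/resource_kind and the *Kind objects) are assumed from the broker API and should be checked against the UserOwnershipSecurityFactory test linked earlier in the thread.

```scala
// Added example, not from this thread or the Apollo code base. Assumed Apollo
// API (verify against the linked UserOwnershipSecurityFactory): SecurityFactory
// with install(Broker) / install(VirtualHost), DefaultSecurityFactory,
// VirtualHost.authorizer, SecurityContext.user / .certificates,
// SecuredResource.id / .resource_kind and the SecuredResource.*Kind objects.
//
// Wiring (the attribute added under APLO-330, as the thread describes):
//   <broker xmlns="http://activemq.apache.org/schema/activemq/apollo"
//           security_factory="example.security.QueueOwnershipSecurityFactory">
package example.security

import javax.naming.InvalidNameException
import javax.naming.ldap.LdapName
import scala.collection.JavaConverters._
import org.apache.activemq.apollo.broker.{Broker, VirtualHost}
import org.apache.activemq.apollo.broker.security._
import org.apache.activemq.apollo.broker.security.SecuredResource._

object QueueOwnership {
  // The queue-level actions Garry listed in the thread.
  val queue_actions = Set("create", "destroy", "send", "receive", "consume")

  // With <ssl client_auth="need"/> the user name is the X.500 DN of the client
  // certificate, e.g. "CN=alice,OU=clients,O=Example". A raw DN is a poor
  // queue name (commas, '=', spaces), so the queue is named after the CN, and
  // a DN with zero or several CNs is rejected instead of guessed at.
  def queue_name_for(dn: String): Option[String] = {
    if (dn == null || dn.isEmpty) return None
    val cns = try {
      new LdapName(dn).getRdns.asScala
        .filter(_.getType.equalsIgnoreCase("CN"))
        .map(_.getValue.toString.trim)
        .filter(_.nonEmpty)
    } catch { case _: InvalidNameException => Nil }
    if (cns.size == 1) Some(cns.head) else None
  }

  // The decision itself: only the listed queue actions, and only on the one
  // queue whose id equals the user's CN. Everything else is denied.
  def queue_allowed(dn: String, action: String, queue_id: String): Boolean =
    queue_actions.contains(action) && queue_name_for(dn).exists(_ == queue_id)

  // Assumed: ctx.user carries the DN after certificate login; fall back to the
  // subject of the first client certificate if the login module left it unset.
  def dn_of(ctx: SecurityContext): String =
    if (ctx.user != null && !ctx.user.isEmpty) ctx.user
    else Option(ctx.certificates).filter(_.nonEmpty)
      .map(_.head.getSubjectX500Principal.getName).orNull
}

class QueueOwnershipSecurityFactory extends SecurityFactory {

  // Broker-level security (JAAS login, connector rules) stays as configured.
  def install(broker: Broker): Unit = DefaultSecurityFactory.install(broker)

  def install(virtual_host: VirtualHost): Unit = {
    // Build the access_rule based authorizer first, then wrap it so checks
    // that are not about a queue still go through the configured rules.
    DefaultSecurityFactory.install(virtual_host)
    val configured = virtual_host.authorizer

    virtual_host.authorizer = new Authorizer {
      def can(ctx: SecurityContext, action: String, resource: SecuredResource): Boolean =
        resource.resource_kind match {
          case QueueKind =>
            QueueOwnership.queue_allowed(QueueOwnership.dn_of(ctx), action, resource.id)
          case TopicKind | DurableSubKind =>
            false // these users get their own queue and nothing else
          case _ =>
            // virtual host "connect" and the rest: the configured rules decide
            configured.can(ctx, action, resource)
        }
    }
  }
}
```

Because the wrapper denies by default, a client whose certificate DN has no single CN cannot reach any queue, which is the failure mode to test first after enabling client_auth="need".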
Re: Is it possible to use Client Certs for Authentication/Authorization for Apollo?
Posted by Garry Watkins <ca...@me.com>.
Yes, the users will be unknown at the time of connection.
On Jul 10, 2013, at 3:00 PM, Hiram Chirino <hi...@hiramchirino.com> wrote:
Re: Is it possible to use Client Certs for Authentication/Authorization for Apollo?
Posted by Hiram Chirino <hi...@hiramchirino.com>.
And the user names are dynamic? You don't know them ahead of time?
On Tue, Jul 9, 2013 at 4:14 PM, Garry Watkins <ca...@icloud.com> wrote:
> I have been looking at the documentation in the security section.
>
> http://activemq.apache.org/apollo/documentation/user-manual.html#Security
>
> I need to write code that will allow a queue to be created with the
> same name as the user. That user may then be allowed to receive and consume
> messages.
>
> Any hints about where I could inject this into the code?
>
> Thanks
>
>
> On Jul 08, 2013, at 02:06 PM, Christian Posta <ch...@gmail.com>
> wrote:
>
> Should be the distinguished name from the X509 cert:
>
> http://docs.oracle.com/javase/6/docs/api/javax/security/auth/x500/X500Principal.html
>
>
> On Mon, Jul 8, 2013 at 1:31 PM, Garry Watkins <ca...@me.com> wrote:
>
> Ok, now that I know that I can do that.
>
> How does Apollo assign the username? What I want to do is have another
> process create a queue just for that user, and that is the only queue that
> user may access.
>
> Thanks for the speedy response.
>
> On Jul 8, 2013, at 1:28 PM, Christian Posta <ch...@gmail.com>
> wrote:
>
>> Yep, try adding the following to your ssl connector:
>>
>> <connector id="default" bind="ssl://0.0.0.0:61614">
>>   <ssl client_auth="need" />
>> </connector>
>>
>>
>> On Mon, Jul 8, 2013 at 12:51 PM, Garry Watkins <ca...@me.com> wrote:
>>
>>> Is it possible to use Client Certs for Authentication/Authorization for
>>> Apollo?
>>
>>
>> --
>> *Christian Posta*
>> http://www.christianposta.com/blog
>> twitter: @christianposta
>
>
>
> --
> *Christian Posta*
> http://www.christianposta.com/blog
> twitter: @christianposta
--
Hiram Chirino
Engineering | Red Hat, Inc.
hchirino@redhat.com | fusesource.com | redhat.com
skype: hiramchirino | twitter: @hiramchirino
blog: Hiram Chirino's Bit Mojo
Re: Is it possible to use Client Certs for Authentication/Authorization
for Apollo?
Posted by Christian Posta <ch...@gmail.com>.
Should be the distinguished name from the X509 cert:
http://docs.oracle.com/javase/6/docs/api/javax/security/auth/x500/X500Principal.html
On Mon, Jul 8, 2013 at 1:31 PM, Garry Watkins <ca...@me.com> wrote:
> Ok, now that I know that I can do that.
>
> How does Apollo assign the username? What I want to do is have another
> process create a queue just for that user, and that is the only queue that
> user may access.
>
> Thanks for the speedy response.
>
> On Jul 8, 2013, at 1:28 PM, Christian Posta <ch...@gmail.com>
> wrote:
>
> > Yep, try adding the following to your ssl connector:
> >
> > <connector id="default" bind="ssl://0.0.0.0:61614">
> >   <ssl client_auth="need" />
> > </connector>
> >
> >
> > On Mon, Jul 8, 2013 at 12:51 PM, Garry Watkins <ca...@me.com> wrote:
> >
> >> Is it possible to use Client Certs for Authentication/Authorization for
> >> Apollo?
> >
> >
> >
> >
> > --
> > *Christian Posta*
> > http://www.christianposta.com/blog
> > twitter: @christianposta
>
>
--
*Christian Posta*
http://www.christianposta.com/blog
twitter: @christianposta
Re: Is it possible to use Client Certs for
Authentication/Authorization for Apollo?
Posted by Garry Watkins <ca...@me.com>.
Ok, now that I know that I can do that.
How does Apollo assign the username? What I want to do is have another process create a queue just for that user, and that is the only queue that user may access.
Thanks for the speedy response.
On Jul 8, 2013, at 1:28 PM, Christian Posta <ch...@gmail.com> wrote:
> Yep, try adding the following to your ssl connector:
>
> <connector id="default" bind="ssl://0.0.0.0:61614">
>   <ssl client_auth="need" />
> </connector>
>
>
> On Mon, Jul 8, 2013 at 12:51 PM, Garry Watkins <ca...@me.com> wrote:
>
>> Is it possible to use Client Certs for Authentication/Authorization for
>> Apollo?
>
>
>
>
> --
> *Christian Posta*
> http://www.christianposta.com/blog
> twitter: @christianposta
Re: Is it possible to use Client Certs for Authentication/Authorization
for Apollo?
Posted by Christian Posta <ch...@gmail.com>.
Yep, try adding the following to your ssl connector:
<connector id="default" bind="ssl://0.0.0.0:61614">
  <ssl client_auth="need" />
</connector>
On Mon, Jul 8, 2013 at 12:51 PM, Garry Watkins <ca...@me.com> wrote:
> Is it possible to use Client Certs for Authentication/Authorization for
> Apollo?
--
*Christian Posta*
http://www.christianposta.com/blog
twitter: @christianposta
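The two answers in this thread fit together: the connector's `<ssl client_auth="need" />` makes the broker refuse any TLS session without a client certificate, and the username the broker then sees is the certificate's distinguished name as Java's X500Principal renders it. The following Go program is an added illustration of that pipeline and is not code from Apollo or from anyone in the thread. It builds a throwaway self-signed client certificate in memory (constructed test data, not a real PKI), derives the RFC 2253 DN string from it in the same form `X500Principal.getName()` produces, and then applies the rule the original poster described: the principal may use only the queue that carries its own name. The helper names (`newClientCert`, `PrincipalName`, `QueueFor`, `Authorize`, `ServerTLSConfig`) are hypothetical, and Go's `tls.RequireAndVerifyClientCert` stands in for Apollo's `client_auth="need"`; the exact queue-naming scheme is an assumption, the thread only says "the same name as the user".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newClientCert builds a self-signed X.509 certificate in memory for the given
// subject and parses it back, standing in for the certificate a client presents
// during the TLS handshake. Constructed test data, not a real PKI.
func newClientCert(cn, org, country string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:   cn,
			Organization: []string{org},
			Country:      []string{country},
		},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PrincipalName returns the subject DN in RFC 2253 string form, e.g.
// "CN=alice,O=Example,C=US". That is the same representation Java's
// X500Principal.getName() yields, i.e. the username the thread says a
// cert-authenticated connection gets.
func PrincipalName(cert *x509.Certificate) string {
	return cert.Subject.String()
}

// QueueFor maps a principal to its private queue. Assumption: the queue name
// is the username itself, as the original poster asked for.
func QueueFor(principal string) string {
	return principal
}

// Authorize lets a principal use only the queue that carries its own name and
// denies every other destination. An empty principal (no cert) is never allowed.
func Authorize(principal, queue string) bool {
	return principal != "" && queue == QueueFor(principal)
}

// ServerTLSConfig is the Go counterpart of <ssl client_auth="need"/>: the
// handshake fails unless the client presents a certificate that chains to a
// CA in pool, so every accepted connection has a verified principal.
func ServerTLSConfig(pool *x509.CertPool, serverCert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
}

func main() {
	cert, err := newClientCert("alice", "Example", "US")
	if err != nil {
		panic(err)
	}
	user := PrincipalName(cert)
	fmt.Println("username:", user)
	fmt.Println("own queue allowed:", Authorize(user, QueueFor(user)))
	fmt.Println("other queue allowed:", Authorize(user, "CN=bob,O=Example,C=US"))
}
```

Two practical points follow from the DN being the username. First, the string carries commas, equals signs and possibly spaces, so if the destination naming scheme cannot hold it verbatim, derive the queue name from the whole DN rather than from the CN alone: two certificates from different organizations can share a CN, and collapsing the identity to CN would let one of them reach the other's queue. Second, the authorization check must be keyed on the principal the TLS layer verified, never on a name the client sends in the STOMP CONNECT frame, or the certificate requirement buys nothing.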