Posted to users@activemq.apache.org by magellings <ma...@qg.com> on 2009/10/29 21:18:50 UTC

Re: Dynamically setting activemq username password when logging into web console

From what I can tell even with JMX properly set up you still can't maintain
separate privs.  One user/password is hard-coded/configured to be used by
the web console at start up to connect to the broker.  I want to be able to
configure separate user/passwords to connect to the broker grabbed when the
user logs into the web console.  I already have the web console configured
for BASIC authentication with two different user/passwords (based on the
link in my original post) I just need to somehow use those to then connect
to the broker.

It's possible to configure different roles to be used when logging into the
web console.  But it is not possible to control the rights the user has
based on this.  Example:

web.xml

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>adminRealm</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>guest</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>adminRealm</realm-name>
  </login-config>

realm.properties

admin: MD5:6990a54322d9232390a784c5c9247dd6,admin
guest: MD5:084e0343a0486ff05530df6c705c8bb4,guest

With the above config I can log on as either admin or guest successfully
when entering the appropriate password at the basic authentication prompt.

I'd like guest to have read privs (see messages on queues, etc.), and admin
to have read/write privs (see messages on queues, delete messages, delete
queues, etc.).  In our scenario guest is producing a message and just wants
to verify the message has been created successfully on the queue.  Admin
owns the queue and the broker as they are on a separate development team
than user guest.  They do not want guest to be able to delete
messages/queues etc.  Right now we have no way to let guest see for
themselves that the message is on the queue unless we give them the admin
user/password for the basic authentication prompt when using the web
console.  If we give that out, we give out read/write privs to guest which
we don't want to do.

I think for this to be possible two separate connections would need to be
maintained to the broker, one for guest and one for admin so as the
simpleAuthenticationPlugin and authorizationPlugin can be used based on the
user/password used to log on.  Ideally the user/password entered during a
basic authentication prompt could be mapped to the same user/password used
to connect to the broker.  Maybe this isn't possible if the web console only
maintains one connection to the broker.  Maybe the web console would need to
be enhanced with a user/group security section to control what privs in the
web console the logged on user has.  An admin could then control whether a
user has the right to delete a message, a queue, etc. and the web console
has the smarts to display the delete link or not based on the privs of the
logged on user.

Not sure if this was ever discussed.  Maybe a jira should be created and the
functionality request backlogged???

-- 
View this message in context: http://www.nabble.com/Dynamically-setting-activemq-username-password-when-logging-into-web-console-tp26118677p26120009.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
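The post above shows a Jetty-style web.xml/realm.properties setup where BASIC authentication yields a role, and then proposes a per-role privilege section in the console so that a role decides which actions (browse vs. delete) are offered. The following Python is an added example, not code from the post or from ActiveMQ: it parses a realm.properties in Jetty's `username: credential,role...` form, verifies a decoded HTTP Basic header against the `MD5:` credential form the post uses (unsalted hex MD5, a weak storage form that a verifier should treat as legacy), and consults a hypothetical `ROLE_PERMISSIONS` table of the kind the post asks for. The realm content and the permission table are constructed for the example; the hashes are generated inline from constructed passwords and are not the values in the post.

```python
import base64
import hashlib
import hmac

# Constructed realm.properties content in Jetty's HashLoginService format:
#   username: credential[,role1,role2...]
# "MD5:" denotes an unsalted hex MD5 of the password. The digests are
# generated here from the constructed passwords "adminpw" and "guestpw";
# they are not the hashes from the original post.
REALM_PROPERTIES = "\n".join([
    "# constructed sample, not the original file",
    "admin: MD5:%s,admin" % hashlib.md5(b"adminpw").hexdigest(),
    "guest: MD5:%s,guest" % hashlib.md5(b"guestpw").hexdigest(),
])

# Hypothetical per-role permission table for the console: the kind of
# "user/group security section" the post proposes. Not part of ActiveMQ.
ROLE_PERMISSIONS = {
    "admin": {"browse", "purge", "deleteQueue", "deleteMessage"},
    "guest": {"browse"},
}


def parse_realm(text):
    """Return {username: {"credential": str, "roles": set}} from realm.properties text."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        parts = [p.strip() for p in rest.split(",")]
        users[name.strip()] = {"credential": parts[0], "roles": set(parts[1:])}
    return users


def check_credential(stored, password):
    """Compare a supplied password against a stored Jetty credential string.

    Only the MD5: form and plain text are handled here. Comparison is
    constant-time so a wrong guess does not leak how many bytes matched.
    """
    if stored.startswith("MD5:"):
        digest = hashlib.md5(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(stored[4:].lower(), digest)
    if stored.startswith("OBF:") or stored.startswith("CRYPT:"):
        raise ValueError("credential form not handled in this example")
    return hmac.compare_digest(stored, password)


def authenticate_basic(users, authorization_header):
    """Decode an HTTP Basic Authorization header; return the user's roles or None."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep or username not in users:
        return None
    entry = users[username]
    if not check_credential(entry["credential"], password):
        return None
    return entry["roles"]


def is_allowed(roles, action):
    """True if any of the caller's roles grants the console action."""
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def basic_header(username, password):
    """Build the Authorization header a browser sends after the BASIC prompt."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    users = parse_realm(REALM_PROPERTIES)
    roles = authenticate_basic(users, basic_header("guest", "guestpw"))
    print("guest roles:", roles)
    print("guest may browse:", is_allowed(roles, "browse"))
    print("guest may purge:", is_allowed(roles, "purge"))
```

With this split, the console would render a delete or purge link only when `is_allowed` returns true for the logged-on user's roles; the broker connection itself stays as configured, which is the limitation the post describes.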


Re: Dynamically setting activemq username password when logging into web console

Posted by Dejan Bosanac <de...@nighttale.net>.
Hi,

The web console doesn't support fine-grained authorization at the moment. The
jira would be great for starters, if you can provide a patch it'd be even
better.

Cheers
--
Dejan Bosanac - http://twitter.com/dejanb

Open Source Integration - http://fusesource.com/
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net


On Thu, Oct 29, 2009 at 9:18 PM, magellings <ma...@qg.com> wrote:

>
> From what I can tell even with JMX properly set up you still can't maintain
> separate privs.  One user/password is hard-coded/configured to be used by
> the web console at start up to connect to the broker.  I want to be able to
> configure separate user/passwords to connect to the broker grabbed when the
> user logs into the web console.  I already have the web console configured
> for BASIC authentication with two different user/passwords (based on the
> link in my original post) I just need to somehow use those to then connect
> to the broker.
>
> It's possible to configure different roles to be used when logging into the
> web console.  But it is not possible to control the rights the user has
> based on this.  Example:
>
> web.xml
>
>  <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>adminRealm</web-resource-name>
>      <url-pattern>/*</url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>admin</role-name>
>      <role-name>guest</role-name>
>    </auth-constraint>
>  </security-constraint>
>  <login-config>
>    <auth-method>BASIC</auth-method>
>    <realm-name>adminRealm</realm-name>
>  </login-config>
>
> realm.properties
>
> admin: MD5:6990a54322d9232390a784c5c9247dd6,admin
> guest: MD5:084e0343a0486ff05530df6c705c8bb4,guest
>
> With the above config I can log on as either admin or guest successfully
> when entering the appropriate password at the basic authentication prompt.
>
> I'd like guest to have read privs (see messages on queues, etc.), and admin
> to have read/write privs (see messages on queues, delete messages, delete
> queues, etc.).  In our scenario guest is producing a message and just wants
> to verify the message has been created successfully on the queue.  Admin
> owns the queue and the broker as they are on a separate development team
> than user guest.  They do not want guest to be able to delete
> messages/queues etc.  Right now we have no way to let guest see for
> themselves that the message is on the queue unless we give them the admin
> user/password for the basic authentication prompt when using the web
> console.  If we give that out, we give out read/write privs to guest which
> we don't want to do.
>
> I think for this to be possible two separate connections would need to be
> maintained to the broker, one for guest and one for admin so as the
> simpleAuthenticationPlugin and authorizationPlugin can be used based on the
> user/password used to log on.  Ideally the user/password entered during a
> basic authentication prompt could be mapped to the same user/password used
> to connect to the broker.  Maybe this isn't possible if the web console only
> maintains one connection to the broker.  Maybe the web console would need to
> be enhanced with a user/group security section to control what privs in the
> web console the logged on user has.  An admin could then control whether a
> user has the right to delete a message, a queue, etc. and the web console
> has the smarts to display the delete link or not based on the privs of the
> logged on user.
>
> Not sure if this was ever discussed.  Maybe a jira should be created and the
> functionality request backlogged???
>
> --
> View this message in context:
> http://www.nabble.com/Dynamically-setting-activemq-username-password-when-logging-into-web-console-tp26118677p26120009.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>
>