Posted to users@activemq.apache.org by The_real_Ulf <ra...@gmx.de> on 2006/07/04 16:11:40 UTC

JAAS authorizationEntry for temporary Queue

Hi,
I'm using the JAAS-Plugin with ActiveMQ. It works fine so far. But the
problem is that I don't know how to set an authorizationEntry in the
activemq.xml for a temporary Queue. The aim is to allow a group to read from
their own temporary Queue.
I have this in my activemq.xml:

<plugins>
  <!-- use JAAS to authenticate using the login.config file on the classpath to configure JAAS -->
  <jaasAuthenticationPlugin configuration="activemq-domain" />

  <!-- lets configure a destination based authorization mechanism -->
  <authorizationPlugin>
    <map>
      <authorizationMap>
        <authorizationEntries>
          <authorizationEntry queue=">" read="managers" write="managers" admin="managers" />
          <authorizationEntry queue="manage" read="managers" write="clients" admin="managers,clients" />
          <authorizationEntry queue="clients.>" read="clients" write="managers" admin="managers" />
          <authorizationEntry topic=">" read="managers" write="managers" admin="managers" />
          <authorizationEntry topic="ActiveMQ.Advisory.>" read="managers,clients" write="managers,clients" admin="managers,clients" />
        </authorizationEntries>
      </authorizationMap>
    </map>
  </authorizationPlugin>
</plugins>

With my client I create a TemporaryQueue via:

tempQueue = inSession.createTemporaryQueue();

This works, but if I want to create a consumer for the queue I get an error:

MessageConsumer tempConsumer = inSession.createConsumer(tempQueue);

Error: javax.jms.JMSException: User client is not authorized to read from: temp-queue://ID:windowspc-2300-1152021141855-0:0:1

So the question is, how to tell him that any user "client" from group
"clients" is allowed to consume its own temporaryQueue?


Re: JAAS authorizationEntry for temporary Queue

Posted by James Strachan <ja...@gmail.com>.
On 7/4/06, The_real_Ulf <ra...@gmx.de> wrote:
> James.Strachan wrote:
> >
> > This sounds like a bug - I wonder could you raise a JIRA for this please?
> >
> Sorry, I'm new to this, was my first post here and I don't know how to raise
> a JIRA. Maybe someone could tell me or do that for me?

Sorry about that :)

Details here...
http://incubator.apache.org/activemq/support.html

I've gone ahead and done it for you
http://issues.apache.org/activemq/browse/AMQ-795

-- 

James
-------
http://radio.weblogs.com/0112098/

Re: JAAS authorizationEntry for temporary Queue

Posted by The_real_Ulf <ra...@gmx.de>.

James.Strachan wrote:
> 
> This sounds like a bug - I wonder could you raise a JIRA for this please?
> 
Sorry, I'm new to this, was my first post here and I don't know how to raise
a JIRA. Maybe someone could tell me or do that for me?
Thx


Re: JAAS authorizationEntry for temporary Queue

Posted by James Strachan <ja...@gmail.com>.
On 7/4/06, Hiram Chirino <hi...@hiramchirino.com> wrote:
> On 7/4/06, James Strachan <ja...@gmail.com> wrote:
> >
> > This sounds like a bug - I wonder could you raise a JIRA for this please?
>
> agreed.
>
> > Generally the only people capable of consuming from a temporary
> > destination should be the connection which created it; so I'm not sure
> > we should even use the security plugin to authorize read access to
>
> agreed.
>
> > temporary destinations. I guess we could prevent certain users from
> > writing to temporary destinations.
>
> The question is how would plugin be able to figure out who can write to a
> temporary queue?  Temporary queue names are dynamic so it would be hard to
> implement rules that authorize against the queue name.

Agreed - I guess I was thinking; either you are allowed to send to all
of them or none of them.  i.e. there is a read/write/admin role for
'temporaryQueue' and 'temporaryTopic'? Maybe that's as granular as we
can get.

-- 

James
-------
http://radio.weblogs.com/0112098/
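
Added example, not part of the thread: later ActiveMQ releases document a tempDestinationAuthorizationEntry element inside authorizationMap, which is the one-rule-for-all-temporary-destinations granularity discussed above. The group names and the existing entries are reused from the original post; which groups to list on the temporary-destination rule is an assumption made here.

```xml
<authorizationPlugin>
  <map>
    <authorizationMap>
      <authorizationEntries>
        <!-- entries for named destinations, as in the original post -->
        <authorizationEntry queue=">" read="managers" write="managers" admin="managers" />
        <authorizationEntry queue="manage" read="managers" write="clients" admin="managers,clients" />
        <authorizationEntry queue="clients.>" read="clients" write="managers" admin="managers" />
        <authorizationEntry topic=">" read="managers" write="managers" admin="managers" />
        <authorizationEntry topic="ActiveMQ.Advisory.>" read="managers,clients" write="managers,clients" admin="managers,clients" />
      </authorizationEntries>

      <!-- A single rule covering every temp-queue:// and temp-topic:// destination.
           Temporary destination names are generated, so no name pattern is given:
             admin = may create a temporary destination
             read  = may consume from one
             write = may send to one
           (assumed choice: both groups get all three roles) -->
      <tempDestinationAuthorizationEntry>
        <tempDestinationAuthorizationEntry read="managers,clients" write="managers,clients" admin="managers,clients" />
      </tempDestinationAuthorizationEntry>
    </authorizationMap>
  </map>
</authorizationPlugin>
```

The rule cannot be scoped to one temporary queue, so a group listed under write may send to any temporary destination it learns the name of; drop a group from write to deny that for all of them.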

Re: JAAS authorizationEntry for temporary Queue

Posted by Hiram Chirino <hi...@hiramchirino.com>.
On 7/4/06, James Strachan <ja...@gmail.com> wrote:
>
> This sounds like a bug - I wonder could you raise a JIRA for this please?

agreed.

> Generally the only people capable of consuming from a temporary
> destination should be the connection which created it; so I'm not sure
> we should even use the security plugin to authorize read access to

agreed.

> temporary destinations. I guess we could prevent certain users from
> writing to temporary destinations.

The question is how would plugin be able to figure out who can write to a
temporary queue?  Temporary queue names are dynamic so it would be hard to
implement rules that authorize against the queue name.

-- 
Regards,
Hiram

Blog: http://hiramchirino.com

Re: JAAS authorizationEntry for temporary Queue

Posted by James Strachan <ja...@gmail.com>.

This sounds like a bug - I wonder could you raise a JIRA for this please?

Generally the only people capable of consuming from a temporary
destination should be the connection which created it; so I'm not sure
we should even use the security plugin to authorize read access to
temporary destinations. I guess we could prevent certain users from
writing to temporary destinations.

-- 

James
-------
http://radio.weblogs.com/0112098/