You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@activemq.apache.org by "Pat Fox (JIRA)" <ji...@apache.org> on 2013/02/01 16:08:12 UTC
[jira] [Commented] (AMQ-908) Authorization plugin should have
configurable principal classes
[ https://issues.apache.org/jira/browse/AMQ-908?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13568781#comment-13568781 ]
Pat Fox commented on AMQ-908:
-----------------------------
Just an FYI:
To get this working I had to modify the config as follows:
{code}
<plugins>
<jaasAuthenticationPlugin configuration="karaf" />
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue=">" read="admin" write="admin" admin="admin" groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal" init-method="afterPropertiesSet" />
<authorizationEntry topic=">" read="admin" write="admin" admin="admin" groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal" init-method="afterPropertiesSet" />
<authorizationEntry topic="ActiveMQ.Advisory.>" read="admin" write="admin" admin="admin" groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal" init-method="afterPropertiesSet"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
{code}
If afterPropertiesSet() is not configured then the principals could be placed on the ACL in the default principal class ( org.apache.activemq.jaas.GroupPrincipal) and some principals using the configured groupClass depending on the order Spring sets the properties.A downside of introducing afterPropertiesSet() is that you will have the Principals on the ACL lists *twice*. This is probably not ideal if your iterating through the list
The javax.annotation.PostConstruct is used for the "AuthorizationEntry.afterPropertiesSet()" method but the activemq config does not seem to include <context:annotation-config /> so it did not seem to be invoked by Spring.
> Authorization plugin should have configurable principal classes
> ---------------------------------------------------------------
>
> Key: AMQ-908
> URL: https://issues.apache.org/jira/browse/AMQ-908
> Project: ActiveMQ
> Issue Type: Improvement
> Components: Broker
> Affects Versions: 4.0.1
> Reporter: Aaron Mulder
> Assignee: Jonas Lim
> Fix For: 5.0.0
>
> Attachments: ASF.LICENSE.NOT.GRANTED--authorizationPlugin.patch, authorizationPlugin.patch, AuthorizationPlugin.patch, AuthorizationPlugin.patch
>
>
> Currently, if you configure the authorization plugin, it assumes that all principals listed should be of type {{org.apache.activemq.jaas.GroupPrincipal}}. This is OK if you're using ActiveMQ LoginModules, but since there's a fairly small supply of those, it would be great if you could use arbitrary login modules and tell the authorization plugin which principal classes to use. For example, {{groupClass="weblogic.security.principal.WLSGroupImpl}} or something like that. A good first step would be to let you change the group class. A good second step would be to let you specify user and group classes and then somehow indicate which names are which (e.g. {{admin="administrators,user:aaron,user:bob"}} or whatever). Someday maybe it will be nice to support any arbitrary combination of principal classes but that seems far away.
> When instantiating the principal classes, I imagine we should use a constructor with a single String argument if available, or else a default constructor plus a "setName" method, or else I guess bail.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira