Posted to dev@activemq.apache.org by ngcutura <ng...@gmail.com> on 2006/06/26 23:47:36 UTC

LDAP Authorization

Hi,

I am working on LDAPAuthorizationMap to enable use of LDAP for storing
access privilege information. The project I am engaged in requires dynamic
creation of destinations and users so external source of authentication and
authorization information is crucial.

I checked out code from SVN and managed to build it with Maven and Eclipse.
Thanks to Hiram and James for instructions. :-) The idea of
LDAPAuthorizationMap is simple: there is a hierarchy like this one:

destinations
  topic
    topicA
       read: role1
       read: role2
       write: role3
       admin: role2
  queue
    queue1
      read: roleA
      write: roleB
      write: roleC
      admin: roleD

It is quite easy to obtain read, write and admin ACLs from this hierarchy.

However, looking at the code of DefaultAuthorizationMap, AuthorizationEntry,
DestinationMap and DestinationMapEntry I cannot clearly differentiate
between the default behaviour of AuthorizationMap (except for the interface) and
the implementation specifics of the authorization map defined in the AMQ config file.

My questions (that I believe will clear something out for me):
 - how are authorization data from AMQ config file passed to the code? I
believe it is DefaultAuthorizationMap or SimpleAuthorizationMap.
 - how should I specify LDAP configuration in AMQ config? This configuration
information is similar to that of LDAPLoginModule, which is specified in the
Java VM login policy file.
 - AuthorizationMap is supposed to return a Set of privileged Principals.
DefaultAuthorizationMap relies on AuthorizationEntry, which seems specific to
the AMQ config file (the parseACLs(String) method parses a String from the config file).
Am I supposed to create a subclass of AuthorizationEntry that will return
information parsed from the LDAP server?

I would really appreciate some guidance.

Regards,
NGC

--
View this message in context: http://www.nabble.com/LDAP-Authorization-t1851705.html#a5055596
Sent from the ActiveMQ - Dev forum at Nabble.com.


Re: LDAP Authorization

Posted by James Strachan <ja...@gmail.com>.
On 7/21/06, ngcutura <ng...@gmail.com> wrote:
>
> (hyperlinked file below)
> http://www.nabble.com/user-files/72/LdapAuth.zip LdapAuth.zip
>
> This is the best I could come up with. Please take a look at
> LDAPAuthorizationMap.java and LDAPAuthorizationMap.xml. If they seem OK
> please tell me the next steps to actually use it in AMQ.

I'll take a look

> I was not able to use JIRA to upload this archive. It says that more
> operations are available if I were logged in. How do I (should I) log in to
> JIRA?

So you need to register and log in to JIRA; then you are able to report
new issues, comment on issues or attach patches/files to issues etc.

-- 

James
-------
http://radio.weblogs.com/0112098/

Re: LDAP Authorization

Posted by ngcutura <ng...@gmail.com>.
(hyperlinked file below)
http://www.nabble.com/user-files/72/LdapAuth.zip LdapAuth.zip 

This is the best I could come up with. Please take a look at
LDAPAuthorizationMap.java and LDAPAuthorizationMap.xml. If they seem OK
please tell me the next steps to actually use it in AMQ.

I was not able to use JIRA to upload this archive. It says that more
operations are available if I were logged in. How do I (should I) log in to
JIRA?

Regards,
NGC

-- 
View this message in context: http://www.nabble.com/LDAP-Authorization-tf1851705.html#a5440827
Sent from the ActiveMQ - Dev forum at Nabble.com.


Re: LDAP Authorization

Posted by James Strachan <ja...@gmail.com>.
On 7/17/06, ngcutura <ng...@gmail.com> wrote:
>
> Thanks!
>
> The patch is not complete yet. I still need help with integration into AMQ
> (Spring style properties) to be able to use it.
>
> (copied from previous post)
> I am not familiar with Spring and I was not able to deduce how to specify
> module properties in the AMQ XML config file. I need help with this and I would
> very much appreciate the following:
> - given the LDAPAuthorizationMap.properties file produce XML file
> - given the LDAPAuthorizationMap.java add code changes to accept properties
> from XML file above
>
> Is there any documentation on this that I can read?

Up until now there wasn't a whole lot of documentation on this
area. I've just created a little guide on configuring things in
ActiveMQ which hopefully will help some...

http://activemq.org/site/developing-plugins.html

-- 

James
-------
http://radio.weblogs.com/0112098/

Re: LDAP Authorization

Posted by ngcutura <ng...@gmail.com>.
Thanks!

The patch is not complete yet. I still need help with integration into AMQ
(Spring style properties) to be able to use it.

(copied from previous post)
I am not familiar with Spring and I was not able to deduce how to specify
module properties in the AMQ XML config file. I need help with this and I would
very much appreciate the following:
- given the LDAPAuthorizationMap.properties file produce XML file
- given the LDAPAuthorizationMap.java add code changes to accept properties
from XML file above

Is there any documentation on this that I can read?

Thanks and regards,
NGC


James.Strachan wrote:
> 
> On 7/17/06, James Strachan <ja...@gmail.com> wrote:
>> On 7/17/06, ngcutura <ng...@gmail.com> wrote:
>> > > I saw an entry in JIRA "AMQ-376". Would this be appropriate or
>> another one
>> > > is required?
>> > > Can I create entry in JIRA as unprivileged user? I didn't try, to be
>> > > honest, I thought that someone from the development team is
>> authorized to
>> > > manage entries in JIRA. :-)
>>
>> Anyone who registers with JIRA can create
>> new JIRA issues.
>>
>> Anyone can create JIRA issues...
>>
>> http://incubator.apache.org/activemq/support.html
>>
>> Though we need to assign karma to you if someone wants to assign an
>> issue to themselves
>>
>> http://incubator.apache.org/activemq/contributing.html
> 
> I've created a JIRA for you so we can track the patch's progress etc.
> 
> http://issues.apache.org/activemq/browse/AMQ-826
> 
> -- 
> 
> James
> -------
> http://radio.weblogs.com/0112098/
> 
> 
-- 
View this message in context: http://www.nabble.com/LDAP-Authorization-tf1851705.html#a5367147
Sent from the ActiveMQ - Dev forum at Nabble.com.


Re: LDAP Authorization

Posted by James Strachan <ja...@gmail.com>.
On 7/17/06, James Strachan <ja...@gmail.com> wrote:
> On 7/17/06, ngcutura <ng...@gmail.com> wrote:
> > > I saw an entry in JIRA "AMQ-376". Would this be appropriate or another one
> > > is required?
> > > Can I create entry in JIRA as unprivileged user? I didn't try, to be
> > > honest, I thought that someone from the development team is authorized to
> > > manage entries in JIRA. :-)
>
> Anyone who registers with JIRA can create new JIRA issues.
>
> Anyone can create JIRA issues...
>
> http://incubator.apache.org/activemq/support.html
>
> Though we need to assign karma to you if someone wants to assign an
> issue to themselves
>
> http://incubator.apache.org/activemq/contributing.html

I've created a JIRA for you so we can track the patch's progress etc.

http://issues.apache.org/activemq/browse/AMQ-826

-- 

James
-------
http://radio.weblogs.com/0112098/

Re: LDAP Authorization

Posted by James Strachan <ja...@gmail.com>.
On 7/17/06, ngcutura <ng...@gmail.com> wrote:
>
>
> James.Strachan wrote:
> >
> >> Sounds great! I didn't see an attachment - I wonder it might be easier
> >> if you raised a JIRA and attached your zip to the JIRA issue?
> >
> >
> > Attachment is hyperlinked below the sentence "Attached is a zip archive with 4
> > files:" in original post.
> > ("LdapAuth.zip" is hyperlinked; clicking this link opens file download.)

Ah - it seems to have got stripped from the emails (or at least gmail
stripped it) but its visible on nabble.com.


> > I saw an entry in JIRA "AMQ-376". Would this be appropriate or another one
> > is required?
> > Can I create entry in JIRA as unprivileged user? I didn't try, to be
> > honest, I thought that someone from the development team is authorized to
> > manage entries in JIRA. :-)

Anyone who registers with JIRA can create new JIRA issues.

Anyone can create JIRA issues...

http://incubator.apache.org/activemq/support.html

Though we need to assign karma to you if someone wants to assign an
issue to themselves

http://incubator.apache.org/activemq/contributing.html

-- 

James
-------
http://radio.weblogs.com/0112098/

Re: LDAP Authorization

Posted by ngcutura <ng...@gmail.com>.

James.Strachan wrote:
> 
>> Sounds great! I didn't see an attachment - I wonder it might be easier
>> if you raised a JIRA and attached your zip to the JIRA issue?
> 
> 
> Attachment is hyperlinked below the sentence "Attached is a zip archive with 4
> files:" in original post.
> ("LdapAuth.zip" is hyperlinked; clicking this link opens file download.)
> 
> I saw an entry in JIRA "AMQ-376". Would this be appropriate or another one
> is required?
> Can I create entry in JIRA as unprivileged user? I didn't try, to be
> honest, I thought that someone from the development team is authorized to
> manage entries in JIRA. :-)
> 
> Regards,
> NGC
> 
> On 7/15/06, ngcutura <ng...@gmail.com> wrote:
>>
>> Hi all,
>>
>> I followed James' advice and created a simple LDAPAuthorizationMap. It has no
>> support for wildcards or composite destinations at the moment.
>>
>> Attached is a zip archive with 4 files:
>> LdapAuth.zip
>> - LDAPAuthorizationMap.java (module code)
>> - LDAPAuthorizationMapTest.java (module test)
>> - LDAPAuthorizationMap.properties (list of module properties)
>> - AMQAuth.ldif (sample directory used for testing)
>>
>> The module works through JUnit tests. To run the tests you need to set up a
>> directory. I used ApacheDS; an export of my sample directory is in the file
>> AMQAuth.ldif. The contents of this file are also present in
>> LDAPAuthorizationMapTest.java.
>>
>> I am not familiar with Spring and I was not able to deduce how to specify
>> module properties in the AMQ XML config file. I need help with this and I
>> would
>> very much appreciate the following:
>> - given the LDAPAuthorizationMap.properties file produce XML file
>> - given the LDAPAuthorizationMap.java add code changes to accept
>> properties
>> from XML file above
>>
>> I am pretty much sure that my choice of constructor taking a Map as argument
>> is inappropriate but having no knowledge of Spring one choice was as good as
>> another for me.
>>
>> Regards,
>> NGC
>>
>> James.Strachan wrote:
>> >
>> > On 6/29/06, ngcutura <ng...@gmail.com> wrote:
>> >>
>> >> Thank you for the reply.
>> >>
>> >> There is no <bean class="com.acme..." ... > in the security example but this
>> >> is quite important.
>> >
>> > That's just a way to instantiate some JavaBean using regular Spring style
>> > syntax.
>> >
>> >> Is there some default class like DefaultAuthorizationMap?
>> >
>> > Yes -  by all means derive from that if you want.
>> >
>> >> What would this declaration be exactly for the security example you
>> >> referred
>> >> to?
>> >>
>> >> I think I can manage AuthorizationEntry by subclassing it or adding
>> >> another
>> >> parse() method.
>> >
>> > You could ignore the DefaultAuthorizationMap/AuthorizationEntry
>> > entirely and just walk JNDI/LDAP and create a set of GroupPrincipal
>> > POJOs for each group for a given role & destination. It might be
>> > simpler than trying to understand how the DefaultAuthorizationMap.
>> >
>> > Note that DefaultAuthorizationMap is essentially an in-memory cache of
>> > the results; you probably want to look at JNDI/LDAP at runtime to
>> > ensure up to date values.
>> >
>> >> I'll be on vacation next week but I'll continue with the work after
>> the
>> >> WC
>> >> finals. ;-)
>> >
>> > Great! :)
>> >
>> > (Here's hoping England actually start playing football soon...  :-)
>> >
>> >
>> > --
>> >
>> > James
>> > -------
>> > http://radio.weblogs.com/0112098/
>> >
>> >
>> --
>> View this message in context:
>> http://www.nabble.com/LDAP-Authorization-tf1851705.html#a5344494
>> Sent from the ActiveMQ - Dev forum at Nabble.com.
>>
>>
> 
> 
> -- 
> 
> James
> -------
> http://radio.weblogs.com/0112098/
> 
> 
-- 
View this message in context: http://www.nabble.com/LDAP-Authorization-tf1851705.html#a5359733
Sent from the ActiveMQ - Dev forum at Nabble.com.


Re: LDAP Authorization

Posted by James Strachan <ja...@gmail.com>.
Sounds great! I didn't see an attachment - I wonder it might be easier
if you raised a JIRA and attached your zip to the JIRA issue?

On 7/15/06, ngcutura <ng...@gmail.com> wrote:
>
> Hi all,
>
> I followed James' advice and created a simple LDAPAuthorizationMap. It has no
> support for wildcards or composite destinations at the moment.
>
> Attached is a zip archive with 4 files:
> LdapAuth.zip
> - LDAPAuthorizationMap.java (module code)
> - LDAPAuthorizationMapTest.java (module test)
> - LDAPAuthorizationMap.properties (list of module properties)
> - AMQAuth.ldif (sample directory used for testing)
>
> The module works through JUnit tests. To run the tests you need to set up a
> directory. I used ApacheDS; an export of my sample directory is in the file
> AMQAuth.ldif. The contents of this file are also present in
> LDAPAuthorizationMapTest.java.
>
> I am not familiar with Spring and I was not able to deduce how to specify
> module properties in the AMQ XML config file. I need help with this and I would
> very much appreciate the following:
> - given the LDAPAuthorizationMap.properties file produce XML file
> - given the LDAPAuthorizationMap.java add code changes to accept properties
> from XML file above
>
> I am pretty much sure that my choice of constructor taking a Map as argument
> is inappropriate but having no knowledge of Spring one choice was as good as
> another for me.
>
> Regards,
> NGC
>
> James.Strachan wrote:
> >
> > On 6/29/06, ngcutura <ng...@gmail.com> wrote:
> >>
> >> Thank you for the reply.
> >>
> >> There is no <bean class="com.acme..." ... > in the security example but this
> >> is quite important.
> >
> > That's just a way to instantiate some JavaBean using regular Spring style
> > syntax.
> >
> >> Is there some default class like DefaultAuthorizationMap?
> >
> > Yes -  by all means derive from that if you want.
> >
> >> What would this declaration be exactly for the security example you
> >> referred
> >> to?
> >>
> >> I think I can manage AuthorizationEntry by subclassing it or adding
> >> another
> >> parse() method.
> >
> > You could ignore the DefaultAuthorizationMap/AuthorizationEntry
> > entirely and just walk JNDI/LDAP and create a set of GroupPrincipal
> > POJOs for each group for a given role & destination. It might be
> > simpler than trying to understand how the DefaultAuthorizationMap.
> >
> > Note that DefaultAuthorizationMap is essentially an in-memory cache of
> > the results; you probably want to look at JNDI/LDAP at runtime to
> > ensure up to date values.
> >
> >> I'll be on vacation next week but I'll continue with the work after the
> >> WC
> >> finals. ;-)
> >
> > Great! :)
> >
> > (Here's hoping England actually start playing football soon...  :-)
> >
> >
> > --
> >
> > James
> > -------
> > http://radio.weblogs.com/0112098/
> >
> >
> --
> View this message in context: http://www.nabble.com/LDAP-Authorization-tf1851705.html#a5344494
> Sent from the ActiveMQ - Dev forum at Nabble.com.
>
>


-- 

James
-------
http://radio.weblogs.com/0112098/

Re: LDAP Authorization

Posted by ngcutura <ng...@gmail.com>.
Hi all,

I followed James' advice and created a simple LDAPAuthorizationMap. It has no
support for wildcards or composite destinations at the moment.

Attached is a zip archive with 4 files:
LdapAuth.zip 
- LDAPAuthorizationMap.java (module code)
- LDAPAuthorizationMapTest.java (module test)
- LDAPAuthorizationMap.properties (list of module properties)
- AMQAuth.ldif (sample directory used for testing)

The module works through JUnit tests. To run the tests you need to set up a
directory. I used ApacheDS; an export of my sample directory is in the file
AMQAuth.ldif. The contents of this file are also present in
LDAPAuthorizationMapTest.java.

I am not familiar with Spring and I was not able to deduce how to specify
module properties in the AMQ XML config file. I need help with this and I would
very much appreciate the following:
- given the LDAPAuthorizationMap.properties file produce XML file
- given the LDAPAuthorizationMap.java add code changes to accept properties
from XML file above

I am pretty much sure that my choice of constructor taking a Map as argument
is inappropriate but having no knowledge of Spring one choice was as good as
another for me.

Regards,
NGC

James.Strachan wrote:
> 
> On 6/29/06, ngcutura <ng...@gmail.com> wrote:
>>
>> Thank you for the reply.
>>
>> There is no <bean class="com.acme..." ... > in the security example but this
>> is quite important.
> 
> That's just a way to instantiate some JavaBean using regular Spring style
> syntax.
> 
>> Is there some default class like DefaultAuthorizationMap?
> 
> Yes -  by all means derive from that if you want.
> 
>> What would this declaration be exactly for the security example you
>> referred
>> to?
>>
>> I think I can manage AuthorizationEntry by subclassing it or adding
>> another
>> parse() method.
> 
> You could ignore the DefaultAuthorizationMap/AuthorizationEntry
> entirely and just walk JNDI/LDAP and create a set of GroupPrincipal
> POJOs for each group for a given role & destination. It might be
> simpler than trying to understand how the DefaultAuthorizationMap.
> 
> Note that DefaultAuthorizationMap is essentially an in-memory cache of
> the results; you probably want to look at JNDI/LDAP at runtime to
> ensure up to date values.
> 
>> I'll be on vacation next week but I'll continue with the work after the
>> WC
>> finals. ;-)
> 
> Great! :)
> 
> (Here's hoping England actually start playing football soon...  :-)
> 
> 
> -- 
> 
> James
> -------
> http://radio.weblogs.com/0112098/
> 
> 
-- 
View this message in context: http://www.nabble.com/LDAP-Authorization-tf1851705.html#a5344494
Sent from the ActiveMQ - Dev forum at Nabble.com.


Re: LDAP Authorization

Posted by James Strachan <ja...@gmail.com>.
On 6/29/06, ngcutura <ng...@gmail.com> wrote:
>
> Thank you for the reply.
>
> There is no <bean class="com.acme..." ... > in the security example but this is
> quite important.

That's just a way to instantiate some JavaBean using regular Spring style syntax.

> Is there some default class like DefaultAuthorizationMap?

Yes -  by all means derive from that if you want.

> What would this declaration be exactly for the security example you referred
> to?
>
> I think I can manage AuthorizationEntry by subclassing it or adding another
> parse() method.

You could ignore the DefaultAuthorizationMap/AuthorizationEntry
entirely and just walk JNDI/LDAP and create a set of GroupPrincipal
POJOs for each group for a given role & destination. It might be
simpler than trying to understand how the DefaultAuthorizationMap.

Note that DefaultAuthorizationMap is essentially an in-memory cache of
the results; you probably want to look at JNDI/LDAP at runtime to
ensure up to date values.

> I'll be on vacation next week but I'll continue with the work after the WC
> finals. ;-)

Great! :)

(Here's hoping England actually start playing football soon...  :-)


-- 

James
-------
http://radio.weblogs.com/0112098/

Re: LDAP Authorization

Posted by ngcutura <ng...@gmail.com>.
Thank you for the reply.

There is no <bean class="com.acme..." ... > in the security example but this is
quite important. Is there some default class like DefaultAuthorizationMap?
What would this declaration be exactly for the security example you referred
to? 

I think I can manage AuthorizationEntry by subclassing it or adding another
parse() method.

I'll be on vacation next week but I'll continue with the work after the WC
finals. ;-)

Thanks and regards,
NGC

-- 
View this message in context: http://www.nabble.com/LDAP-Authorization-tf1851705.html#a5103210
Sent from the ActiveMQ - Dev forum at Nabble.com.


Re: LDAP Authorization

Posted by James Strachan <ja...@gmail.com>.
On 6/26/06, ngcutura <ng...@gmail.com> wrote:
>
> Hi,
>
> I am working on LDAPAuthorizationMap to enable use of LDAP for storing
> access privilege information. The project I am engaged in requires dynamic
> creation of destinations and users so external source of authentication and
> authorization information is crucial.
>
> I checked out code from SVN and managed to build it with Maven and Eclipse.
> Thanks to Hiram and James for instructions. :-) The idea of
> LDAPAuthorizationMap is simple: there is a hierarchy like this one:
>
> destinations
>   topic
>     topicA
>        read: role1
>        read: role2
>        write: role3
>        admin: role2
>   queue
>     queue1
>       read: roleA
>       write: roleB
>       write: roleC
>       admin: roleD
>
> It is quite easy to obtain read, write and admin ACLs from this hierarchy.
>
> However, looking at the code of DefaultAuthorizationMap, AuthorizationEntry,
> DestinationMap and DestinationMapEntry I cannot clearly differentiate
> between the default behaviour of AuthorizationMap (except for the interface) and
> the implementation specifics of the authorization map defined in the AMQ config file.

So the AuthorizationMap interface can be implemented however you wish.

The DefaultAuthorizationMap derives from the DestinationMap to be able
to associate wildcards with 'entries' where an entry is an
AuthorizationEntry which defines the set of ACLs for read/write/admin
roles. This allows you to associate a single entry (set of ACLs) with
a destination or wildcard.

Now if you want to go to LDAP each time and are not too worried about
wildcard support, you could just implement the AuthorizationMap
interface directly and for each of the methods, just walk JNDI/LDAP
to find the set of ACLs for read, write, admin for the given
destination.


> My questions (that I believe will clear something out for me):
>  - how are authorization data from AMQ config file passed to the code? I
> believe it is DefaultAuthorizationMap or SimpleAuthorizationMap.

Any implementation of AuthorizationMap is passed into the
AuthorizationPlugin via its "map" property using introspection.  See
http://incubator.apache.org/activemq/security.html for an example. You
could add your own using Spring stuff...

<broker xmlns="http://activemq.org/config/1.0">
    <plugins>
      <authorizationPlugin>
        <map>
          <bean class="com.acme.MyAuthorizationMap" xmlns=""> ...



>  - how should I specify LDAP configuration in AMQ config?

Via properties on your POJO; then we can use Spring / XBean to wire
them all up. e.g. if you specify properties on your POJO then we can
use dependency injection to wire them in.

> This configuration
> information is similar to that of LDAPLoginModule, which is specified in the
> Java VM login policy file.
>  - AuthorizationMap is supposed to return a Set of privileged Principals.
> DefaultAuthorizationMap relies on AuthorizationEntry, which seems specific to
> the AMQ config file (the parseACLs(String) method parses a String from the config file).
> Am I supposed to create a subclass of AuthorizationEntry that will return
> information parsed from the LDAP server?

The AuthorizationEntry just makes a set of GroupPrincipal objects (a
little helper class). Maybe you could just reuse it as the element
inside the Set of groups - you just need to give it a String
constructor?

-- 

James
-------
http://radio.weblogs.com/0112098/
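An added example, written for this thread and not the code from LdapAuth.zip or ActiveMQ's own classes: one way to implement the AuthorizationMap interface directly, as James suggests, by walking JNDI/LDAP on every call and returning GroupPrincipal objects. It assumes the three-method interface (getReadACLs/getWriteACLs/getAdminACLs taking an ActiveMQDestination), a directory laid out like the hierarchy in the first post (one groupOfNames entry per destination and privilege, whose member DNs name the roles) and a read-only bind account; the class name and the setter names are hypothetical.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.apache.activemq.command.ActiveMQDestination;
import org.apache.activemq.jaas.GroupPrincipal;
import org.apache.activemq.security.AuthorizationMap;

/**
 * Hypothetical AuthorizationMap that walks LDAP on every call (no in-memory cache).
 * Assumed layout, mirroring the hierarchy in the first post:
 *   cn=read,cn=topicA,ou=topic,ou=destinations,<baseDn>   objectClass: groupOfNames
 *     member: cn=role1,ou=roles,<baseDn>
 *     member: cn=role2,ou=roles,<baseDn>
 * The leftmost RDN value of each member DN is taken as the role (group) name.
 */
public class LdapAuthorizationMap implements AuthorizationMap {
    private String url, bindDn, bindPassword, baseDn;

    // Plain bean properties so Spring/XBean can inject them from the broker XML.
    public void setUrl(String url) { this.url = url; }
    public void setBindDn(String bindDn) { this.bindDn = bindDn; }  // read-only service account
    public void setBindPassword(String bindPassword) { this.bindPassword = bindPassword; }
    public void setBaseDn(String baseDn) { this.baseDn = baseDn; }

    public Set getReadACLs(ActiveMQDestination d)  { return lookup("read", d); }
    public Set getWriteACLs(ActiveMQDestination d) { return lookup("write", d); }
    public Set getAdminACLs(ActiveMQDestination d) { return lookup("admin", d); }

    private Set lookup(String privilege, ActiveMQDestination destination) {
        String kind = destination.isQueue() ? "queue" : "topic";
        // Clients create destinations dynamically, so the name is untrusted input: escape it
        // before it becomes part of a DN, otherwise ',' or '=' in a name could address another entry.
        String dn = "cn=" + privilege
                  + ",cn=" + Rdn.escapeValue(destination.getPhysicalName())
                  + ",ou=" + kind + ",ou=destinations," + baseDn;
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(DirContext.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(DirContext.PROVIDER_URL, url);
        env.put(DirContext.SECURITY_AUTHENTICATION, "simple");
        env.put(DirContext.SECURITY_PRINCIPAL, bindDn);
        env.put(DirContext.SECURITY_CREDENTIALS, bindPassword);
        Set<GroupPrincipal> groups = new HashSet<GroupPrincipal>();
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            Attribute members = ctx.getAttributes(dn, new String[] {"member"}).get("member");
            if (members != null) {
                for (NamingEnumeration<?> e = members.getAll(); e.hasMore();) {
                    LdapName memberDn = new LdapName((String) e.next());
                    String role = (String) memberDn.getRdn(memberDn.size() - 1).getValue();
                    groups.add(new GroupPrincipal(role));
                }
            }
        } catch (NamingException ex) {
            // Unknown destination or directory error: fail closed. An empty set grants nobody;
            // a null set would be read by the broker as "no restriction on this destination".
            return Collections.emptySet();
        } finally {
            if (ctx != null) { try { ctx.close(); } catch (NamingException ignored) { } }
        }
        return groups;
    }
}
```

Wired in through the <map> element James shows, the connection settings go in as Spring property elements on the bean (url, bindDn, bindPassword, baseDn), which is the properties-on-the-POJO approach he recommends.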