Posted to users@activemq.apache.org by huntc <hu...@mac.com> on 2009/04/13 09:40:41 UTC
Determining the client's AMQ interface within a JAAS login module
Hi there,
Does anyone know if it is possible to determine what interface a connection
came in on while inside a JAAS plugin? I would like to know if the client
has connected from within a local machine and, if so, assume authorisation.
However if the client has connected from an outside address, or via SSL then
I would like to take other authorisation action.
Any ideas?
Kind regards,
Christopher
--
View this message in context: http://www.nabble.com/Determining-the-client%27s-AMQ-interface-within-a-JAAS-login-module-tp23018992p23018992.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
Re: Determining the client's AMQ interface within a JAAS login module
Posted by huntc <hu...@mac.com>.
I have looked into this further and determined that my previous post was not
complete.
I have now written an extension of the JaasCertificateAuthenticationBroker
so that it only authenticates against an SSL certificate if an SSL transport
is being used. You can browse the class here:
http://code.google.com/p/jaasloginmodules/source/browse/tags/JAAS%20Login%20Modules-1.2.0/src/main/java/com/classactionpl/jaas/activemq/SslCertificateAuthenticationBroker.java
To use this class you can check the project out from the 1.2.0 tag:
http://code.google.com/p/jaasloginmodules/source/browse/tags/JAAS+Login+Modules-1.2.0/
After building the project using Maven drop the resultant jar file in AMQ's
lib/optional folder and configure activemq.xml like so:
<plugins>
  <bean xmlns="http://www.springframework.org/schema/beans"
        id="SslCertificateAuthenticationPlugin"
        class="com.classactionpl.jaas.activemq.SslCertificateAuthenticationPlugin">
    <property name="configuration" value="activemq-domain"/>
    <property name="nonsslUsername" value="nonssluser"/>
    <property name="nonsslGroups">
      <set>
        <value>jms-services</value>
        <value>activemq-users</value>
      </set>
    </property>
  </bean>
  <!-- lets configure a destination based authorization mechanism -->
  <authorizationPlugin>
    <map>
      <authorizationMap>
        <authorizationEntries>
          ...
          <authorizationEntry topic="ActiveMQ.Advisory.>"
                              read="activemq-users"
                              write="activemq-users"
                              admin="activemq-users" />
        </authorizationEntries>
      </authorizationMap>
    </map>
  </authorizationPlugin>
</plugins>
There is a unit test for the plugin which of course passes and I have tested
it against an application that uses both an SSL transport and a TCP
transport to connect with the broker. FYI the machine that hosts the broker
will only expose the SSL port to the outside world thus preventing anonymous
connections.
I hope that this code is useful to you.
Kind regards,
Christopher
--
View this message in context: http://www.nabble.com/Determining-the-client%27s-AMQ-interface-within-a-JAAS-login-module-tp23018992p23614159.html
Re: Determining the client's AMQ interface within a JAAS login module
Posted by huntc <hu...@mac.com>.
Sorry that I've taken so long to come back to this. However I think I have a
solution.
JaasCertificateAuthenticationBroker presently makes a check at line 73 as to
whether there is a security context:
    if (context.getSecurityContext() == null) {
I am wondering if an additional check should be included to ensure that an
SSL transport is being used.
My use case is that I want the client's SSL certificate to be used for
authentication ONLY when SSL is being used as the transport. I do not
believe that it makes sense to look for an SSL certificate otherwise, and it
should be permissible to grant privileged access for other transports.
I propose a patch be made to line 73 along the lines of:
    if (context.getConnector().getServer() instanceof SslTransportServer &&
            context.getSecurityContext() == null) {
Does anyone agree/disagree?
Kind regards,
Christopher
--
View this message in context: http://www.nabble.com/Determining-the-client%27s-AMQ-interface-within-a-JAAS-login-module-tp23018992p23609154.html
Re: Determining the client's AMQ interface within a JAAS login module
Posted by Joe Fernandez <jo...@ttmsolutions.com>.
You'll probably have an object that implements Broker or extends
BrokerFilter. That object's addConnection() method is passed a reference to
a ConnectionContext object. Use that object's getConnection() method to get
the corresponding Connection object, which has a getRemoteAddress() method
that gives you the connection's source address.
Joe
http://www.ttmsolutions.com
huntc wrote:
>
> Hi there,
>
> Does anyone know if it is possible to determine what interface a
> connection came in on while inside a JAAS plugin? I would like to know if
> the client has connected from within a local machine and, if so, assume
> authorisation. However if the client has connected from an outside
> address, or via SSL then I would like to take other authorisation action.
>
> Any ideas?
>
> Kind regards,
> Christopher
>
--
View this message in context: http://www.nabble.com/Determining-the-client%27s-AMQ-interface-within-a-JAAS-login-module-tp23018992p23020766.html
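The approach described in the reply above (addConnection() to ConnectionContext to getConnection().getRemoteAddress()), sketched as a BrokerFilter. This is an added example, not code from the thread or from the linked jaasloginmodules project: the class name LocalClientFilter and the helper isLoopback are hypothetical, the address formats are assumptions, and the filter still has to be installed through a BrokerPlugin.

```java
import java.net.InetAddress;
import java.net.URI;

import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;
import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.command.ConnectionInfo;

/** Hypothetical filter: loopback clients pass, others must already be authenticated. */
public class LocalClientFilter extends BrokerFilter {

    public LocalClientFilter(Broker next) {
        super(next);
    }

    @Override
    public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception {
        String remote = context.getConnection().getRemoteAddress();
        // Assumption: an authentication plugin that ran before this filter sets
        // the security context for clients it has accepted.
        if (!isLoopback(remote) && context.getSecurityContext() == null) {
            throw new SecurityException("Unauthenticated non-local client: " + remote);
        }
        super.addConnection(context, info);
    }

    /**
     * Assumed formats: "tcp://127.0.0.1:51234" or "/127.0.0.1:51234".
     * Anything else is treated as non-local.
     */
    static boolean isLoopback(String remote) {
        if (remote == null) {
            return false;
        }
        try {
            // Normalise "/127.0.0.1:51234" to a URI so host and port split cleanly.
            String uri = remote.contains("://") ? remote : "tcp://" + remote.replaceFirst("^/", "");
            String host = URI.create(uri).getHost();
            // Dotted IPv4 literals only; hostnames and IPv6 forms fail closed.
            if (host == null || !host.matches("\\d{1,3}(\\.\\d{1,3}){3}")) {
                return false;
            }
            return InetAddress.getByName(host).isLoopbackAddress();
        } catch (Exception e) {
            return false; // malformed address: fail closed
        }
    }
}
```

A loopback peer address only shows that the socket originated on the broker host, which includes anything forwarded or proxied through that host. It also says nothing about which connector accepted the connection, which is what the SslTransportServer check in the earlier message tests.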