You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@activemq.apache.org by Jeff Mesnil <jm...@gmail.com> on 2016/06/03 12:52:07 UTC

Container-managed security in Artemis Resource Adapter

Hi,

I'm working on providing Container-managed security in Artemis
resource adapter for our app server.

Artemis RA has been coded to support it already. If there is a
security domain specified for its resource adapter, Artemis
ManagedConnection will use the security's Subject for its
authentication on the broker side.

However there is one use case that I'm not sure about.
When the user specifies credentials when calling the RA's
ConnectionFactory methods, Artemis discards them if there is a subject
from the SecurityDomain[1].
I would have expected the opposite: credential parameters from the
ConnectionRequestInfo should have precedence over the Subject's from
the security domain.

What do you think about changing that behaviour?

If there are credentials from the ConnectionRequestInfo, use them
else if there is a Subject, use it
else raise an exception.



[1] https://github.com/apache/activemq-artemis/blob/master/artemis-ra/src/main/java/org/apache/activemq/artemis/ra/ActiveMQRACredential.java#L122
-- 
Jeff Mesnil
jmesnil@gmail.com
http://jmesnil.net/weblog/

Re: Container-managed security in Artemis Resource Adapter

Posted by Andy Taylor <an...@gmail.com>.

makes sense to me.

On 3 June 2016 at 13:52, Jeff Mesnil <jm...@gmail.com> wrote:

> Hi,
>
> I'm working on providing Container-managed security in Artemis
> resource adapter for our app server.
>
> Artemis RA has been coded to support it already. If there is a
> security domain specified for its resource adapter, Artemis
> ManagedConnection will use the security's Subject for its
> authentication on the broker side.
>
> However there is one use case that I'm not sure about.
> When the user specifies credentials when calling the RA's
> ConnectionFactory methods, Artemis discards them if there is a subject
> from the SecurityDomain[1].
> I would have expected the opposite: credential parameters from the
> ConnectionRequestInfo should have precedence over the Subject's from
> the security domain.
>
> What do you think about changing that behaviour?
>
> If there are credentials from the ConnectionRequestInfo, use them
> else if there is a Subject, use it
> else raise an exception.
>
>
>
> [1]
> https://github.com/apache/activemq-artemis/blob/master/artemis-ra/src/main/java/org/apache/activemq/artemis/ra/ActiveMQRACredential.java#L122
> --
> Jeff Mesnil
> jmesnil@gmail.com
> http://jmesnil.net/weblog/
>