Re: JAAS authorizationEntry for temporary Queue

Tue, 04 Jul 2006 07:29:05 -0700 

On 7/4/06, The_real_Ulf <[EMAIL PROTECTED]> wrote:


Hi,
I'm using the JAAS-Plugin with ActiveMQ. It works fine so far. But the
proplem is, that I don't know how to set an authorizationEntry in the
activemq.xml for a temporary Queue. The aim is to allow a group to read from
their own temporary Queue.
I have this in my activemq.xml:

<plugins>
      <!--  use JAAS to authenticate using the login.config file on the
classpath to configure JAAS -->
      <jaasAuthenticationPlugin configuration="activemq-domain" />

      <!--  lets configure a destination based authorization mechanism -->
      <authorizationPlugin>
        <map>
          <authorizationMap>
            <authorizationEntries>
              <authorizationEntry queue=">" read="managers" write="managers"
admin="managers" />
              <authorizationEntry queue="manage" read="managers"
write="clients" admin="managers,clients" />
                  <authorizationEntry queue="clients.>" read="clients" 
write="managers"
admin="managers" />
                  <authorizationEntry topic=">" read="managers" write="managers"
admin="managers" />
                  <authorizationEntry topic="ActiveMQ.Advisory.>" 
read="managers,clients"
write="managers,clients" admin="managers,clients"/>
            </authorizationEntries>
          </authorizationMap>
        </map>
      </authorizationPlugin>
    </plugins>

With my client i create a TemporaryQueue via:

tempQueue = inSession.createTemporaryQueue();

this works, but if i want to create a consumer for the queue I get an error:

MessageConsumer tempConsumer = inSession.createConsumer(tempQueue);

Error: javax.jms.JMSException: User client is not authorized to read from:
temp-queue://ID:windowspc-2300-1152021141855-0:0:1

So the question is, how to tell him that any user "client" from group
"clients" is allowed to consume it's own temporaryQueue?


This sounds like a bug - I wonder could you raise a JIRA for this please?

Generally the only people capable of consuming from a temporary
destination should be the connection which created it; so I'm not sure
we should even use the security plugin to authorize read access to
temporary destinations. I guess we could prevent certain users from
writing to temporary destinations.

--

James
-------
http://radio.weblogs.com/0112098/






















					Reply via email to