On 7/4/06, James Strachan <[EMAIL PROTECTED]> wrote:
> On 7/4/06, The_real_Ulf <[EMAIL PROTECTED]> wrote:
> >
> > Hi,
> > I'm using the JAAS-Plugin with ActiveMQ. It works fine so far. But the
> > problem is that I don't know how to set an authorizationEntry in the
> > activemq.xml for a temporary Queue. The aim is to allow a group to read from
> > their own temporary Queue.
> > I have this in my activemq.xml:
> >
> > <plugins>
> >   <!-- use JAAS to authenticate using the login.config file on the
> >        classpath to configure JAAS -->
> >   <jaasAuthenticationPlugin configuration="activemq-domain" />
> >
> >   <!-- lets configure a destination based authorization mechanism -->
> >   <authorizationPlugin>
> >     <map>
> >       <authorizationMap>
> >         <authorizationEntries>
> >           <authorizationEntry queue=">" read="managers" write="managers"
> >                               admin="managers" />
> >           <authorizationEntry queue="manage" read="managers"
> >                               write="clients" admin="managers,clients" />
> >           <authorizationEntry queue="clients.>" read="clients" write="managers"
> >                               admin="managers" />
> >           <authorizationEntry topic=">" read="managers" write="managers"
> >                               admin="managers" />
> >           <authorizationEntry topic="ActiveMQ.Advisory.>" read="managers,clients"
> >                               write="managers,clients" admin="managers,clients"/>
> >         </authorizationEntries>
> >       </authorizationMap>
> >     </map>
> >   </authorizationPlugin>
> > </plugins>
> >
> > With my client I create a TemporaryQueue via:
> >
> > tempQueue = inSession.createTemporaryQueue();
> >
> > this works, but if I want to create a consumer for the queue I get an error:
> >
> > MessageConsumer tempConsumer = inSession.createConsumer(tempQueue);
> >
> > Error: javax.jms.JMSException: User client is not authorized to read from:
> > temp-queue://ID:windowspc-2300-1152021141855-0:0:1
> >
> > So the question is, how to tell him that any user "client" from group
> > "clients" is allowed to consume its own temporaryQueue?
>
> This sounds like a bug - I wonder could you raise a JIRA for this please?

agreed.

> Generally the only people capable of consuming from a temporary
> destination should be the connection which created it; so I'm not sure
> we should even use the security plugin to authorize read access to
> temporary destinations.

agreed.

> I guess we could prevent certain users from
> writing to temporary destinations.

The question is how would the plugin be able to figure out who can write to a
temporary queue? Temporary queue names are dynamic so it would be hard to
implement rules that authorize against the queue name.

> --
> James
> -------
> http://radio.weblogs.com/0112098/

--
Regards,
Hiram

Blog: http://hiramchirino.com
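
Added example (not part of the original messages and not ActiveMQ code): a sketch of the two checks discussed in this thread, with read access tied to the creating connection and write access decided for temporary destinations as a type rather than by name. It assumes a temporary destination name is the creator's connection ID followed by a colon and a sequence number; `TempDestinationGuard` and its methods are hypothetical names.

```java
import java.util.Set;

// Added sketch, not ActiveMQ code: class and method names are hypothetical.
public class TempDestinationGuard {

    // Assumption: a temporary destination is named "<creator connection id>:<sequence>".
    static String ownerConnectionId(String destination) {
        String name = destination;
        for (String prefix : new String[] {"temp-queue://", "temp-topic://"}) {
            if (name.startsWith(prefix)) {
                name = name.substring(prefix.length());
            }
        }
        int lastColon = name.lastIndexOf(':');
        if (lastColon <= 0) {
            return null; // not in the assumed layout: no owner can be derived
        }
        return name.substring(0, lastColon);
    }

    // Read access: only the creating connection, whatever groups the user is in.
    static boolean mayRead(String connectionId, String destination) {
        String owner = ownerConnectionId(destination);
        return owner != null && owner.equals(connectionId);
    }

    // Write access: decided for temporary destinations as a type, not per name,
    // because the names are generated at run time.
    static boolean mayWrite(Set<String> userGroups, Set<String> tempWriteGroups) {
        for (String group : userGroups) {
            if (tempWriteGroups.contains(group)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Destination name taken from the error message quoted in the thread.
        String temp = "temp-queue://ID:windowspc-2300-1152021141855-0:0:1";
        // Constructed connection ids and group sets for the demonstration.
        String creator = "ID:windowspc-2300-1152021141855-0:0";
        String other = "ID:otherhost-4100-1152021199999-0:0";
        System.out.println("creator may read: " + mayRead(creator, temp));
        System.out.println("other may read: " + mayRead(other, temp));
        System.out.println("clients may write: " + mayWrite(Set.of("clients"), Set.of("managers")));
        System.out.println("managers may write: " + mayWrite(Set.of("managers"), Set.of("managers")));
    }
}
```

A name that does not fit the assumed layout yields no owner, so the read check denies by default instead of falling through to a name-based rule.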
