On 6/26/06, ngcutura <[EMAIL PROTECTED]> wrote:

Hi,

I am working on LDAPAuthorizationMap to enable use of LDAP for storing
access privilege information. The project I am engaged in requires dynamic
creation of destinations and users so external source of authentication and
authorization information is crucial.

I checked out code from SVN and managed to build it with Maven and Eclipse.
Thanks to Hiram and James for instructions. :-) The idea of
LDAPAuthorizationMap is simple: there is hierarchy like this one:

destinations
  topic
    topicA
       read: role1
       read: role2
       write: role3
       admin: role2
  queue
    queue1
      read: roleA
      write: roleB
      write: roleC
      admin: roleD

It is quite easy to obtain read, write and admin ACLs from this hierarchy.

However, looking at the code of DefaultAuthorizationMap, AuthorizationEntry,
DestinationMap and DestinationMapEntry I cannot clearly differentiate
between default behaviour of AuthorizationMap (except for the interface) and
implementation specifics of authorization map defined in AMQ config file.

So the AuthorizationMap interface can be implemented however you wish.

The DefaultAuthorizationMap derives from the DestinationMap to be able
to associate wildcards with 'entries' where an entry is an
AuthorizationEntry which defines the set of ACLs for read/write/admin
roles. This allows you to associate a single entry (set of ACLs) with
a destination or wildcard.

Now if you want to go to LDAP each time and are not too worried about
wildcard support, you could just implement the AuthorizationMap
interface directly and for each of the methods, just walk JNDI/LDAP
to find the set of ACLs for read, write, admin for the given
destination.


My questions (that I believe will clear something out for me):
 - how are authorization data from AMQ config file passed to the code? I
believe it is DefaultAuthorizationMap or SimpleAuthorizationMap.

Any implementation of AuthorizationMap is passed into the
AuthorizationPlugin via its "map" property using introspection.  See
http://incubator.apache.org/activemq/security.html for an example. You
could add your own using Spring stuff...

<broker xmlns="http://activemq.org/config/1.0">
   <plugins>
     <authorizationPlugin>
       <map>
         <bean class="com.acme.MyAuthorizationMap" xmlns=""> ...



 - how should I specify LDAP configuration in AMQ config?

Via properties on your POJO then we can use Spring / XBean to wire
them all up. e.g. can you specify properties on your POJO then we can
use dependency injection to wire them in.

This config
information is similar to that of LDAPLoginModule, which is specified in
the java VM login policy file.
 - AuthorizationMap is supposed to return Set of privileged Principals.
DefaultAuthorizationMap relies on AuthorizationEntry that seems specific to
AMQ config file (parseACLs(String) method parses String from config file).
Am I supposed to create a subclass of AuthorizationEntry that will return
information parsed from LDAP server?

The AuthorizationEntry just makes a set of GroupPrincipal objects (a
little helper class). Maybe you could just reuse it as the element
inside the Set of groups - you just need to give it a String
constructor?

--

James
-------
http://radio.weblogs.com/0112098/
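
The per-destination JNDI walk suggested in the reply, sketched as an added example (not code from this thread or from ActiveMQ). The class name LdapAclLookup, the base DN, the use of cn for each level of the hierarchy, and the attribute names read/write/admin are all assumptions taken from the hierarchy shown in the question.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Hypothetical helper: reads the role names for one destination and permission. */
public class LdapAclLookup {
    private final DirContext ctx;  // already-bound context supplied by the caller
    private final LdapName base;   // assumed base DN, e.g. "ou=destinations,o=acme"

    public LdapAclLookup(DirContext ctx, String baseDn) throws NamingException {
        this.ctx = ctx;
        this.base = new LdapName(baseDn);
    }

    /**
     * @param kind       "topic" or "queue" (second level of the hierarchy)
     * @param name       destination name; clients can create destinations dynamically,
     *                   so it is never concatenated into a DN string
     * @param permission attribute to read: "read", "write" or "admin"
     */
    public Set<String> roles(String kind, String name, String permission)
            throws NamingException {
        LdapName dn = (LdapName) base.clone();
        dn.add(new Rdn("cn", kind));  // Rdn escapes special characters in the value
        dn.add(new Rdn("cn", name));  // yields cn=<name>,cn=<kind>,<base>
        try {
            Attribute attr = ctx.getAttributes(dn, new String[] { permission }).get(permission);
            if (attr == null) {
                return Collections.emptySet();  // entry exists but grants nothing
            }
            Set<String> roles = new HashSet<String>();
            NamingEnumeration<?> values = attr.getAll();
            while (values.hasMore()) {
                roles.add(String.valueOf(values.next()));
            }
            return roles;
        } catch (NameNotFoundException e) {
            return Collections.emptySet();  // unknown destination: no roles granted
        }
    }
}
```

Each method of an AuthorizationMap implementation could delegate to roles(...) with the matching permission and wrap the returned names in GroupPrincipal objects, as the reply suggests.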
