[
https://issues.apache.org/jira/browse/AMQ-908?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13568781#comment-13568781
]
Pat Fox commented on AMQ-908:
-----------------------------
Just an FYI:
To get this working I had to modify the config as follows:
{code}
<plugins>
<jaasAuthenticationPlugin configuration="karaf" />
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue=">" read="admin" write="admin"
admin="admin" groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal"
init-method="afterPropertiesSet" />
<authorizationEntry topic=">" read="admin" write="admin"
admin="admin" groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal"
init-method="afterPropertiesSet" />
<authorizationEntry topic="ActiveMQ.Advisory.>" read="admin"
write="admin" admin="admin"
groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal"
init-method="afterPropertiesSet"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
{code}
If afterPropertiesSet() is not configured then the principals could be placed
on the ACL in the default principal class (
org.apache.activemq.jaas.GroupPrincipal) and some principals using the
configured groupClass depending on the order Spring sets the properties.A
downside of introducing afterPropertiesSet() is that you will have the
Principals on the ACL lists *twice*. This is probably not ideal if your
iterating through the list
The javax.annotation.PostConstruct is used for the
"AuthorizationEntry.afterPropertiesSet()" method but the activemq config does
not seem to include <context:annotation-config /> so it did not seem to be
invoked by Spring.
> Authorization plugin should have configurable principal classes
> ---------------------------------------------------------------
>
> Key: AMQ-908
> URL: https://issues.apache.org/jira/browse/AMQ-908
> Project: ActiveMQ
> Issue Type: Improvement
> Components: Broker
> Affects Versions: 4.0.1
> Reporter: Aaron Mulder
> Assignee: Jonas Lim
> Fix For: 5.0.0
>
> Attachments: ASF.LICENSE.NOT.GRANTED--authorizationPlugin.patch,
> authorizationPlugin.patch, AuthorizationPlugin.patch,
> AuthorizationPlugin.patch
>
>
> Currently, if you configure the authorization plugin, it assumes that all
> principals listed should be of type
> {{org.apache.activemq.jaas.GroupPrincipal}}. This is OK if you're using
> ActiveMQ LoginModules, but since there's a fairly small supply of those, it
> would be great if you could use arbitrary login modules and tell the
> authorization plugin which principal classes to use. For example,
> {{groupClass="weblogic.security.principal.WLSGroupImpl}} or something like
> that. A good first step would be to let you change the group class. A good
> second step would be to let you specify user and group classes and then
> somehow indicate which names are which (e.g.
> {{admin="administrators,user:aaron,user:bob"}} or whatever). Someday maybe
> it will be nice to support any arbitrary combination of principal classes but
> that seems far away.
> When instantiating the principal classes, I imagine we should use a
> constructor with a single String argument if available, or else a default
> constructor plus a "setName" method, or else I guess bail.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
