To follow up: I have attached my test project. To send message to the queue, simply call
wget 'http://localhost:8080/send?msg=napis' from the command line. All calls to the plugin's methods are logged using a custom aspect. Note that only methods that are overrode are logged, so e.g. methods used for bridging or federation are not there as I omitted them from the plugin (also bridging and federation are not used). I hope this will help someone somehow. Regards, Jędrzej Dudkiewicz On Thu, Jan 5, 2023 at 10:32 AM Jędrzej Dudkiewicz <jedrzej.dudkiew...@gmail.com> wrote: > > Hello, > > Thank you for an answer. I have problems even with starting, since > from what I see security was completely changed from what was > available in ActiveMQ. First thing is that there is no SecurityContext > object attached to the client so to say, so I don't really know where > I should store information read from certificate and access > permissions. It seems that e.g. BrokerMessageAuthorizationPlugin gets > it from reference to server (that it gets from its "registered" > callback) by getting its securityStore() and from that ServerSession > and from that Subject. It seems that I could do the same, *but* I > can't find any way to put my own information there. It seems that to > do it I'd have to go the hard route and implement my own > securityManager (as it is used when creating securityStore in > ActiveMQServerImpl) at least and probably some other classes. This is > why I thought about using JAAS - this way "all" I'd have to do is to > reimplement "CertificateLoginModule" used by > "ActiveMQJAASSecurityManager". It takes care of reading certificate > and parsing it, but > > a) make different assumptions about which field from certificate will be used, > b) from what I understand uses properties file to get roles for users. > > I use OID "0.9.2342.19200300.100.1.1" which contains data in format > "ROLE/UUID", where "UUID" is client's UUID which serves as both its > identifier and name of queue for messages sent to client, and "ROLE" > is more or less a predefined set of permissions that controls what > queues (by name) this client can read from, write to and create. > > This is one problem. Another is how I should check whether a client > can create a queue. I wrote simple SpringBoot based program that > embeds Artemis, installs my plugin and then sends message to > "QUEUEDEF" (sorry my naming sense). It seems that from the plugin's > perspective the flow of the process of client connecting and sending > single message is as follows: > > CALLING: beforeCreateSession > CALLING: beforeMessageRoute > CALLING: afterMessageRoute > CALLING: afterCreateSession > CALLING: beforeAddBinding > CALLING: beforeMessageRoute > CALLING: afterMessageRoute > CALLING: afterAddBinding > CALLING: afterCreateQueue > CALLING: beforeSend > CALLING: beforeMessageRoute > CALLING: afterMessageRoute > CALLING: afterSend > > I don't know why but "beforeCreateQueue" is not called - not that it > is important since I can't do anything with it as I have no access to > ServerSession in this callback. > What I am interested in is whether I am correctly assuming that > basically the only place I can check anything is "beforeSend" > callback. Unfortunately it is called after "afterCreateQueue" (and as > I wrote "beforeCreateQueue" is not called), so I can't prevent queue > creation in this case - there is not enough data passed to the > callback. > Also it seems that "canAccept" is called only when a message is about > to be sent to the consumer, and it makes me wonder what is the reason > for lack of other "canDoSomething" methods, e.g. "canCreateQueue()" :) > > To sum up: > > 1. I can't see a way to attach my own data to client's session and the > only way to do it seems to be write JAAS plugin/login module. > 2. I can't see a way to prevent client from creating arbitrary queues. > > TIA, > Jędrzej Dudkiewicz > > > On Thu, Jan 5, 2023 at 4:31 AM Justin Bertram <jbert...@apache.org> wrote: > > > > Can you elaborate on what exactly you haven't been able to translate into > > Artemis' plugin architecture? As Gary mentioned, there's a fairly rich set > > of integration points with the various plugins and the fact that the > > security manager is pluggable as well. Examples of most of these are > > shipped with the broker to help you get going. You shouldn't need to > > implement your own JAAS login module as far as I can tell from your > > description. > > > > That said, right now you'll have to jump through a few hoops to get details > > from the SSL certificate into the authorization method as the > > RemotingConnection is no longer passed into it [1]. See ARTEMIS-4059 [2] > > for additional discussion on that point. > > > > Ultimately there's no set of classes which will give you a 1 to 1 > > translation for migrating plugins since the internal broker architectures > > are so different. However, the basic concepts should translate such that > > just about anything you could do in "Classic" you should be able to do in > > Artemis. If not, we'll implement those abilities where it makes sense. > > > > > > Justin > > > > [1] > > https://activemq.apache.org/components/artemis/documentation/javadocs/javadoc-latest/org/apache/activemq/artemis/spi/core/security/ActiveMQSecurityManager5.html > > [2] https://issues.apache.org/jira/browse/ARTEMIS-4059 > > > > On Wed, Dec 28, 2022 at 4:45 AM Jędrzej Dudkiewicz < > > jedrzej.dudkiew...@gmail.com> wrote: > > > > > Hello, > > > > > > I wrote to this group earlier > > > (https://www.mail-archive.com/dev@activemq.apache.org/msg67666.html) > > > and got a response regarding migrating plugin from AMQ to Artemis. But > > > honestly even after reading links provided by Garry Tully I can't > > > figure out how I should proceed. My plugin extends BrokerFilter > > > (import org.apache.activemq.broker.BrokerFilter) and uses most/all > > > available methods: start(), addConnection(), removeConnection(), > > > addConsumer(), removeConsumer(), addDestination(), > > > addDestinationInfo(), removeDestination(), removeDestinationInfo(), > > > addProducer() and send(). > > > > > > My first problem is that the first thing I want to do is to retrieve > > > the certificate from connection (so probably getTransportConnection() > > > from RemotingConnection in Artemis should be used?), parse it, read > > > few fields and store proper information in SecurityContext associated > > > with this connection. Later this info is used to determine whether a > > > connected client can create, delete or send messages to specific > > > destinations (queues/topics?). Plugin also sends information about > > > connecting/disconnecting clients and so on to predefined queue. > > > > > > I tried to figure out how the JAAS plugin can be used for this, but > > > JAAS as a whole seems to be overly complicated and I'd rather > > > reimplement everything from scratch than try to figure out how to use > > > such umm... well regarded and mature solution. > > > > > > Is there some set of classes allowing for 1 to 1 translation of > > > ActiveMQ to Artemis plugins? > > > > > > TIA, > > > -- > > > Jędrzej Dudkiewicz > > > > > > I really hate this damn machine, I wish that they would sell it. > > > It never does just what I want, but only what I tell it. > > > > > > > > > > -- > Jędrzej Dudkiewicz > > I really hate this damn machine, I wish that they would sell it. > It never does just what I want, but only what I tell it. -- Jędrzej Dudkiewicz I really hate this damn machine, I wish that they would sell it. It never does just what I want, but only what I tell it.
<<attachment: artemis-test.zip>>