To follow up: I have attached my test project. To send message to the
queue, simply call

wget 'http://localhost:8080/send?msg=napis'

from the command line. All calls to the plugin's methods are logged
using a custom aspect. Note that only methods that are overrode are
logged, so e.g. methods used for bridging or federation are not there
as I omitted them from the plugin (also bridging and federation are
not used).

I hope this will help someone somehow.

Regards,
Jędrzej Dudkiewicz

On Thu, Jan 5, 2023 at 10:32 AM Jędrzej Dudkiewicz
<jedrzej.dudkiew...@gmail.com> wrote:
>
> Hello,
>
> Thank you for an answer. I have problems even with starting, since
> from what I see security was completely changed from what was
> available in ActiveMQ. First thing is that there is no SecurityContext
> object attached to the client so to say, so I don't really know where
> I should store information read from certificate and access
> permissions. It seems that e.g. BrokerMessageAuthorizationPlugin gets
> it from reference to server (that it gets from its "registered"
> callback) by getting its securityStore() and from that ServerSession
> and from that Subject. It seems that I could do the same, *but* I
> can't find any way to put my own information there. It seems that to
> do it I'd have to go the hard route and implement my own
> securityManager (as it is used when creating securityStore in
> ActiveMQServerImpl) at least and probably some other classes. This is
> why I thought about using JAAS - this way "all" I'd have to do is to
> reimplement "CertificateLoginModule" used by
> "ActiveMQJAASSecurityManager". It takes care of reading certificate
> and parsing it, but
>
> a) make different assumptions about which field from certificate will be used,
> b) from what I understand uses properties file to get roles for users.
>
> I use OID "0.9.2342.19200300.100.1.1" which contains data in format
> "ROLE/UUID", where "UUID" is client's UUID which serves as both its
> identifier and name of queue for messages sent to client, and "ROLE"
> is more or less a predefined set of permissions that controls what
> queues (by name) this client can read from, write to and create.
>
> This is one problem. Another is how I should check whether a client
> can create a queue. I wrote simple SpringBoot based program that
> embeds Artemis, installs my plugin and then sends message to
> "QUEUEDEF" (sorry my naming sense). It seems that from the plugin's
> perspective  the flow of the process of client connecting and sending
> single message is as follows:
>
> CALLING: beforeCreateSession
> CALLING: beforeMessageRoute
> CALLING: afterMessageRoute
> CALLING: afterCreateSession
> CALLING: beforeAddBinding
> CALLING: beforeMessageRoute
> CALLING: afterMessageRoute
> CALLING: afterAddBinding
> CALLING: afterCreateQueue
> CALLING: beforeSend
> CALLING: beforeMessageRoute
> CALLING: afterMessageRoute
> CALLING: afterSend
>
> I don't know why but "beforeCreateQueue" is not called - not that it
> is important since I can't do anything with it as I have no access to
> ServerSession in this callback.
> What I am interested in is whether I am correctly assuming that
> basically the only place I can check anything is "beforeSend"
> callback. Unfortunately it is called after "afterCreateQueue" (and as
> I wrote "beforeCreateQueue" is not called), so I can't prevent queue
> creation in this case - there is not enough data passed to the
> callback.
> Also it seems that "canAccept" is called only when a message is about
> to be sent to the consumer, and it makes me wonder what is the reason
> for lack of other "canDoSomething" methods, e.g. "canCreateQueue()" :)
>
> To sum up:
>
> 1. I can't see a way to attach my own data to client's session and the
> only way to do it seems to be write JAAS plugin/login module.
> 2. I can't see a way to prevent client from creating arbitrary queues.
>
> TIA,
> Jędrzej Dudkiewicz
>
>
> On Thu, Jan 5, 2023 at 4:31 AM Justin Bertram <jbert...@apache.org> wrote:
> >
> > Can you elaborate on what exactly you haven't been able to translate into
> > Artemis' plugin architecture? As Gary mentioned, there's a fairly rich set
> > of integration points with the various plugins and the fact that the
> > security manager is pluggable as well. Examples of most of these are
> > shipped with the broker to help you get going. You shouldn't need to
> > implement your own JAAS login module as far as I can tell from your
> > description.
> >
> > That said, right now you'll have to jump through a few hoops to get details
> > from the SSL certificate into the authorization method as the
> > RemotingConnection is no longer passed into it [1]. See ARTEMIS-4059 [2]
> > for additional discussion on that point.
> >
> > Ultimately there's no set of classes which will give you a 1 to 1
> > translation for migrating plugins since the internal broker architectures
> > are so different. However, the basic concepts should translate such that
> > just about anything you could do in "Classic" you should be able to do in
> > Artemis. If not, we'll implement those abilities where it makes sense.
> >
> >
> > Justin
> >
> > [1]
> > https://activemq.apache.org/components/artemis/documentation/javadocs/javadoc-latest/org/apache/activemq/artemis/spi/core/security/ActiveMQSecurityManager5.html
> > [2] https://issues.apache.org/jira/browse/ARTEMIS-4059
> >
> > On Wed, Dec 28, 2022 at 4:45 AM Jędrzej Dudkiewicz <
> > jedrzej.dudkiew...@gmail.com> wrote:
> >
> > > Hello,
> > >
> > > I wrote to this group earlier
> > > (https://www.mail-archive.com/dev@activemq.apache.org/msg67666.html)
> > > and got a response regarding migrating plugin from AMQ to Artemis. But
> > > honestly even after reading links provided by Garry Tully I can't
> > > figure out how I should proceed. My plugin extends BrokerFilter
> > > (import org.apache.activemq.broker.BrokerFilter) and uses most/all
> > > available methods: start(), addConnection(), removeConnection(),
> > > addConsumer(), removeConsumer(), addDestination(),
> > > addDestinationInfo(), removeDestination(), removeDestinationInfo(),
> > > addProducer() and send().
> > >
> > > My first problem is that the first thing I want to do is to retrieve
> > > the certificate from connection (so probably getTransportConnection()
> > > from RemotingConnection in Artemis should be used?), parse it, read
> > > few fields and store proper information in SecurityContext associated
> > > with this connection. Later this info is used to determine whether a
> > > connected client can create, delete or send messages to specific
> > > destinations (queues/topics?). Plugin also sends information about
> > > connecting/disconnecting clients and so on to predefined queue.
> > >
> > > I tried to figure out how the JAAS plugin can be used for this, but
> > > JAAS as a whole seems to be overly complicated and I'd rather
> > > reimplement everything from scratch than try to figure out how to use
> > > such umm...  well regarded and mature solution.
> > >
> > > Is there some set of classes allowing for 1 to 1 translation of
> > > ActiveMQ to Artemis plugins?
> > >
> > > TIA,
> > > --
> > > Jędrzej Dudkiewicz
> > >
> > > I really hate this damn machine, I wish that they would sell it.
> > > It never does just what I want, but only what I tell it.
> > >
> > >
>
>
>
> --
> Jędrzej Dudkiewicz
>
> I really hate this damn machine, I wish that they would sell it.
> It never does just what I want, but only what I tell it.



-- 
Jędrzej Dudkiewicz

I really hate this damn machine, I wish that they would sell it.
It never does just what I want, but only what I tell it.

<<attachment: artemis-test.zip>>

Reply via email to