On 7/17/06, Sepand M <[EMAIL PROTECTED]> wrote:
Hi,

I'm trying to modify ActiveMQ so it can handle SSL connections

FWIW we already support SSL connections...

http://incubator.apache.org/activemq/configuring-transports.html

in particular...

http://incubator.apache.org/activemq/ssl-transport-reference.html


and
authorize access to different queues based on client IDs.

We have a security plugin to perform authentication and authorization
on specific destinations, details here...

http://incubator.apache.org/activemq/security.html


I've been looking at your "JMSXUserID support" (
http://incubator.apache.org/activemq/jmsxuserid.html) to see if it
could be used for authentication once the connection has been
established.

So the purpose of the JMSXUserID feature is to be able to add a header
to all JMS messages that leave a broker so that consumers receiving
the message can know the authenticated user ID who sent the message.
i.e. it means that a producer cannot spoof its userID when sending a
message.

JMSXUserID does not perform the actual authentication/authorization -
that's a feature of the security plugin I mentioned above.

From what I see, using the BrokerService.setPopulateJMSXUserID(true);
causes the BrokerService to use a UserIDBroker, which in turn uses the
ConnectionContext to retrieve the userID.

The problem I see is that the connection context is set in
AbstractConnection.processMessage, which uses the producerId received
from the message, which has been sent by the producer (and is not
validated by the server).
This, to me, means that if the producer manages to guess a correct
producerId, it will have impersonated another producer.

Is this true?

The clientID is the thing we use; something the client can generate
itself. Though we ensure that only 1 connection that is active has a
single clientID value at any point in time (so no client can pretend
to be another one - it's also required by the JMS spec). So I don't
think it matters too much what the producerId is - unless I've
misunderstood your point.
--

James
-------
http://radio.weblogs.com/0112098/

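A broker configuration that wires together the three things discussed in this thread (an SSL transport connector, the authentication/authorization plugin, and JMSXUserID population) as an added example; it is not from the thread or the ActiveMQ documentation, and it assumes the later ActiveMQ 5.x XML schema rather than the 2006 incubator one. The user names, group names, queue name and listener port are constructed.

```xml
<!-- Constructed example (ActiveMQ 5.x schema assumed); not from the thread. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://activemq.apache.org/schema/core
         http://activemq.apache.org/schema/core/activemq-core.xsd">

  <!-- populateJMSXUserID="true" installs the UserIDBroker, which stamps
       every message with the user authenticated on the producing
       connection, so consumers can trust the JMSXUserID property. -->
  <broker xmlns="http://activemq.apache.org/schema/core"
          brokerName="secure-broker"
          populateJMSXUserID="true">

    <plugins>
      <!-- Authentication: connection credentials are verified here, so the
           user name copied by the UserIDBroker is one the broker checked,
           not a value the producer chose for itself. -->
      <simpleAuthenticationPlugin>
        <users>
          <authenticationUser username="orders-svc" password="CHANGE_ME"
                              groups="producers"/>
          <authenticationUser username="billing-svc" password="CHANGE_ME"
                              groups="consumers"/>
        </users>
      </simpleAuthenticationPlugin>

      <!-- Authorization: per-destination ACLs by group (least privilege:
           producers may only write ORDERS.>, consumers may only read it). -->
      <authorizationPlugin>
        <map>
          <authorizationMap>
            <authorizationEntries>
              <authorizationEntry queue="ORDERS.>"
                                  write="producers"
                                  read="consumers"
                                  admin="producers,consumers"/>
              <!-- Clients subscribe to advisory topics by default, so
                   every group needs access to them or connections fail. -->
              <authorizationEntry topic="ActiveMQ.Advisory.>"
                                  read="producers,consumers"
                                  write="producers,consumers"
                                  admin="producers,consumers"/>
            </authorizationEntries>
          </authorizationMap>
        </map>
      </authorizationPlugin>
    </plugins>

    <!-- SSL-only listener; keystore settings go in a separate sslContext. -->
    <transportConnectors>
      <transportConnector name="ssl" uri="ssl://0.0.0.0:61617"/>
    </transportConnectors>
  </broker>
</beans>
```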