On 7/31/06, ngcutura <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I have another requirement in my project (a tough one). Instead of using username/password I want to use only a certificate for both authentication and authorization. I see two approaches:
>
> 1. As JMS allows only (username, password) in createConnection(), I can export the certificate to a String and supply it as the username, and develop a custom JAAS login module that converts the username String back into the certificate and authenticates it (against an LDAP directory). However, I don't like this approach.
>
> 2. As I am going to use SSL anyway, I would like to use SSL client authentication as the basis for AMQ authentication. As far as I understood JSSE, certificates are checked against a keystore, so I can develop a custom keystore implementation that checks certificates against the LDAP directory. However, I do not know how to make AMQ aware of this process, i.e. how to bind the Subject with the SSL connection so that AMQ can use this information for authorization. SSL client authentication is invisible to AMQ, as I understood.
So the SSL transport could extract the client certificate/subject and append it to the ConnectionInfo that is received on the broker side (in a transient field), which can then be used by any security plugins later on. On the broker side there is an exchange of Command objects, of which ConnectionInfo is the start of a connection and the 'login' part.

http://activemq.org/site/code-overview.html

To get an idea how all that works, try looking at AuthorizationBroker. Incidentally, it's AbstractConnection.processAddConnection(ConnectionInfo) which processes a new connection, calling broker.addConnection(context, info).

I've just made a small refactor to make it a little easier to extend ConnectionInfo; I've added a constructor to the ConnectionContext object to allow you to extract new fields from the ConnectionInfo and make them available to the ConnectionContext (which typically holds connection-related information like user name and password, and to which you might want to add certificate information).

So you should be able to just work with ConnectionInfo, ConnectionContext and the SSL transport to do what you need, I think.

--
James
-------
http://radio.weblogs.com/0112098/
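As an added illustration of the design James sketches (a broker plugin that authenticates from the certificate the SSL transport attached to ConnectionInfo instead of from username/password), here is example code that is not from this thread or from ActiveMQ itself. It assumes the later ActiveMQ 5.x API, where `ConnectionInfo.getTransportContext()` returns the peer's `X509Certificate[]`, `BrokerFilter` wraps the broker chain and `ConnectionContext.setSecurityContext(...)` carries the authenticated principals; the 2006 refactor described above does not yet have those names.

```java
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;

import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;
import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.command.ConnectionInfo;
import org.apache.activemq.security.SecurityContext;

/**
 * Hypothetical broker plugin: the identity of a connection is the subject DN of
 * the client certificate presented during the SSL handshake. Connections that
 * arrive without a certificate (plain TCP, or SSL without client auth) are refused.
 */
public class CertificateSubjectBroker extends BrokerFilter {

    public CertificateSubjectBroker(Broker next) {
        super(next);
    }

    @Override
    public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception {
        // Assumption: the SSL transport stores the peer chain as X509Certificate[]
        // in the transport context; any other value means no client certificate.
        Object transportContext = info.getTransportContext();
        if (!(transportContext instanceof X509Certificate[])
                || ((X509Certificate[]) transportContext).length == 0) {
            throw new SecurityException("Client certificate required for client " + info.getClientId());
        }
        X509Certificate[] chain = (X509Certificate[]) transportContext;

        // JSSE has already validated the chain against the broker's truststore;
        // here we only map the leaf certificate's subject to the connection's principal.
        final Principal subject = chain[0].getSubjectX500Principal();
        final Set<Principal> principals = new HashSet<Principal>();
        principals.add(subject);

        context.setSecurityContext(new SecurityContext(subject.getName()) {
            @Override
            public Set<Principal> getPrincipals() {
                return principals; // consumed by the authorization broker downstream
            }
        });
        super.addConnection(context, info);
    }

    @Override
    public void removeConnection(ConnectionContext context, ConnectionInfo info, Throwable error) throws Exception {
        super.removeConnection(context, info, error);
        context.setSecurityContext(null);
    }
}
```

The filter only takes effect if the SSL transport connector is configured to require client certificates (`transport.needClientAuth=true` on the connector URI), since otherwise the handshake completes with no chain and every connection is rejected. An LDAP group lookup keyed on the subject DN could populate the principal set for authorization, which is the part of the original question this example leaves out.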
