Github user bhardesty commented on a diff in the pull request:
    --- Diff: doc/new-book/configuration-security.adoc ---
    @@ -412,3 +414,356 @@ listener {
     For more information about these attributes, see 
    +== Authorizing Access to Messaging Resources
    +You can restrict the number of user connections, and control access to 
AMQP messaging resources by configuring _policies_.
    +=== Types of Policies
    +You can configure two different types of policies: _global policies_ and 
_vhost policies_.
    +Global policies::
    +Settings for the router. A global policy defines the maximum number of 
incoming user connections for the router (across all vhost policies), and 
defines how the router should use vhost policies.
    +Vhost policies::
    +Connection and AMQP resource limits for a messaging endpoint (called an 
AMQP virtual host, or _vhost_). A vhost policy defines what a client can access 
on a messaging endpoint over a particular connection.
    +A vhost is typically the name of the host to which the client connection 
is directed. For example, if a client application opens a connection to the 
`amqp://` URL, the vhost would be 
    +The resource limits defined in global and vhost policies are applied to 
user connections only. The limits do not affect inter-router connections or 
router connections that are outbound to waypoints.
    +=== How {RouterName} Applies Policies
    +When a client connects to a router, the router determines whether to 
permit the connection based on the global and vhost policies, and the following 
properties of the connection:
    +* The host to which the connection is directed (the vhost)
    +* The connection's authenticated user name
    +* The host from which the client is connecting (the remote host)
    +If the connection is permitted, then the router applies a vhost policy 
that matches the vhost to which the connection is directed. The vhost policy 
limits are enforced for the lifetime of the connection.
    --- End diff --
    I reworked this section to better account for the nuances of vhost policies.


To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to