Hi Garry,

This is what I came up with:
Firstly you need to implement the SecurityFactory trait. For example:
https://github.com/apache/activemq-apollo/blob/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/test/UserOwnershipSecurityFactory.scala#L29

Then you need to set the 'security_factory' attribute of the broker element to the name of the class you implemented it with. For example:
https://github.com/apache/activemq-apollo/blob/trunk/apollo-stomp/src/test/resources/apollo-stomp-custom-security.xml#L18

This change is being tracked via:
https://issues.apache.org/jira/browse/APLO-330#comment-13707807

On Fri, Jul 12, 2013 at 11:22 AM, Garry Watkins <cats...@me.com> wrote:
> That sounds good. I was searching in the code and that is where I thought I
> might be able to hook in.
>
> Why not add an authorizer attribute which is the class name of the custom
> authorizer.
>
> <access_rule allow="*" action="create destroy send"
>   authorizer="MyCustomAuthorizer"/>
> <access_rule allow="*" action="connect receive consume"
>   authorizer="MyCustomAuthorizer2"/>
>
> On Jul 12, 2013, at 11:01 AM, Hiram Chirino <hi...@hiramchirino.com> wrote:
>
>> Ok then it seems like you will need to implement a custom Authorizer.
>> The interface of an Authorizer is quite simple. It looks like:
>>
>> trait Authorizer {
>>   def can(ctx:SecurityContext, action:String, resource:SecuredResource):Boolean;
>> }
>>
>> Basically the ctx will have the user info including the security
>> subject/cert info. The action is stuff like "send", and the resource
>> will be an instance of a virtualhost, queue, topic (etc.) that the
>> user is trying to perform the action against. The method just needs to
>> return true if it's allowed.
>>
>> The only problem is there does not yet exist a way to configure a
>> custom authorizer. Let me see if I can add support for that in the apollo
>> configuration.
>>
>> On Wed, Jul 10, 2013 at 6:38 PM, Garry Watkins <cats...@me.com> wrote:
>>> Yes, the users will be unknown at the time of connection.
>>>
>>> On Jul 10, 2013, at 3:00 PM, Hiram Chirino <hi...@hiramchirino.com> wrote:
>>>
>>>> And the user names are dynamic? You don't know them ahead of time?
>>>>
>>>> On Tue, Jul 9, 2013 at 4:14 PM, Garry Watkins <cats...@icloud.com> wrote:
>>>>> I have been looking at the documentation in the security section.
>>>>>
>>>>> http://activemq.apache.org/apollo/documentation/user-manual.html#Security
>>>>>
>>>>> I need to write code that will allow a queue to be created with the
>>>>> same name as the user. That user may then be allowed to receive and
>>>>> consume messages.
>>>>>
>>>>> Any hints about where I could inject this into the code?
>>>>>
>>>>> Thanks
>>>>>
>>>>> On Jul 08, 2013, at 02:06 PM, Christian Posta <christian.po...@gmail.com> wrote:
>>>>>
>>>>> Should be the distinguished name from the X509 cert:
>>>>>
>>>>> http://docs.oracle.com/javase/6/docs/api/javax/security/auth/x500/X500Principal.html
>>>>>
>>>>> On Mon, Jul 8, 2013 at 1:31 PM, Garry Watkins <cats...@me.com> wrote:
>>>>>
>>>>> Ok, now that I know that I can do that.
>>>>>
>>>>> How does Apollo assign the username? What I want to do is have another
>>>>> process create a queue just for that user, and that is the only queue that
>>>>> user may access.
>>>>>
>>>>> Thanks for the speedy response.
>>>>>
>>>>> On Jul 8, 2013, at 1:28 PM, Christian Posta <christian.po...@gmail.com> wrote:
>>>>>
>>>>>> Yep, try adding the following to your ssl connector:
>>>>>>
>>>>>> <connector id="default" bind="ssl://0.0.0.0:61614">
>>>>>>   <ssl client_auth="need" />
>>>>>> </connector>
>>>>>>
>>>>>> On Mon, Jul 8, 2013 at 12:51 PM, Garry Watkins <cats...@me.com> wrote:
>>>>>>
>>>>>>> Is it possible to use Client Certs for Authentication/Authorization for
>>>>>>> Apollo?
>>>>>>
>>>>>> --
>>>>>> Christian Posta
>>>>>> http://www.christianposta.com/blog
>>>>>> twitter: @christianposta
>>>>
>>>> --
>>>> Hiram Chirino
>>>>
>>>> Engineering | Red Hat, Inc.
>>>>
>>>> hchir...@redhat.com | fusesource.com | redhat.com
>>>>
>>>> skype: hiramchirino | twitter: @hiramchirino
>>>>
>>>> blog: Hiram Chirino's Bit Mojo
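Worked example, added to this archived thread by the editor. It is not code from the thread, the Apollo project or its UserOwnershipSecurityFactory test; it sketches the policy Garry asked for (a user authenticated by client certificate may receive/consume only from the queue that carries their own name) as a SecurityFactory that wraps Apollo's default Authorizer. The only API the thread itself confirms is the Authorizer trait quoted by Hiram and the X500Principal DN as the user name. Everything else is an assumption about the Apollo broker API and is marked as such in the comments: the package name com.example.apollo, the class names, the SecurityFactory install(Broker)/install(VirtualHost) methods, DefaultSecurityFactory, the mutable `authorizer` fields on Broker and VirtualHost, `SecurityContext.user`, and `SecuredResource.resource_kind`/`id` with a `SecuredResource.QueueKind` value.

```scala
package com.example.apollo

import javax.naming.InvalidNameException
import javax.naming.ldap.LdapName
import scala.collection.JavaConverters._
import org.apache.activemq.apollo.broker.{Broker, VirtualHost}
import org.apache.activemq.apollo.broker.security._

// Added example, not Apollo project code. See the assumptions noted inline.
object PerUserQueueAuthorizer {

  // Queue actions reserved for the queue's owner. "send" is deliberately
  // absent so other users or a provisioning process can deliver into the
  // queue, and "create"/"destroy" stay with the configured access_rules.
  val OWNER_ONLY_ACTIONS = Set("receive", "consume")

  // Return the CN of an RFC 2253 distinguished name, or None if there is
  // none or the string is not a DN. LdapName understands RFC 2253 escaping,
  // so a value like "CN=a\,b,O=x" is not split on the escaped comma.
  def commonName(dn: String): Option[String] =
    try {
      new LdapName(dn).getRdns.asScala
        .find(_.getType.equalsIgnoreCase("CN"))
        .map(_.getValue.toString)
    } catch {
      case _: InvalidNameException => None
    }

  // Does `user` (the DN Apollo derived from the client certificate) own the
  // queue `queue_id`? Either the full DN or just its CN may be used as the
  // queue name. Fails closed when there is no authenticated user.
  def owns(user: String, queue_id: String): Boolean =
    user != null && queue_id != null &&
      (queue_id == user || commonName(user).exists(_ == queue_id))

  // Wrap an existing authorizer: owner-only queue actions are decided here,
  // every other decision (connect, topics, create/destroy, ...) is delegated
  // to the authorizer that the default security setup installed.
  def wrap(default: Authorizer): Authorizer = new Authorizer {
    def can(ctx: SecurityContext, action: String, resource: SecuredResource): Boolean =
      // Assumption: SecuredResource exposes resource_kind and id, and
      // SecurityContext exposes the authenticated user name as `user`.
      resource.resource_kind match {
        case SecuredResource.QueueKind if OWNER_ONLY_ACTIONS.contains(action) =>
          owns(ctx.user, resource.id)
        case _ =>
          default.can(ctx, action, resource)
      }
  }
}

// Assumption: SecurityFactory has install(Broker) and install(VirtualHost),
// DefaultSecurityFactory installs the stock authenticator/authorizer, and
// both Broker and VirtualHost carry a reassignable `authorizer` field.
// Both levels are wrapped so that whichever one Apollo consults for a queue
// decision applies the per-user rule.
class PerUserQueueSecurityFactory extends SecurityFactory {
  import PerUserQueueAuthorizer._

  def install(broker: Broker): Unit = {
    DefaultSecurityFactory.install(broker)
    broker.authorizer = wrap(broker.authorizer)
  }

  def install(virtual_host: VirtualHost): Unit = {
    DefaultSecurityFactory.install(virtual_host)
    virtual_host.authorizer = wrap(virtual_host.authorizer)
  }
}
```

To wire it in as Hiram describes, put the compiled class on the broker's classpath and set `security_factory="com.example.apollo.PerUserQueueSecurityFactory"` on the `<broker>` element. The rule only does what Garry wants if the connector has `<ssl client_auth="need" />` and authentication actually populates the context's user from the certificate DN; otherwise `ctx.user` is null and the owner check denies every receive/consume on every queue, which is the safe failure mode. If the owner should also be allowed to create their own queue rather than relying on a separate process, add "create" to OWNER_ONLY_ACTIONS, keeping in mind that this then denies create to everyone else, including the provisioning process.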