Great news, thank you!
> On 11 Dec 2019, at 20:48, Justin Bertram <jbert...@apache.org> wrote:
>
>> Currently there is no way to use a custom ActiveMQSecurityManager
>> implementation via the XML configuration.
>
> FYI - I just opened ARTEMIS-2574 [1] and sent a PR [2] to address this.
>
>
> Justin
>
> [1] https://issues.apache.org/jira/browse/ARTEMIS-2574
> [2] https://github.com/apache/activemq-artemis/pull/2917
>
> On Fri, Sep 20, 2019 at 8:34 AM Justin Bertram <jbert...@apache.org> wrote:
>
>>> In a few words, what I’d like to achieve is to let Artemis instantiate and
>>> use a custom ActiveMQSecurityManager provided through a configuration
>>> parameter. Is there a way, or must I patch the Artemis code to allow the
>>> ActiveMQSecurityManager pluggability?
>>
>> Currently there is no way to use a custom ActiveMQSecurityManager
>> implementation via the XML configuration. The broker would need to be
>> modified to allow this behavior (and I think that would be a valid
>> enhancement).
>>
>> For what it's worth, using a custom ActiveMQSecurityManager implementation
>> is a trivial matter for embedded use-cases.
>>
>>
>> Justin
>>
>> On Wed, Sep 11, 2019 at 9:28 AM Modanese, Riccardo
>> <riccardo.modan...@eurotech.com.invalid> wrote:
>>
>>> Hi, unfortunately I cannot rely on a security repository and the users
>>> and ACLs profiles could be thousands.
>>>
>>> My idea is to replace the ActiveMQJAASSecurityManager with my own custom
>>> ActiveMQSecurityManager implementation.
>>> But I didn’t find a way.
>>> It seems that there is no other way than specifying a jaas-security tag
>>> in the bootstrap.xml configuration file (<jaas-security
>>> domain="activemq"/>).
>>> If I remove the tag, or I try to change the DTO instance (with the
>>> appropriate annotation in the new DTO file itself), I get an XML validation
>>> schema error.
>>> From my attempts there is no way to remove the jaas-security tag.
>>>
>>> In a few words, what I’d like to achieve is to let Artemis instantiate and
>>> use a custom ActiveMQSecurityManager provided through a configuration
>>> parameter.
>>> Is there a way, or must I patch the Artemis code to allow the
>>> ActiveMQSecurityManager pluggability?
>>>
>>>
>>> On 28 Aug 2019, at 05:23, yw yw <wy96...@gmail.com> wrote:
>>>
>>> Yes, it would check every time a client publishes a message or subscribes
>>> to an address.
>>>
>>> From my understanding, SecuritySettingPlugin should meet your
>>> requirements.
>>> You can save the "securityRepository" passed by
>>> "SecuritySettingPlugin::setSecurityRepository" in your custom
>>> SecuritySettingPlugin. When you receive a notification that a user is
>>> added/removed, you can call securityRepository::addMatch/removeMatch/swap
>>> to change the ACL in the matching address.
>>>
>>>
>>> Modanese, Riccardo <riccardo.modan...@eurotech.com.invalid> wrote on
>>> Tue, 27 Aug 2019 at 11:12 PM:
>>>
>>> I think the SecuritySettingPlugin will not solve my issue but an
>>> ActiveMQSecurityManager3 custom implementation could.
>>>
>>> So I tried to plug in an ActiveMQSecurityManager3 implementation but without
>>> any success.
>>> From my understanding this plugin should be defined in bootstrap.xml but
>>> unfortunately I found no way to replace the jaas-security tag with another
>>> one pointing to my configuration DTO (the xsd doesn’t provide an alternative
>>> tag to jaas-security).
>>>
>>> Anyway, just to be sure whether the ActiveMQSecurityManager3 API could fit my
>>> needs, is the method validateUserAndRole called before every
>>> publish/subscribe?
>>>
>>> On 26 Aug 2019, at 18:00, Christopher Shannon
>>> <christopher.l.shan...@gmail.com> wrote:
>>>
>>> You might need to write some custom code to do what you want and you could
>>> try a custom Security plugin.
>>> See the API and Java docs for the security setting plugin:
>>>
>>> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/SecuritySettingPlugin.java
>>>
>>> If you need even more control you can create your own SecurityManager and
>>> register it with the broker. The interface to extend is:
>>>
>>> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQSecurityManager3.java
>>>
>>> The validateUserAndRole() method is where you do your ACL checks.
>>>
>>> A default implementation that delegates to a JAAS module is included in
>>> the broker already, which you can use as an example or to extend:
>>>
>>> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java
>>>
>>> On Mon, Aug 26, 2019 at 8:01 AM Modanese, Riccardo
>>> <riccardo.modan...@eurotech.com.invalid> wrote:
>>>
>>> I already read this page and I wasn’t able to find any helpful
>>> information.
>>> In our use case each user has an ACL depending on the username itself.
>>> Moreover a user can be added at runtime and the broker must be able to
>>> create and handle correctly the ACL also for the newly created user.
>>>
>>> So, in the end, what I need is the capability of creating ACLs
>>> programmatically and keeping them in a session in order to be used every time
>>> a client publishes a message or subscribes to an address.
>>> In ActiveMQ 5 this was possible ([1] - [2]) by creating a
>>> DefaultAuthorizationMap object, but I cannot find a similar object in
>>> Artemis.
>>>
>>> [1] https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L683
>>> [2] https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L557
>>>
>>>
>>> On 26 Aug 2019, at 13:43, Christopher Shannon
>>> <christopher.l.shan...@gmail.com> wrote:
>>>
>>> All of the info you should need to get started should be here:
>>>
>>> https://activemq.apache.org/components/artemis/documentation/latest/security.html
>>>
>>> On Mon, Aug 26, 2019 at 6:24 AM Modanese, Riccardo
>>> <riccardo.modan...@eurotech.com.invalid> wrote:
>>>
>>> Hello,
>>> In our ActiveMQ 5.x security plugin code we are enforcing ACLs
>>> programmatically so I’m investigating how to migrate our current ACLs from
>>> ActiveMQ 5.x to Artemis.
>>>
>>> I took a look into the Artemis source code and I didn’t find any similar
>>> object to those present in ActiveMQ 5.x (e.g.
>>> org.apache.activemq.security.AuthorizationMap,
>>> org.apache.activemq.security.AuthorizationEntry, ...)
>>>
>>> Can you point me in the right direction?
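
Added example, not part of the original thread and not code from the Artemis project: a sketch of the ActiveMQSecurityManager3 approach discussed above, where the ACL is computed from the user name inside validateUserAndRole() instead of being stored per user. It assumes artemis-server is on the classpath; the class name, the `devices.<username>.` address scheme and the in-memory credential map are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.activemq.artemis.core.security.CheckType;
import org.apache.activemq.artemis.core.security.Role;
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3;

/** Hypothetical manager: a user may only SEND to or CONSUME from "devices.<username>.*"; all else is denied. */
public class PerUserAclSecurityManager implements ActiveMQSecurityManager3 {
   // Constructed stand-in for an external credential store; entries can be added at runtime.
   private final Map<String, byte[]> secrets = new ConcurrentHashMap<>();
   public void addUser(String user, String password) {
      // "." delimits address segments: user "a" must never match "devices.a.b." of user "a.b".
      if (user.isEmpty() || user.contains(".")) throw new IllegalArgumentException("bad user name");
      secrets.put(user, password.getBytes(StandardCharsets.UTF_8));
   }

   private boolean authenticate(String user, String password) {
      if (user == null || password == null) return false;
      byte[] expected = secrets.get(user);
      // MessageDigest.isEqual does not stop at the first differing byte.
      return expected != null && MessageDigest.isEqual(expected, password.getBytes(StandardCharsets.UTF_8));
   }

   @Override
   public boolean validateUser(String user, String password) {
      return authenticate(user, password);
   }

   @Override
   public String validateUser(String user, String password, RemotingConnection connection) {
      return authenticate(user, password) ? user : null; // null means rejected
   }

   @Override
   public boolean validateUserAndRole(String user, String password, Set<Role> roles, CheckType checkType) {
      return false; // no address is available on this overload, so fail closed
   }

   @Override
   public String validateUserAndRole(String user, String password, Set<Role> roles, CheckType checkType, String address, RemotingConnection connection) {
      if (!authenticate(user, password) || address == null) return null;
      boolean dataOp = checkType == CheckType.SEND || checkType == CheckType.CONSUME;
      // The configured roles are ignored: the decision depends only on user name and address.
      return dataOp && address.startsWith("devices." + user + ".") ? user : null;
   }
}
```

For the embedded use-case mentioned in the thread, an instance can be passed to `EmbeddedActiveMQ.setSecurityManager(...)` before `start()`.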