Hi Domenico,

Thanks for the information and for raising the JIRA. I tried using ROLE_NAME (of authenticated cert-based users) with the latest Artemis 2.41.0 and it works fine. It was not working earlier with 2.237.0 due to a bug which got fixed in 2.41.0.

One quick question regarding USER_NAME/ROLE_NAME: both keys only work for authenticated users, right? Is there any way to first check whether the incoming connection is using a valid certificate by matching against the static certificate values defined in cert-users.properties? If they are present, then the broker initiates the SSL authentication process, else they are rejected? I am looking for some sort of pre-authentication process to avoid SSL handshake errors from misbehaving clients.

Best Regards
Shiv

-----Original Message-----
From: Domenico Francesco Bruscino <bruscin...@gmail.com>
Sent: 07 May 2025 08:31 PM
To: users@activemq.apache.org
Subject: Re: Connection router for filtering certificate based users

Hi Shiv,

the connection router doesn't resolve the USER_NAME key when the connection is authenticated with the TextFileCertificateLoginModule. This is a bug; I created the following issue: https://issues.apache.org/jira/browse/ARTEMIS-5465

Regards,
Domenico

On Tue, 6 May 2025 at 16:22, Shiv Kumar Dixit <shivkumar.di...@it.eurofinseu.com.invalid> wrote:

> Hi Domenico
> I am exploring how to restrict users (especially certificate based) from
> connecting based on certain conditions. I came across
> https://lists.apache.org/thread/not2kzq23vx60zjvsl9ffrx7rfps6wzs.
> I tried to use the USER_NAME key for filtering and it worked fine for basic
> authentication users. Can we use this USER_NAME key to filter
> certificate-based users as well?
>
> We define the certificate username and role in e.g.
> cert-users.properties and cert-roles.properties. Can we use the username
> defined in the cert-users.properties file, e.g. user1=CN=My_Test_App, in the
> connection router?
>
> <connection-routers>
>   <connection-router name="allowed-ssl-users">
>     <key-type>USER_NAME</key-type>
>     <local-target-filter>user1</local-target-filter>
>   </connection-router>
> </connection-routers>
>
> <acceptor name="ssl">tcp://0.0.0.0:9876?.........;router=allowed-ssl-users</acceptor>
>
> Thanks
> Shiv
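
Added example, not part of the thread and not Artemis code: an offline audit that lists which entries of cert-users.properties a router's `local-target-filter` would match for the USER_NAME or ROLE_NAME key. It assumes the filter is a regular expression that must match the whole key value, that cert-roles.properties uses a `role=user,user` layout, and that a user counts as matching when any of its roles matches; the file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample files (assumed layout: user=DN and role=user,user).
# Every user, DN and role below is made up for this example.
CERT_USERS = "user1=CN=My_Test_App\nuser2=CN=Other_App, OU=Lab\nuser3=CN=Batch_Job\n"
CERT_ROLES = "# constructed sample\napps=user1,user2\nbatch=user3\n"

def parse_properties(text):
    """Parse key=value lines, splitting on the first '=' only (DNs contain '=')."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # skip blank lines and comments
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip()
    return entries

def roles_by_user(roles_text):
    """Invert role=user,user lines into a user -> [roles] mapping."""
    result = {}
    for role, members in parse_properties(roles_text).items():
        for user in members.split(","):
            if user.strip():
                result.setdefault(user.strip(), []).append(role)
    return result

def local_matches(key_type, target_filter, users_text, roles_text):
    """Return {user: DN} for users whose key value fully matches the filter.
    Assumption: ROLE_NAME matches when any role of the user matches."""
    users = parse_properties(users_text)
    user_roles = roles_by_user(roles_text)
    pattern = re.compile(target_filter)
    matched = {}
    for user, dn in users.items():
        if key_type == "USER_NAME":
            keys = [user]
        elif key_type == "ROLE_NAME":
            keys = user_roles.get(user, [])
        else:
            raise ValueError(f"unsupported key type: {key_type}")
        if any(pattern.fullmatch(key) for key in keys):
            matched[user] = dn
    return matched

if __name__ == "__main__":
    for key_type, flt in (("USER_NAME", "user1"), ("ROLE_NAME", "apps")):
        print(key_type, flt, local_matches(key_type, flt, CERT_USERS, CERT_ROLES))
```

Running it against the real property files before changing a filter shows which certificate DNs the new expression would cover, including ones picked up unintentionally by a broad pattern.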