One of the new features of the proposed connector (j2ca) 1.6 spec is
the SecurityImportContext that allows inbound connectors (to mdbs) to
supply the security identity that the mdb will run under. I started
writing support for this in the geronimo j2ca component and have been
wondering how amq might take advantage of this new capability.
From my limited research I think that amq security currently only
directly supports authenticating and authorizing access to connections
and destinations, but not messages. This doesn't seem too interesting
for the j2ca security import context since the only identity available
is the one configured to get the connection the inbound messages are
delivered over. Since this is configured on the receiving server, you
might just as well configure the unauthenticated subject for the mdb
directly and skip the import step.
Let's back up a bit and consider the identities that might be
associated with a message:
1. The message was originally sent by someone.
2. At each step of message processing there's a server that is sending
the message and a server that is receiving the message.
2.a When the message is originally created, (1) and (2) might be the
same identity. Similarly, when the message is finally consumed they
might be the same identity.
As I mentioned, IIUC currently amq security only considers (2) and
discards (1) as soon as the message gets to the first broker. I think
the security inflow is only going to be interesting if (1) is used as
the source of the imported security identity; this would require
including some info about the identity with the message.
Does this analysis make sense?
Would anyone find this useful if it was implemented and easy to use?
How would I go about implementing this?
Just in case the above is a bit too abstract to actually understand
what I'm thinking about :-)...
Let's suppose there are a bunch of clients that originate messages, and
each is supplied with a certificate identifying itself. Messages
would get the certificate attached (I'm sidestepping the question of
how at the moment) so after going through a routing network of 15 or
20 brokers the mdb that finally consumed the message would have the
original client authenticated automatically by the framework and use
this identity for authorization. (Of course the brokers could also
use this info.... but unless they are using mdbs I'm not concerned at
the moment about how.)
many thanks
david jencks
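As an added illustration of the scenario in the last paragraph (example code, not from the original post, ActiveMQ or Geronimo), here is the signing and verification step in Go: the originating client signs the message body with the key behind its certificate, brokers on the path forward body, certificate and signature untouched, and the consuming side checks the certificate against its trust store and the signature against the body as delivered before using the certificate's CN as the imported identity. Assumed for the example: self-signed client certificates pinned directly in the consumer's trust store (a real deployment would have a CA issue them), and ECDSA P-256 keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issueClientCert: self-signed cert for client `name` (constructed here; a real deployment would use a CA).
func issueClientCert(name string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// Sign is the originating client: the sig over SHA-256(body) rides with the message and cert, unchanged by brokers.
func Sign(key *ecdsa.PrivateKey, body []byte) ([]byte, error) {
	h := sha256.Sum256(body)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Authenticate is the consuming side (what the container would do before building the inflow
// Subject): the cert must be trusted and the sig must match the delivered body; CN is the originator.
func Authenticate(body, certDER, sig []byte, roots *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err // unknown or untrusted originator
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(body)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("signature does not match body")
	}
	return cert.Subject.CommonName, nil
}
```

Signing only the body leaves a validly signed message reusable for a different destination, so a real design would also cover the destination and a message id in the signed data, and it still has to decide how the certificate and signature are carried in the message (the part the post sidesteps).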