Yes, all authentication is done via JAAS in Apollo. See:
http://activemq.apache.org/apollo/documentation/user-manual.html#Authentication

Regards,
Hiram

FuseSource
Web: http://fusesource.com/

Connect at CamelOne May 24-26
The Open Source Integration Conference

On Wed, May 18, 2011 at 3:06 PM, Allen Reese <[email protected]> wrote:
> Is it possible to control access to the REST interface via JAAS?
> We have internal JAAS modules for allowing role-based access.
>
> Thanks,
>
> --Allen Reese
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf
>> Of Hiram Chirino
>> Sent: Tuesday, May 17, 2011 5:05 PM
>> To: Lionel Cons
>> Cc: [email protected]
>> Subject: Re: Security of the management interface
>>
>> Good feedback. Opened some issues to track. Feel free to
>> add more as they come to mind.
>>
>> https://issues.apache.org/jira/browse/APLO-11
>> https://issues.apache.org/jira/browse/APLO-12
>>
>> Regards,
>> Hiram
>>
>> FuseSource
>> Web: http://fusesource.com/
>>
>> Connect at CamelOne May 24-26
>> The Open Source Integration Conference
>>
>> On Tue, May 17, 2011 at 2:14 AM, Lionel Cons <[email protected]> wrote:
>> > Hiram,
>> >
>> > First of all, thanks for starting to document the management
>> > interface. I hope you will add the missing bits (e.g. get/update
>> > apollo.xml, shutdown the broker...) soon.
>> >
>> > Here are some security-related comments.
>> >
>> > Since credentials will be given in clear to the management interface
>> > (HTTP basic authentication), Apollo should support SSL encryption for it.
>> >
>> > The current authorization scheme (allow users defined in broker.admin
>> > to do everything) is not fine-grained enough. At minimum, there should
>> > be the possibility to have two different accesses: read-only (only get
>> > information without changing the broker state) and read-write (such as
>> > restarting the broker, changing its configuration, deleting a
>> > queue...). Note that the broker configuration is very sensitive since
>> > it may contain clear text passwords (e.g. <key_storage>) and security
>> > settings (who is allowed to do what).
>> >
>> > Maybe the management interface should have its own fine-grained access
>> > control (a bit like httpd) so that one can specify at the URL level
>> > who can do what?
>> >
>> > The management interface will probably be extended to include what the
>> > ActiveMQ web console provides today. If this is the case, actions such
>> > as browsing a queue, inspecting a message, sending a message, etc.
>> > should be controlled by the same per destination ACLs used by the
>> > STOMP access.
>> >
>> > Cheers,
>> >
>> > Lionel
>> >
>>
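The read-only versus read-write split Lionel asks for above, sketched as an added Java example (not Apollo's own code): safe HTTP methods need a monitoring role, mutating methods need an admin role, and the configuration resource needs admin even for reads because it may hold clear-text passwords. It assumes the role names `monitor` and `admin`, a config path of `/broker/config`, and a hypothetical `RolePrincipal` standing in for whatever principals a site's JAAS login module places in the `Subject`.

```java
import java.security.Principal;
import javax.security.auth.Subject;

// Hypothetical role principal; a real JAAS login module populates the Subject.
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

public final class ManagementAuthorizer {
    static final String READ_ROLE = "monitor";        // assumed role name
    static final String WRITE_ROLE = "admin";         // assumed role name
    static final String CONFIG_PATH = "/broker/config"; // assumed resource path

    // Safe HTTP methods only read broker state; everything else mutates it.
    static boolean isReadOnly(String method) {
        return method.equals("GET") || method.equals("HEAD");
    }

    static boolean hasRole(Subject subject, String role) {
        for (RolePrincipal p : subject.getPrincipals(RolePrincipal.class)) {
            if (p.getName().equals(role)) return true;
        }
        return false;
    }

    // Decide whether an authenticated subject may perform this request.
    static boolean permit(Subject subject, String method, String path) {
        if (subject == null) return false;                  // unauthenticated: deny
        boolean admin = hasRole(subject, WRITE_ROLE);
        if (path.startsWith(CONFIG_PATH)) return admin;     // config carries secrets
        if (isReadOnly(method)) return admin || hasRole(subject, READ_ROLE);
        return admin;                                       // writes need admin
    }

    // Constructed subjects for the demonstration below.
    static Subject subjectWith(String... roles) {
        Subject s = new Subject();
        for (String r : roles) s.getPrincipals().add(new RolePrincipal(r));
        return s;
    }

    public static void main(String[] args) {
        Subject monitor = subjectWith(READ_ROLE);
        Subject admin = subjectWith(WRITE_ROLE);
        System.out.println(permit(monitor, "GET", "/broker"));
        System.out.println(permit(monitor, "GET", CONFIG_PATH));
        System.out.println(permit(monitor, "DELETE", "/broker/queues/orders"));
        System.out.println(permit(admin, "POST", "/broker/shutdown"));
        System.out.println(permit(null, "GET", "/broker"));
    }
}
```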
