Hello, Thank you for an answer. I have problems even with starting, since from what I see security was completely changed from what was available in ActiveMQ. First thing is that there is no SecurityContext object attached to the client so to say, so I don't really know where I should store information read from certificate and access permissions. It seems that e.g. BrokerMessageAuthorizationPlugin gets it from reference to server (that it gets from its "registered" callback) by getting its securityStore() and from that ServerSession and from that Subject. It seems that I could do the same, *but* I can't find any way to put my own information there. It seems that to do it I'd have to go the hard route and implement my own securityManager (as it is used when creating securityStore in ActiveMQServerImpl) at least and probably some other classes. This is why I thought about using JAAS - this way "all" I'd have to do is to reimplement "CertificateLoginModule" used by "ActiveMQJAASSecurityManager". It takes care of reading certificate and parsing it, but
a) make different assumptions about which field from certificate will be used, b) from what I understand uses properties file to get roles for users. I use OID "0.9.2342.19200300.100.1.1" which contains data in format "ROLE/UUID", where "UUID" is client's UUID which serves as both its identifier and name of queue for messages sent to client, and "ROLE" is more or less a predefined set of permissions that controls what queues (by name) this client can read from, write to and create. This is one problem. Another is how I should check whether a client can create a queue. I wrote simple SpringBoot based program that embeds Artemis, installs my plugin and then sends message to "QUEUEDEF" (sorry my naming sense). It seems that from the plugin's perspective the flow of the process of client connecting and sending single message is as follows: CALLING: beforeCreateSession CALLING: beforeMessageRoute CALLING: afterMessageRoute CALLING: afterCreateSession CALLING: beforeAddBinding CALLING: beforeMessageRoute CALLING: afterMessageRoute CALLING: afterAddBinding CALLING: afterCreateQueue CALLING: beforeSend CALLING: beforeMessageRoute CALLING: afterMessageRoute CALLING: afterSend I don't know why but "beforeCreateQueue" is not called - not that it is important since I can't do anything with it as I have no access to ServerSession in this callback. What I am interested in is whether I am correctly assuming that basically the only place I can check anything is "beforeSend" callback. Unfortunately it is called after "afterCreateQueue" (and as I wrote "beforeCreateQueue" is not called), so I can't prevent queue creation in this case - there is not enough data passed to the callback. Also it seems that "canAccept" is called only when a message is about to be sent to the consumer, and it makes me wonder what is the reason for lack of other "canDoSomething" methods, e.g. "canCreateQueue()" :) To sum up: 1. I can't see a way to attach my own data to client's session and the only way to do it seems to be write JAAS plugin/login module. 2. I can't see a way to prevent client from creating arbitrary queues. TIA, Jędrzej Dudkiewicz On Thu, Jan 5, 2023 at 4:31 AM Justin Bertram <jbert...@apache.org> wrote: > > Can you elaborate on what exactly you haven't been able to translate into > Artemis' plugin architecture? As Gary mentioned, there's a fairly rich set > of integration points with the various plugins and the fact that the > security manager is pluggable as well. Examples of most of these are > shipped with the broker to help you get going. You shouldn't need to > implement your own JAAS login module as far as I can tell from your > description. > > That said, right now you'll have to jump through a few hoops to get details > from the SSL certificate into the authorization method as the > RemotingConnection is no longer passed into it [1]. See ARTEMIS-4059 [2] > for additional discussion on that point. > > Ultimately there's no set of classes which will give you a 1 to 1 > translation for migrating plugins since the internal broker architectures > are so different. However, the basic concepts should translate such that > just about anything you could do in "Classic" you should be able to do in > Artemis. If not, we'll implement those abilities where it makes sense. > > > Justin > > [1] > https://activemq.apache.org/components/artemis/documentation/javadocs/javadoc-latest/org/apache/activemq/artemis/spi/core/security/ActiveMQSecurityManager5.html > [2] https://issues.apache.org/jira/browse/ARTEMIS-4059 > > On Wed, Dec 28, 2022 at 4:45 AM Jędrzej Dudkiewicz < > jedrzej.dudkiew...@gmail.com> wrote: > > > Hello, > > > > I wrote to this group earlier > > (https://www.mail-archive.com/dev@activemq.apache.org/msg67666.html) > > and got a response regarding migrating plugin from AMQ to Artemis. But > > honestly even after reading links provided by Garry Tully I can't > > figure out how I should proceed. My plugin extends BrokerFilter > > (import org.apache.activemq.broker.BrokerFilter) and uses most/all > > available methods: start(), addConnection(), removeConnection(), > > addConsumer(), removeConsumer(), addDestination(), > > addDestinationInfo(), removeDestination(), removeDestinationInfo(), > > addProducer() and send(). > > > > My first problem is that the first thing I want to do is to retrieve > > the certificate from connection (so probably getTransportConnection() > > from RemotingConnection in Artemis should be used?), parse it, read > > few fields and store proper information in SecurityContext associated > > with this connection. Later this info is used to determine whether a > > connected client can create, delete or send messages to specific > > destinations (queues/topics?). Plugin also sends information about > > connecting/disconnecting clients and so on to predefined queue. > > > > I tried to figure out how the JAAS plugin can be used for this, but > > JAAS as a whole seems to be overly complicated and I'd rather > > reimplement everything from scratch than try to figure out how to use > > such umm... well regarded and mature solution. > > > > Is there some set of classes allowing for 1 to 1 translation of > > ActiveMQ to Artemis plugins? > > > > TIA, > > -- > > Jędrzej Dudkiewicz > > > > I really hate this damn machine, I wish that they would sell it. > > It never does just what I want, but only what I tell it. > > > > -- Jędrzej Dudkiewicz I really hate this damn machine, I wish that they would sell it. It never does just what I want, but only what I tell it.
