Daniel Abayev created AMQ-6364:
----------------------------------

             Summary: Add a BROWSE role for clients who can browse queues but 
can't consume
                 Key: AMQ-6364
                 URL: https://issues.apache.org/jira/browse/AMQ-6364
             Project: ActiveMQ
          Issue Type: New Feature
    Affects Versions: 5.x
            Reporter: Daniel Abayev


I'm standing up a cluster of AMQs, which I will offer in a multi-tenant setup. 
Each tenant will have a networkOfBrokers with SSL transports (only) on each 
broker. Each broker will have two transports: 1) frontdoor - which is what the 
clients will connect to (1-way TLS + LDAP Auth) 2) backdoor - will connect the 
network (2-way TLS). The problem is that the broker expects me to also 
authenticate via LDAP on the backdoor. This proves troublesome as I would have to 
configure, and protect, customers' LDAP credentials. I would much rather have 
2-way TLS, as I can have the certificates in a keystore + its key vaulted 
somewhere on the host.
I've looked at 1) org.apache.activemq.jaas.TextFileCertificateLoginModule + 
org.apache.activemq.security.JaasCertificateAuthenticationPlugin
2) org.apache.activemq.jaas.LDAPLoginModule + 
org.apache.activemq.security.JaasAuthenticationPlugin
but both of these LoginModules handle different callbacks + the 
authenticationPlugins expect sequential successes; the way BrokerFilter works, 
one can't have a fallback jaasPlugin. What's needed is an authenticationPlugin 
that will use a CertificateCallbackHandler as the primary logon and a 
CredentialsCallbackHandler as the default, kind of what SSH does (i.e. 
org.apache.karaf.shell.ssh.KarafJaasAuthenticator).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
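The plugin the reporter is asking for, sketched as an added example (not code from the reporter, the issue, or the ActiveMQ project). It uses the real ActiveMQ classes named in the issue (BrokerPlugin, BrokerFilter, JaasCertificateAuthenticationBroker, JaasAuthenticationBroker) but the class names, the package, and the JAAS realm names "activemq-cert" and "activemq-ldap" are assumptions. Rather than chaining the two existing plugins, which (as the issue notes) requires both to succeed, it selects one per connection: if the TLS layer attached a client certificate chain to the ConnectionInfo (which SslTransport does for a mutual-TLS backdoor connector), the certificate realm authenticates; otherwise the credentials realm does, which is what a 1-way TLS frontdoor client ends up in.

```java
package example.activemq.security; // assumed package, not part of ActiveMQ

import java.security.cert.X509Certificate;

import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;
import org.apache.activemq.broker.BrokerPlugin;
import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.command.ConnectionInfo;
import org.apache.activemq.security.JaasAuthenticationBroker;
import org.apache.activemq.security.JaasCertificateAuthenticationBroker;

/**
 * Assumed example: certificate-first, credentials-as-fallback authentication.
 *
 * Wire it in activemq.xml as a plugin bean, e.g.
 *   <plugins>
 *     <bean xmlns="http://www.springframework.org/schema/beans"
 *           class="example.activemq.security.CertThenCredentialsAuthenticationPlugin">
 *       <property name="certificateConfiguration" value="activemq-cert"/>
 *       <property name="credentialsConfiguration" value="activemq-ldap"/>
 *     </bean>
 *   </plugins>
 * where login.config defines "activemq-cert" with TextFileCertificateLoginModule
 * and "activemq-ldap" with LDAPLoginModule (realm names are assumptions).
 */
public class CertThenCredentialsAuthenticationPlugin implements BrokerPlugin {

    private String certificateConfiguration = "activemq-cert"; // assumed realm name
    private String credentialsConfiguration = "activemq-ldap"; // assumed realm name

    @Override
    public Broker installPlugin(Broker next) {
        return new SelectingBroker(next, certificateConfiguration, credentialsConfiguration);
    }

    public void setCertificateConfiguration(String name) { this.certificateConfiguration = name; }
    public void setCredentialsConfiguration(String name) { this.credentialsConfiguration = name; }

    /** Picks one JAAS authenticator per connection instead of requiring both to pass. */
    static final class SelectingBroker extends BrokerFilter {
        private final JaasCertificateAuthenticationBroker certificateBroker;
        private final JaasAuthenticationBroker credentialsBroker;

        SelectingBroker(Broker next, String certificateRealm, String credentialsRealm) {
            super(next);
            // Both wrap the same downstream broker; exactly one of them handles a given connection.
            this.certificateBroker = new JaasCertificateAuthenticationBroker(next, certificateRealm);
            this.credentialsBroker = new JaasAuthenticationBroker(next, credentialsRealm);
        }

        /**
         * SslTransport stores the peer certificate chain as the ConnectionInfo transport
         * context; a 1-way TLS client has none, so only mutual-TLS peers take this branch.
         * The length check matters: an empty chain must not count as "authenticated by cert".
         */
        private static boolean presentedClientCertificate(ConnectionInfo info) {
            Object transportContext = info.getTransportContext();
            return transportContext instanceof X509Certificate[]
                    && ((X509Certificate[]) transportContext).length > 0;
        }

        @Override
        public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception {
            if (presentedClientCertificate(info)) {
                // Backdoor (2-way TLS): identity comes from the vaulted keystore, no LDAP password needed.
                certificateBroker.addConnection(context, info);
            } else {
                // Frontdoor (1-way TLS): fall back to username/password against LDAP.
                credentialsBroker.addConnection(context, info);
            }
        }

        @Override
        public void removeConnection(ConnectionContext context, ConnectionInfo info, Throwable error)
                throws Exception {
            // Route teardown to the same authenticator so it can drop the SecurityContext it created.
            if (presentedClientCertificate(info)) {
                certificateBroker.removeConnection(context, info, error);
            } else {
                credentialsBroker.removeConnection(context, info, error);
            }
        }
    }
}
```

The check a practitioner should keep in mind: the credentials fallback is only safe if the backdoor connector is configured with needClientAuth=true, so that a peer without a valid certificate is rejected in the TLS handshake and never reaches the fallback branch; otherwise a network peer could simply omit its certificate and try LDAP passwords on the transport that was meant to be certificate-only.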
