[
https://issues.apache.org/jira/browse/AMQ-6364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daniel Abayev updated AMQ-6364:
-------------------------------
Description: Add a BROWSE role for clients who can browse queues but can't
consume. (was: I'm standing up a cluster of AMQs, which I will offer in a
multi-tenant setup. Each tenant will have a networkOfBrokers with SSL
transports (only) on each broker. Each broker will have two transports:
1) frontdoor - which is what the clients will connect to (1-way TLS + LDAP Auth)
2) backdoor - will connect the network (2-way TLS).
The problem is that the broker expects me to also authenticate via LDAP on the
backdoor. This proves troublesome as I would have to configure, and protect,
customers' LDAP credentials. I would much rather have 2-way TLS, as I can have
the certificates in a keystore + its key vaulted somewhere in the host.
I've looked at
1) org.apache.activemq.jaas.TextFileCertificateLoginModule +
org.apache.activemq.security.JaasCertificateAuthenticationPlugin
2) org.apache.activemq.jaas.LDAPLoginModule +
org.apache.activemq.security.JaasAuthenticationPlugin
but both of these LoginModules handle different callBacks + the
authenticationPlugins expect sequential successes; the way BrokerFilter works,
one can't have a fallback jaasPlugin. What's needed is an authenticationPlugin
that will use a CertificateCallBackHandler as the primary logon, and a
CredentialsCallBackHandler as the default, kind of what SSH does (i.e.
org.apache.karaf.shell.ssh.KarafJaasAuthenticator))
> Add a BROWSE role for clients who can browse queues but can't consume
> ---------------------------------------------------------------------
>
> Key: AMQ-6364
> URL: https://issues.apache.org/jira/browse/AMQ-6364
> Project: ActiveMQ
> Issue Type: New Feature
> Affects Versions: 5.x
> Reporter: Daniel Abayev
> Labels: ActiveMQ, BrokerFilter, JaasAuthenticationPlugin
>
> Add a BROWSE role for clients who can browse queues but can't consume.