That sounds good. I was searching in the code and that is where I thought I might be able to hook in.

Why not add an authorizer attribute which is the class name of the custom authorizer.

<access_rule allow="*" action="create destroy send" authorizer="MyCustomAuthorizer"/>
<access_rule allow="*" action="connect receive consume" authorizer="MyCustomAuthorizer2"/>

On Jul 12, 2013, at 11:01 AM, Hiram Chirino <hi...@hiramchirino.com> wrote:

> Ok then it seems like you will need to implement a custom Authorizer.
> The interface of an Authorizer is quite simple. It looks like:
>
> trait Authorizer {
>   def can(ctx:SecurityContext, action:String, resource:SecuredResource):Boolean;
> }
>
> Basically the ctx will have the user info including the security
> subject/cert info. The action is stuff like "send", and the resource
> will be an instance of a virtualhost, queue, topic (etc.) that the
> user is trying to perform the action against. The method just needs to
> return true if it's allowed.
>
> The only problem is there does not yet exist a way to configure a
> custom authorizer. Let me see if I can add support for that in the apollo
> configuration.
>
>
> On Wed, Jul 10, 2013 at 6:38 PM, Garry Watkins <cats...@me.com> wrote:
>> Yes, the users will be unknown at the time of connection.
>>
>> On Jul 10, 2013, at 3:00 PM, Hiram Chirino <hi...@hiramchirino.com> wrote:
>>
>>> And the user names are dynamic? You don't know them ahead of time?
>>>
>>> On Tue, Jul 9, 2013 at 4:14 PM, Garry Watkins <cats...@icloud.com> wrote:
>>>> I have been looking at the documentation in the security section.
>>>>
>>>> http://activemq.apache.org/apollo/documentation/user-manual.html#Security
>>>>
>>>> I need to write code that will capture allow a queue to be created with the
>>>> same name as the user. That user may then be allowed to receive and consume
>>>> messages.
>>>>
>>>> Any hints about where I could inject this into the code?
>>>>
>>>> Thanks
>>>>
>>>>
>>>> On Jul 08, 2013, at 02:06 PM, Christian Posta <christian.po...@gmail.com>
>>>> wrote:
>>>>
>>>> Should be the distinguished name from the X509 cert:
>>>>
>>>> http://docs.oracle.com/javase/6/docs/api/javax/security/auth/x500/X500Principal.html
>>>>
>>>>
>>>> On Mon, Jul 8, 2013 at 1:31 PM, Garry Watkins <cats...@me.com> wrote:
>>>>
>>>> Ok, now that I know that I can do that.
>>>>
>>>> How does Apollo assign the username? What I want to do is have another
>>>> process create a queue just for that user, and that is the only queue that
>>>> user may access.
>>>>
>>>> Thanks for the speedy response.
>>>>
>>>> On Jul 8, 2013, at 1:28 PM, Christian Posta <christian.po...@gmail.com>
>>>> wrote:
>>>>
>>>>> Yep, try adding the following to your ssl connector:
>>>>>
>>>>> <connector id="default" bind="ssl://0.0.0.0:61614">
>>>>>   <ssl client_auth="need" />
>>>>> </connector>
>>>>>
>>>>>
>>>>> On Mon, Jul 8, 2013 at 12:51 PM, Garry Watkins <cats...@me.com> wrote:
>>>>>
>>>>>> Is it possible to use Client Certs for Authentication/Authorization for
>>>>>> Apollo?
>>>>>
>>>>>
>>>>> --
>>>>> *Christian Posta*
>>>>> http://www.christianposta.com/blog
>>>>> twitter: @christianposta
>>>>
>>>>
>>>> --
>>>> *Christian Posta*
>>>> http://www.christianposta.com/blog
>>>> twitter: @christianposta
>>>
>>>
>>> --
>>> Hiram Chirino
>>>
>>> Engineering | Red Hat, Inc.
>>>
>>> hchir...@redhat.com | fusesource.com | redhat.com
>>>
>>> skype: hiramchirino | twitter: @hiramchirino
>>>
>>> blog: Hiram Chirino's Bit Mojo
>>
>
>
> --
> Hiram Chirino
>
> Engineering | Red Hat, Inc.
>
> hchir...@redhat.com | fusesource.com | redhat.com
>
> skype: hiramchirino | twitter: @hiramchirino
>
> blog: Hiram Chirino's Bit Mojo
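
An added example, not part of the thread and not Apollo's own code: one way the `Authorizer` trait quoted above could enforce the per-user queue rule discussed in the thread, with default deny. `SecurityContext` and `SecuredResource` below are minimal hypothetical stand-ins (a `user` DN string and a resource `kind`/`id`), not Apollo's real classes; taking the queue name from the certificate's CN and the set of allowed actions are assumptions.

```scala
import javax.naming.InvalidNameException
import javax.naming.ldap.LdapName

// Hypothetical stand-ins for Apollo's types, reduced to what this example needs.
case class SecurityContext(user: String)             // X.509 subject DN; null if unauthenticated
case class SecuredResource(kind: String, id: String) // e.g. kind = "queue", id = queue name

// Trait as quoted in the thread.
trait Authorizer {
  def can(ctx: SecurityContext, action: String, resource: SecuredResource): Boolean
}

// Lets a user act only on the queue named after the CN of their client certificate.
class PerUserQueueAuthorizer extends Authorizer {
  private val queueActions = Set("create", "receive", "consume") // assumed action set

  // Parse the DN with LdapName rather than splitting on commas: an RFC 2253
  // value may contain an escaped comma followed by text that looks like "CN=".
  private def commonName(dn: String): Option[String] =
    try {
      val name = new LdapName(dn)
      // getRdn(0) is the right-most RDN, so walk from the left-most one.
      (name.size - 1 to 0 by -1).map(i => name.getRdn(i))
        .find(_.getType.equalsIgnoreCase("CN"))
        .map(_.getValue.toString)
        .filter(_.nonEmpty)
    } catch { case _: InvalidNameException => None }

  def can(ctx: SecurityContext, action: String, resource: SecuredResource): Boolean =
    Option(ctx).flatMap(c => Option(c.user)).flatMap(commonName) match {
      case Some(cn) => resource.kind == "queue" && queueActions(action) && resource.id == cn
      case None     => false // no usable identity: deny
    }
}

object Demo extends App {
  val authz = new PerUserQueueAuthorizer
  val alice = SecurityContext("CN=alice,OU=Devices,O=Example") // constructed sample DN
  assert(authz.can(alice, "consume", SecuredResource("queue", "alice")))  // own queue
  assert(!authz.can(alice, "consume", SecuredResource("queue", "bob")))   // someone else's queue
  assert(!authz.can(alice, "send", SecuredResource("queue", "alice")))    // action not granted
  assert(!authz.can(alice, "consume", SecuredResource("topic", "alice"))) // wrong resource kind
  // Escaped comma: the CN value is "bob,CN=alice", which must not match queue "alice".
  assert(!authz.can(SecurityContext("CN=bob\\,CN=alice"), "consume", SecuredResource("queue", "alice")))
  assert(!authz.can(SecurityContext(null), "consume", SecuredResource("queue", "alice")))
  println("all checks passed")
}
```

Anything that is not an explicit match is denied, so actions on other resources (for example `connect`) would still need their own rule.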