That sounds good. I was searching in the code and that is where i thought I
might be able to hook in.
Why not add an authorizer attribute which is the class name of the custom
authorizer.
<access_rule allow="*" action="create destroy send"
authorizer="MyCustomAuthorizer"/>
<access_rule allow="*" action="connect receive consume"
authorizer="MyCustomAuthorizer2"/>
On Jul 12, 2013, at 11:01 AM, Hiram Chirino <hi...@hiramchirino.com> wrote:
> Ok then it seems like you will need to implement a custom Authorizer.
> The interface of an Authorizer is quite simple. It looks like:
>
> trait Authorizer {
> def can(ctx:SecurityContext, action:String,
> resource:SecuredResource):Boolean;
> }
>
> Basically the ctx will have the user info including the security
> subject/cert info. The action is stuff like "send", and the resource
> will be an instance of a virtualhost, queue, topic (etc.) that the
> user is trying to perform the action against. The method just need
> return true if it's allowed.
>
> The only problem is there does not yet exist a way to configure a
> custom authorizer. Let me see if add support for that in the apollo
> configuration.
>
>
> On Wed, Jul 10, 2013 at 6:38 PM, Garry Watkins <cats...@me.com> wrote:
>> Yes, the users will be unknown at the time of connection.
>>
>> On Jul 10, 2013, at 3:00 PM, Hiram Chirino <hi...@hiramchirino.com> wrote:
>>
>>> An the user names are dynamic? You don't know them ahead of time?
>>>
>>> On Tue, Jul 9, 2013 at 4:14 PM, Garry Watkins <cats...@icloud.com> wrote:
>>>> I have been looking at the documentation in the security section.
>>>>
>>>> http://activemq.apache.org/apollo/documentation/user-manual.html#Security
>>>>
>>>> I need to write code that will capture allow a queue to be created with the
>>>> same name as the user. That user may then be allowed to receive and
>>>> consume
>>>> messages.
>>>>
>>>> Any hints about where i could inject this into the code?
>>>>
>>>> Thanks
>>>>
>>>>
>>>> On Jul 08, 2013, at 02:06 PM, Christian Posta <christian.po...@gmail.com>
>>>> wrote:
>>>>
>>>> Should be the distinguished name from the X509 cert:
>>>>
>>>> http://docs.oracle.com/javase/6/docs/api/javax/security/auth/x500/X500Principal.html
>>>>
>>>>
>>>> On Mon, Jul 8, 2013 at 1:31 PM, Garry Watkins <cats...@me.com> wrote:
>>>>
>>>> Ok, now that I know that I can do that.
>>>>
>>>> How does Apollo assign the username? What I want to do is have another
>>>>
>>>> process create a queue just for that user, and that is the only queue that
>>>>
>>>> user may access.
>>>>
>>>> Thanks for the speedy response.
>>>>
>>>> On Jul 8, 2013, at 1:28 PM, Christian Posta <christian.po...@gmail.com>
>>>>
>>>> wrote:
>>>>
>>>>> Yep, try adding the following to your ssl connector:
>>>>
>>>>>
>>>>
>>>>> <connector id="default" bind="ssl://0.0.0.0:61614">
>>>>
>>>>>
>>>>
>>>>> *<ssl client_auth="need" />*
>>>>
>>>>>
>>>>
>>>>> </connector>
>>>>
>>>>>
>>>>
>>>>>
>>>>
>>>>> On Mon, Jul 8, 2013 at 12:51 PM, Garry Watkins <cats...@me.com> wrote:
>>>>
>>>>>
>>>>
>>>>>> Is it possible to use Client Certs for Authentication/Authorization for
>>>>
>>>>>> Apollo?
>>>>
>>>>>
>>>>
>>>>>
>>>>
>>>>>
>>>>
>>>>>
>>>>
>>>>> --
>>>>
>>>>> *Christian Posta*
>>>>
>>>>> http://www.christianposta.com/blog
>>>>
>>>>> twitter: @christianposta
>>>>
>>>>
>>>>
>>>> --
>>>> *Christian Posta*
>>>> http://www.christianposta.com/blog
>>>> twitter: @christianposta
>>>
>>>
>>>
>>> --
>>> Hiram Chirino
>>>
>>> Engineering | Red Hat, Inc.
>>>
>>> hchir...@redhat.com | fusesource.com | redhat.com
>>>
>>> skype: hiramchirino | twitter: @hiramchirino
>>>
>>> blog: Hiram Chirino's Bit Mojo
>>
>
>
>
> --
> Hiram Chirino
>
> Engineering | Red Hat, Inc.
>
> hchir...@redhat.com | fusesource.com | redhat.com
>
> skype: hiramchirino | twitter: @hiramchirino
>
> blog: Hiram Chirino's Bit Mojo
