Took a look at it, and it should work for me. Thanks for the ultra fast 
resolution to the problem.

Is the GitHub version pretty stable for testing? When do you think 1.7 will be 
released?

Thanks again for doing this so quickly.
Garry

On Jul 13, 2013, at 2:18 PM, Hiram Chirino <hi...@hiramchirino.com> wrote:

> Hi Garry,
> 
> This is what I came up with:
> 
> Firstly you need to implement the SecurityFactory trait. For example:
> 
> https://github.com/apache/activemq-apollo/blob/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/test/UserOwnershipSecurityFactory.scala#L29
> 
> Then you need to set the 'security_factory' attribute of the broker
> element to the name of the class you implemented it with. For example:
> https://github.com/apache/activemq-apollo/blob/trunk/apollo-stomp/src/test/resources/apollo-stomp-custom-security.xml#L18
> 
> This change is being tracked via:
> https://issues.apache.org/jira/browse/APLO-330#comment-13707807
> 
> On Fri, Jul 12, 2013 at 11:22 AM, Garry Watkins <cats...@me.com> wrote:
>> That sounds good.  I was searching in the code and that is where I thought I
>> might be able to hook in.
>> 
>> Why not add an authorizer attribute which is the class name of the custom
>> authorizer?
>> 
>> <access_rule allow="*" action="create destroy send" authorizer="MyCustomAuthorizer"/>
>> <access_rule allow="*" action="connect receive consume" authorizer="MyCustomAuthorizer2"/>
>> 
>> On Jul 12, 2013, at 11:01 AM, Hiram Chirino <hi...@hiramchirino.com> wrote:
>> 
>>> Ok then it seems like you will need to implement a custom Authorizer.
>>> The interface of an Authorizer is quite simple.  It looks like:
>>> 
>>> trait Authorizer {
>>>   def can(ctx:SecurityContext, action:String, resource:SecuredResource):Boolean;
>>> }
>>> 
>>> Basically the ctx will have the user info including the security
>>> subject/cert info.  The action is stuff like "send", and the resource
>>> will be an instance of a virtualhost, queue, topic (etc.) that the
>>> user is trying to perform the action against.  The method just needs
>>> to return true if it's allowed.
>>> 
>>> The only problem is there does not yet exist a way to configure a
>>> custom authorizer.  Let me see if I can add support for that in the apollo
>>> configuration.
>>> 
>>> 
>>> On Wed, Jul 10, 2013 at 6:38 PM, Garry Watkins <cats...@me.com> wrote:
>>>> Yes, the users will be unknown at the time of connection.
>>>> 
>>>> On Jul 10, 2013, at 3:00 PM, Hiram Chirino <hi...@hiramchirino.com> wrote:
>>>> 
>>>>> And the user names are dynamic?  You don't know them ahead of time?
>>>>> 
>>>>> On Tue, Jul 9, 2013 at 4:14 PM, Garry Watkins <cats...@icloud.com> wrote:
>>>>>> I have been looking at the documentation in the security section.
>>>>>> 
>>>>>> http://activemq.apache.org/apollo/documentation/user-manual.html#Security
>>>>>> 
>>>>>> I need to write code that will capture allow a queue to be created with
>>>>>> the same name as the user.  That user may then be allowed to receive and
>>>>>> consume messages.
>>>>>> 
>>>>>> Any hints about where I could inject this into the code?
>>>>>> 
>>>>>> Thanks
>>>>>> 
>>>>>> 
>>>>>> On Jul 08, 2013, at 02:06 PM, Christian Posta <christian.po...@gmail.com>
>>>>>> wrote:
>>>>>> 
>>>>>> Should be the distinguished name from the X509 cert:
>>>>>> 
>>>>>> http://docs.oracle.com/javase/6/docs/api/javax/security/auth/x500/X500Principal.html
>>>>>> 
>>>>>> 
>>>>>> On Mon, Jul 8, 2013 at 1:31 PM, Garry Watkins <cats...@me.com> wrote:
>>>>>> 
>>>>>> Ok, now that I know that I can do that.
>>>>>> 
>>>>>> How does Apollo assign the username? What I want to do is have another
>>>>>> process create a queue just for that user, and that is the only queue
>>>>>> that user may access.
>>>>>> 
>>>>>> Thanks for the speedy response.
>>>>>> 
>>>>>> On Jul 8, 2013, at 1:28 PM, Christian Posta <christian.po...@gmail.com>
>>>>>> wrote:
>>>>>> 
>>>>>>> Yep, try adding the following to your ssl connector:
>>>>>>> 
>>>>>>> <connector id="default" bind="ssl://0.0.0.0:61614">
>>>>>>>   <ssl client_auth="need" />
>>>>>>> </connector>
>>>>>>> 
>>>>>>> On Mon, Jul 8, 2013 at 12:51 PM, Garry Watkins <cats...@me.com> wrote:
>>>>>>> 
>>>>>>>> Is it possible to use Client Certs for Authentication/Authorization for
>>>>>>>> Apollo?
>>>>>>> 
>>>>>>> --
>>>>>>> *Christian Posta*
>>>>>>> http://www.christianposta.com/blog
>>>>>>> twitter: @christianposta
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> *Christian Posta*
>>>>>> http://www.christianposta.com/blog
>>>>>> twitter: @christianposta
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> Hiram Chirino
>>>>> 
>>>>> Engineering | Red Hat, Inc.
>>>>> 
>>>>> hchir...@redhat.com | fusesource.com | redhat.com
>>>>> 
>>>>> skype: hiramchirino | twitter: @hiramchirino
>>>>> 
>>>>> blog: Hiram Chirino's Bit Mojo
>>>> 
>>> 
>>> 
>>> 
>>> --
>>> Hiram Chirino
>>> 
>>> Engineering | Red Hat, Inc.
>>> 
>>> hchir...@redhat.com | fusesource.com | redhat.com
>>> 
>>> skype: hiramchirino | twitter: @hiramchirino
>>> 
>>> blog: Hiram Chirino's Bit Mojo
>> 
> 
> 
> 
> -- 
> Hiram Chirino
> 
> Engineering | Red Hat, Inc.
> 
> hchir...@redhat.com | fusesource.com | redhat.com
> 
> skype: hiramchirino | twitter: @hiramchirino
> 
> blog: Hiram Chirino's Bit Mojo
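
An added example, not code from this thread or from the Apollo project: an authorizer with the `can` signature quoted above that lets a certificate-authenticated user create, receive from and consume from only the queue named after them. `SecurityContext` and `SecuredResource` are simplified stand-ins defined here; the resource kind strings, the `UserQueueAuthorizer` name and the choice to name the queue after the certificate's CN are assumptions.

```scala
import javax.naming.InvalidNameException
import javax.naming.ldap.LdapName
import scala.collection.JavaConverters._

// Stand-ins (assumptions) so this file compiles alone; only the signature of
// Authorizer.can comes from the thread. Field names and kind strings are hypothetical.
case class SecurityContext(user: String)             // user = certificate subject DN
case class SecuredResource(kind: String, id: String) // e.g. kind "queue", id "alice"

trait Authorizer {
  def can(ctx: SecurityContext, action: String, resource: SecuredResource): Boolean
}

class UserQueueAuthorizer extends Authorizer {
  // What the queue's owner may do; "send" and "destroy" are left to other principals.
  private val ownerActions = Set("create", "receive", "consume")

  // Parse the DN with the JDK's RFC 2253 parser instead of splitting on commas.
  // Accept it only if it has exactly one single-valued, non-empty CN; a
  // multi-valued RDN such as CN=a+UID=1 is ignored and therefore denied.
  private def commonName(dn: String): Option[String] =
    try {
      val cns = new LdapName(dn).getRdns.asScala
        .filter(r => r.size == 1 && r.getType.equalsIgnoreCase("CN"))
        .map(_.getValue.toString)
      if (cns.size == 1 && cns.head.nonEmpty) Some(cns.head) else None
    } catch {
      case _: InvalidNameException | _: NullPointerException => None
    }

  def can(ctx: SecurityContext, action: String, resource: SecuredResource): Boolean =
    resource.kind match {
      // Exact match: a prefix test would let "alice" read a queue named "alice2".
      case "queue" => ownerActions(action) && commonName(ctx.user).contains(resource.id)
      case "connector" | "virtual-host" => action == "connect" && commonName(ctx.user).isDefined
      case _ => false // deny by default
    }
}

object UserQueueAuthorizerDemo extends App {
  val auth  = new UserQueueAuthorizer
  val alice = SecurityContext("CN=alice,OU=Clients,O=Example") // constructed DN
  println(auth.can(alice, "consume", SecuredResource("queue", "alice")))  // owner
  println(auth.can(alice, "consume", SecuredResource("queue", "alice2"))) // someone else's queue
  println(auth.can(alice, "send",    SecuredResource("queue", "alice")))  // not an owner action
  println(auth.can(SecurityContext("not a dn"), "connect", SecuredResource("connector", "default")))
}
```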
