For authentication you'll almost certainly want to implement a LoginModule. You can find reference implementations here [1].
For authorization I think your best bet will be to implement a SecuritySettingsPlugin [2]. There is an LDAP implementation you can reference here [3]. That should hopefully provide you all the flexibility you need.

Justin

[1] https://github.com/apache/activemq-artemis/tree/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas
[2] https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/SecuritySettingPlugin.java
[3] https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/LegacyLDAPSecuritySettingPlugin.java

On Sun, May 12, 2019 at 1:58 AM anishm <an...@govimana.com> wrote:

> Hello everyone,
>
> I just started writing some spikes to evaluate Artemis for a PoC and one of
> the use cases that the setup should satisfy is to accept authenticated
> mqtt+wss connections to allow posting to a wildcard of topics specific to a
> user.
>
> This means that a user will have permissions to publish to a wildcard topic
> expression, for example: A user `userfoo` will have permissions to publish
> to `stuff/userfoo/#`.
>
> The list of users is dynamic and a database holds the authentication
> information. The end goal is for Artemis to authenticate and authorize based
> on the information in the database without having to restart the broker on
> changes.
>
> I realise that there are few ways to do this. The common step being to set
> UserPrincipal and RolePrincipal using a class implementing the LoginModule.
>
> For authorization,
>
> 1. An MQTTInterceptor that gets the destination address, gets the subject's
> principals, and allows only matches to pass through. (Do I throw a
> SecurityException if match is not found?)
> 2. Implement a SecuritySetting with HierarchicalRepository that listens to
> changes and updates the SecuritySettings map: This method looks way too
> complicated for a simple AuthZ rule that I mentioned earlier. However I'd
> prefer to have the AuthN and AuthZ fully integrated in the Artemis system so
> that the Security is done using the core.
>
> What could be a better way to implement this?
>
> --
> Sent from:
> http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html
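
An added example, not code from this thread or from the Artemis project: a JAAS LoginModule of the kind suggested in the reply, which checks credentials against a database on every login and attaches Artemis user and role principals to the subject. `DbLoginModule`, `CredentialStore` and the static `store` field are hypothetical names; `UserPrincipal` and `RolePrincipal` are assumed to be the classes from the package linked in [1], each taking the name as its constructor argument.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal;
import org.apache.activemq.artemis.spi.core.security.jaas.UserPrincipal;

public class DbLoginModule implements LoginModule {
    // Hypothetical lookup interface: back it with parameterized queries and
    // compare against a salted password hash, never a stored plaintext.
    public interface CredentialStore {
        boolean verify(String user, char[] password);
        Set<String> rolesFor(String user);
    }
    public static volatile CredentialStore store; // assumption: set once at broker startup

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean authenticated;

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }
    @Override public boolean login() throws LoginException {
        NameCallback name = new NameCallback("Username: ");
        PasswordCallback pass = new PasswordCallback("Password: ", false);
        try {
            handler.handle(new Callback[] {name, pass});
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        user = name.getName();
        char[] pw = pass.getPassword();
        // Fail closed: a missing name, missing password or failed lookup all reject.
        authenticated = user != null && pw != null && store.verify(user, pw);
        pass.clearPassword();
        if (!authenticated) throw new FailedLoginException("invalid credentials");
        return true;
    }
    @Override public boolean commit() {
        if (!authenticated) return false;
        subject.getPrincipals().add(new UserPrincipal(user));
        // Roles are read at login time, so database changes apply without a restart.
        for (String r : store.rolesFor(user)) subject.getPrincipals().add(new RolePrincipal(r));
        return true;
    }
    @Override public boolean abort() { return logout(); }
    @Override public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal || p instanceof RolePrincipal);
        authenticated = false;
        user = null;
        return true;
    }
}
```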