> In a few words, what I’d like to achieve is to let Artemis instantiate and
> use a custom ActiveMQSecurityManager provided through a configuration
> parameter. Is there a way, or must I patch the Artemis code to allow the
> ActiveMQSecurityManager pluggability?

Currently there is no way to use a custom ActiveMQSecurityManager
implementation via the XML configuration. The broker would need to be
modified to allow this behavior (and I think that would be a valid
enhancement).

For what it's worth, using a custom ActiveMQSecurityManager implementation
is a trivial matter for embedded use-cases.


Justin

On Wed, Sep 11, 2019 at 9:28 AM Modanese, Riccardo
<riccardo.modan...@eurotech.com.invalid> wrote:

> Hi, unfortunately I cannot rely on a security repository and the users and
> ACL profiles could be thousands.
>
> My idea is to replace the ActiveMQJAASSecurityManager with my own custom
> ActiveMQSecurityManager implementation.
> But I didn’t find a way.
> It seems that there is no other way than specifying a jaas-security tag in
> the bootstrap.xml configuration file (<jaas-security domain="activemq"/>).
> If I remove the tag, or I try to change the DTO instance (with the
> appropriate annotation in the new DTO file itself), I get an XML validation
> schema error.
> From my attempts there is no way to remove the jaas-security tag.
>
> In a few words, what I’d like to achieve is to let Artemis instantiate and use
> a custom ActiveMQSecurityManager provided through a configuration parameter.
> Is there a way, or must I patch the Artemis code to allow the
> ActiveMQSecurityManager pluggability?
>
>
> On 28 Aug 2019, at 05:23, yw yw <wy96...@gmail.com> wrote:
>
> Yes, it would check every time a client publishes a message or subscribes
> to an address.
>
> From my understanding, SecuritySettingPlugin should meet your requirements.
> You can save the "securityRepository" passed by
> "SecuritySettingPlugin::setSecurityRepository" in your custom
> SecuritySettingPlugin. When you receive a notification that a user is
> added/removed, you can call securityRepository::addMatch/removeMatch/swap
> to change the ACL for the matching address.
>
>
> Modanese, Riccardo <riccardo.modan...@eurotech.com.invalid> wrote on
> Tue, Aug 27, 2019 at 11:12 PM:
>
> I think the SecuritySettingPlugin will not solve my issue, but a custom
> ActiveMQSecurityManager3 implementation could.
>
> So I tried to plug in an ActiveMQSecurityManager3 implementation, but without
> any success.
> From my understanding this plugin should be defined in bootstrap.xml, but
> unfortunately I found no way to replace the jaas-security tag with another
> one pointing to my configuration DTO (the xsd doesn’t provide an alternative
> tag to jaas-security).
>
> Anyway, just to be sure whether the ActiveMQSecurityManager3 API could fit my
> needs, is the method validateUserAndRole called before every
> publish/subscribe?
>
> On 26 Aug 2019, at 18:00, Christopher Shannon
> <christopher.l.shan...@gmail.com> wrote:
>
> You might need to write some custom code to do what you want and you could
> try a custom Security plugin.
> See the API and Java docs for the security setting plugin:
>
>
> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/SecuritySettingPlugin.java
>
> If you need even more control you can create your own SecurityManager and
> register it with the broker.  The interface to extend is:
>
>
> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQSecurityManager3.java
>
> The validateUserAndRole() method is where you do your ACL checks
>
> A default implementation that delegates to a JAAS module is included in
> the broker already, which you can use as an example or to extend:
>
>
> https://github.com/apache/activemq-artemis/blob/master/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java
>
> On Mon, Aug 26, 2019 at 8:01 AM Modanese, Riccardo
> <riccardo.modan...@eurotech.com.invalid> wrote:
>
> I already read this page and I wasn’t able to find any helpful information.
> In our use case each user has an ACL depending on the username itself.
> Moreover, a user can be added at runtime and the broker must be able to
> create and correctly handle the ACL for the newly created user as well.
>
> So, in the end, what I need is the capability of creating ACLs
> programmatically and keeping them in a session in order to be used every time
> a client publishes a message or subscribes to an address.
> In ActiveMQ 5 this was possible ( [1] - [2] ) by creating a
> DefaultAuthorizationMap object, but I cannot find a similar object in
> Artemis.
>
> [1] https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L683
> [2] https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/plugin/KapuaSecurityBrokerFilter.java#L557
>
>
> On 26 Aug 2019, at 13:43, Christopher Shannon
> <christopher.l.shan...@gmail.com> wrote:
>
> All of the info you should need to get started should be here:
>
>
>
> https://activemq.apache.org/components/artemis/documentation/latest/security.html
>
> On Mon, Aug 26, 2019 at 6:24 AM Modanese, Riccardo
> <riccardo.modan...@eurotech.com.invalid> wrote:
>
> Hello,
> In our ActiveMQ 5.x security plugin code we are enforcing ACLs
> programmatically, so I’m investigating how to migrate our current ACLs from
> ActiveMQ 5.x to Artemis.
>
> I took a look at the Artemis source code and I didn’t find any objects
> similar to those present in ActiveMQ 5.x (e.g.
> org.apache.activemq.security.AuthorizationMap,
> org.apache.activemq.security.AuthorizationEntry, ...).
>
> Can you point me in the right direction?

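An added example, not part of the original thread or the Artemis code base, of the embedded approach mentioned in the top reply: an ActiveMQSecurityManager3 that derives each user's ACL from the username and is handed to EmbeddedActiveMQ. The class names, the "devices.<username>" address convention, the credentials and the acceptor URL are assumptions made for illustration, and usernames are assumed to contain no '.'.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.activemq.artemis.core.config.Configuration;
import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
import org.apache.activemq.artemis.core.security.CheckType;
import org.apache.activemq.artemis.core.security.Role;
import org.apache.activemq.artemis.core.server.embedded.EmbeddedActiveMQ;
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3;

public class PerUserAclBroker {
    // Hypothetical manager: a user may only touch addresses under "devices.<username>".
    static class PerUserSecurityManager implements ActiveMQSecurityManager3 {
        private final Map<String, byte[]> users = new ConcurrentHashMap<>();
        // Users can be added or removed at runtime, without a restart or XML reload.
        void addUser(String user, String password) { users.put(user, password.getBytes(StandardCharsets.UTF_8)); }
        void removeUser(String user) { users.remove(user); }

        @Override public boolean validateUser(String user, String password) {
            byte[] expected = user == null ? null : users.get(user);
            // Constant-time comparison; unknown users and null passwords are rejected.
            return expected != null && password != null
                && MessageDigest.isEqual(expected, password.getBytes(StandardCharsets.UTF_8));
        }
        @Override public String validateUser(String user, String password, RemotingConnection conn) {
            return validateUser(user, password) ? user : null;   // null means rejected
        }
        @Override public boolean validateUserAndRole(String user, String password, Set<Role> roles, CheckType type) {
            return false;   // no address to check against: deny
        }
        @Override public String validateUserAndRole(String user, String password, Set<Role> roles,
                                                    CheckType type, String address, RemotingConnection conn) {
            if (address == null || !validateUser(user, password)) return null;
            String own = "devices." + user;   // ACL derived from the username itself
            return address.equals(own) || address.startsWith(own + ".") ? user : null;
        }
    }

    public static void main(String[] args) throws Exception {
        PerUserSecurityManager manager = new PerUserSecurityManager();
        manager.addUser("device-42", "constructed-sample-password");   // constructed credentials
        Configuration config = new ConfigurationImpl()
            .setPersistenceEnabled(false)
            .addAcceptorConfiguration("tcp", "tcp://localhost:61616");
        EmbeddedActiveMQ broker = new EmbeddedActiveMQ();
        broker.setConfiguration(config);
        broker.setSecurityManager(manager);   // replaces the JAAS manager that bootstrap.xml would wire in
        broker.start();
    }
}
```

The broker caches authentication and authorization results for the configured security-invalidation-interval, so a removed user can keep passing checks until that cache expires.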