I'm trying to wrap my head around how connection router functionality works.
In my case, I already have two acceptors: an SSL-protected, externally exposed
one, which should be used only by the external unprivileged users, and an
internal one on a different AMQP port, which should be used by the privileged
internal users. If I understand correctly, the external acceptor should be
configured in such a way that it allows all users except for a few privileged
ones. Since we are using ActiveMQBasicSecurityManager, I probably cannot use a
security domain here, but looking through the documentation, I should be able
to use redirection on a specific acceptor with key-type USER_NAME, right?
--
Vilius
-----Original Message-----
From: Domenico Francesco Bruscino <[email protected]>
Sent: Wednesday, April 16, 2025 9:27 AM
To: [email protected]
Subject: Re: IP address whitelisting for Artemis users
Hi Vilius,
you can create an acceptor that allows only connections from specific users by
setting a per-acceptor security domain[1] and a connection router[2] to reject
connections with a source IP address that doesn't match your filter, i.e.

<connection-router name="privileged-ip-filter">
   <key-type>SOURCE_IP</key-type>
   <local-target-filter>^192\.168\.10\.1|192\.168\.10\.2$</local-target-filter>
</connection-router>

[1] https://activemq.apache.org/components/artemis/documentation/latest/security.html#per-acceptor-security-domains
[2] https://activemq.apache.org/components/artemis/documentation/latest/connection-routers.html#connection-routers
Regards,
Domenico
On Tue, 15 Apr 2025 at 22:24, Vilius Šumskas <[email protected]>
wrote:
> Hi,
>
> is there a way to somehow limit which IP an Artemis user is allowed to
> connect from? We had instances where a privileged user dedicated to
> internal usage only was used in externalized Java services. I want to
> protect these users from being used where they should not be.
>
> --
> Best Regards,
> Vilius
>
>
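
Added example, not part of the original thread and not Artemis code: a small harness for checking what a local-target-filter pattern lets through before it goes into broker.xml, covering both the SOURCE_IP filter posted above and a USER_NAME filter of the kind asked about. It assumes the broker applies the filter as a whole-string match (verify this for your version); the user names, the NOT_PRIVILEGED pattern and the sample keys are constructed for illustration.

```python
import re

# Filter exactly as posted in the reply above.
POSTED = r"^192\.168\.10\.1|192\.168\.10\.2$"
# Grouped form: the anchors bind to both alternatives under any match mode.
GROUPED = r"^(?:192\.168\.10\.1|192\.168\.10\.2)$"
# Hypothetical USER_NAME filter for the external acceptor: every user except
# the listed privileged ones (names are constructed for this example).
NOT_PRIVILEGED = r"^(?!(?:admin|internal-svc)$).+$"


def accepts(pattern, key, full_match=True):
    """Return True if the key passes the filter.

    full_match=True models a whole-string match (assumed broker behaviour);
    full_match=False models a substring search, to show what the anchors
    and the grouping protect against.
    """
    rx = re.compile(pattern)
    m = rx.fullmatch(key) if full_match else rx.search(key)
    return m is not None


def audit(pattern, keys, full_match=True):
    """Return the subset of keys the filter would let through."""
    return [k for k in keys if accepts(pattern, k, full_match)]


# Constructed sample keys, including near misses an allowlist must reject.
SOURCE_IPS = ["192.168.10.1", "192.168.10.2", "192.168.10.100",
              "192.168.10.11", "10.192.168.10.2", "192.168.10.3"]
USERS = ["admin", "internal-svc", "admin2", "partner-app", ""]

if __name__ == "__main__":
    print("posted, full match:", audit(POSTED, SOURCE_IPS))
    print("posted, search    :", audit(POSTED, SOURCE_IPS, full_match=False))
    print("grouped, search   :", audit(GROUPED, SOURCE_IPS, full_match=False))
    print("external users    :", audit(NOT_PRIVILEGED, USERS))
```

Under a whole-string match the posted pattern admits only the two listed addresses; under search semantics the ungrouped alternation would also admit 192.168.10.100, 192.168.10.11 and 10.192.168.10.2, which the grouped form rejects in both modes.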