5 Replies Latest reply on Feb 5, 2013 8:17 AM by akhayo

Topic authentication using Interceptors?

akhayo Feb 3, 2013 5:52 AM

Good morning,

I wish to control who can access/subscribe a certain Topic in my horneq jms server. I took a look the Security subject in the user manual and thought about implenting my own securitymanager. (on a side note the usermanual talks about org.hornetq.core.security.SecurityManager which is missing)

While thinking about this i saw that the securitymanager can only be used to control the general access to the jms server.

After looking around i bumped into interceptors, reading a bit about it in the user manual gave me confirmation that interceptors were flexible enough to implement authentication on Topic level.

Is it wise to implement authentication with Interceptors or is there maybe another way (a better way) to do this? Maybe too much to ask but is there a simple example around?

Kind regards.

1. Re: Topic authentication using Interceptors?

jbertram Feb 3, 2013 11:10 PM (in response to akhayo)

I wish to control who can access/subscribe a certain Topic in my horneq jms server. I took a look the Security subject in the user manual and thought about implenting my own securitymanager. (on a side note the usermanual talks about org.hornetq.core.security.SecurityManager which is missing)
I just sent a pull request to fix the documentation. If hadn't figured it out already the correct interface is org.hornetq.spi.core.security.HornetQSecurityManager.

While thinking about this i saw that the securitymanager can only be used to control the general access to the jms server.
You can do role-based authorization along with authentication. See http://docs.jboss.org/hornetq/2.3.0.CR1/docs/user-manual/html_single/index.html#security.settings.roles. Does that not fit your need? If so, please elaborate as to why not.
1 of 1 people found this helpful
Actions
2. Re: Topic authentication using Interceptors?

akhayo Feb 4, 2013 8:03 AM (in response to jbertram)

Hi Justin,

Thank you for your reply and thoughts on the subject. I took a look at the link you gave and noticed that the definitions of "who may do what" is defined in xml. In my project users and topics are dynamically generated over time, so they are not yet known at the configuration phase. "Who may do what" is defined in a database and can change every minute. That is why my thoughts did go to a interceptor which reads the access rules from the database and checks who accesses what in the jms server. Another possibility would be to check the source of the existing authorisation / authentication classes and replace the xml with a database scheme, but i suspect i would run into trouble when i want to "plugin" my own implementation into hornetq without rebuilding the original hornetq source tree?
Actions
3. Re: Topic authentication using Interceptors?

jbertram Feb 4, 2013 10:21 AM (in response to akhayo)

My recommendation would be to either implement a JAAS login module that would read the information from the database or use JBoss AS7 where you can use the existing JAAS database login module as well as a JCA-based JDBC datasource that is pooled and has a lot of convenient configuration options.
1 of 1 people found this helpful
Actions
4. Re: Topic authentication using Interceptors?

jbertram Feb 4, 2013 10:23 AM (in response to akhayo)

To be clear, I think using interceptors for this functionality is misguided. The security subsystem is pluggable and built explicitly for this purpose. You should use it - either in standalone mode or in AS7.
Actions
5. Re: Topic authentication using Interceptors?

akhayo Feb 5, 2013 8:17 AM (in response to jbertram)

Thank you for the support, i'm going to take a look at the JAAS login module.
Actions

Go to original post