0

在我的应用程序中,用户可以自由创建一个帐户,并且它需要拥有一个队列(或主题)来在它们之间通信 2 个后端进程。我不想activemq每次有人创建帐户时都必须修改配置。我已经创建了一个jaasAuthenticationPlugin,它工作正常。这是我activemq.xml文件的相关部分:

<plugins>
  <!-- 'activemq-domain' defined in conf/login.conf -->
  <jaasAuthenticationPlugin configuration="activemq-domain" />

  <authorizationPlugin>
    <map>
      <authorizationMap>
        <authorizationEntries>
          <authorizationEntry queue="foobarQueue"
              write="foobarGroup"
              read="foobarGroup"
              admin="foobarGroup"
          />
        </authorizationEntries>
      </authorizationMap>
    </map>
  </authorizationPlugin>
</plugins>

正如您可能推断的那样,身份验证插件正在验证用户(foobar在本例中)并将用户放入foobarGroup组中。AuthorizationEntry授予this的权限read和权限。这工作得很好,但现在如果我创建一个新用户,我必须来到这个文件并添加一个新的. 是否可以使用简单的配置行来执行以下操作:writeadminfoobarQueuefoobarGroupAuthorizationEntryactivemq.xml

<authorizationEntry
    queue="<% Username %>"
    write="<% Username %>"
    read="<% Username %>"
    admin="<% Username %>"
/>

或者我应该写一些 JAAS 授权类来做到这一点?

4

1 回答 1

3

最后我写了一个类来处理授权部分。这有点困难,因为很难找到文档,而且我找不到任何好的例子。挖掘默认源代码LDAPAuthorizationMap是关键。无论如何,任何感兴趣的人的来源:

package com.example.activemq;


import org.apache.activemq.advisory.AdvisorySupport;
import org.apache.activemq.command.ActiveMQDestination;
import org.apache.activemq.jaas.GroupPrincipal;
import org.apache.activemq.security.AuthorizationMap;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import java.util.HashSet;
import java.util.Set;

public class OwnedUserQueueAuthorizator implements AuthorizationMap {
    private static final Log log =
            LogFactory.getLog(OwnedUserQueueAuthorizator.class);
    private boolean debug = false;

    // the Destination will be the name of the user, and we should return that
    // the group with user name has read,write and admin privileges to the
    // topic/queue named like the username


    // for temporary destinations, if null is returned, then everybody has
    // permission.

    public Set<GroupPrincipal> getTempDestinationAdminACLs() {
        return null;
    }

    public Set<GroupPrincipal> getTempDestinationReadACLs() {
        return null;
    }

    public Set<GroupPrincipal> getTempDestinationWriteACLs() {
        return null;
    }

    // for persistent destinations

    public Set<GroupPrincipal> getAdminACLs(ActiveMQDestination destination) {
        if (debug) {
            log.debug("getAdminACLs: " + destination.getPhysicalName());
        }
        return getACLs(destination);
    }

    public Set<GroupPrincipal> getReadACLs(ActiveMQDestination destination) {
        if (debug) {
            log.debug("getReadACLs: " + destination.getPhysicalName());
        }
        return getACLs(destination);
    }

    public Set<GroupPrincipal> getWriteACLs(ActiveMQDestination destination) {
        if (debug) {
            log.debug("getwriteACLs: " + destination.getPhysicalName());
        }
        return getACLs(destination);
    }

    private Set<GroupPrincipal> getACLs(ActiveMQDestination destination) {
        Set<GroupPrincipal> result;

        if (AdvisorySupport.isAdvisoryTopic(destination)) {
            result = getACLsForAdvisory();
        } else {
            result = new HashSet<GroupPrincipal>();
            // Destination should be something like UUID or UUID.whatever...,
            // so we must add only the first component as the group principal
            result.add(new GroupPrincipal(
                    destination.getDestinationPaths()[0])
            );
        }

        if (debug) {
            String s = "";
            for (GroupPrincipal gp : result) {
                s += ", " + gp.getName();
            }
            log.debug("groupPrincipals: " + "[" + s.substring(2) + "]");
        }
        return result;
    }

    private Set<GroupPrincipal> getACLsForAdvisory() {
        Set<GroupPrincipal> result = new HashSet<GroupPrincipal>();
        GroupPrincipal g = new GroupPrincipal("advisories");
        result.add(g);
        return result;
    }

    // Properties
    // -------------------------------------------------------------------------

    // if the <bean> definition in the activemq.xml has some
    // <property name="foo" value="..." />
    // defined, they will call this.setFoo($value), so, even if these get/set
    // methods aren't called from here, they are really needed.

    public void setDebug(String debug) {
        this.debug = "true".equalsIgnoreCase(debug);
    }

    public String getDebug() {
        return String.valueOf(debug);
    }
}

conf/activemq.xml文件:

<beans ...>
    ...
    <broker ...>
    ...
        <plugins>                                                               
            <!-- 'activemq-domain' defined in conf/login.conf -->               
            <jaasAuthenticationPlugin configuration="activemq-domain" />        

            <authorizationPlugin>                                               
                <map>                                                           
                    <bean id="OwnedUserQueueAuthorizationMap"                            
                        class="com.example.activemq.OwnedUserQueueAuthorizator"   
                        xmlns="http://www.springframework.org/schema/beans">    
                        <property name="debug" value="false"/>                   
                    </bean>                                                     
                </map>                                                          
            </authorizationPlugin>                                              
        </plugins>   
        ...
    </broker>
    ...
</beans>
于 2013-09-16T07:58:20.357 回答