Show Table of Contents
8.4. Programming Message-Level Authorization
Overview
In the preceding examples, the authorization step is performed at the time of connection creation and access is applied at the destination level of granularity. That is, the authorization step grants or denies access to particular queues or topics. It is conceivable, though, that in some systems you might want to grant or deny access at the level of individual messages, rather than at the level of destinations. For example, you might want to grant permission to all users to read from a certain queue, but some messages published to this queue should be accessible to administrators only.
You can achieve message-level authorization by configuring a message authorization policy in the broker configuration file. To implement this policy, you need to write some Java code.
Implement the MessageAuthorizationPolicy interface
Example 8.5, “Implementation of MessageAuthorizationPolicy” shows an example of a message authorization policy that allows messages from the
WebServer application to reach only the admin user, with all other users blocked from reading these messages. This example presupposes that the WebServer application is configured to set the JMSXAppID property in the message's JMS header.
Example 8.5. Implementation of MessageAuthorizationPolicy
package com.acme;
...
public class MsgAuthzPolicy implements MessageAuthorizationPolicy {
public boolean isAllowedToConsume(ConnectionContext context, Message message)
{
if (message.getProperty("JMSXAppID").equals("WebServer")) {
if (context.getUserName().equals("admin")) {
return true;
}
else {
return false;
}
}
return true;
}
}
The
org.apache.activemq.broker.ConnectionContext class stores details of the current client connection and the org.apache.activemq.command.Message class is essentially an implementation of the standard javax.jms.Message interface.
To install the message authorization policy, compile the preceding code, package it as a JAR file, and drop the JAR file into the
$ACTIVEMQ_HOME/lib directory.
Configure the messageAuthorizationPolicy element
To configure the broker to install the message authorization policy from Example 8.5, “Implementation of MessageAuthorizationPolicy”, add the following lines to the broker configuration file,
etc/activemq.xml, inside the broker element:
<broker>
...
<messageAuthorizationPolicy>
<bean class="com.acme.MsgAuthzPolicy"
xmlns="http://www.springframework.org/schema/beans"/>
</messageAuthorizationPolicy>
...
</broker>
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.