7.4. Programming Message-Level Authorization
Overview
In the preceding examples, the authorization step is performed at the time of connection creation and access is applied at the destination level of granularity. That is, the authorization step grants or denies access to particular queues or topics. It is conceivable, though, that in some systems you might want to grant or deny access at the level of individual messages, rather than at the level of destinations. For example, you might want to grant permission to all users to read from a certain queue, but some messages published to this queue should be accessible to administrators only.
You can achieve message-level authorization by configuring a message authorization policy in the broker configuration file. To implement this policy, you need to write some Java code.
Implement the MessageAuthorizationPolicy interface
Example 7.5, “Implementation of MessageAuthorizationPolicy” shows an example of a message authorization policy that allows messages from the
WebServer
application to reach only the admin
user, with all other users blocked from reading these messages. This example presupposes that the WebServer
application is configured to set the JMSXAppID
property in the message's JMS header.
Example 7.5. Implementation of MessageAuthorizationPolicy
package com.acme; ... public class MsgAuthzPolicy implements MessageAuthorizationPolicy { public boolean isAllowedToConsume(ConnectionContext context, Message message) { if (message.getProperty("JMSXAppID").equals("WebServer")) { if (context.getUserName().equals("admin")) { return true; } else { return false; } } return true; } }
The
org.apache.activemq.broker.ConnectionContext
class stores details of the current client connection and the org.apache.activemq.command.Message
class is essentially an implementation of the standard javax.jms.Message
interface.
To install the message authorization policy, compile the preceding code, package it as a JAR file, and drop the JAR file into the
$ACTIVEMQ_HOME/lib
directory.
Configure the messageAuthorizationPolicy element
To configure the broker to install the message authorization policy from Example 7.5, “Implementation of MessageAuthorizationPolicy”, add the following lines to the broker configuration file,
conf/activemq.xml
, inside the broker
element:
<broker> ... <messageAuthorizationPolicy> <bean class="com.acme.MsgAuthzPolicy" xmlns="http://www.springframework.org/schema/beans"/> </messageAuthorizationPolicy> ... </broker>