I've read about the automatic configuration reload which - according to the docs - also includes security settings. What I could not figure out yet (and did not see any indications for it) is whether Artemis also updates roles etc. when LDAP auth is active.
The question is: in an ActiveMQ Artemis deployment where OpenLDAP is used for authentication and authorization, do I need to take care of updating the roles etc. myself, or is this done automatically?
The documentation you cited is related to reloading broker.xml when a change is detected. It isn't really applicable to the LDAP authorization data since that data is in LDAP and not in broker.xml. However, the documentation for the LegacyLDAPSecuritySettingsPlugin is relevant as it discusses the enableListener option:
enableListener. Whether or not to enable a listener that will automatically receive updates made in the LDAP server and update the broker's authorization configuration in real-time. The default value is true.
Since enableListener defaults to true then changes made to your LDAP authorization data should automatically be reflected in the broker.
The listener is an implementation of both javax.naming.event.NamespaceChangeListener and javax.naming.event.ObjectChangeListener and is registered using the javax.naming.event.EventDirContext#addNamingListener(java.lang.String, java.lang.String, javax.naming.directory.SearchControls, javax.naming.event.NamingListener) method.
That said, you may run into ARTEMIS-2671 which will be resolved in the next release (i.e. 2.12.0). It's also possible that your particular LDAP server doesn't actually support this listener functionality. If that's the case then restarting the broker is your only option to reload the LDAP data. Modifying broker.xml won't reload it.
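As an added illustration (not part of the answer above, and not copied from the Artemis distribution's sample configuration), this is the broker.xml security-settings block that wires in the LDAP plugin with enableListener stated explicitly rather than relied on as a default. The host, port, bind DN, password and directory layout are placeholders; the setting names and the plugin class name are the ones the Artemis plugin ships with.

```xml
<!-- Added example: broker.xml fragment, placeholder values throughout -->
<security-settings>
   <security-setting-plugin class-name="org.apache.activemq.artemis.core.server.impl.LegacyLDAPSecuritySettingPlugin">
      <setting name="initialContextFactory" value="com.sun.jndi.ldap.LdapCtxFactory"/>
      <!-- ldaps:// so the bind password and the role data are not sent in clear -->
      <setting name="connectionURL" value="ldaps://ldap.example.com:636"/>
      <!-- a read-only bind account; the broker never needs to write to the directory -->
      <setting name="connectionUsername" value="cn=artemis-reader,ou=system"/>
      <setting name="connectionPassword" value="changeme"/>
      <setting name="connectionProtocol" value="s"/>
      <setting name="authentication" value="simple"/>
      <!-- subtree holding the per-destination entries whose members map to roles -->
      <setting name="destinationBase" value="ou=destinations,o=ActiveMQ,ou=system"/>
      <setting name="filter" value="(cn=*)"/>
      <setting name="roleAttribute" value="uniqueMember"/>
      <!-- the listener that pushes directory changes into the broker's security settings;
           true is already the default, set here so a reader of the file sees the intent -->
      <setting name="enableListener" value="true"/>
   </security-setting-plugin>
</security-settings>
```

The JDK's LDAP provider implements addNamingListener with a persistent-search control, so before relying on live updates check that the directory actually advertises that control: a base-scope search of the root DSE for the supportedControl attribute (for example `ldapsearch -x -H ldaps://ldap.example.com:636 -s base -b '' supportedControl`) lists what the server supports. If it is missing, the broker will load the roles once at startup and, as the answer says, only a restart reloads them.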
My Symfony application runs calculations based on a user's request. I'd like to send them an email as a response.
I have created a custom channel and handler in config.yml:
# config.yml
# ...
monolog:
    handlers:
        buildbot:
            level: info
            type: stream
            channels: [buildbot]
Now I write logs to it from various services:
<?php
// AppBundle/Services/BuildBot.php
$this->buildLogger->info('Fabricating robot shell');
In a service I want to email the requestor with log lines from the "buildbot" Monolog channel. How can I read the log lines?
From a design perspective I don’t think that Symfony’s logger is the right tool to use for this task. In my opinion that logger is meant to log information about your application’s activities that may or may not be useful to you as the developer (or other kinds of administrators).
Whereas in your use case the log is meant for the end user and doesn’t really contain application-level information but request-level information. I would separate that.
My personal approach would be to create a simple service (that might even implement the logger interface) that accepts those messages, subscribes to the kernel.terminate event and sends the combined messages to the user in the end.
Anyway, if you really want to do this with Monolog, you should look into its handlers. Here is a list of available handlers whereas here and here are Symfony-specific examples on how to configure them. You probably have to write your own mailing handler because the packaged one assumes that there is a static recipient whereas you probably want the mail to be sent to the current user.
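As an added example (not from the answer above, and not code from the asker's project or from Symfony itself), here is the approach the answer recommends written out: a request-scoped service that implements the PSR-3 logger interface, buffers what the build services log, and mails the combined lines to the requesting user on kernel.terminate. The class name, the use of the Symfony Mailer component, TerminateEvent::isMainRequest() (Symfony 5.3 or later) and the assumption that the user object exposes getEmail() are all choices made for this illustration.

```php
<?php
// Added example: a PSR-3 "build log" that is delivered by e-mail at kernel.terminate.
// Class/service names, the Mailer usage and getEmail() on the user are assumptions.

namespace AppBundle\Services;

use Psr\Log\AbstractLogger;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\TerminateEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Mailer\MailerInterface;
use Symfony\Component\Mime\Email;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;

final class BuildLog extends AbstractLogger implements EventSubscriberInterface
{
    /** @var string[] lines collected during the current request */
    private array $lines = [];

    public function __construct(
        private MailerInterface $mailer,
        private TokenStorageInterface $tokenStorage,
    ) {
    }

    // PSR-3 entry point: info(), error(), ... all funnel through here.
    public function log($level, $message, array $context = []): void
    {
        // Interpolate {placeholders} as PSR-3 prescribes. Only scalars are
        // substituted, so an object in the context cannot leak its dump into the mail.
        $replace = [];
        foreach ($context as $key => $value) {
            if (is_scalar($value) || $value instanceof \Stringable) {
                $replace['{' . $key . '}'] = (string) $value;
            }
        }
        $this->lines[] = sprintf('[%s] %s', strtoupper((string) $level), strtr((string) $message, $replace));
    }

    public static function getSubscribedEvents(): array
    {
        // kernel.terminate fires after the response has been sent, so sending the
        // mail here does not delay the user's response.
        return [KernelEvents::TERMINATE => 'onTerminate'];
    }

    public function onTerminate(TerminateEvent $event): void
    {
        if (!$event->isMainRequest() || $this->lines === []) {
            return;
        }

        // Recipient comes from the authenticated token, never from request input,
        // so a caller cannot redirect someone else's build report to an address of
        // their choosing.
        $user = $this->tokenStorage->getToken()?->getUser();
        if (!is_object($user) || !method_exists($user, 'getEmail')) {
            return; // anonymous or unsupported user: nobody to mail
        }

        $email = (new Email())
            ->to($user->getEmail())
            ->subject('Build report')
            ->text(implode("\n", $this->lines)); // plain text: no HTML rendering of log content

        $this->mailer->send($email);
        $this->lines = []; // reset so a long-running worker does not carry lines over
    }
}
```

With autoconfiguration on, implementing EventSubscriberInterface is enough for the container to tag the service; the build services then receive BuildLog in place of the Monolog channel logger (for instance through an argument binding for `$buildLogger`), and nothing else in the code that calls `->info()` has to change.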
In the Symfony configuration there is an entry framework.session.storage_id. This setting also appears in the default config on the Symfony configuration documentation but it is not explained. My assumption is that it defines where session data is stored on the server side.
Values I have seen for this entry include session.storage.mock_file, session.storage.native and session.storage.filesystem. I am unsure of what these values exactly mean (e.g. what is the difference between a mock file and a filesystem?) and also think that this is not the complete list of possible values.
So what exactly does this configuration key control and what values are valid?
Valid values for framework.session.storage_id are the following:
session.storage.mock_file - for testing. It doesn't start session at all.
session.storage.filesystem - for testing. It is an alias for session.storage.mock_file.
session.storage.native - the default implementation, using the defined session handler
session.storage.php_bridge - for legacy apps
From a developer's perspective, there is a session service that abstracts working with the session. The session service depends on a session storage service. Session storage implements session management from PHP's perspective (calling the session_start() function, for example). Storage also depends on a session handler. The handler is an implementation of \SessionStorage and it tells how and where the session will be physically stored.
This three-layer design allows creating a storage for testing that does not call session_start() at all and does not use a handler (session.storage.mock_file), or creating a handler that can store and load the session from anywhere (session.storage.native). session.storage.php_bridge solves the situation where session_start() is called by external PHP code (not by the Symfony session storage).
I hope this is clear.
Session management in Symfony is based on two main rules.
Symfony must start the session.
The Symfony sessions are designed to replace the use of PHP native functions session_*() and $_SESSION global.
However, some exceptions exist. Sometimes it may be necessary to integrate Symfony in a legacy application, which starts the session with session_start().
With the session.storage.php_bridge directive, you can manage the session using a special gateway designed to allow Symfony to work with a session that was started outside the framework.
To make code that uses sessions testable, the session.storage.mock_file directive allows simulating the flow of a PHP session without really starting it.
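Both answers above describe the same three layers (session service, storage, handler) in words. As an added example that is not part of either answer and not Symfony's own container wiring, the script below builds by hand the storage object that each storage_id value makes the container inject into the session service, and then exercises the test storage from the command line to show that PHP's session machinery is never touched. It assumes symfony/http-foundation is installed through Composer; the directory paths and cookie options are constructed for the demo.

```php
<?php
// Added example: what framework.session.storage_id selects, built by hand.
// Assumes symfony/http-foundation via Composer; paths and options are constructed.

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\Storage\Handler\NativeFileSessionHandler;
use Symfony\Component\HttpFoundation\Session\Storage\MockFileSessionStorage;
use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;
use Symfony\Component\HttpFoundation\Session\Storage\PhpBridgeSessionStorage;
use Symfony\Component\HttpFoundation\Session\Storage\SessionStorageInterface;

/** Map a storage_id value to the storage layer it selects. */
function makeSessionStorage(string $storageId, string $dir): SessionStorageInterface
{
    switch ($storageId) {
        case 'session.storage.mock_file':
        case 'session.storage.filesystem':   // historical alias of mock_file
            // No session_start(), no handler: state goes to a file under $dir so it
            // survives across "requests" in a functional test.
            return new MockFileSessionStorage($dir);

        case 'session.storage.native':
            // Symfony calls session_start() itself and delegates persistence to a
            // \SessionHandlerInterface (here PHP's own files handler). This is also
            // the layer where the cookie hardening options live.
            return new NativeSessionStorage(
                [
                    'cookie_httponly' => true,
                    'cookie_secure'   => true,
                    'cookie_samesite' => 'lax',
                    'use_strict_mode' => true,   // reject session ids the server never issued
                ],
                new NativeFileSessionHandler($dir)
            );

        case 'session.storage.php_bridge':
            // Legacy code already ran session_start(); Symfony only attaches its
            // attribute/flash bags to the existing $_SESSION and never starts it.
            return new PhpBridgeSessionStorage();

        default:
            throw new \InvalidArgumentException("unknown storage id: $storageId");
    }
}

// Demo with the test storage: runs from the CLI because PHP's session
// machinery is never involved.
$dir = sys_get_temp_dir() . '/symfony_session_demo';
$session = new Session(makeSessionStorage('session.storage.mock_file', $dir));
$session->start();
$session->set('login_attempts', 3);
$session->save();                                   // written to a file under $dir
var_dump(session_status() === PHP_SESSION_NONE);   // bool(true): PHP never started a session

// A second "request" that reuses the id reads the data back through the same storage.
$again = new Session(makeSessionStorage('session.storage.mock_file', $dir));
$again->setId($session->getId());
$again->start();
var_dump($again->get('login_attempts'));            // int(3)
```

The native and php_bridge branches are the ones a real request goes through; they are not exercised in the demo because starting a PHP session only makes sense inside a web request, where the native storage also emits the session cookie with the options shown.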
When I use Cloudify (2.7) to deploy an application (e.g. an application that includes two services A and B), I try to use Admin.addEventListener() to add some event listener, but it doesn't work!
I try to add the ProcessingUnitStatusChangedEventListener; when I debug the code, the value of (ProcessingUnitStatusChangedEvent)event.getNewStatus() changes from SCHEDULED to INTACT, then SCHEDULED, then INTACT again.
I also try to add the ProcessingUnitInstanceLifecycleEventListener; when I debug the code, the status is intact, but the service is not available!
Is there any other listener or method to know that the application (not the services) is available, or am I using the listener in the wrong way?
First, the Admin API is internal - use it at your own risk. And you should not be using it the way you are - Cloudify adds a lot of logic on top of the internal Admin API.
Second, it is not exactly clear where you are executing your code from.
You can always use the rest client to get an accurate state of the application. Look at https://github.com/CloudifySource/cloudify/blob/master/rest-client/src/main/java/org/cloudifysource/restclient/RestClient.java#L388
In addition, if you are running this code in a service lifecycle event handler, the easiest way to implement this is to have your 'top' level service, the one that should be available last, write an application entry to the shared attributes store in its 'postStart' event. Everyone else can just periodically poll on this entry. The polling itself is very fast, all in-memory operations.
If you do not have a top-level service, or your logic is more complicated than that, you would need to use the Service Context API to scan each service and its instances to see if they are up. An explanation on getting service instance state is available here:
cloudify service dependsOn other service
I want to kill a user session forcefully (log out a user) in case of an activity like a password change. How can I do this programmatically in JBoss Portal Server?
When this activity happens my portlet's processAction method is called and I have a RenderRequest available but not an HttpRequest, so session.invalidate is not an option, I think.
Consider using the approach documented in the following JBoss article:
http://community.jboss.org/wiki/SessionInvalidate
I have a Relying Party and a provider running with DotNetOpenAuth. The issue is that when the provider has not been accessed in a while it is unloaded from IIS to conserve memory (which is normally a good thing). However, in this case it causes the Relying Party to throw the "No OpenID endpoint found" exception.
I know that IIS can be configured to never unload an application, but that is not an option in this case.
Is there a way to increase the timeout on the relying party to let it wait until the provider "wakes up" and not throw the No OpenId Endpoint Found exception?
I thought I had it with the "maxAuthenticationTime" property, but I guess this is really a setting for how many minutes in total the authentication round trip should be allowed to take.
Thanks.
Yes, these timeouts can be configured via your web.config file. Below is a snippet, with the defaults which you can raise:
<messaging>
  <untrustedWebRequest
    timeout="00:00:10"
    readWriteTimeout="00:00:01.500" />
</messaging>
Full configuration options are documented.