This closes #1487
commit
74db627b83
|
@ -744,7 +744,7 @@ public class QueueControlImpl extends AbstractControl implements QueueControl {
|
||||||
final String user,
|
final String user,
|
||||||
final String password) throws Exception {
|
final String password) throws Exception {
|
||||||
try {
|
try {
|
||||||
securityStore.check(queue.getAddress(), CheckType.SEND, new SecurityAuth() {
|
securityStore.check(queue.getAddress(), queue.getName(), CheckType.SEND, new SecurityAuth() {
|
||||||
@Override
|
@Override
|
||||||
public String getUsername() {
|
public String getUsername() {
|
||||||
return user;
|
return user;
|
||||||
|
|
|
@ -25,6 +25,8 @@ public interface SecurityStore {
|
||||||
|
|
||||||
void check(SimpleString address, CheckType checkType, SecurityAuth session) throws Exception;
|
void check(SimpleString address, CheckType checkType, SecurityAuth session) throws Exception;
|
||||||
|
|
||||||
|
void check(SimpleString address, SimpleString queue, CheckType checkType, SecurityAuth session) throws Exception;
|
||||||
|
|
||||||
boolean isSecurityEnabled();
|
boolean isSecurityEnabled();
|
||||||
|
|
||||||
void stop();
|
void stop();
|
||||||
|
|
|
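Review bot: The new four-argument `check(SimpleString address, SimpleString queue, CheckType checkType, SecurityAuth session)` is added to the interface without Javadoc, and its contract is not obvious from the signature. In the implementation shown in this commit the three-argument overload calls it with `queue == null`, and the only visible use of `queue` is choosing the denial message. A caller reading the interface alone could assume the permission is evaluated per queue. I would add a Javadoc along the lines of `/** @param queue queue being accessed, or null if not applicable; reported on denial, the permission match is made on address */`, adjusted if the unseen part of the implementation does use the queue for matching.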
@ -162,6 +162,14 @@ public class SecurityStoreImpl implements SecurityStore, HierarchicalRepositoryC
|
||||||
public void check(final SimpleString address,
|
public void check(final SimpleString address,
|
||||||
final CheckType checkType,
|
final CheckType checkType,
|
||||||
final SecurityAuth session) throws Exception {
|
final SecurityAuth session) throws Exception {
|
||||||
|
check(address, null, checkType, session);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void check(final SimpleString address,
|
||||||
|
final SimpleString queue,
|
||||||
|
final CheckType checkType,
|
||||||
|
final SecurityAuth session) throws Exception {
|
||||||
if (securityEnabled) {
|
if (securityEnabled) {
|
||||||
if (logger.isTraceEnabled()) {
|
if (logger.isTraceEnabled()) {
|
||||||
logger.trace("checking access permissions to " + address);
|
logger.trace("checking access permissions to " + address);
|
||||||
|
@ -206,7 +214,11 @@ public class SecurityStoreImpl implements SecurityStore, HierarchicalRepositoryC
|
||||||
notificationService.sendNotification(notification);
|
notificationService.sendNotification(notification);
|
||||||
}
|
}
|
||||||
|
|
||||||
throw ActiveMQMessageBundle.BUNDLE.userNoPermissions(session.getUsername(), checkType, saddress);
|
if (queue == null) {
|
||||||
|
throw ActiveMQMessageBundle.BUNDLE.userNoPermissions(session.getUsername(), checkType, saddress);
|
||||||
|
} else {
|
||||||
|
throw ActiveMQMessageBundle.BUNDLE.userNoPermissionsQueue(session.getUsername(), checkType, queue.toString(), saddress);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
// if we get here we're granted, add to the cache
|
// if we get here we're granted, add to the cache
|
||||||
ConcurrentHashSet<SimpleString> set = new ConcurrentHashSet<>();
|
ConcurrentHashSet<SimpleString> set = new ConcurrentHashSet<>();
|
||||||
|
|
|
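Review bot: In the new `check(address, queue, checkType, session)` the `queue` argument is only read at `if (queue == null)` just before the throw. The trace line `logger.trace("checking access permissions to " + address);` still omits it, so a trace of a check cannot be tied to a queue unless the check ends in a denial. Consider `logger.trace("checking access permissions to " + address + (queue == null ? "" : " for queue " + queue));`. The notification sent just above the throw is built outside the hunk; if it carries only the address, adding the queue name there would help whoever consumes those security-violation notifications. The method starts and ends outside both hunks, so whether the granted-permission cache remains keyed on address alone cannot be confirmed from here.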
@ -433,4 +433,7 @@ public interface ActiveMQMessageBundle {
|
||||||
@Message(id = 119212, value = "Invalid deletion policy type {0}", format = Message.Format.MESSAGE_FORMAT)
|
@Message(id = 119212, value = "Invalid deletion policy type {0}", format = Message.Format.MESSAGE_FORMAT)
|
||||||
IllegalArgumentException invalidDeletionPolicyType(String val);
|
IllegalArgumentException invalidDeletionPolicyType(String val);
|
||||||
|
|
||||||
|
@Message(id = 119213, value = "User: {0} does not have permission=''{1}'' for queue {2} on address {3}", format = Message.Format.MESSAGE_FORMAT)
|
||||||
|
ActiveMQSecurityException userNoPermissionsQueue(String username, CheckType checkType, String squeue, String saddress);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1861,9 +1861,9 @@ public class ActiveMQServerImpl implements ActiveMQServer {
|
||||||
|
|
||||||
if (queue.isDurable()) {
|
if (queue.isDurable()) {
|
||||||
// make sure the user has privileges to delete this queue
|
// make sure the user has privileges to delete this queue
|
||||||
securityStore.check(address, CheckType.DELETE_DURABLE_QUEUE, session);
|
securityStore.check(address, queueName, CheckType.DELETE_DURABLE_QUEUE, session);
|
||||||
} else {
|
} else {
|
||||||
securityStore.check(address, CheckType.DELETE_NON_DURABLE_QUEUE, session);
|
securityStore.check(address, queueName, CheckType.DELETE_NON_DURABLE_QUEUE, session);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -415,6 +415,12 @@ public class ServerSessionImpl implements ServerSession, FailureListener {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private void securityCheck(SimpleString address, SimpleString queue, CheckType checkType, SecurityAuth auth) throws Exception {
|
||||||
|
if (securityEnabled) {
|
||||||
|
securityStore.check(address, queue, checkType, auth);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public ServerConsumer createConsumer(final long consumerID,
|
public ServerConsumer createConsumer(final long consumerID,
|
||||||
final SimpleString queueName,
|
final SimpleString queueName,
|
||||||
|
@ -441,15 +447,15 @@ public class ServerSessionImpl implements ServerSession, FailureListener {
|
||||||
SimpleString address = removePrefix(binding.getAddress());
|
SimpleString address = removePrefix(binding.getAddress());
|
||||||
if (browseOnly) {
|
if (browseOnly) {
|
||||||
try {
|
try {
|
||||||
securityCheck(address, CheckType.BROWSE, this);
|
securityCheck(address, queueName, CheckType.BROWSE, this);
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
securityCheck(address.concat(".").concat(unPrefixedQueueName), CheckType.BROWSE, this);
|
securityCheck(address.concat(".").concat(unPrefixedQueueName), queueName, CheckType.BROWSE, this);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
try {
|
try {
|
||||||
securityCheck(address, CheckType.CONSUME, this);
|
securityCheck(address, queueName, CheckType.CONSUME, this);
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
securityCheck(address.concat(".").concat(unPrefixedQueueName), CheckType.CONSUME, this);
|
securityCheck(address.concat(".").concat(unPrefixedQueueName), queueName, CheckType.CONSUME, this);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -553,9 +559,9 @@ public class ServerSessionImpl implements ServerSession, FailureListener {
|
||||||
|
|
||||||
if (durable) {
|
if (durable) {
|
||||||
// make sure the user has privileges to create this queue
|
// make sure the user has privileges to create this queue
|
||||||
securityCheck(address, CheckType.CREATE_DURABLE_QUEUE, this);
|
securityCheck(address, name, CheckType.CREATE_DURABLE_QUEUE, this);
|
||||||
} else {
|
} else {
|
||||||
securityCheck(address, CheckType.CREATE_NON_DURABLE_QUEUE, this);
|
securityCheck(address, name, CheckType.CREATE_NON_DURABLE_QUEUE, this);
|
||||||
}
|
}
|
||||||
|
|
||||||
server.checkQueueCreationLimit(getUsername());
|
server.checkQueueCreationLimit(getUsername());
|
||||||
|
@ -631,7 +637,7 @@ public class ServerSessionImpl implements ServerSession, FailureListener {
|
||||||
|
|
||||||
address = removePrefix(address);
|
address = removePrefix(address);
|
||||||
|
|
||||||
securityCheck(address, CheckType.CREATE_NON_DURABLE_QUEUE, this);
|
securityCheck(address, name, CheckType.CREATE_NON_DURABLE_QUEUE, this);
|
||||||
|
|
||||||
server.checkQueueCreationLimit(getUsername());
|
server.checkQueueCreationLimit(getUsername());
|
||||||
|
|
||||||
|
|
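Review bot: In `createConsumer` the fallback calls check an address built from `unPrefixedQueueName` but pass the raw `queueName` as the queue argument, e.g. `securityCheck(address.concat(".").concat(unPrefixedQueueName), queueName, CheckType.BROWSE, this);`. If the two values differ, the denial message will name a queue that does not match the address that was evaluated. Passing `unPrefixedQueueName` in the BROWSE and CONSUME calls would keep the reported names consistent, assuming it is a `SimpleString`. Separately, the `catch (Exception e)` around the first attempt retries on any failure, not only a permission denial, and that first denial may already have sent a violation notification even when the fallback then succeeds; catching `ActiveMQSecurityException` would make the intent explicit. `createConsumer` begins and ends outside the hunk.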