ARTEMIS-2886 put address/FQQN into new security manager interface

The default JAAS security manager doesn't need the address/FQQN for
authorization, but I'm putting it back into the interface because there
are other use cases which *do* need it.
This commit is contained in:
Justin Bertram 2020-09-03 21:29:25 -05:00 committed by Clebert Suconic
parent 24ba4daf94
commit cf92c16339
5 changed files with 12 additions and 9 deletions

View File

@ -270,7 +270,7 @@ public class SecurityStoreImpl implements SecurityStore, HierarchicalRepositoryC
final Boolean validated;
if (securityManager instanceof ActiveMQSecurityManager5) {
Subject subject = getSubjectForAuthorization(session, ((ActiveMQSecurityManager5) securityManager));
validated = ((ActiveMQSecurityManager5) securityManager).authorize(subject, roles, checkType);
validated = ((ActiveMQSecurityManager5) securityManager).authorize(subject, roles, checkType, isFullyQualified ? fqqn.toString() : bareAddress.toString());
} else if (securityManager instanceof ActiveMQSecurityManager4) {
validated = ((ActiveMQSecurityManager4) securityManager).validateUserAndRole(user, session.getPassword(), roles, checkType, bareAddress.toString(), session.getRemotingConnection(), session.getSecurityDomain()) != null;
} else if (securityManager instanceof ActiveMQSecurityManager3) {

View File

@ -113,7 +113,8 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager5 {
@Override
public boolean authorize(final Subject subject,
final Set<Role> roles,
final CheckType checkType) {
final CheckType checkType,
final String address) {
boolean authorized = false;
if (subject != null) {

View File

@ -42,7 +42,7 @@ public interface ActiveMQSecurityManager5 extends ActiveMQSecurityManager {
* @param password the user's password
* @param remotingConnection the user's connection which contains any corresponding SSL certs
* @param securityDomain the name of the JAAS security domain to use (can be null)
* @return the Subject of the authenticated user or null if the user isn't authenticated
* @return the Subject of the authenticated user, else null
*/
Subject authenticate(String user, String password, RemotingConnection remotingConnection, String securityDomain);
@ -55,7 +55,8 @@ public interface ActiveMQSecurityManager5 extends ActiveMQSecurityManager {
* @param subject the Subject to authorize
* @param roles the roles configured in the security-settings
* @param checkType which permission to validate
* @param address the address (or FQQN) to grant access to
* @return true if the user is authorized, else false
*/
boolean authorize(Subject subject, Set<Role> roles, CheckType checkType);
boolean authorize(Subject subject, Set<Role> roles, CheckType checkType, String address);
}

View File

@ -92,7 +92,7 @@ public class JAASSecurityManagerTest {
Role role = new Role("programmers", true, true, true, true, true, true, true, true, true, true);
Set<Role> roles = new HashSet<>();
roles.add(role);
boolean authorizationResult = securityManager.authorize(result, roles, CheckType.SEND);
boolean authorizationResult = securityManager.authorize(result, roles, CheckType.SEND, "someaddress");
assertTrue(authorizationResult);

View File

@ -33,16 +33,17 @@ public class JAASSecurityManagerWrapper implements ActiveMQSecurityManager5 {
@Override
public Subject authenticate(String user, String password, RemotingConnection remotingConnection, String securityDomain) {
System.out.println("authenticate(" + user + ", " + password + ", " + remotingConnection.getRemoteAddress() + ")");
System.out.println("authenticate(" + user + ", " + password + ", " + remotingConnection.getRemoteAddress() + ", " + securityDomain + ")");
return activeMQJAASSecurityManager.authenticate(user, password, remotingConnection, securityDomain);
}
@Override
public boolean authorize(Subject subject,
Set<Role> roles,
CheckType checkType) {
System.out.println("authorize(" + subject + ", " + roles + ", " + checkType + ")");
return activeMQJAASSecurityManager.authorize(subject, roles, checkType);
CheckType checkType,
String address) {
System.out.println("authorize(" + subject + ", " + roles + ", " + checkType + ", " + address + ")");
return activeMQJAASSecurityManager.authorize(subject, roles, checkType, address);
}
@Override