Apache
/
activemq
mirror of https://github.com/apache/activemq.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

https://issues.apache.org/jira/browse/AMQ-826 - ldap based authorization - more fixes - support composite and easy advisory settings 

git-svn-id: https://svn.apache.org/repos/asf/activemq/trunk@1091862 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Bosanac Dejan 2011-04-13 17:49:29 +00:00
parent a072126722
commit 046130ef8e
10 changed files with 449 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
activemq-core/pom.xml
View File

@ -466,6 +466,10 @@
<!-- This test only works on machines which have ssh propertly configured -->
<exclude>**/SSHTunnelNetworkReconnectTest.*</exclude>
<!-- exclude until we fix problems with apache ds and maven -->
<exclude>**/LDAPAuthorizationMapTest.*</exclude>
<exclude>**/LDAPSecurityTest.*</exclude>
<!-- http://issues.apache.org/activemq/browse/AMQ-1027 -->
<exclude>**/FailoverConsumerTest.*</exclude>

78
activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java
View File

@ -33,6 +33,7 @@ import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import org.apache.activemq.advisory.AdvisorySupport;
import org.apache.activemq.command.ActiveMQDestination;
import org.apache.activemq.jaas.GroupPrincipal;
import org.apache.activemq.jaas.LDAPLoginModule;
@ -79,9 +80,11 @@ public class LDAPAuthorizationMap implements AuthorizationMap {
private MessageFormat topicSearchMatchingFormat;
private MessageFormat queueSearchMatchingFormat;
private String advisorySearchBase = "uid=ActiveMQ.Advisory,ou=topics,ou=destinations,o=ActiveMQ,dc=example,dc=com";
private boolean topicSearchSubtreeBool = true;
private boolean queueSearchSubtreeBool = true;
private boolean useAdvisorySearchBase = true;
private String adminBase;
private String adminAttribute;
@ -99,8 +102,9 @@ public class LDAPAuthorizationMap implements AuthorizationMap {
connectionProtocol = "s";
authentication = "simple";
topicSearchMatchingFormat = new MessageFormat("uid={0},ou=topics,ou=destinations,o=ActiveMQ,ou=system");
queueSearchMatchingFormat = new MessageFormat("uid={0},ou=queues,ou=destinations,o=ActiveMQ,ou=system");
topicSearchMatchingFormat = new MessageFormat("uid={0},ou=topics,ou=destinations,o=ActiveMQ,dc=example,dc=com");
queueSearchMatchingFormat = new MessageFormat("uid={0},ou=queues,ou=destinations,o=ActiveMQ,dc=example,dc=com");
adminBase = "(cn=admin)";
adminAttribute = "uniqueMember";
@ -151,14 +155,23 @@ public class LDAPAuthorizationMap implements AuthorizationMap {
}
public Set<GroupPrincipal> getAdminACLs(ActiveMQDestination destination) {
if (destination.isComposite()) {
return getCompositeACLs(destination, adminBase, adminAttribute);
}
return getACLs(destination, adminBase, adminAttribute);
}
public Set<GroupPrincipal> getReadACLs(ActiveMQDestination destination) {
if (destination.isComposite()) {
return getCompositeACLs(destination, readBase, readAttribute);
}
return getACLs(destination, readBase, readAttribute);
}
public Set<GroupPrincipal> getWriteACLs(ActiveMQDestination destination) {
if (destination.isComposite()) {
return getCompositeACLs(destination, writeBase, writeAttribute);
}
return getACLs(destination, writeBase, writeAttribute);
}
@ -301,6 +314,31 @@ public class LDAPAuthorizationMap implements AuthorizationMap {
this.writeBase = writeBase;
}
public boolean isUseAdvisorySearchBase() {
return useAdvisorySearchBase;
}
public void setUseAdvisorySearchBase(boolean useAdvisorySearchBase) {
this.useAdvisorySearchBase = useAdvisorySearchBase;
}
public String getAdvisorySearchBase() {
return advisorySearchBase;
}
public void setAdvisorySearchBase(String advisorySearchBase) {
this.advisorySearchBase = advisorySearchBase;
}
protected Set<GroupPrincipal> getCompositeACLs(ActiveMQDestination destination, String roleBase, String roleAttribute) {
ActiveMQDestination[] dests = destination.getCompositeDestinations();
Set<GroupPrincipal> acls = new HashSet<GroupPrincipal>();
for (ActiveMQDestination dest : dests) {
acls.addAll(getACLs(dest, roleBase, roleAttribute));
}
return acls;
}
// Implementation methods
// -------------------------------------------------------------------------
protected Set<GroupPrincipal> getACLs(ActiveMQDestination destination, String roleBase, String roleAttribute) {
@ -311,28 +349,28 @@ public class LDAPAuthorizationMap implements AuthorizationMap {
return new HashSet<GroupPrincipal>();
}
// if ((destination.getDestinationType() &
// (ActiveMQDestination.QUEUE_TYPE | ActiveMQDestination.TOPIC_TYPE)) !=
// 0)
// return new HashSet();
String destinationBase = "";
SearchControls constraints = new SearchControls();
if ((destination.getDestinationType() & ActiveMQDestination.QUEUE_TYPE) == ActiveMQDestination.QUEUE_TYPE) {
destinationBase = queueSearchMatchingFormat.format(new String[] {destination.getPhysicalName()});
if (queueSearchSubtreeBool) {
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
} else {
constraints.setSearchScope(SearchControls.ONELEVEL_SCOPE);
if (AdvisorySupport.isAdvisoryTopic(destination) && useAdvisorySearchBase) {
destinationBase = advisorySearchBase;
} else {
if ((destination.getDestinationType() & ActiveMQDestination.QUEUE_TYPE) == ActiveMQDestination.QUEUE_TYPE) {
destinationBase = queueSearchMatchingFormat.format(new String[]{destination.getPhysicalName()});
if (queueSearchSubtreeBool) {
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
} else {
constraints.setSearchScope(SearchControls.ONELEVEL_SCOPE);
}
}
}
if ((destination.getDestinationType() & ActiveMQDestination.TOPIC_TYPE) == ActiveMQDestination.TOPIC_TYPE) {
destinationBase = topicSearchMatchingFormat.format(new String[] {destination.getPhysicalName()});
if (topicSearchSubtreeBool) {
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
} else {
constraints.setSearchScope(SearchControls.ONELEVEL_SCOPE);
if ((destination.getDestinationType() & ActiveMQDestination.TOPIC_TYPE) == ActiveMQDestination.TOPIC_TYPE) {
destinationBase = topicSearchMatchingFormat.format(new String[]{destination.getPhysicalName()});
if (topicSearchSubtreeBool) {
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
} else {
constraints.setSearchScope(SearchControls.ONELEVEL_SCOPE);
}
}
}

26
activemq-core/src/test/java/org/apache/activemq/security/LDAPAuthorizationMapTest.java
View File

@ -17,10 +17,12 @@
package org.apache.activemq.security;
import junit.framework.TestCase;
import org.apache.activemq.advisory.AdvisorySupport;
import org.apache.activemq.command.ActiveMQDestination;
import org.apache.activemq.command.ActiveMQQueue;
import org.apache.activemq.command.ActiveMQTopic;
import org.apache.activemq.jaas.GroupPrincipal;
import org.apache.activemq.spring.ActiveMQConnectionFactory;
import org.apache.directory.server.annotations.CreateLdapServer;
import org.apache.directory.server.annotations.CreateTransport;
import org.apache.directory.server.core.annotations.ApplyLdifFiles;
@ -34,6 +36,7 @@ import org.junit.runner.RunWith;
import javax.naming.NameClassPair;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import java.text.MessageFormat;
import java.util.HashSet;
import java.util.Set;
@ -62,6 +65,9 @@ public class LDAPAuthorizationMapTest extends AbstractLdapTestUnit {
public void setup() throws Exception {
authMap = new LDAPAuthorizationMap();
authMap.setConnectionURL("ldap://localhost:1024");
authMap.setTopicSearchMatchingFormat(new MessageFormat("uid={0},ou=topics,ou=destinations,o=ActiveMQ,ou=system"));
authMap.setQueueSearchMatchingFormat(new MessageFormat("uid={0},ou=queues,ou=destinations,o=ActiveMQ,ou=system"));
authMap.setAdvisorySearchBase("uid=ActiveMQ.Advisory,ou=topics,ou=destinations,o=ActiveMQ,ou=system");
}
@Test
@ -129,4 +135,24 @@ public class LDAPAuthorizationMapTest extends AbstractLdapTestUnit {
assertTrue(aclst1.contains(new GroupPrincipal("role3")));
}
@Test
public void testComposite() {
ActiveMQDestination q1 = new ActiveMQQueue("queue1,topic://topic1");
Set aclsq1 = authMap.getWriteACLs(q1);
assertEquals(3, aclsq1.size());
assertTrue(aclsq1.contains(new GroupPrincipal("role1")));
assertTrue(aclsq1.contains(new GroupPrincipal("role2")));
assertTrue(aclsq1.contains(new GroupPrincipal("role3")));
}
@Test
public void testAdvisory() {
ActiveMQDestination dest = AdvisorySupport.getConnectionAdvisoryTopic();
Set acls = authMap.getWriteACLs(dest);
assertEquals(1, acls.size());
assertTrue(acls.contains(new GroupPrincipal("role3")));
}
}

79
activemq-core/src/test/java/org/apache/activemq/security/LDAPSecurityTest.java Normal file
View File

@ -0,0 +1,79 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.activemq.security;
import org.apache.activemq.ActiveMQConnectionFactory;
import org.apache.activemq.broker.BrokerFactory;
import org.apache.activemq.broker.BrokerService;
import org.apache.activemq.command.ActiveMQQueue;
import org.apache.directory.server.annotations.CreateLdapServer;
import org.apache.directory.server.annotations.CreateTransport;
import org.apache.directory.server.core.annotations.ApplyLdifFiles;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
import org.apache.directory.server.ldap.LdapServer;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import javax.jms.*;
import static org.junit.Assert.assertNotNull;
@RunWith( FrameworkRunner.class )
@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP")})
@ApplyLdifFiles(
"org/apache/activemq/security/activemq.ldif"
)
public class LDAPSecurityTest extends AbstractLdapTestUnit {
public BrokerService broker;
public static LdapServer ldapServer;
@Before
public void setup() throws Exception {
broker = BrokerFactory.createBroker("xbean:org/apache/activemq/security/activemq-ldap.xml");
broker.start();
broker.waitUntilStarted();
}
@After
public void shutdown() throws Exception {
broker.stop();
broker.waitUntilStopped();
}
@Test
public void testSendReceive() throws Exception {
ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
Connection conn = factory.createQueueConnection("jdoe", "sunflower");
Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
conn.start();
Queue queue = sess.createQueue("TEST.FOO");
MessageProducer producer = sess.createProducer(queue);
MessageConsumer consumer = sess.createConsumer(queue);
producer.send(sess.createTextMessage("test"));
Message msg = consumer.receive(1000);
assertNotNull(msg);
}
}

2
activemq-core/src/test/resources/login.config
View File

@ -65,4 +65,4 @@ broker2 {
debug=true
org.apache.activemq.jaas.textfiledn.user="org/apache/activemq/security/users2.properties"
org.apache.activemq.jaas.textfiledn.group="org/apache/activemq/security/groups.properties";
};
};

27
activemq-core/src/test/resources/org/apache/activemq/security/AMQauth.ldif
View File

@ -15,8 +15,6 @@
## limitations under the License.
## ---------------------------------------------------------------------------
version: 1
dn: o=ActiveMQ,ou=system
objectclass: organization
objectclass: top
@ -109,3 +107,28 @@ objectclass: top
cn: admin
uniquemember: uid=role1
dn: uid=ActiveMQ.Advisory,ou=topics,ou=destinations,o=ActiveMQ,ou=system
objectclass: uidObject
objectclass: top
objectclass: applicationProcess
uid: ActiveMQ.Advisory
cn: ActiveMQ.Advisory
dn: cn=admin,uid=ActiveMQ.Advisory,ou=topics,ou=destinations,o=ActiveMQ,ou=system
objectclass: groupOfUniqueNames
objectclass: top
cn: admin
uniquemember: uid=role1
dn: cn=read,uid=ActiveMQ.Advisory,ou=topics,ou=destinations,o=ActiveMQ,ou=system
objectclass: groupOfUniqueNames
objectclass: top
cn: read
uniquemember: uid=role2
dn: cn=write,uid=ActiveMQ.Advisory,ou=topics,ou=destinations,o=ActiveMQ,ou=system
objectclass: groupOfUniqueNames
objectclass: top
cn: write
uniquemember: uid=role3

77
activemq-core/src/test/resources/org/apache/activemq/security/activemq-ldap.xml Normal file
View File

@ -0,0 +1,77 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- START SNIPPET: xbean -->
<beans
xmlns="http://www.springframework.org/schema/beans"
xmlns:amq="http://activemq.apache.org/schema/core"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
<broker useJmx="false" xmlns="http://activemq.apache.org/schema/core" persistent="false">
<plugins>
<simpleAuthenticationPlugin>
<users>
<authenticationUser username="jdoe" password="sunflower"
groups="users"/>
<authenticationUser username="admin" password="sunflower"
groups="admin"/>
</users>
</simpleAuthenticationPlugin>
<authorizationPlugin>
<map>
<bean id="lDAPAuthorizationMap" class="org.apache.activemq.security.LDAPAuthorizationMap"
xmlns="http://www.springframework.org/schema/beans">
<property name="initialContextFactory" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<property name="connectionURL" value="ldap://localhost:1024"/>
<property name="authentication" value="simple"/>
<property name="connectionUsername" value="uid=admin,ou=system"/>
<property name="connectionPassword" value="secret"/>
<property name="connectionProtocol" value="s"/>
<property name="topicSearchMatchingFormat"
value="cn={0},ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"/>
<property name="topicSearchSubtreeBool" value="true"/>
<property name="queueSearchMatchingFormat"
value="cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=system"/>
<property name="advisorySearchBase"
value="cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"/>
<property name="queueSearchSubtreeBool" value="true"/>
<property name="adminBase" value="(cn=admin)"/>
<property name="adminAttribute" value="member"/>
<property name="readBase" value="(cn=read)"/>
<property name="readAttribute" value="member"/>
<property name="writeBase" value="(cn=write)"/>
<property name="writeAttribute" value="member"/>
</bean>
</map>
</authorizationPlugin>
</plugins>
<transportConnectors>
<transportConnector uri="tcp://localhost:61616"/>
</transportConnectors>
</broker>
</beans>
<!-- END SNIPPET: xbean -->

179
activemq-core/src/test/resources/org/apache/activemq/security/activemq.ldif Normal file
View File

@ -0,0 +1,179 @@
## ---------------------------------------------------------------------------
## Licensed to the Apache Software Foundation (ASF) under one or more
## contributor license agreements. See the NOTICE file distributed with
## this work for additional information regarding copyright ownership.
## The ASF licenses this file to You under the Apache License, Version 2.0
## (the "License"); you may not use this file except in compliance with
## the License. You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
## ---------------------------------------------------------------------------
##########################
## Define basic objects ##
##########################
# Uncomment if adding to open ldap
#dn: ou=system
#objectclass: organizationalUnit
#objectclass: top
#ou: system
dn: ou=ActiveMQ,ou=system
objectClass: organizationalUnit
objectClass: top
ou: ActiveMQ
dn: ou=Services,ou=system
ou: Services
objectClass: organizationalUnit
objectClass: top
dn: cn=mqbroker,ou=Services,ou=system
cn: mqbroker
objectClass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: {SSHA}YvMAkkd66cDecNoejo8jnw5uUUBziyl0
description: Bind user for MQ broker
###################
## Define groups ##
###################
dn: ou=Group,ou=ActiveMQ,ou=system
objectClass: organizationalUnit
objectClass: top
ou: Group
dn: cn=admins,ou=Group,ou=ActiveMQ,ou=system
cn: admins
member: uid=admin
objectClass: groupOfNames
objectClass: top
dn: cn=users,ou=Group,ou=ActiveMQ,ou=system
cn: users
member: uid=jdoe
objectClass: groupOfNames
objectClass: top
##################
## Define users ##
##################
dn: ou=User,ou=ActiveMQ,ou=system
objectClass: organizationalUnit
objectClass: top
ou: User
dn: uid=admin,ou=User,ou=ActiveMQ,ou=system
uid: admin
userPassword: {SSHA}YvMAkkd66cDecNoejo8jnw5uUUBziyl0
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
dn: uid=jdoe,ou=User,ou=ActiveMQ,ou=system
uid: jdoe
userPassword: {SSHA}YvMAkkd66cDecNoejo8jnw5uUUBziyl0
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: Jane Doe
sn: Doe
#########################
## Define destinations ##
#########################
dn: ou=Destination,ou=ActiveMQ,ou=system
objectClass: organizationalUnit
objectClass: top
ou: Destination
dn: ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
objectClass: organizationalUnit
objectClass: top
ou: Topic
dn: ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
objectClass: organizationalUnit
objectClass: top
ou: Queue
## TEST.FOO
dn: cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
cn: TEST.FOO
description: A queue
objectClass: applicationProcess
objectClass: top
dn: cn=admin,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
cn: admin
description: Admin privilege group, members are roles
member: cn=admins
member: cn=users
objectClass: groupOfNames
objectClass: top
dn: cn=read,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
cn: read
member: cn=users
member: cn=admins
objectClass: groupOfNames
objectClass: top
dn: cn=write,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
cn: write
objectClass: groupOfNames
objectClass: top
member: cn=users
member: cn=admins
#######################
## Define advisories ##
#######################
dn: cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
cn: ActiveMQ.Advisory
objectClass: applicationProcess
objectClass: top
description: Advisory topic about consumers
dn: cn=read,cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
cn: read
member: cn=admins
member: cn=users
objectClass: groupOfNames
objectClass: top
dn: cn=write,cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
cn: write
member: cn=admins
member: cn=users
objectClass: groupOfNames
objectClass: top
dn: cn=admin,cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
cn: admin
member: cn=admins
member: cn=users
objectClass: groupOfNames
objectClass: top

1
activemq-jaas/pom.xml
View File

@ -40,7 +40,6 @@
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<forkMode>pertest</forkMode>
<childDelegation>false</childDelegation>
<useFile>true</useFile>
<argLine>-Xmx512M</argLine>

11
activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java
View File

@ -47,17 +47,6 @@ import static org.junit.Assert.assertTrue;
"test.ldif"
)
public class LDAPLoginModuleTest extends AbstractLdapTestUnit {
static {
String path = System.getProperty("java.security.auth.login.config");
if (path == null) {
URL resource = PropertiesLoginModuleTest.class.getClassLoader().getResource("login.config");
if (resource != null) {
path = resource.getFile();
System.setProperty("java.security.auth.login.config", path);
}
}
}
private static final String BASE = "o=ActiveMQ,ou=system";
public static LdapServer ldapServer;