https://issues.apache.org/jira/browse/AMQ-3845 - handle LDAP restarts in cached ldap authorization map

git-svn-id: https://svn.apache.org/repos/asf/activemq/trunk@1348761 13f79535-47bb-0310-9956-ffa450edef68
2012-06-11 09:24:51 +00:00 · 2012-06-11 09:24:51 +00:00 · 06949a5074
parent 21a0465448
commit 06949a5074
2 changed files with 87 additions and 16 deletions
--- a/activemq-core/src/main/java/org/apache/activemq/security/CachedLDAPAuthorizationMap.java
+++ b/activemq-core/src/main/java/org/apache/activemq/security/CachedLDAPAuthorizationMap.java
@ -94,6 +94,22 @@ public class CachedLDAPAuthorizationMap extends DefaultAuthorizationMap implemen
    protected HashMap<ActiveMQDestination, AuthorizationEntry> entries = 
            new HashMap<ActiveMQDestination, AuthorizationEntry>();

+    protected DirContext createContext() throws NamingException {
+        Hashtable<String, String> env = new Hashtable<String, String>();
+        env.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFactory);
+        if (connectionUsername != null || !"".equals(connectionUsername)) {
+            env.put(Context.SECURITY_PRINCIPAL, connectionUsername);
+        }
+        if (connectionPassword != null || !"".equals(connectionPassword)) {
+            env.put(Context.SECURITY_CREDENTIALS, connectionPassword);
+        }
+        env.put(Context.SECURITY_PROTOCOL, connectionProtocol);
+        env.put(Context.PROVIDER_URL, connectionURL);
+        env.put(Context.SECURITY_AUTHENTICATION, authentication);
+        //env.put("com.sun.jndi.ldap.connect.pool", "true");
+        return new InitialDirContext(env);
+    }
+
    /**
     * Returns the existing open context or creates a new one and registers listeners for
     * push notifications if such an update style is enabled.  This implementation should not
@ -105,23 +121,20 @@ public class CachedLDAPAuthorizationMap extends DefaultAuthorizationMap implemen
     */
    protected DirContext open() throws NamingException {
        if (context != null) {
-            return context;
+            boolean alive = true;
+            try {
+                context.getAttributes("");
+            } catch (Exception e) {
+               LOG.info("LDAP connection failed", e);
+               alive = false;
+            }
+            if (alive) {
+                return context;
+            }
        }

        try {
-            Hashtable<String, String> env = new Hashtable<String, String>();
-            env.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFactory);
-            if (connectionUsername != null || !"".equals(connectionUsername)) {
-                env.put(Context.SECURITY_PRINCIPAL, connectionUsername);
-            }
-            if (connectionPassword != null || !"".equals(connectionPassword)) {
-                env.put(Context.SECURITY_CREDENTIALS, connectionPassword);
-            }
-            env.put(Context.SECURITY_PROTOCOL, connectionProtocol);
-            env.put(Context.PROVIDER_URL, connectionURL);
-            env.put(Context.SECURITY_AUTHENTICATION, authentication);
-            context = new InitialDirContext(env);
-
+            context = createContext();

            if (refreshInterval == -1 && !refreshDisabled) {
                eventContext = ((EventDirContext)context.lookup(""));
@ -158,6 +171,7 @@ public class CachedLDAPAuthorizationMap extends DefaultAuthorizationMap implemen
                    eventContext.addNamingListener(tempSearchBase, getFilterForPermissionType(permissionType), constraints,
                            this.new CachedLDAPAuthorizationMapNamespaceChangeListener(DestinationType.TEMP, permissionType));
                }
+
            }
        } catch (NamingException e) {
            context = null;
@ -616,8 +630,15 @@ public class CachedLDAPAuthorizationMap extends DefaultAuthorizationMap implemen
     * and are the refresh interval has elapsed.
     */
    protected void checkForUpdates() {
-        if (!refreshDisabled && (refreshInterval != -1 && System.currentTimeMillis() >= lastUpdated + refreshInterval)) {
-
+        if (context == null || (!refreshDisabled && (refreshInterval != -1 && System.currentTimeMillis() >= lastUpdated + refreshInterval))) {
+            if (context == null) {
+                try {
+                    context = createContext();
+                } catch (NamingException ne) {
+                    // LDAP is down, use already cached values
+                    return;
+                }
+            }
            reset();
            setTempDestinationAuthorizationEntry(null);
            entries.clear();
@ -688,6 +709,7 @@ public class CachedLDAPAuthorizationMap extends DefaultAuthorizationMap implemen
     * {@link AuthorizationEntry} is not setup for concurrent access.
     */
    public synchronized Set<Object> getReadACLs(ActiveMQDestination destination) {
+        checkForUpdates();
        return super.getReadACLs(destination);
    }

@ -696,6 +718,7 @@ public class CachedLDAPAuthorizationMap extends DefaultAuthorizationMap implemen
     * {@link AuthorizationEntry} is not setup for concurrent access.
     */
    public synchronized Set<Object> getWriteACLs(ActiveMQDestination destination) {
+        checkForUpdates();
        return super.getWriteACLs(destination);
    }

@ -850,6 +873,7 @@ public class CachedLDAPAuthorizationMap extends DefaultAuthorizationMap implemen
     * @param namingExceptionEvent the exception event
     */
    public void namingExceptionThrown(NamingExceptionEvent namingExceptionEvent) {
+        context = null;
        LOG.error("Caught unexpected exception.", namingExceptionEvent.getException());
    }
    
--- a/activemq-core/src/test/java/org/apache/activemq/security/AbstractCachedLDAPAuthorizationMapLegacyTest.java
+++ b/activemq-core/src/test/java/org/apache/activemq/security/AbstractCachedLDAPAuthorizationMapLegacyTest.java
@ -274,6 +274,53 @@ public abstract class AbstractCachedLDAPAuthorizationMapLegacyTest extends Abstr
        failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
        assertEquals("set size: " + failedACLs, 1, failedACLs.size());
    }
+
+    @Test
+    public void testRestartAsync() throws Exception {
+        testRestart(false);
+    }
+
+    @Test
+    public void testRestartSync() throws Exception {
+        testRestart(true);
+    }
+
+    public void testRestart(boolean sync) throws Exception {
+        map.query();
+        if (sync) {
+            map.setRefreshInterval(1);
+        }
+
+        Set<?> failedACLs = map.getReadACLs(new ActiveMQQueue("FAILED"));
+        assertEquals("set size: " + failedACLs, 0, failedACLs.size());
+
+        failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 2, failedACLs.size());
+
+        getLdapServer().stop();
+
+        Thread.sleep(1000);
+
+        failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 2, failedACLs.size());
+
+        getLdapServer().start();
+
+        Thread.sleep(1000);
+
+        connection = getLdapConnection();
+
+        LdifReader reader = new LdifReader(getAddLdif());
+
+        for (LdifEntry entry : reader) {
+            connection.add(entry.getEntry());
+        }
+
+        Thread.sleep(2000);
+
+        failedACLs = map.getReadACLs(new ActiveMQQueue("FAILED"));
+        assertEquals("set size: " + failedACLs, 2, failedACLs.size());
+    }
    
    protected CachedLDAPAuthorizationMap createMap() {
        return new CachedLDAPAuthorizationMap();