adding a patch to fix AMQ-1157 allowing a broker security context to be used to allow destinations to be created on startup etc.
git-svn-id: https://svn.apache.org/repos/asf/activemq/trunk@504586 13f79535-47bb-0310-9956-ffa450edef68
parent
6e7e3abf5d
commit
1d882e981c
|
@ -69,6 +69,7 @@ import org.apache.activemq.network.NetworkConnector;
|
|||
import org.apache.activemq.network.jms.JmsConnector;
|
||||
import org.apache.activemq.proxy.ProxyConnector;
|
||||
import org.apache.activemq.security.MessageAuthorizationPolicy;
|
||||
import org.apache.activemq.security.SecurityContext;
|
||||
import org.apache.activemq.store.DefaultPersistenceAdapterFactory;
|
||||
import org.apache.activemq.store.PersistenceAdapter;
|
||||
import org.apache.activemq.store.PersistenceAdapterFactory;
|
||||
|
@ -1454,6 +1455,7 @@ public class BrokerService implements Service, Serializable {
|
|||
protected ConnectionContext createAdminConnectionContext() throws Exception {
|
||||
ConnectionContext context = new ConnectionContext();
|
||||
context.setBroker(getBroker());
|
||||
context.setSecurityContext(SecurityContext.BROKER_SECURITY_CONTEXT);
|
||||
return context;
|
||||
}
|
||||
|
||||
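Review bot: `createAdminConnectionContext()` has no comment saying that the context it returns now carries `SecurityContext.BROKER_SECURITY_CONTEXT`, which the `AuthorizationBroker.addDestination` change in this commit exempts from the admin ACL check. Anyone who later hands this context to code acting on behalf of a client would silently skip authorization, so the contract belongs on the method itself. I would add a Javadoc along the lines of `/** Creates the broker's own connection context; it is exempt from destination-admin ACLs and must only be used for broker-internal operations, never for client requests. */`.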
|
|
|
@ -58,18 +58,20 @@ public class AuthorizationBroker extends BrokerFilter implements SecurityAdminMB
|
|||
|
||||
|
||||
//if(!((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue()) ) {
|
||||
Set allowedACLs = null;
|
||||
if(!destination.isTemporary()) {
|
||||
allowedACLs = authorizationMap.getAdminACLs(destination);
|
||||
} else {
|
||||
allowedACLs = authorizationMap.getTempDestinationAdminACLs();
|
||||
}
|
||||
|
||||
if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
|
||||
throw new SecurityException("User "+securityContext.getUserName()+" is not authorized to create: "+destination);
|
||||
if (!securityContext.isBrokerContext()) {
|
||||
Set allowedACLs = null;
|
||||
if(!destination.isTemporary()) {
|
||||
allowedACLs = authorizationMap.getAdminACLs(destination);
|
||||
} else {
|
||||
allowedACLs = authorizationMap.getTempDestinationAdminACLs();
|
||||
}
|
||||
|
||||
if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
|
||||
throw new SecurityException("User "+securityContext.getUserName()+" is not authorized to create: "+destination);
|
||||
|
||||
}
|
||||
// }
|
||||
|
||||
// }
|
||||
|
||||
return super.addDestination(context, destination);
|
||||
}
|
||||
|
||||
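Review bot: The ACL bypass in `if (!securityContext.isBrokerContext()) {` trusts a public, overridable method, so any `SecurityContext` subclass that returns true (for example one supplied by a third-party authentication plugin) skips the admin ACL check. Comparing identity with the singleton, `if (securityContext != SecurityContext.BROKER_SECURITY_CONTEXT) {`, keeps the exemption limited to the one instance the broker itself creates. The start of `addDestination`, including where `securityContext` is obtained and any null check on it, lies outside this hunk, and the other authorization checks in this class are not visible here either, so it is worth confirming that they are meant to stay ACL-enforced for the broker context. The inner `if(allowedACLs!=null && ...) throw ...` would also be less error-prone with braces now that it is nested inside another block.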
|
|
|
@ -19,7 +19,7 @@ package org.apache.activemq.security;
|
|||
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.concurrent.ConcurrentHashMap;
|
||||
|
||||
/**
|
||||
|
@ -29,6 +29,17 @@ import java.util.concurrent.ConcurrentHashMap;
|
|||
*/
|
||||
abstract public class SecurityContext {
|
||||
|
||||
public static final SecurityContext BROKER_SECURITY_CONTEXT = new SecurityContext("ActiveMQBroker") {
|
||||
@Override
|
||||
public boolean isBrokerContext() {
|
||||
return true;
|
||||
}
|
||||
|
||||
public Set getPrincipals() {
|
||||
return Collections.EMPTY_SET;
|
||||
}
|
||||
};
|
||||
|
||||
final String userName;
|
||||
|
||||
final ConcurrentHashMap authorizedReadDests = new ConcurrentHashMap();
|
||||
|
@ -53,8 +64,12 @@ abstract public class SecurityContext {
|
|||
public ConcurrentHashMap getAuthorizedReadDests() {
|
||||
return authorizedReadDests;
|
||||
}
|
||||
|
||||
public ConcurrentHashMap getAuthorizedWriteDests() {
|
||||
return authorizedWriteDests;
|
||||
}
|
||||
|
||||
|
||||
public boolean isBrokerContext() {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
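Review bot: `BROKER_SECURITY_CONTEXT` and `isBrokerContext()` are added without Javadoc even though together they define who is exempt from authorization. Suggested comments: on the constant, `/** Security context for broker-internal operations; checks that honour isBrokerContext() skip ACLs for it. */`, and on the base method, `/** @return true only for the broker's own context; contexts representing authenticated users must return false. */`. Because `getPrincipals()` returns an empty set, a check that has not been given the `isBrokerContext()` guard will presumably deny this context (`isInOneOf` is not shown in the hunk), which is the safe default and worth stating in the comment. `getPrincipals()` in the anonymous class is also missing the `@Override` that `isBrokerContext()` has.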
|
|