diff --git a/activemq-core/src/main/java/org/apache/activemq/broker/BrokerService.java b/activemq-core/src/main/java/org/apache/activemq/broker/BrokerService.java
index 0a784e6240..68742b5b10 100644
--- a/activemq-core/src/main/java/org/apache/activemq/broker/BrokerService.java
+++ b/activemq-core/src/main/java/org/apache/activemq/broker/BrokerService.java
@@ -69,6 +69,7 @@ import org.apache.activemq.network.NetworkConnector;
 import org.apache.activemq.network.jms.JmsConnector;
 import org.apache.activemq.proxy.ProxyConnector;
 import org.apache.activemq.security.MessageAuthorizationPolicy;
+import org.apache.activemq.security.SecurityContext;
 import org.apache.activemq.store.DefaultPersistenceAdapterFactory;
 import org.apache.activemq.store.PersistenceAdapter;
 import org.apache.activemq.store.PersistenceAdapterFactory;
@@ -1454,6 +1455,7 @@ public class BrokerService implements Service, Serializable {
 protected ConnectionContext createAdminConnectionContext() throws Exception {
 ConnectionContext context = new ConnectionContext();
 context.setBroker(getBroker());
+ context.setSecurityContext(SecurityContext.BROKER_SECURITY_CONTEXT);
 return context;
 }
diff --git a/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java b/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
index 3c7308fa7d..9fd954a6b3 100644
--- a/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
+++ b/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
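Review bot: The context returned by createAdminConnectionContext() now carries SecurityContext.BROKER_SECURITY_CONTEXT, which AuthorizationBroker.addDestination exempts from the admin ACL check, so every caller of this protected method creates destinations without authorization; the callers are outside this hunk and should be confirmed to be broker-internal only (startup, recovery), never reachable through a client-supplied connection. Nothing at the method states that contract, and a subclass overriding it could silently drop or widen it; suggest a Javadoc such as `Creates a broker-internal connection context. Its security context is SecurityContext.BROKER_SECURITY_CONTEXT, which AuthorizationBroker treats as fully trusted, so the result must never be used for client-driven operations.` Only addDestination is given the exemption in this commit; if the admin context can reach other AuthorizationBroker checks (consumers, producers, sends), they would presumably still consult the broker context's empty principal set and deny, which is worth verifying.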
@@ -58,18 +58,20 @@ public class AuthorizationBroker extends BrokerFilter implements SecurityAdminMB
 //if(!((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue()) ) {
- Set allowedACLs = null;
- if(!destination.isTemporary()) {
- allowedACLs = authorizationMap.getAdminACLs(destination);
- } else {
- allowedACLs = authorizationMap.getTempDestinationAdminACLs();
- }
-
- if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
- throw new SecurityException("User "+securityContext.getUserName()+" is not authorized to create: "+destination);
+ if (!securityContext.isBrokerContext()) {
+ Set allowedACLs = null;
+ if(!destination.isTemporary()) {
+ allowedACLs = authorizationMap.getAdminACLs(destination);
+ } else {
+ allowedACLs = authorizationMap.getTempDestinationAdminACLs();
+ }
+
+ if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
+ throw new SecurityException("User "+securityContext.getUserName()+" is not authorized to create: "+destination);
+
+ }
+ // }
- // }
-
 return super.addDestination(context, destination);
 }
diff --git a/activemq-core/src/main/java/org/apache/activemq/security/SecurityContext.java b/activemq-core/src/main/java/org/apache/activemq/security/SecurityContext.java
index d335d21db1..1b7dbc0189 100644
--- a/activemq-core/src/main/java/org/apache/activemq/security/SecurityContext.java
+++ b/activemq-core/src/main/java/org/apache/activemq/security/SecurityContext.java
@@ -19,7 +19,7 @@ package org.apache.activemq.security;
 import java.util.HashSet;
 import java.util.Set;
-
+import java.util.Collections;
 import java.util.concurrent.ConcurrentHashMap;
 /**
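Review bot: The commented-out `//if(!((ActiveMQTempDestination)destination)...` guard and its matching `// }` are carried into the new block and re-indented rather than deleted; dead code wrapped around an authorization check makes the real control flow harder to audit, and both lines should go. The exemption is keyed on `securityContext.isBrokerContext()`, a plain overridable method, so the intent deserves a comment at the new `if`, e.g. `// the broker's own internal context is trusted and skips the admin ACL check`; the `if (` spacing on that line also differs from the `if(` style of the lines moved under it. securityContext is assigned before this hunk, and the enclosing addDestination() begins outside it.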
@@ -29,6 +29,17 @@ import java.util.concurrent.ConcurrentHashMap;
 */
 abstract public class SecurityContext {
+ public static final SecurityContext BROKER_SECURITY_CONTEXT = new SecurityContext("ActiveMQBroker") {
+ @Override
+ public boolean isBrokerContext() {
+ return true;
+ }
+
+ public Set getPrincipals() {
+ return Collections.EMPTY_SET;
+ }
+ };
+
 final String userName;
 final ConcurrentHashMap authorizedReadDests = new ConcurrentHashMap();
@@ -53,8 +64,12 @@ abstract public class SecurityContext {
 public ConcurrentHashMap getAuthorizedReadDests() {
 return authorizedReadDests;
 }
+
 public ConcurrentHashMap getAuthorizedWriteDests() {
 return authorizedWriteDests;
 }
-
+
+ public boolean isBrokerContext() {
+ return false;
+ }
 }
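Review bot: `isBrokerContext()` is an ordinary overridable method in the base class (the `@@ -53,8 +64,12 @@` hunk) and the anonymous BROKER_SECURITY_CONTEXT subclass overrides it to return true; because AuthorizationBroker uses it to waive the admin ACL check, any other SecurityContext subclass could grant itself the same exemption. Safer to tie the decision to the single broker instance and make it non-overridable: replace the base method with `public final boolean isBrokerContext() { return this == BROKER_SECURITY_CONTEXT; }` and drop the override from the constant. The constant should also carry a Javadoc stating that AuthorizationBroker treats it as fully trusted and that it must only be attached to broker-internal contexts. Minor: `getPrincipals()` lacks the `@Override` that `isBrokerContext()` has, and `Collections.EMPTY_SET` is the raw form where `Collections.emptySet()` is the typed equivalent.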