adding a patch to fix AMQ-1157 allowing a broker security context to be used to allow destinations to be created on startup etc.

git-svn-id: https://svn.apache.org/repos/asf/activemq/trunk@504586 13f79535-47bb-0310-9956-ffa450edef68

activemq-core/src/main/java/org/apache/activemq/broker/BrokerService.java

@@ -69,6 +69,7 @@ import org.apache.activemq.network.NetworkConnector;
 import org.apache.activemq.network.jms.JmsConnector;
 import org.apache.activemq.proxy.ProxyConnector;
 import org.apache.activemq.security.MessageAuthorizationPolicy;
+import org.apache.activemq.security.SecurityContext;
 import org.apache.activemq.store.DefaultPersistenceAdapterFactory;
 import org.apache.activemq.store.PersistenceAdapter;
 import org.apache.activemq.store.PersistenceAdapterFactory;
@@ -1454,6 +1455,7 @@ public class BrokerService implements Service, Serializable {
     protected ConnectionContext createAdminConnectionContext() throws Exception {
         ConnectionContext context = new ConnectionContext();
         context.setBroker(getBroker());
+        context.setSecurityContext(SecurityContext.BROKER_SECURITY_CONTEXT);
         return context;
     }
 

activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java

@@ -58,18 +58,20 @@ public class AuthorizationBroker extends BrokerFilter implements SecurityAdminMB
 
 
         //if(!((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue()) ) {
-        Set allowedACLs = null;
+        if (!securityContext.isBrokerContext()) {
-        if(!destination.isTemporary()) {
+            Set allowedACLs = null;
-            allowedACLs = authorizationMap.getAdminACLs(destination);
+            if(!destination.isTemporary()) {
-        } else {
+                allowedACLs = authorizationMap.getAdminACLs(destination);
-        	allowedACLs = authorizationMap.getTempDestinationAdminACLs();
+            } else {
-        }
+                allowedACLs = authorizationMap.getTempDestinationAdminACLs();
-     
+            }
-        if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
+         
-            throw new SecurityException("User "+securityContext.getUserName()+" is not authorized to create: "+destination);
+            if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
+                throw new SecurityException("User "+securityContext.getUserName()+" is not authorized to create: "+destination);
+
+        }
+        // }
 
-       // }
-        
         return super.addDestination(context, destination);
     }
     

activemq-core/src/main/java/org/apache/activemq/security/SecurityContext.java

@@ -19,7 +19,7 @@ package org.apache.activemq.security;
 
 import java.util.HashSet;
 import java.util.Set;
-
+import java.util.Collections;
 import java.util.concurrent.ConcurrentHashMap;
 
 /**
@@ -29,6 +29,17 @@ import java.util.concurrent.ConcurrentHashMap;
  */
 abstract public class SecurityContext {
 
+    public static final SecurityContext BROKER_SECURITY_CONTEXT = new SecurityContext("ActiveMQBroker") {
+        @Override
+        public boolean isBrokerContext() {
+            return true;
+        }
+
+        public Set getPrincipals() {
+            return Collections.EMPTY_SET;
+        }
+    };
+
     final String userName;
     
     final ConcurrentHashMap authorizedReadDests = new ConcurrentHashMap();
@@ -53,8 +64,12 @@ abstract public class SecurityContext {
     public ConcurrentHashMap getAuthorizedReadDests() {
         return authorizedReadDests;
     }
+
     public ConcurrentHashMap getAuthorizedWriteDests() {
         return authorizedWriteDests;
     }
-    
+
+    public boolean isBrokerContext() {
+        return false;
+    }
 }