https://issues.apache.org/jira/browse/AMQ-6116 - improve security context

2016-01-08 17:05:58 +01:00 · 2016-01-08 17:05:58 +01:00 · 5f8a3df5a4
parent 43d493e527
commit 5f8a3df5a4
6 changed files with 4 additions and 19 deletions
--- a/activemq-broker/src/main/java/org/apache/activemq/security/AbstractAuthenticationBroker.java
+++ b/activemq-broker/src/main/java/org/apache/activemq/security/AbstractAuthenticationBroker.java
@ -38,7 +38,6 @@ public abstract class AbstractAuthenticationBroker extends BrokerFilter implemen
        next.removeDestination(context, destination, timeout);

        for (SecurityContext sc : securityContexts) {
-            sc.getAuthorizedReadDests().remove(destination);
            sc.getAuthorizedWriteDests().remove(destination);
        }
    }
@ -53,7 +52,6 @@ public abstract class AbstractAuthenticationBroker extends BrokerFilter implemen

    public void refresh() {
        for (SecurityContext sc : securityContexts) {
-            sc.getAuthorizedReadDests().clear();
            sc.getAuthorizedWriteDests().clear();
        }
    }
--- a/activemq-broker/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
+++ b/activemq-broker/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
@ -126,6 +126,8 @@ public class AuthorizationBroker extends BrokerFilter implements SecurityAdminMB
            throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to remove: " + destination);
        }

+        securityContext.getAuthorizedWriteDests().remove(destination);
+
        super.removeDestination(context, destination, timeout);
    }

@ -137,6 +139,8 @@ public class AuthorizationBroker extends BrokerFilter implements SecurityAdminMB
            throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to remove: " + info.getDestination());
        }

+        securityContext.getAuthorizedWriteDests().remove(info.getDestination());
+
        super.removeDestinationInfo(context, info);
    }

@ -154,7 +158,6 @@ public class AuthorizationBroker extends BrokerFilter implements SecurityAdminMB
        if (!securityContext.isBrokerContext() && allowedACLs != null && !securityContext.isInOneOf(allowedACLs) ) {
            throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to read from: " + info.getDestination());
        }
-        securityContext.getAuthorizedReadDests().put(info.getDestination(), info.getDestination());

        /*
         * Need to think about this a little more. We could do per message
--- a/activemq-broker/src/main/java/org/apache/activemq/security/AuthorizationDestinationFilter.java
+++ b/activemq-broker/src/main/java/org/apache/activemq/security/AuthorizationDestinationFilter.java
@ -56,7 +56,6 @@ public class AuthorizationDestinationFilter extends DestinationFilter {
        if (!securityContext.isBrokerContext() && allowedACLs != null && !securityContext.isInOneOf(allowedACLs) ) {
            throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to read from: " + destination);
        }
-        securityContext.getAuthorizedReadDests().put(destination, destination);

        super.addSubscription(context, sub);
    }
--- a/activemq-broker/src/main/java/org/apache/activemq/security/SecurityContext.java
+++ b/activemq-broker/src/main/java/org/apache/activemq/security/SecurityContext.java
@ -47,7 +47,6 @@ public abstract class SecurityContext {

    final String userName;

-    final ConcurrentMap<ActiveMQDestination, ActiveMQDestination> authorizedReadDests = new ConcurrentHashMap<ActiveMQDestination, ActiveMQDestination>();
    final ConcurrentMap<ActiveMQDestination, ActiveMQDestination> authorizedWriteDests = new ConcurrentHashMap<ActiveMQDestination, ActiveMQDestination>();

    public SecurityContext(String userName) {
@ -74,10 +73,6 @@ public abstract class SecurityContext {
        return userName;
    }

-    public ConcurrentMap<ActiveMQDestination, ActiveMQDestination> getAuthorizedReadDests() {
-        return authorizedReadDests;
-    }
-
    public ConcurrentMap<ActiveMQDestination, ActiveMQDestination> getAuthorizedWriteDests() {
        return authorizedWriteDests;
    }
--- a/activemq-shiro/src/main/java/org/apache/activemq/shiro/subject/SubjectSecurityContext.java
+++ b/activemq-shiro/src/main/java/org/apache/activemq/shiro/subject/SubjectSecurityContext.java
@ -72,11 +72,6 @@ public class SubjectSecurityContext extends SecurityContext {
        throw notAllowed("isInOneOf");
    }

-    @Override
-    public ConcurrentMap<ActiveMQDestination, ActiveMQDestination> getAuthorizedReadDests() {
-        throw notAllowed("getAuthorizedReadDests");
-    }
-
    @Override
    public ConcurrentMap<ActiveMQDestination, ActiveMQDestination> getAuthorizedWriteDests() {
        throw notAllowed("getAuthorizedWriteDests");
--- a/activemq-shiro/src/test/java/org/apache/activemq/shiro/subject/SubjectSecurityContextTest.java
+++ b/activemq-shiro/src/test/java/org/apache/activemq/shiro/subject/SubjectSecurityContextTest.java
@ -41,11 +41,6 @@ public class SubjectSecurityContextTest {
        ctx.isInOneOf(null);
    }

-    @Test(expected=UnsupportedOperationException.class)
-    public void testGetAuthorizedReadDests() {
-        ctx.getAuthorizedReadDests();
-    }
-
    @Test(expected=UnsupportedOperationException.class)
    public void testGetAuthorizedWriteDests() {
        ctx.getAuthorizedWriteDests();