mirror of https://github.com/apache/activemq.git
git-svn-id: https://svn.apache.org/repos/asf/incubator/activemq/trunk@479639 13f79535-47bb-0310-9956-ffa450edef68
parent
a11060452b
commit
e78e72f957
|
@ -56,14 +56,19 @@ public class AuthorizationBroker extends BrokerFilter implements SecurityAdminMB
|
|||
if( securityContext == null )
|
||||
throw new SecurityException("User is not authenticated.");
|
||||
|
||||
// You don't need to be an admin to create temp destinations.
|
||||
if( !destination.isTemporary()
|
||||
|| !((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue()) ) {
|
||||
|
||||
Set allowedACLs = authorizationMap.getAdminACLs(destination);
|
||||
if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
|
||||
throw new SecurityException("User "+securityContext.getUserName()+" is not authorized to create: "+destination);
|
||||
|
||||
//if(!((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue()) ) {
|
||||
Set allowedACLs = null;
|
||||
if(!destination.isTemporary()) {
|
||||
allowedACLs = authorizationMap.getAdminACLs(destination);
|
||||
} else {
|
||||
allowedACLs = authorizationMap.getTempDestinationAdminACLs();
|
||||
}
|
||||
|
||||
if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
|
||||
throw new SecurityException("User "+securityContext.getUserName()+" is not authorized to create: "+destination);
|
||||
|
||||
// }
|
||||
|
||||
return super.addDestination(context, destination);
|
||||
}
|
||||
|
@ -74,14 +79,15 @@ public class AuthorizationBroker extends BrokerFilter implements SecurityAdminMB
|
|||
if( securityContext == null )
|
||||
throw new SecurityException("User is not authenticated.");
|
||||
|
||||
// You don't need to be an admin to remove temp destinations.
|
||||
if( !destination.isTemporary()
|
||||
|| !((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue()) ) {
|
||||
|
||||
Set allowedACLs = authorizationMap.getAdminACLs(destination);
|
||||
if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
|
||||
throw new SecurityException("User "+securityContext.getUserName()+" is not authorized to remove: "+destination);
|
||||
Set allowedACLs = null;
|
||||
if(!destination.isTemporary()) {
|
||||
allowedACLs = authorizationMap.getAdminACLs(destination);
|
||||
} else {
|
||||
allowedACLs = authorizationMap.getTempDestinationAdminACLs();
|
||||
}
|
||||
|
||||
if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
|
||||
throw new SecurityException("User "+securityContext.getUserName()+" is not authorized to remove: "+destination);
|
||||
|
||||
super.removeDestination(context, destination, timeout);
|
||||
}
|
||||
|
@ -92,9 +98,16 @@ public class AuthorizationBroker extends BrokerFilter implements SecurityAdminMB
|
|||
if( subject == null )
|
||||
throw new SecurityException("User is not authenticated.");
|
||||
|
||||
Set allowedACLs = authorizationMap.getReadACLs(info.getDestination());
|
||||
Set allowedACLs = null;
|
||||
if(!info.getDestination().isTemporary()) {
|
||||
allowedACLs = authorizationMap.getReadACLs(info.getDestination());
|
||||
}else {
|
||||
allowedACLs = authorizationMap.getTempDestinationWriteACLs();
|
||||
}
|
||||
|
||||
if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
|
||||
throw new SecurityException("User "+subject.getUserName()+" is not authorized to read from: "+info.getDestination());
|
||||
|
||||
subject.getAuthorizedReadDests().put(info.getDestination(), info.getDestination());
|
||||
|
||||
/*
|
||||
|
@ -133,9 +146,17 @@ public class AuthorizationBroker extends BrokerFilter implements SecurityAdminMB
|
|||
throw new SecurityException("User is not authenticated.");
|
||||
|
||||
if( info.getDestination()!=null ) {
|
||||
Set allowedACLs = authorizationMap.getWriteACLs(info.getDestination());
|
||||
if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
|
||||
|
||||
Set allowedACLs = null;
|
||||
if(!info.getDestination().isTemporary()) {
|
||||
allowedACLs = authorizationMap.getWriteACLs(info.getDestination());
|
||||
}else {
|
||||
allowedACLs = authorizationMap.getTempDestinationWriteACLs();
|
||||
}
|
||||
if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
|
||||
throw new SecurityException("User "+subject.getUserName()+" is not authorized to write to: "+info.getDestination());
|
||||
|
||||
|
||||
subject.getAuthorizedWriteDests().put(info.getDestination(), info.getDestination());
|
||||
}
|
||||
|
||||
|
@ -146,11 +167,19 @@ public class AuthorizationBroker extends BrokerFilter implements SecurityAdminMB
|
|||
SecurityContext subject = (SecurityContext) context.getSecurityContext();
|
||||
if( subject == null )
|
||||
throw new SecurityException("User is not authenticated.");
|
||||
|
||||
|
||||
if( !subject.getAuthorizedWriteDests().contains(messageSend.getDestination()) ) {
|
||||
Set allowedACLs = authorizationMap.getWriteACLs(messageSend.getDestination());
|
||||
if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
|
||||
|
||||
Set allowedACLs = null;
|
||||
if(!messageSend.getDestination().isTemporary()) {
|
||||
allowedACLs = authorizationMap.getWriteACLs(messageSend.getDestination());
|
||||
}else {
|
||||
allowedACLs = authorizationMap.getTempDestinationWriteACLs();
|
||||
}
|
||||
|
||||
if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
|
||||
throw new SecurityException("User "+subject.getUserName()+" is not authorized to write to: "+messageSend.getDestination());
|
||||
|
||||
subject.getAuthorizedWriteDests().put(messageSend.getDestination(), messageSend.getDestination());
|
||||
}
|
||||
|
||||
|
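Review bot: In the addConsumer hunk the temporary-destination branch fetches `authorizationMap.getTempDestinationWriteACLs()` even though this is the read path and the exception text says "not authorized to read from"; it should be `allowedACLs = authorizationMap.getTempDestinationReadACLs();`, which the interface now declares but nothing in the broker calls. Separately, the connection-ownership test on temp destinations is commented out in addDestination and deleted outright from removeDestination, and since every map implementation in this commit returns null when no temp-destination entry is configured, the `allowedACLs!=null` guard makes that path fail open: any authenticated client can then create or remove another connection's temp destination. Before this change a non-owner at least had to pass the destination's admin ACLs. I would keep the ownership short-circuit ahead of the new lookup (the owning connection proceeds without an ACL check, exactly as before) or treat a null temp ACL set as a deny for non-owners. All of the methods touched here start before their hunks.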
|
|
@ -27,6 +27,21 @@ import java.util.Set;
|
|||
*/
|
||||
public interface AuthorizationMap {
|
||||
|
||||
/**
|
||||
* Returns the set of all ACLs capable of administering temp destination
|
||||
*/
|
||||
Set getTempDestinationAdminACLs();
|
||||
|
||||
/**
|
||||
* Returns the set of all ACLs capable of reading from temp destination
|
||||
*/
|
||||
Set getTempDestinationReadACLs();
|
||||
|
||||
/**
|
||||
* Returns the set of all ACLs capable of writing to temp destination
|
||||
*/
|
||||
Set getTempDestinationWriteACLs();
|
||||
|
||||
/**
|
||||
* Returns the set of all ACLs capable of administering the given destination
|
||||
*/
|
||||
|
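Review bot: The three new javadoc comments do not say what a null return means, yet AuthorizationBroker skips the ACL check entirely whenever one of these methods returns null, so null is effectively "no restriction" rather than "nobody". Since LDAPAuthorizationMap returns null unconditionally and the other two maps return null whenever no entry is configured, that contract should be explicit on the interface. Suggest adding to each of the three: `* @return the ACLs, or {@code null} if no temporary-destination entry is configured, in which case the broker performs no check`. The interface body continues past this hunk.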
|
|
@ -37,14 +37,46 @@ import java.util.Set;
|
|||
public class DefaultAuthorizationMap extends DestinationMap implements AuthorizationMap {
|
||||
|
||||
private AuthorizationEntry defaultEntry;
|
||||
|
||||
|
||||
private TempDestinationAuthorizationEntry tempDestinationAuthorizationEntry;
|
||||
|
||||
public DefaultAuthorizationMap() {
|
||||
}
|
||||
|
||||
public DefaultAuthorizationMap(List authorizationEntries) {
|
||||
setAuthorizationEntries(authorizationEntries);
|
||||
|
||||
}
|
||||
|
||||
|
||||
public void setTempDestinationAuthorizationEntry(TempDestinationAuthorizationEntry tempDestinationAuthorizationEntry) {
|
||||
this.tempDestinationAuthorizationEntry = tempDestinationAuthorizationEntry;
|
||||
}
|
||||
|
||||
public TempDestinationAuthorizationEntry getTempDestinationAuthorizationEntry() {
|
||||
return this.tempDestinationAuthorizationEntry;
|
||||
}
|
||||
|
||||
public Set getTempDestinationAdminACLs() {
|
||||
if(tempDestinationAuthorizationEntry != null)
|
||||
return tempDestinationAuthorizationEntry.getAdminACLs();
|
||||
else
|
||||
return null;
|
||||
}
|
||||
|
||||
public Set getTempDestinationReadACLs() {
|
||||
if(tempDestinationAuthorizationEntry != null)
|
||||
return tempDestinationAuthorizationEntry.getReadACLs();
|
||||
else
|
||||
return null;
|
||||
}
|
||||
|
||||
public Set getTempDestinationWriteACLs() {
|
||||
if(tempDestinationAuthorizationEntry != null)
|
||||
return tempDestinationAuthorizationEntry.getWriteACLs();
|
||||
else
|
||||
return null;
|
||||
}
|
||||
|
||||
public Set getAdminACLs(ActiveMQDestination destination) {
|
||||
Set entries = getAllEntries(destination);
|
||||
|
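Review bot: `setTempDestinationAuthorizationEntry` has no javadoc, and the behaviour that matters to an operator is the unset case: with the field left null (the default) all three getters return null and AuthorizationBroker then applies no authorization to temporary destinations at all. That deserves a comment on the setter, e.g. `/** Single entry applied to every temporary destination; if none is set, temp-destination operations are not authorization-checked by the broker. */`. The three getters are also verbatim copies of those added to SimpleAuthorizationMap, so a small shared helper or base class would keep them from diverging. getAdminACLs starts here but ends outside the hunk.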
|
|
@ -137,6 +137,22 @@ public class LDAPAuthorizationMap implements AuthorizationMap {
|
|||
queueSearchSubtreeBool = new Boolean(queueSearchSubtree).booleanValue();
|
||||
}
|
||||
|
||||
public Set getTempDestinationAdminACLs() {
|
||||
//TODO insert implementation
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
public Set getTempDestinationReadACLs() {
|
||||
// TODO insert implementation
|
||||
return null;
|
||||
}
|
||||
|
||||
public Set getTempDestinationWriteACLs() {
|
||||
// TODO insert implementation
|
||||
return null;
|
||||
}
|
||||
|
||||
public Set getAdminACLs(ActiveMQDestination destination) {
|
||||
return getACLs(destination, adminBase, adminAttribute);
|
||||
}
|
||||
|
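Review bot: The three TODO stubs return null, which AuthorizationBroker treats as "no restriction", so an LDAP-backed broker performs no authorization on temporary destinations after this commit; before it, a non-owner's create/remove on a temp destination went through `getAdminACLs(destination)` and therefore the LDAP lookup. Until the lookup is implemented (the existing `getACLs(destination, adminBase, adminAttribute)` pattern with a fixed temp-destination base would fit), the fail-open should at least be stated where it can be seen, e.g. `// TODO: not implemented - returning null makes AuthorizationBroker skip the check, so temp destinations are unrestricted under LDAP`. A warning logged when these stubs are first consulted would presumably be cheap to add as a follow-up.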
|
|
@ -36,6 +36,8 @@ public class SimpleAuthorizationMap implements AuthorizationMap {
|
|||
private DestinationMap readACLs;
|
||||
private DestinationMap adminACLs;
|
||||
|
||||
private TempDestinationAuthorizationEntry tempDestinationAuthorizationEntry;
|
||||
|
||||
public SimpleAuthorizationMap() {
|
||||
}
|
||||
|
||||
|
@ -45,6 +47,42 @@ public class SimpleAuthorizationMap implements AuthorizationMap {
|
|||
this.adminACLs = adminACLs;
|
||||
}
|
||||
|
||||
/*
|
||||
* Need to think how to retrieve the ACLs for temporary destinations since they are not map
|
||||
* to a specific destination. For now we'll just retrieve it from a TempDestinationAuthorizationEntry
|
||||
* same way as the DefaultAuthorizationMap. The ACLs retrieved here will be map to all temp destinations
|
||||
*/
|
||||
|
||||
public void setTempDestinationAuthorizationEntry(TempDestinationAuthorizationEntry tempDestinationAuthorizationEntry) {
|
||||
this.tempDestinationAuthorizationEntry = tempDestinationAuthorizationEntry;
|
||||
}
|
||||
|
||||
public TempDestinationAuthorizationEntry getTempDestinationAuthorizationEntry() {
|
||||
return this.tempDestinationAuthorizationEntry;
|
||||
}
|
||||
|
||||
|
||||
public Set getTempDestinationAdminACLs() {
|
||||
if(tempDestinationAuthorizationEntry != null)
|
||||
return tempDestinationAuthorizationEntry.getAdminACLs();
|
||||
else
|
||||
return null;
|
||||
}
|
||||
|
||||
public Set getTempDestinationReadACLs() {
|
||||
if(tempDestinationAuthorizationEntry != null)
|
||||
return tempDestinationAuthorizationEntry.getReadACLs();
|
||||
else
|
||||
return null;
|
||||
}
|
||||
|
||||
public Set getTempDestinationWriteACLs() {
|
||||
if(tempDestinationAuthorizationEntry != null)
|
||||
return tempDestinationAuthorizationEntry.getWriteACLs();
|
||||
else
|
||||
return null;
|
||||
}
|
||||
|
||||
public Set getAdminACLs(ActiveMQDestination destination) {
|
||||
return adminACLs.get(destination);
|
||||
}
|
||||
|
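Review bot: The block comment above `setTempDestinationAuthorizationEntry` is hard to read ("they are not map to", "will be map to") and leaves out the consequence that matters: when no entry is configured the three getters return null and the broker performs no temp-destination check. Suggest replacing it with `/* Temporary destinations are not keyed by name, so one TempDestinationAuthorizationEntry applies to all of them, as in DefaultAuthorizationMap; if none is configured the getters return null and AuthorizationBroker skips the check. */`. The three getters duplicate DefaultAuthorizationMap's line for line, which suggests the entry handling belongs in one place. getAdminACLs starts here but ends outside the hunk.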
|
|
@ -0,0 +1,45 @@
|
|||
/**
|
||||
*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
* contributor license agreements. See the NOTICE file distributed with
|
||||
* this work for additional information regarding copyright ownership.
|
||||
* The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
* (the "License"); you may not use this file except in compliance with
|
||||
* the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.apache.activemq.security;
|
||||
|
||||
import org.apache.activemq.filter.DestinationMapEntry;
|
||||
import org.apache.activemq.jaas.GroupPrincipal;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
import java.util.StringTokenizer;
|
||||
|
||||
/**
|
||||
* Represents an entry in a {@link DefaultAuthorizationMap} for assigning
|
||||
* different operations (read, write, admin) of user roles to
|
||||
* a temporary destination
|
||||
*
|
||||
* @org.apache.xbean.XBean
|
||||
*
|
||||
* @version $Revision: 426366 $
|
||||
*/
|
||||
public class TempDestinationAuthorizationEntry extends AuthorizationEntry {
|
||||
|
||||
|
||||
public void afterPropertiesSet() throws Exception {
|
||||
//we don't need to check if destination is specified since
|
||||
//the TempDestinationAuthorizationEntry should map to all temp destinations
|
||||
}
|
||||
|
||||
}
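Review bot: Six of the imports in the new file are unused (`DestinationMapEntry`, `GroupPrincipal`, `Collections`, `HashSet`, `Set`, `StringTokenizer`); only `AuthorizationEntry` from the same package is referenced, so they look copied from that class and should be dropped. The overridden `afterPropertiesSet` deliberately skips the superclass check for a destination, but if the superclass method does anything else (not visible here) that is skipped as well, which is worth confirming and stating in the comment. The class javadoc also says the entry belongs to a DefaultAuthorizationMap while SimpleAuthorizationMap accepts it too; suggest `* Represents the single entry in a {@link DefaultAuthorizationMap} or {@link SimpleAuthorizationMap} that applies to every temporary destination`.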
|
|
@ -18,10 +18,10 @@
|
|||
package org.apache.activemq.security;
|
||||
|
||||
import org.apache.activemq.command.ActiveMQQueue;
|
||||
import org.apache.activemq.command.ActiveMQTempQueue;
|
||||
import org.apache.activemq.jaas.GroupPrincipal;
|
||||
|
||||
import java.util.*;
|
||||
import java.util.Set;
|
||||
|
||||
import junit.framework.TestCase;
|
||||
|
||||
|
@ -33,6 +33,7 @@ public class AuthorizationMapTest extends TestCase {
|
|||
static final GroupPrincipal guests = new GroupPrincipal("guests");
|
||||
static final GroupPrincipal users = new GroupPrincipal("users");
|
||||
static final GroupPrincipal admins = new GroupPrincipal("admins");
|
||||
static final GroupPrincipal tempDestinationAdmins = new GroupPrincipal("tempDestAdmins");
|
||||
|
||||
public void testAuthorizationMap() {
|
||||
AuthorizationMap map = createAuthorizationMap();
|
||||
|
@ -41,8 +42,23 @@ public class AuthorizationMapTest extends TestCase {
|
|||
assertEquals("set size: " + readACLs, 2, readACLs.size());
|
||||
assertTrue("Contains users group", readACLs.contains(admins));
|
||||
assertTrue("Contains users group", readACLs.contains(users));
|
||||
|
||||
}
|
||||
|
||||
public void testAuthorizationMapWithTempDest() {
|
||||
AuthorizationMap map = createAuthorizationMapWithTempDest();
|
||||
|
||||
Set readACLs = map.getReadACLs(new ActiveMQQueue("USERS.FOO.BAR"));
|
||||
assertEquals("set size: " + readACLs, 2, readACLs.size());
|
||||
assertTrue("Contains users group", readACLs.contains(admins));
|
||||
assertTrue("Contains users group", readACLs.contains(users));
|
||||
|
||||
Set tempAdminACLs = map.getTempDestinationAdminACLs();
|
||||
assertEquals("set size: " + tempAdminACLs, 1, tempAdminACLs.size());
|
||||
assertTrue("Contains users group", tempAdminACLs.contains(tempDestinationAdmins));
|
||||
|
||||
}
|
||||
|
||||
protected AuthorizationMap createAuthorizationMap() {
|
||||
DefaultAuthorizationMap answer = new DefaultAuthorizationMap();
|
||||
|
||||
|
@ -62,5 +78,31 @@ public class AuthorizationMapTest extends TestCase {
|
|||
|
||||
return answer;
|
||||
}
|
||||
|
||||
protected AuthorizationMap createAuthorizationMapWithTempDest() {
|
||||
DefaultAuthorizationMap answer = new DefaultAuthorizationMap();
|
||||
|
||||
List entries = new ArrayList();
|
||||
|
||||
AuthorizationEntry entry = new AuthorizationEntry();
|
||||
entry.setQueue(">");
|
||||
entry.setRead("admins");
|
||||
entries.add(entry);
|
||||
|
||||
entry = new AuthorizationEntry();
|
||||
entry.setQueue("USERS.>");
|
||||
entry.setRead("users");
|
||||
entries.add(entry);
|
||||
|
||||
answer.setAuthorizationEntries(entries);
|
||||
|
||||
//create entry for temporary queue
|
||||
TempDestinationAuthorizationEntry tEntry = new TempDestinationAuthorizationEntry();
|
||||
tEntry.setAdmin("tempDestAdmins");
|
||||
|
||||
answer.setTempDestinationAuthorizationEntry(tEntry);
|
||||
|
||||
return answer;
|
||||
}
|
||||
|
||||
}
|
||||
|
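Review bot: The new test only covers the configured case; it never asserts that `getTempDestinationAdminACLs()`, `getTempDestinationReadACLs()` and `getTempDestinationWriteACLs()` return null when no entry is set (the default, and the case in which the broker skips its check), and the read/write getters are not exercised at all. A line in testAuthorizationMap such as `assertNull(map.getTempDestinationAdminACLs());` plus read/write assertions in testAuthorizationMapWithTempDest would pin that contract. The assertion message on the temp ACL check is a copy-paste: `assertTrue("Contains tempDestAdmins group", tempAdminACLs.contains(tempDestinationAdmins));`. The added `ActiveMQTempQueue` import is unused.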
|
|
@ -16,5 +16,6 @@
|
|||
## ---------------------------------------------------------------------------
|
||||
|
||||
admins=system
|
||||
tempDestinationAdmins=system,user
|
||||
users=system,user
|
||||
guests=guest
|
||||
|
|
|
@ -42,6 +42,11 @@
|
|||
|
||||
<authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
|
||||
</authorizationEntries>
|
||||
|
||||
<!-- let's assign roles to temporary destinations. comment this entry if we don't want any roles assigned to temp destinations -->
|
||||
<tempDestinationAuthorizationEntry>
|
||||
<tempDestinationAuthorizationEntry read="tempDestinationAdmins" write="tempDestinationAdmins" admin="tempDestinationAdmins"/>
|
||||
</tempDestinationAuthorizationEntry>
|
||||
</authorizationMap>
|
||||
</map>
|
||||
</authorizationPlugin>
|
||||
|
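Review bot: The comment on the new entry says to "comment this entry if we don't want any roles assigned to temp destinations", which reads as if removing it restricts access; in fact, with the entry absent the map's temp-destination getters return null and AuthorizationBroker performs no check, so temporary destinations become usable by every authenticated client. The comment should say the opposite, e.g. `<!-- roles allowed on temporary destinations; if this entry is omitted, no authorization check is applied to temp destinations at all -->`. Note also that groups.properties in this commit puts `user` into tempDestinationAdmins, so with this entry the ordinary user gets admin on every temp destination, including ones owned by other connections.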
|