git-svn-id: https://svn.apache.org/repos/asf/incubator/activemq/trunk@479639 13f79535-47bb-0310-9956-ffa450edef68
Jonas B. Lim 2006-11-27 14:35:34 +00:00
parent a11060452b
commit e78e72f957
9 changed files with 245 additions and 22 deletions


@ -56,14 +56,19 @@ public class AuthorizationBroker extends BrokerFilter implements SecurityAdminMB
if( securityContext == null ) if( securityContext == null )
throw new SecurityException("User is not authenticated."); throw new SecurityException("User is not authenticated.");
// You don't need to be an admin to create temp destinations.
if( !destination.isTemporary() //if(!((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue()) ) {
|| !((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue()) ) { Set allowedACLs = null;
if(!destination.isTemporary()) {
Set allowedACLs = authorizationMap.getAdminACLs(destination); allowedACLs = authorizationMap.getAdminACLs(destination);
if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs)) } else {
throw new SecurityException("User "+securityContext.getUserName()+" is not authorized to create: "+destination); allowedACLs = authorizationMap.getTempDestinationAdminACLs();
} }
if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
throw new SecurityException("User "+securityContext.getUserName()+" is not authorized to create: "+destination);
// }
return super.addDestination(context, destination); return super.addDestination(context, destination);
} }
@ -74,14 +79,15 @@ public class AuthorizationBroker extends BrokerFilter implements SecurityAdminMB
if( securityContext == null ) if( securityContext == null )
throw new SecurityException("User is not authenticated."); throw new SecurityException("User is not authenticated.");
// You don't need to be an admin to remove temp destinations. Set allowedACLs = null;
if( !destination.isTemporary() if(!destination.isTemporary()) {
|| !((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue()) ) { allowedACLs = authorizationMap.getAdminACLs(destination);
} else {
Set allowedACLs = authorizationMap.getAdminACLs(destination); allowedACLs = authorizationMap.getTempDestinationAdminACLs();
if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
throw new SecurityException("User "+securityContext.getUserName()+" is not authorized to remove: "+destination);
} }
if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
throw new SecurityException("User "+securityContext.getUserName()+" is not authorized to remove: "+destination);
super.removeDestination(context, destination, timeout); super.removeDestination(context, destination, timeout);
} }
@ -92,9 +98,16 @@ public class AuthorizationBroker extends BrokerFilter implements SecurityAdminMB
if( subject == null ) if( subject == null )
throw new SecurityException("User is not authenticated."); throw new SecurityException("User is not authenticated.");
Set allowedACLs = authorizationMap.getReadACLs(info.getDestination()); Set allowedACLs = null;
if(!info.getDestination().isTemporary()) {
allowedACLs = authorizationMap.getReadACLs(info.getDestination());
}else {
allowedACLs = authorizationMap.getTempDestinationWriteACLs();
}
if(allowedACLs!=null && !subject.isInOneOf(allowedACLs)) if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
throw new SecurityException("User "+subject.getUserName()+" is not authorized to read from: "+info.getDestination()); throw new SecurityException("User "+subject.getUserName()+" is not authorized to read from: "+info.getDestination());
subject.getAuthorizedReadDests().put(info.getDestination(), info.getDestination()); subject.getAuthorizedReadDests().put(info.getDestination(), info.getDestination());
/* /*
@ -133,9 +146,17 @@ public class AuthorizationBroker extends BrokerFilter implements SecurityAdminMB
throw new SecurityException("User is not authenticated."); throw new SecurityException("User is not authenticated.");
if( info.getDestination()!=null ) { if( info.getDestination()!=null ) {
Set allowedACLs = authorizationMap.getWriteACLs(info.getDestination());
if(allowedACLs!=null && !subject.isInOneOf(allowedACLs)) Set allowedACLs = null;
if(!info.getDestination().isTemporary()) {
allowedACLs = authorizationMap.getWriteACLs(info.getDestination());
}else {
allowedACLs = authorizationMap.getTempDestinationWriteACLs();
}
if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
throw new SecurityException("User "+subject.getUserName()+" is not authorized to write to: "+info.getDestination()); throw new SecurityException("User "+subject.getUserName()+" is not authorized to write to: "+info.getDestination());
subject.getAuthorizedWriteDests().put(info.getDestination(), info.getDestination()); subject.getAuthorizedWriteDests().put(info.getDestination(), info.getDestination());
} }
@ -146,11 +167,19 @@ public class AuthorizationBroker extends BrokerFilter implements SecurityAdminMB
SecurityContext subject = (SecurityContext) context.getSecurityContext(); SecurityContext subject = (SecurityContext) context.getSecurityContext();
if( subject == null ) if( subject == null )
throw new SecurityException("User is not authenticated."); throw new SecurityException("User is not authenticated.");
if( !subject.getAuthorizedWriteDests().contains(messageSend.getDestination()) ) { if( !subject.getAuthorizedWriteDests().contains(messageSend.getDestination()) ) {
Set allowedACLs = authorizationMap.getWriteACLs(messageSend.getDestination());
if(allowedACLs!=null && !subject.isInOneOf(allowedACLs)) Set allowedACLs = null;
if(!messageSend.getDestination().isTemporary()) {
allowedACLs = authorizationMap.getWriteACLs(messageSend.getDestination());
}else {
allowedACLs = authorizationMap.getTempDestinationWriteACLs();
}
if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
throw new SecurityException("User "+subject.getUserName()+" is not authorized to write to: "+messageSend.getDestination()); throw new SecurityException("User "+subject.getUserName()+" is not authorized to write to: "+messageSend.getDestination());
subject.getAuthorizedWriteDests().put(messageSend.getDestination(), messageSend.getDestination()); subject.getAuthorizedWriteDests().put(messageSend.getDestination(), messageSend.getDestination());
} }
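Review bot: The temporary-destination branch in the addConsumer hunk fetches `authorizationMap.getTempDestinationWriteACLs()` and then throws "is not authorized to read from", so consumer access to temp destinations is gated by the write ACL and the newly added `getTempDestinationReadACLs()` is never consulted anywhere in the broker; that line should read `allowedACLs = authorizationMap.getTempDestinationReadACLs();`. Separately, in the addDestination and removeDestination hunks the former same-connection ownership test on `ActiveMQTempDestination` is left commented out rather than deleted, and when no temp-destination entry is configured the new getters return null, which the retained `if(allowedACLs!=null && ...)` guard treats as unrestricted — so an authenticated client may create or remove another connection's temp destination unless the operator explicitly configures the entry. Either keep the ownership test for temp destinations alongside the ACL lookup, or document that a missing entry is fail-open, e.g. `// null ACL set => no temp-destination restriction (fail-open); see AuthorizationMap.getTempDestinationAdminACLs`. All five hunks cut through the middle of their methods; the signatures and closing braces lie outside the hunks.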


@ -27,6 +27,21 @@ import java.util.Set;
*/ */
public interface AuthorizationMap { public interface AuthorizationMap {
/**
* Returns the set of all ACLs capable of administering temp destination
*/
Set getTempDestinationAdminACLs();
/**
* Returns the set of all ACLs capable of reading from temp destination
*/
Set getTempDestinationReadACLs();
/**
* Returns the set of all ACLs capable of writing to temp destination
*/
Set getTempDestinationWriteACLs();
/** /**
* Returns the set of all ACLs capable of administering the given destination * Returns the set of all ACLs capable of administering the given destination
*/ */
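Review bot: The Javadoc on the three new `getTempDestination*ACLs()` methods does not state the return contract, and the implementations in this commit return null when no entry is configured while AuthorizationBroker skips the check entirely for a null set. Since this interface is the authorization contract, each method should spell that out, e.g. add `@return the set of allowed principals, or {@code null} when no temp-destination entry is configured (callers treat {@code null} as unrestricted)`. It would also be worth saying that, unlike the per-destination getters below, these sets apply uniformly to every temporary destination.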


@ -37,14 +37,46 @@ import java.util.Set;
public class DefaultAuthorizationMap extends DestinationMap implements AuthorizationMap { public class DefaultAuthorizationMap extends DestinationMap implements AuthorizationMap {
private AuthorizationEntry defaultEntry; private AuthorizationEntry defaultEntry;
private TempDestinationAuthorizationEntry tempDestinationAuthorizationEntry;
public DefaultAuthorizationMap() { public DefaultAuthorizationMap() {
} }
public DefaultAuthorizationMap(List authorizationEntries) { public DefaultAuthorizationMap(List authorizationEntries) {
setAuthorizationEntries(authorizationEntries); setAuthorizationEntries(authorizationEntries);
} }
public void setTempDestinationAuthorizationEntry(TempDestinationAuthorizationEntry tempDestinationAuthorizationEntry) {
this.tempDestinationAuthorizationEntry = tempDestinationAuthorizationEntry;
}
public TempDestinationAuthorizationEntry getTempDestinationAuthorizationEntry() {
return this.tempDestinationAuthorizationEntry;
}
public Set getTempDestinationAdminACLs() {
if(tempDestinationAuthorizationEntry != null)
return tempDestinationAuthorizationEntry.getAdminACLs();
else
return null;
}
public Set getTempDestinationReadACLs() {
if(tempDestinationAuthorizationEntry != null)
return tempDestinationAuthorizationEntry.getReadACLs();
else
return null;
}
public Set getTempDestinationWriteACLs() {
if(tempDestinationAuthorizationEntry != null)
return tempDestinationAuthorizationEntry.getWriteACLs();
else
return null;
}
public Set getAdminACLs(ActiveMQDestination destination) { public Set getAdminACLs(ActiveMQDestination destination) {
Set entries = getAllEntries(destination); Set entries = getAllEntries(destination);
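Review bot: The three new getters repeat the same null guard with an if/else that each returns from both branches; a single expression per method reads more clearly, e.g. `return tempDestinationAuthorizationEntry == null ? null : tempDestinationAuthorizationEntry.getAdminACLs();`. None of the five new members carries Javadoc, so the fact that a null entry (the default, since nothing initialises the field) yields a null ACL set is only discoverable by reading the broker; a one-line comment on the field, `// null until configured; the broker then applies no temp-destination check`, would make that explicit.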


@ -137,6 +137,22 @@ public class LDAPAuthorizationMap implements AuthorizationMap {
queueSearchSubtreeBool = new Boolean(queueSearchSubtree).booleanValue(); queueSearchSubtreeBool = new Boolean(queueSearchSubtree).booleanValue();
} }
public Set getTempDestinationAdminACLs() {
//TODO insert implementation
return null;
}
public Set getTempDestinationReadACLs() {
// TODO insert implementation
return null;
}
public Set getTempDestinationWriteACLs() {
// TODO insert implementation
return null;
}
public Set getAdminACLs(ActiveMQDestination destination) { public Set getAdminACLs(ActiveMQDestination destination) {
return getACLs(destination, adminBase, adminAttribute); return getACLs(destination, adminBase, adminAttribute);
} }
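Review bot: The three stubs return null, and AuthorizationBroker treats a null ACL set as "no restriction", so an LDAP-backed broker built from this commit applies no authorization at all to temporary destinations while the TODOs remain open. That default should be chosen deliberately rather than fall out of the stub; if the intent is to deny until implemented, return an empty set (which the broker rejects for every principal), and if it is to permit, say so in the comment, e.g. `// TODO: null is treated by AuthorizationBroker as unrestricted; decide whether LDAP should deny (empty set) or resolve these from the directory`. The same consideration applies to the DefaultAuthorizationMap and SimpleAuthorizationMap getters, where null is likewise the unconfigured default.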


@ -36,6 +36,8 @@ public class SimpleAuthorizationMap implements AuthorizationMap {
private DestinationMap readACLs; private DestinationMap readACLs;
private DestinationMap adminACLs; private DestinationMap adminACLs;
private TempDestinationAuthorizationEntry tempDestinationAuthorizationEntry;
public SimpleAuthorizationMap() { public SimpleAuthorizationMap() {
} }
@ -45,6 +47,42 @@ public class SimpleAuthorizationMap implements AuthorizationMap {
this.adminACLs = adminACLs; this.adminACLs = adminACLs;
} }
/*
* Need to think how to retrieve the ACLs for temporary destinations since they are not map
* to a specific destination. For now we'll just retrieve it from a TempDestinationAuthorizationEntry
* same way as the DefaultAuthorizationMap. The ACLs retrieved here will be map to all temp destinations
*/
public void setTempDestinationAuthorizationEntry(TempDestinationAuthorizationEntry tempDestinationAuthorizationEntry) {
this.tempDestinationAuthorizationEntry = tempDestinationAuthorizationEntry;
}
public TempDestinationAuthorizationEntry getTempDestinationAuthorizationEntry() {
return this.tempDestinationAuthorizationEntry;
}
public Set getTempDestinationAdminACLs() {
if(tempDestinationAuthorizationEntry != null)
return tempDestinationAuthorizationEntry.getAdminACLs();
else
return null;
}
public Set getTempDestinationReadACLs() {
if(tempDestinationAuthorizationEntry != null)
return tempDestinationAuthorizationEntry.getReadACLs();
else
return null;
}
public Set getTempDestinationWriteACLs() {
if(tempDestinationAuthorizationEntry != null)
return tempDestinationAuthorizationEntry.getWriteACLs();
else
return null;
}
public Set getAdminACLs(ActiveMQDestination destination) { public Set getAdminACLs(ActiveMQDestination destination) {
return adminACLs.get(destination); return adminACLs.get(destination);
} }
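Review bot: The field, setter, getter and three ACL accessors added here are a verbatim copy of the members added to DefaultAuthorizationMap in the same commit; with two copies already, the null-guard logic is a candidate for a small shared helper (or a base class both maps extend) so a later change to the null semantics is not applied to one and missed in the other. The explanatory block comment is useful but should be Javadoc on the setter and read "since they are not mapped to a specific destination" and "will be applied to all temp destinations"; as a plain `/* */` comment it does not reach generated documentation.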


@ -0,0 +1,45 @@
/**
*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.activemq.security;
import org.apache.activemq.filter.DestinationMapEntry;
import org.apache.activemq.jaas.GroupPrincipal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.StringTokenizer;
/**
* Represents an entry in a {@link DefaultAuthorizationMap} for assigning
* different operations (read, write, admin) of user roles to
* a temporary destination
*
* @org.apache.xbean.XBean
*
* @version $Revision: 426366 $
*/
public class TempDestinationAuthorizationEntry extends AuthorizationEntry {
public void afterPropertiesSet() throws Exception {
//we don't need to check if destination is specified since
//the TempDestinationAuthorizationEntry should map to all temp destinations
}
}
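Review bot: The new class imports DestinationMapEntry, GroupPrincipal, Collections, HashSet, Set and StringTokenizer but uses none of them in the body shown, so the import block looks copied from AuthorizationEntry and should be trimmed. The key design fact — that this entry has no destination of its own and is applied to every temporary destination — is only stated inside `afterPropertiesSet()`; it belongs in the class Javadoc, e.g. `Unlike {@link AuthorizationEntry}, no queue or topic is set on this entry: the configured roles apply to all temporary destinations.`. The method presumably overrides a superclass hook that validates the destination (the body suggests so, but the superclass is not in the diff), in which case an explicit note `// intentionally does not call super: there is no destination to validate` would make the suppression deliberate rather than accidental.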


@ -18,10 +18,10 @@
package org.apache.activemq.security; package org.apache.activemq.security;
import org.apache.activemq.command.ActiveMQQueue; import org.apache.activemq.command.ActiveMQQueue;
import org.apache.activemq.command.ActiveMQTempQueue;
import org.apache.activemq.jaas.GroupPrincipal; import org.apache.activemq.jaas.GroupPrincipal;
import java.util.*; import java.util.*;
import java.util.Set;
import junit.framework.TestCase; import junit.framework.TestCase;
@ -33,6 +33,7 @@ public class AuthorizationMapTest extends TestCase {
static final GroupPrincipal guests = new GroupPrincipal("guests"); static final GroupPrincipal guests = new GroupPrincipal("guests");
static final GroupPrincipal users = new GroupPrincipal("users"); static final GroupPrincipal users = new GroupPrincipal("users");
static final GroupPrincipal admins = new GroupPrincipal("admins"); static final GroupPrincipal admins = new GroupPrincipal("admins");
static final GroupPrincipal tempDestinationAdmins = new GroupPrincipal("tempDestAdmins");
public void testAuthorizationMap() { public void testAuthorizationMap() {
AuthorizationMap map = createAuthorizationMap(); AuthorizationMap map = createAuthorizationMap();
@ -41,8 +42,23 @@ public class AuthorizationMapTest extends TestCase {
assertEquals("set size: " + readACLs, 2, readACLs.size()); assertEquals("set size: " + readACLs, 2, readACLs.size());
assertTrue("Contains users group", readACLs.contains(admins)); assertTrue("Contains users group", readACLs.contains(admins));
assertTrue("Contains users group", readACLs.contains(users)); assertTrue("Contains users group", readACLs.contains(users));
} }
public void testAuthorizationMapWithTempDest() {
AuthorizationMap map = createAuthorizationMapWithTempDest();
Set readACLs = map.getReadACLs(new ActiveMQQueue("USERS.FOO.BAR"));
assertEquals("set size: " + readACLs, 2, readACLs.size());
assertTrue("Contains users group", readACLs.contains(admins));
assertTrue("Contains users group", readACLs.contains(users));
Set tempAdminACLs = map.getTempDestinationAdminACLs();
assertEquals("set size: " + tempAdminACLs, 1, tempAdminACLs.size());
assertTrue("Contains users group", tempAdminACLs.contains(tempDestinationAdmins));
}
protected AuthorizationMap createAuthorizationMap() { protected AuthorizationMap createAuthorizationMap() {
DefaultAuthorizationMap answer = new DefaultAuthorizationMap(); DefaultAuthorizationMap answer = new DefaultAuthorizationMap();
@ -62,5 +78,31 @@ public class AuthorizationMapTest extends TestCase {
return answer; return answer;
} }
protected AuthorizationMap createAuthorizationMapWithTempDest() {
DefaultAuthorizationMap answer = new DefaultAuthorizationMap();
List entries = new ArrayList();
AuthorizationEntry entry = new AuthorizationEntry();
entry.setQueue(">");
entry.setRead("admins");
entries.add(entry);
entry = new AuthorizationEntry();
entry.setQueue("USERS.>");
entry.setRead("users");
entries.add(entry);
answer.setAuthorizationEntries(entries);
//create entry for temporary queue
TempDestinationAuthorizationEntry tEntry = new TempDestinationAuthorizationEntry();
tEntry.setAdmin("tempDestAdmins");
answer.setTempDestinationAuthorizationEntry(tEntry);
return answer;
}
} }
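Review bot: The new test only exercises `getTempDestinationAdminACLs()` on a map with an entry configured; it does not cover the read/write temp getters, nor the unconfigured case, which is the one the broker treats as fail-open, so a single `assertNull(createAuthorizationMap().getTempDestinationAdminACLs());` in `testAuthorizationMap` would pin that behaviour. The `ActiveMQTempQueue` import added in the first hunk is never used in the hunks shown. The assertion message `"Contains users group"` is copied onto the `tempDestinationAdmins` check and should name the group actually asserted.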


@ -16,5 +16,6 @@
## --------------------------------------------------------------------------- ## ---------------------------------------------------------------------------
admins=system admins=system
tempDestinationAdmins=system,user
users=system,user users=system,user
guests=guest guests=guest


@ -42,6 +42,11 @@
<authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/> <authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
</authorizationEntries> </authorizationEntries>
<!-- let's assign roles to temporary destinations. comment this entry if we don't want any roles assigned to temp destinations -->
<tempDestinationAuthorizationEntry>
<tempDestinationAuthorizationEntry read="tempDestinationAdmins" write="tempDestinationAdmins" admin="tempDestinationAdmins"/>
</tempDestinationAuthorizationEntry>
</authorizationMap> </authorizationMap>
</map> </map>
</authorizationPlugin> </authorizationPlugin>
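Review bot: The new XML comment says to comment the entry out "if we don't want any roles assigned to temp destinations", but with the broker code in this commit an absent entry makes the temp-destination getters return null and the authorization check is skipped, so removing the entry grants every authenticated user read, write and admin on temp destinations rather than none. The comment should state the actual effect so operators do not misread it as a lock-down, e.g. `<!-- roles for temporary destinations; if this element is omitted, temp destinations are NOT restricted (any authenticated user may create, read, write and remove them) -->`.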