Posted to commits@qpid.apache.org by rg...@apache.org on 2016/06/29 23:23:10 UTC
svn commit: r1750734 [1/4] - in /qpid/java/trunk:
broker-core/src/main/java/org/apache/qpid/server/logging/
broker-core/src/main/java/org/apache/qpid/server/model/
broker-core/src/main/java/org/apache/qpid/server/model/adapter/
broker-core/src/main/jav...
Author: rgodfrey
Date: Wed Jun 29 23:23:09 2016
New Revision: 1750734
URL: http://svn.apache.org/viewvc?rev=1750734&view=rev
Log:
QPID-7318 : Move logic relating to the legacy ACL model into the plugin from broker-core
Added:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SecurityToken.java (with props)
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/CachingSecurityToken.java (with props)
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControl.java (with props)
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java (with props)
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java
- copied, changed from r1750731, qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectType.java
- copied, changed from r1750613, qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/access/ObjectType.java
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/OperationLoggingDetails.java
- copied, changed from r1750613, qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/access/OperationLoggingDetails.java
qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java (with props)
Removed:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/access/ObjectType.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/access/OperationLoggingDetails.java
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/BrokerFileLoggerImpl.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/BrokerMemoryLoggerImpl.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/VirtualHostFileLoggerImpl.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileSystemPreferencesProviderImpl.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/AccessControl.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ConfigModelPasswordManagingAuthenticationProvider.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/AMQPConnection.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/AbstractAMQPConnection.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/SecurityManagerTest.java
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclAction.java
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclFileParser.java
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclRulePredicates.java
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Action.java
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ClientAction.java
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleBasedAccessControl.java
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSetCreator.java
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderImpl.java
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AclRule.java
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/RuleBasedAccessControlProviderImpl.java
qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclActionTest.java
qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclFileParserTest.java
qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclRulePredicatesTest.java
qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/ActionTest.java
qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleBasedAccessControlTest.java
qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleSetTest.java
qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSession.java
qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSessionDelegate.java
qpid/java/trunk/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQChannel.java
qpid/java/trunk/broker-plugins/amqp-0-8-protocol/src/test/java/org/apache/qpid/server/protocol/v0_8/AMQChannelTest.java
qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ExchangeDestination.java
qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/NodeReceivingDestination.java
qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/QueueDestination.java
qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ReceivingDestination.java
qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ReceivingLink_1_0.java
qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/Session_1_0.java
qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementAddressSpace.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
qpid/java/trunk/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticatorTest.java
qpid/java/trunk/systests/src/test/java/org/apache/qpid/server/security/acl/ExternalACLTest.java
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/BrokerFileLoggerImpl.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/BrokerFileLoggerImpl.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/BrokerFileLoggerImpl.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/BrokerFileLoggerImpl.java Wed Jun 29 23:23:09 2016
@@ -158,7 +158,7 @@ public class BrokerFileLoggerImpl extend
@Override
public Content getFile(final String fileName)
{
- getSecurityManager().authoriseLogsAccess(this);
+ getSecurityManager().authoriseExecute(this, "getFile", Collections.singletonMap("fileName", (Object)fileName));
return _rolloverWatcher == null ? null : _rolloverWatcher.getFileContent(fileName);
}
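Review bot: The method name handed to authoriseExecute is a free-standing string literal (`"getFile"`) that has to stay equal to the Java method name and to whatever name the access-control rules match on; a typo or a later rename still compiles and only shows up as a changed authorisation decision. The same pattern repeats in the getFiles and getAllFiles hunks of this file, in BrokerMemoryLoggerImpl.getLogEntries and in the three VirtualHostFileLoggerImpl hunks. Consider per-class constants such as `private static final String GET_FILE = "getFile";`, or a unit test that checks each literal against the declared operations. Because one authoriseLogsAccess check has become several named checks, a short comment stating that existing log-access rules are expected to cover each name would help whoever maintains the ACL mapping.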
@@ -166,7 +166,7 @@ public class BrokerFileLoggerImpl extend
@Override
public Content getFiles(@Param(name = "fileName") Set<String> fileName)
{
- getSecurityManager().authoriseLogsAccess(this);
+ getSecurityManager().authoriseExecute(this, "getFiles", Collections.singletonMap("fileName", (Object)fileName));
return _rolloverWatcher == null ? null :_rolloverWatcher.getFilesAsZippedContent(fileName);
}
@@ -174,7 +174,7 @@ public class BrokerFileLoggerImpl extend
@Override
public Content getAllFiles()
{
- getSecurityManager().authoriseLogsAccess(this);
+ getSecurityManager().authoriseExecute(this, "getAllFiles", Collections.<String,Object>emptyMap());
return _rolloverWatcher == null ? null : _rolloverWatcher.getAllFilesAsZippedContent();
}
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/BrokerMemoryLoggerImpl.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/BrokerMemoryLoggerImpl.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/BrokerMemoryLoggerImpl.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/BrokerMemoryLoggerImpl.java Wed Jun 29 23:23:09 2016
@@ -23,6 +23,7 @@ package org.apache.qpid.server.logging;
import java.security.AccessControlException;
import java.util.ArrayList;
import java.util.Collection;
+import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -105,7 +106,7 @@ public class BrokerMemoryLoggerImpl exte
@Override
public Collection<LogRecord> getLogEntries(long lastLogId)
{
- getSecurityManager().authoriseLogsAccess(this);
+ getSecurityManager().authoriseExecute(this, "getLogEntries", Collections.<String,Object>emptyMap());
List<LogRecord> logRecords = new ArrayList<>();
for(LogRecord record : _logRecorder)
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/VirtualHostFileLoggerImpl.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/VirtualHostFileLoggerImpl.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/VirtualHostFileLoggerImpl.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/VirtualHostFileLoggerImpl.java Wed Jun 29 23:23:09 2016
@@ -146,7 +146,7 @@ public class VirtualHostFileLoggerImpl e
@Override
public Content getFile(final String fileName)
{
- getSecurityManager().authoriseLogsAccess(this);
+ getSecurityManager().authoriseExecute(this, "getFile", Collections.singletonMap("fileName", (Object)fileName));
return _rolloverWatcher == null ? null : _rolloverWatcher.getFileContent(fileName);
}
@@ -154,7 +154,7 @@ public class VirtualHostFileLoggerImpl e
@Override
public Content getFiles(@Param(name = "fileName") Set<String> fileName)
{
- getSecurityManager().authoriseLogsAccess(this);
+ getSecurityManager().authoriseExecute(this, "getFiles", Collections.singletonMap("fileName", (Object)fileName));
return _rolloverWatcher == null ? null : _rolloverWatcher.getFilesAsZippedContent(fileName);
}
@@ -163,7 +163,7 @@ public class VirtualHostFileLoggerImpl e
@Override
public Content getAllFiles()
{
- getSecurityManager().authoriseLogsAccess(this);
+ getSecurityManager().authoriseExecute(this, "getAllFiles", Collections.<String,Object>emptyMap());
return _rolloverWatcher == null ? null : _rolloverWatcher.getAllFilesAsZippedContent();
}
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java Wed Jun 29 23:23:09 2016
@@ -56,8 +56,6 @@ public interface AuthenticationProvider<
*/
void setPreferencesProvider(PreferencesProvider<?> preferencesProvider);
- void recoverUser(User user);
-
/**
* Gets the SASL mechanisms known to this manager.
*
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileSystemPreferencesProviderImpl.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileSystemPreferencesProviderImpl.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileSystemPreferencesProviderImpl.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileSystemPreferencesProviderImpl.java Wed Jun 29 23:23:09 2016
@@ -45,7 +45,6 @@ import com.fasterxml.jackson.databind.Se
import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
-import com.google.common.util.concurrent.SettableFuture;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -226,7 +225,7 @@ public class FileSystemPreferencesProvid
@Override
public Map<String, Object> getPreferences(String userId)
{
- getSecurityManager().authoriseUserUpdate(userId);
+ getSecurityManager().authoriseExecute(_authenticationProvider, "getPreferences", Collections.singletonMap("userId", (Object)userId));
return _store == null? Collections.<String, Object>emptyMap() : _store.getPreferences(userId);
}
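Review bot: The check in getPreferences is evaluated against `_authenticationProvider`, not `this`, and the per-user decision that authoriseUserUpdate(userId) used to make now travels only as the `userId` entry of the argument map. Whether a user can read their own preferences but not someone else's therefore depends on the access-control implementation comparing that argument with the caller, which nothing in this hunk shows. I would add a comment at the call, e.g. `// authorised on the owning AuthenticationProvider; the access control must match userId against the caller`, and confirm that `_authenticationProvider` cannot be null when this runs. The deletePreferences hunk below has the same shape.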
@@ -251,7 +250,7 @@ public class FileSystemPreferencesProvid
for (String userId: userIDs)
{
- getSecurityManager().authoriseUserUpdate(userId);
+ getSecurityManager().authoriseExecute(_authenticationProvider, "deletePreferences", Collections.singletonMap("userId", (Object)userId));
}
return _store.deletePreferences(userIDs);
}
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java Wed Jun 29 23:23:09 2016
@@ -29,6 +29,7 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
+import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
@@ -1864,13 +1865,8 @@ public abstract class AbstractQueue<X ex
@Override
public long clearQueue()
{
- return clear(0l);
- }
-
- private long clear(final long request)
- {
//Perform ACLs
- getVirtualHost().getSecurityManager().authorisePurge(this);
+ getVirtualHost().getSecurityManager().authoriseExecute(this, "clearQueue", Collections.<String,Object>emptyMap());
QueueEntryIterator queueListIterator = getEntries().iterator();
long count = 0;
@@ -1892,10 +1888,6 @@ public abstract class AbstractQueue<X ex
if (acquired)
{
dequeueEntry(node, txn);
- if(++count == request)
- {
- break;
- }
}
}
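Review bot: Removing `if(++count == request)` also removes the only visible increment of `count`, which the previous hunk still declares as `long count = 0;`. Unless the counter is updated somewhere outside these lines, clearQueue() will now report 0 no matter how many entries were dequeued. Keeping the increment, `count++;` directly after `dequeueEntry(node, txn);`, preserves the return value. The loop header and the return statement are outside the hunk, so this should be confirmed against the full method.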
@@ -3418,9 +3410,12 @@ public abstract class AbstractQueue<X ex
@Override
public List<Long> moveMessages(Queue<?> destination, List<Long> messageIds, final String selector, final int limit)
{
- // FIXME: added temporary authorization check until we introduce management layer
- // and review current ACL rules to have common rules for all management interfaces
- authorizeMethod("moveMessages");
+ Map<String, Object> args = new HashMap<>();
+ args.put("destination", destination);
+ args.put("messageIds", messageIds);
+ args.put("selector", selector);
+ args.put("limit", limit);
+ getSecurityManager().authoriseExecute(this, "moveMessages", args);
MoveMessagesTransaction transaction = new MoveMessagesTransaction(this,
messageIds,
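Review bot: Authorisation in moveMessages is requested on `this` (the source queue) only; the target queue appears solely as the `destination` entry of the argument map. A caller permitted to invoke moveMessages on one queue can therefore name any destination unless the access-control implementation inspects that argument, which is not visible here. I would state that contract in a comment, e.g. `// destination is authorised only via the "destination" argument`, and cover it with a test that denies a move into a queue the caller cannot otherwise publish to. copyMessages in the next hunk builds the identical map and has the same gap; the method body continues past the end of this hunk.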
@@ -3435,9 +3430,13 @@ public abstract class AbstractQueue<X ex
@Override
public List<Long> copyMessages(Queue<?> destination, List<Long> messageIds, final String selector, int limit)
{
- // FIXME: added temporary authorization check until we introduce management layer
- // and review current ACL rules to have common rules for all management interfaces
- authorizeMethod("copyMessages");
+
+ Map<String, Object> args = new HashMap<>();
+ args.put("destination", destination);
+ args.put("messageIds", messageIds);
+ args.put("selector", selector);
+ args.put("limit", limit);
+ getSecurityManager().authoriseExecute(this, "copyMessages", args);
CopyMessagesTransaction transaction = new CopyMessagesTransaction(this,
messageIds,
@@ -3453,9 +3452,12 @@ public abstract class AbstractQueue<X ex
public List<Long> deleteMessages(final List<Long> messageIds, final String selector, int limit)
{
- // FIXME: added temporary authorization check until we introduce management layer
- // and review current ACL rules to have common rules for all management interfaces
- authorizeMethod("deleteMessages");
+ Map<String, Object> args = new HashMap<>();
+ args.put("messageIds", messageIds);
+ args.put("selector", selector);
+ args.put("limit", limit);
+ getSecurityManager().authoriseExecute(this, "deleteMessages", args);
+
DeleteMessagesTransaction transaction = new DeleteMessagesTransaction(this,
messageIds,
parseSelector(selector),
@@ -3509,14 +3511,6 @@ public abstract class AbstractQueue<X ex
return messageFinder.getMessageInfo();
}
- private void authorizeMethod(String methodName)
- {
- getSecurityManager().authoriseMethod(Operation.UPDATE,
- "VirtualHost.Queue",
- methodName,
- getVirtualHost().getName());
- }
-
private class MessageFinder implements QueueEntryVisitor
{
private final long _messageNumber;
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/AccessControl.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/AccessControl.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/AccessControl.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/AccessControl.java Wed Jun 29 23:23:09 2016
@@ -18,24 +18,116 @@
*/
package org.apache.qpid.server.security;
-import org.apache.qpid.server.security.access.ObjectProperties;
-import org.apache.qpid.server.security.access.ObjectType;
+import java.util.Map;
+
+import javax.security.auth.Subject;
+
+import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.security.access.Operation;
-/**
- * The method {@link #authorise(Operation, ObjectType, ObjectProperties)},
- * returns the {@link Result} of the security decision, which may be to {@link Result#ABSTAIN} if no decision is made.
- */
-public interface AccessControl
+public interface AccessControl<T extends SecurityToken>
{
- /**
- * Default result for {@link #authorise(Operation, ObjectType, ObjectProperties)}.
- */
Result getDefault();
- /**
- * Authorise an operation on an object defined by a set of properties.
- */
- Result authorise(Operation operation, ObjectType objectType, ObjectProperties properties);
+
+ T newToken();
+
+ T newToken(Subject subject);
+
+ Result authorise(Operation operation, ConfiguredObject<?> configuredObject);
+ Result authoriseMethod(ConfiguredObject<?> configuredObject, String methodName, Map<String,Object> arguments);
+ Result authoriseMethod(T token, ConfiguredObject<?> configuredObject, String methodName, Map<String,Object> arguments);
+
+
+
+ AccessControl ALWAYS_ALLOWED = new AccessControl<SecurityToken>()
+ {
+ @Override
+ public Result getDefault()
+ {
+ return Result.ALLOWED;
+ }
+
+ @Override
+ public SecurityToken newToken()
+ {
+ return null;
+ }
+
+ @Override
+ public SecurityToken newToken(final Subject subject)
+ {
+ return null;
+ }
+
+ @Override
+ public Result authorise(final Operation operation, final ConfiguredObject<?> configuredObject)
+ {
+ return Result.ALLOWED;
+ }
+
+ @Override
+ public Result authoriseMethod(final ConfiguredObject<?> configuredObject,
+ final String methodName,
+ final Map<String, Object> arguments)
+ {
+ return Result.ALLOWED;
+ }
+
+ @Override
+ public Result authoriseMethod(final SecurityToken token,
+ final ConfiguredObject configuredObject,
+ final String methodName,
+ final Map arguments)
+ {
+ return Result.ALLOWED;
+ }
+ };
+
+ AccessControl ALWAYS_DENIED = new AccessControl<SecurityToken>()
+ {
+ @Override
+ public Result getDefault()
+ {
+ return Result.DENIED;
+ }
+
+ @Override
+ public SecurityToken newToken()
+ {
+ return null;
+ }
+
+ @Override
+ public SecurityToken newToken(final Subject subject)
+ {
+ return null;
+ }
+
+ @Override
+ public Result authorise(final Operation operation, final ConfiguredObject<?> configuredObject)
+ {
+ return Result.DENIED;
+ }
+
+ @Override
+ public Result authoriseMethod(final ConfiguredObject<?> configuredObject,
+ final String methodName,
+ final Map<String, Object> arguments)
+ {
+ return Result.DENIED;
+ }
+
+ @Override
+ public Result authoriseMethod(final SecurityToken token,
+ final ConfiguredObject<?> configuredObject,
+ final String methodName,
+ final Map<String, Object> arguments)
+ {
+ return Result.DENIED;
+ }
+ };
+
+
}
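Review bot: The rewritten interface loses all of its Javadoc, and both constants are declared with the raw type `AccessControl`; in ALWAYS_ALLOWED the token overload of authoriseMethod additionally takes raw `ConfiguredObject` and `Map`, unlike its ALWAYS_DENIED twin. Declaring them as `AccessControl<SecurityToken> ALWAYS_ALLOWED` and `AccessControl<SecurityToken> ALWAYS_DENIED`, with `final ConfiguredObject<?> configuredObject` and `final Map<String, Object> arguments` in both, removes the unchecked warnings and the inconsistency. Javadoc is worth restoring on each method: in particular that newToken() and newToken(Subject) return null in both constants, so authoriseMethod(T token, ...) must tolerate a null token. The constants should also carry a line saying ALWAYS_ALLOWED grants every operation and is not meant as a fallback when a provider fails to load.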
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java Wed Jun 29 23:23:09 2016
@@ -18,15 +18,6 @@
*/
package org.apache.qpid.server.security;
-import static org.apache.qpid.server.security.access.ObjectType.BROKER;
-import static org.apache.qpid.server.security.access.ObjectType.EXCHANGE;
-import static org.apache.qpid.server.security.access.ObjectType.METHOD;
-import static org.apache.qpid.server.security.access.ObjectType.QUEUE;
-import static org.apache.qpid.server.security.access.ObjectType.USER;
-import static org.apache.qpid.server.security.access.Operation.ACCESS_LOGS;
-import static org.apache.qpid.server.security.access.Operation.PUBLISH;
-import static org.apache.qpid.server.security.access.Operation.PURGE;
-
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
@@ -34,46 +25,19 @@ import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collection;
import java.util.Collections;
+import java.util.Map;
import java.util.Set;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.ConcurrentMap;
import javax.security.auth.Subject;
import javax.security.auth.SubjectDomainCombiner;
import org.apache.qpid.server.model.AccessControlProvider;
-import org.apache.qpid.server.model.Binding;
-import org.apache.qpid.server.model.Broker;
-import org.apache.qpid.server.model.BrokerLogInclusionRule;
import org.apache.qpid.server.model.ConfiguredObject;
-import org.apache.qpid.server.model.Connection;
-import org.apache.qpid.server.model.Consumer;
-import org.apache.qpid.server.model.Exchange;
-import org.apache.qpid.server.model.ExclusivityPolicy;
-import org.apache.qpid.server.model.Group;
-import org.apache.qpid.server.model.GroupMember;
-import org.apache.qpid.server.model.LifetimePolicy;
import org.apache.qpid.server.model.Model;
-import org.apache.qpid.server.model.PreferencesProvider;
-import org.apache.qpid.server.model.Queue;
-import org.apache.qpid.server.model.RemoteReplicationNode;
-import org.apache.qpid.server.model.Session;
import org.apache.qpid.server.model.State;
-import org.apache.qpid.server.model.User;
-import org.apache.qpid.server.model.VirtualHost;
-import org.apache.qpid.server.model.VirtualHostAlias;
-import org.apache.qpid.server.model.VirtualHostLogger;
-import org.apache.qpid.server.model.VirtualHostLogInclusionRule;
-import org.apache.qpid.server.model.VirtualHostNode;
-import org.apache.qpid.server.queue.QueueConsumer;
-import org.apache.qpid.server.security.access.ObjectProperties;
-import org.apache.qpid.server.security.access.ObjectProperties.Property;
-import org.apache.qpid.server.security.access.ObjectType;
import org.apache.qpid.server.security.access.Operation;
-import org.apache.qpid.server.security.access.OperationLoggingDetails;
import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
import org.apache.qpid.server.security.auth.TaskPrincipal;
-import org.apache.qpid.server.transport.AMQPConnection;
public class SecurityManager
{
@@ -87,8 +51,6 @@ public class SecurityManager
private final boolean _managementMode;
private final ConfiguredObject<?> _aclProvidersParent;
- private final ConcurrentMap<PublishAccessCheckCacheEntry, PublishAccessCheck> _publishAccessCheckCache = new ConcurrentHashMap<>();
-
public SecurityManager(ConfiguredObject<?> aclProvidersParent, boolean managementMode)
{
_managementMode = managementMode;
@@ -207,6 +169,22 @@ public class SecurityManager
});
}
+ public SecurityToken newToken(final Subject subject)
+ {
+ Collection<AccessControlProvider> accessControlProviders = _aclProvidersParent.getChildren(AccessControlProvider.class);
+ if(accessControlProviders != null && !accessControlProviders.isEmpty())
+ {
+ AccessControlProvider<?> accessControlProvider = accessControlProviders.iterator().next();
+ if (accessControlProvider != null
+ && accessControlProvider.getState() == State.ACTIVE
+ && accessControlProvider.getAccessControl() != null)
+ {
+ return accessControlProvider.getAccessControl().newToken(subject);
+ }
+ }
+ return null;
+ }
+
private static final class SystemPrincipal implements Principal
{
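Review bot: newToken(Subject) takes the token from `accessControlProviders.iterator().next()` alone, so when more than one AccessControlProvider child exists the others never contribute, and which provider is first depends on the ordering of getChildren, which is not visible here. `getAccessControl()` is also called twice, once for the null check and once for the call; reading it into a local, `AccessControl<?> accessControl = accessControlProvider.getAccessControl();`, and testing that local closes the window in which a provider being closed concurrently could yield a NullPointerException. The method returns null when no active provider is found, which deserves a Javadoc line so that callers passing the token on know null is a legal value.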
@@ -269,56 +247,6 @@ public class SecurityManager
return true;
}
- public void authoriseMethod(final Operation operation, final String componentName, final String methodName, final String virtualHostName)
- {
- boolean allowed = checkAllPlugins(new AccessCheck()
- {
- Result allowed(AccessControl plugin)
- {
- ObjectProperties properties = new ObjectProperties();
- properties.setName(methodName);
- if (componentName != null)
- {
- properties.put(ObjectProperties.Property.COMPONENT, componentName);
- }
- if (virtualHostName != null)
- {
- properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, virtualHostName);
- }
- return plugin.authorise(operation, METHOD, properties);
- }
- });
- if(!allowed)
- {
- throw new AccessControlException("Permission denied: " + operation.name() + " " + methodName);
- }
- }
-
- public void accessManagement()
- {
- if(!checkAllPlugins(new AccessCheck()
- {
- Result allowed(AccessControl plugin)
- {
- return plugin.authorise(Operation.ACCESS, ObjectType.MANAGEMENT, ObjectProperties.EMPTY);
- }
- }))
- {
- throw new AccessControlException("User is not authorised for management");
- }
- }
-
- public void authoriseCreateConnection(final AMQPConnection<?> connection)
- {
- String virtualHostName = connection.getAddressSpaceName();
- ObjectProperties properties = new ObjectProperties(virtualHostName);
- properties.put(Property.VIRTUALHOST_NAME, virtualHostName);
- if (!checkAllPlugins(ObjectType.VIRTUALHOST, properties, Operation.ACCESS))
- {
- throw new AccessControlException("Permission denied: " + virtualHostName);
- }
- }
-
public void authoriseCreate(ConfiguredObject<?> object)
{
authorise(Operation.CREATE, object);
@@ -342,26 +270,14 @@ public class SecurityManager
return;
}
- if (isAllowedOperation(operation, configuredObject))
- {
- // creation of remote replication node is out of control for user of this broker
- return;
- }
- Class<? extends ConfiguredObject> categoryClass = configuredObject.getCategoryClass();
- ObjectType objectType = getACLObjectTypeManagingConfiguredObjectOfCategory(categoryClass);
- if (objectType == null)
- {
- throw new IllegalArgumentException("Cannot identify object type for category " + categoryClass );
- }
- ObjectProperties properties = getACLObjectProperties(configuredObject, operation);
- Operation authoriseOperation = validateAuthoriseOperation(operation, categoryClass);
- if(!checkAllPlugins(objectType, properties, authoriseOperation))
+ if(!checkAllPlugins(operation, configuredObject))
{
+ Class<? extends ConfiguredObject> categoryClass = configuredObject.getCategoryClass();
String objectName = (String)configuredObject.getAttribute(ConfiguredObject.NAME);
- StringBuilder exceptionMessage = new StringBuilder(String.format("Permission %s %s is denied for : %s %s '%s'",
- authoriseOperation.name(), objectType.name(), operation.name(), categoryClass.getSimpleName(), objectName ));
+ StringBuilder exceptionMessage = new StringBuilder(String.format("Permission %s is denied for : %s '%s'",
+ operation.name(), categoryClass.getSimpleName(), objectName ));
Model model = getModel();
Collection<Class<? extends ConfiguredObject>> parentClasses = model.getParentTypes(categoryClass);
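Review bot: The early return on isAllowedOperation is dropped here, so CREATE/UPDATE/DELETE on Session and UPDATE/DELETE on Consumer and Connection are no longer exempted by SecurityManager and now reach `checkAllPlugins(operation, configuredObject)`. Whether brokers with existing rule sets keep accepting those operations depends on the access-control implementation reproducing the exemption, which is outside this hunk. A comment at the call, e.g. `// Session/Consumer/Connection exemptions are now decided by the AccessControl implementation`, plus a test against a deny-by-default rule set would pin the behaviour. The start of authorise() and the rest of the message construction lie outside the hunk.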
@@ -383,443 +299,57 @@ public class SecurityManager
}
}
- private boolean isAllowedOperation(Operation operation, ConfiguredObject<?> configuredObject)
+ public void authoriseExecute(final ConfiguredObject<?> object, final String methodName, final Map<String,Object> arguments)
{
- if (configuredObject instanceof Session && (operation == Operation.CREATE || operation == Operation.UPDATE
- || operation == Operation.DELETE))
- {
- return true;
-
- }
-
- if (configuredObject instanceof Consumer && (operation == Operation.UPDATE || operation == Operation.DELETE))
- {
- return true;
- }
-
- if (configuredObject instanceof Connection && (operation == Operation.UPDATE || operation == Operation.DELETE))
- {
- return true;
- }
-
- return false;
- }
-
- private Model getModel()
- {
- return _aclProvidersParent.getModel();
- }
-
- private boolean checkAllPlugins(final ObjectType objectType, final ObjectProperties properties, final Operation authoriseOperation)
- {
- return checkAllPlugins(new AccessCheck()
- {
- Result allowed(AccessControl plugin)
- {
- return plugin.authorise(authoriseOperation, objectType, properties);
- }
- });
- }
-
- private Operation validateAuthoriseOperation(Operation operation, Class<? extends ConfiguredObject> category)
- {
- if (operation == Operation.CREATE || operation == Operation.UPDATE)
- {
- if (Binding.class.isAssignableFrom(category))
- {
- // CREATE BINDING is transformed into BIND EXCHANGE rule
- return Operation.BIND;
- }
- else if (Consumer.class.isAssignableFrom(category))
- {
- // CREATE CONSUMER is transformed into CONSUME QUEUE rule
- return Operation.CONSUME;
- }
- else if (GroupMember.class.isAssignableFrom(category))
- {
- // CREATE GROUP MEMBER is transformed into UPDATE GROUP rule
- return Operation.UPDATE;
- }
- else if (isBrokerType(category))
- {
- // CREATE/UPDATE broker child is transformed into CONFIGURE BROKER rule
- return Operation.CONFIGURE;
- }
- }
- else if (operation == Operation.DELETE)
- {
- if (Binding.class.isAssignableFrom(category))
- {
- // DELETE BINDING is transformed into UNBIND EXCHANGE rule
- return Operation.UNBIND;
- }
- else if (isBrokerType(category))
- {
- // DELETE broker child is transformed into CONFIGURE BROKER rule
- return Operation.CONFIGURE;
-
- }
- else if (GroupMember.class.isAssignableFrom(category))
- {
- // DELETE GROUP MEMBER is transformed into UPDATE GROUP rule
- return Operation.UPDATE;
- }
- }
- return operation;
- }
-
- private boolean isBrokerType(Class<? extends ConfiguredObject> category)
- {
- return Broker.class.isAssignableFrom(category) ||
- PreferencesProvider.class.isAssignableFrom(category) ||
- BrokerLogInclusionRule.class.isAssignableFrom(category) ||
- VirtualHostAlias.class.isAssignableFrom(category) ||
- ( !VirtualHostNode.class.isAssignableFrom(category) && getModel().getChildTypes(Broker.class).contains(category));
- }
-
- private ObjectProperties getACLObjectProperties(ConfiguredObject<?> configuredObject, Operation configuredObjectOperation)
- {
- String objectName = (String)configuredObject.getAttribute(ConfiguredObject.NAME);
- Class<? extends ConfiguredObject> configuredObjectType = configuredObject.getCategoryClass();
- ObjectProperties properties = new ObjectProperties(objectName);
- if (configuredObject instanceof Binding)
- {
- Exchange<?> exchange = (Exchange<?>)configuredObject.getParent(Exchange.class);
- Queue<?> queue = (Queue<?>)configuredObject.getParent(Queue.class);
- properties.setName((String)exchange.getAttribute(Exchange.NAME));
- properties.put(Property.QUEUE_NAME, (String)queue.getAttribute(Queue.NAME));
- properties.put(Property.ROUTING_KEY, (String)configuredObject.getAttribute(Binding.NAME));
- properties.put(Property.VIRTUALHOST_NAME, (String)queue.getParent(VirtualHost.class).getAttribute(VirtualHost.NAME));
-
- // The temporary attribute (inherited from the binding's queue) seems to exist to allow the user to
- // express rules about the binding of temporary queues (whose names cannot be predicted).
- properties.put(Property.TEMPORARY, queue.getAttribute(Queue.LIFETIME_POLICY) != LifetimePolicy.PERMANENT);
- properties.put(Property.DURABLE, (Boolean)queue.getAttribute(Queue.DURABLE));
- }
- else if (configuredObject instanceof Queue)
- {
- setQueueProperties(configuredObject, properties);
- }
- else if (configuredObject instanceof Exchange)
- {
- Object lifeTimePolicy = configuredObject.getAttribute(ConfiguredObject.LIFETIME_POLICY);
- properties.put(Property.AUTO_DELETE, lifeTimePolicy != LifetimePolicy.PERMANENT);
- properties.put(Property.TEMPORARY, lifeTimePolicy != LifetimePolicy.PERMANENT);
- properties.put(Property.DURABLE, (Boolean) configuredObject.getAttribute(ConfiguredObject.DURABLE));
- properties.put(Property.TYPE, (String) configuredObject.getAttribute(Exchange.TYPE));
- VirtualHost virtualHost = configuredObject.getParent(VirtualHost.class);
- properties.put(Property.VIRTUALHOST_NAME, (String)virtualHost.getAttribute(virtualHost.NAME));
- }
- else if (configuredObject instanceof QueueConsumer)
- {
- Queue<?> queue = (Queue<?>)configuredObject.getParent(Queue.class);
- setQueueProperties(queue, properties);
- }
- else if (isBrokerType(configuredObjectType))
- {
- String description = String.format("%s %s '%s'",
- configuredObjectOperation == null? null : configuredObjectOperation.name().toLowerCase(),
- configuredObjectType == null ? null : configuredObjectType.getSimpleName().toLowerCase(),
- objectName);
- properties = new OperationLoggingDetails(description);
- }
- else if (isVirtualHostType(configuredObjectType))
- {
- ConfiguredObject<?> virtualHost = getModel().getAncestor(VirtualHost.class, configuredObject);
- properties = new ObjectProperties((String)virtualHost.getAttribute(ConfiguredObject.NAME));
- }
- return properties;
- }
-
- private void setQueueProperties(ConfiguredObject<?> queue, ObjectProperties properties)
- {
- properties.setName((String)queue.getAttribute(Exchange.NAME));
- Object lifeTimePolicy = queue.getAttribute(ConfiguredObject.LIFETIME_POLICY);
- properties.put(Property.AUTO_DELETE, lifeTimePolicy!= LifetimePolicy.PERMANENT);
- properties.put(Property.TEMPORARY, lifeTimePolicy != LifetimePolicy.PERMANENT);
- properties.put(Property.DURABLE, (Boolean)queue.getAttribute(ConfiguredObject.DURABLE));
- properties.put(Property.EXCLUSIVE, queue.getAttribute(Queue.EXCLUSIVE) != ExclusivityPolicy.NONE);
- Object alternateExchange = queue.getAttribute(Queue.ALTERNATE_EXCHANGE);
- if (alternateExchange != null)
- {
- String name = alternateExchange instanceof ConfiguredObject ?
- (String)((ConfiguredObject)alternateExchange).getAttribute(ConfiguredObject.NAME) :
- String.valueOf(alternateExchange);
- properties.put(Property.ALTERNATE,name);
- }
- String owner = (String)queue.getAttribute(Queue.OWNER);
- if (owner != null)
- {
- properties.put(Property.OWNER, owner);
- }
- VirtualHost virtualHost = queue.getParent(VirtualHost.class);
- properties.put(Property.VIRTUALHOST_NAME, (String)virtualHost.getAttribute(virtualHost.NAME));
- }
-
- private ObjectType getACLObjectTypeManagingConfiguredObjectOfCategory(Class<? extends ConfiguredObject> category)
- {
- if (Binding.class.isAssignableFrom(category))
- {
- return ObjectType.EXCHANGE;
- }
- else if (VirtualHostNode.class.isAssignableFrom(category))
- {
- return ObjectType.VIRTUALHOSTNODE;
- }
- else if (isBrokerType(category))
- {
- return ObjectType.BROKER;
- }
- else if (isVirtualHostType(category))
- {
- return ObjectType.VIRTUALHOST;
- }
- else if (Group.class.isAssignableFrom(category))
- {
- return ObjectType.GROUP;
- }
- else if (GroupMember.class.isAssignableFrom(category))
- {
- // UPDATE GROUP
- return ObjectType.GROUP;
- }
- else if (User.class.isAssignableFrom(category))
- {
- return ObjectType.USER;
- }
- else if (Queue.class.isAssignableFrom(category))
- {
- return ObjectType.QUEUE;
- }
- else if (Exchange.class.isAssignableFrom(category))
- {
- return ObjectType.EXCHANGE;
- }
- else if (Session.class.isAssignableFrom(category))
- {
- // PUBLISH EXCHANGE
- return ObjectType.EXCHANGE;
- }
- else if (Consumer.class.isAssignableFrom(category))
- {
- // CONSUME QUEUE
- return ObjectType.QUEUE;
- }
- else if (RemoteReplicationNode.class.isAssignableFrom(category))
- {
- // VHN permissions apply to remote nodes
- return ObjectType.VIRTUALHOSTNODE;
- }
- return null;
- }
-
- private boolean isVirtualHostType(Class<? extends ConfiguredObject> category)
- {
- return VirtualHost.class.isAssignableFrom(category) ||
- VirtualHostLogger.class.isAssignableFrom(category) ||
- VirtualHostLogInclusionRule.class.isAssignableFrom(category) ||
- Connection.class.isAssignableFrom(category);
- }
-
- public void authoriseUserUpdate(final String userName)
- {
- AuthenticatedPrincipal principal = getCurrentUser();
- if (principal != null && principal.getName().equals(userName))
- {
- // allow user to update its own data
- return;
- }
-
- final Operation operation = Operation.UPDATE;
- if(! checkAllPlugins(new AccessCheck()
+ if(!checkAllPlugins(new AccessCheck()
{
Result allowed(AccessControl plugin)
{
- return plugin.authorise(operation, USER, new ObjectProperties(userName));
+ return plugin.authoriseMethod(object, methodName, arguments);
}
}))
{
- throw new AccessControlException("Do not have permission" +
- " to perform the " + operation + " on the user " + userName);
- }
- }
-
- public void authorisePublish(final boolean immediate, String routingKey, String exchangeName, String virtualHostName)
- {
- PublishAccessCheckCacheEntry key = new PublishAccessCheckCacheEntry(immediate, routingKey, exchangeName, virtualHostName);
- PublishAccessCheck check = _publishAccessCheckCache.get(key);
- if (check == null)
- {
- check = new PublishAccessCheck(new ObjectProperties(virtualHostName, exchangeName, routingKey, immediate));
- _publishAccessCheckCache.putIfAbsent(key, check);
- }
- if(!checkAllPlugins(check))
- {
- throw new AccessControlException("Permission denied, publish to: exchange-name '" + exchangeName + "'");
- }
- }
-
- public void authorisePublish(final boolean immediate,
- String routingKey,
- String exchangeName,
- String virtualHostName,
- Subject currentSubject,
- final String messageUserId,
- final AMQPConnection<?> connection)
- {
- if(!connection.isAuthorizedMessagePrincipal(messageUserId))
- {
- throw new AccessControlException("The user id of the message '"
- + messageUserId
- + "' is not valid on a connection authenticated as "
- + connection.getAuthorizedPrincipal().getName());
- }
- PublishAccessCheckCacheEntry key = new PublishAccessCheckCacheEntry(immediate, routingKey, exchangeName, virtualHostName);
- PublishAccessCheck check = _publishAccessCheckCache.get(key);
- if (check == null)
- {
- check = new PublishAccessCheck(new ObjectProperties(virtualHostName, exchangeName, routingKey, immediate));
- _publishAccessCheckCache.putIfAbsent(key, check);
- }
- if(!checkAllPlugins(check, currentSubject))
- {
- throw new AccessControlException("Permission denied, publish to: exchange-name '" + exchangeName + "'");
+ throw new AccessControlException("Permission denied on "
+ + object.getCategoryClass().getSimpleName()
+ + " '" + object.getName() + "' to perform '"
+ + methodName + "' operation");
}
}
- public void authorisePurge(final Queue queue)
+ public void authoriseExecute(final SecurityToken token, final ConfiguredObject<?> object, final String methodName, final Map<String,Object> arguments)
{
- final ObjectProperties properties = new ObjectProperties();
- setQueueProperties(queue, properties);
if(!checkAllPlugins(new AccessCheck()
{
Result allowed(AccessControl plugin)
{
- return plugin.authorise(PURGE, QUEUE, properties);
+ return plugin.authoriseMethod(token, object, methodName, arguments);
}
}))
{
- throw new AccessControlException("Permission denied: queue " + queue.getName());
+ throw new AccessControlException("Permission denied on "
+ + object.getCategoryClass().getSimpleName()
+ + " '" + object.getName() + "' to perform '"
+ + methodName + "' operation");
}
}
- private class PublishAccessCheck extends AccessCheck
+ private Model getModel()
{
- private final ObjectProperties _props;
-
- public PublishAccessCheck(ObjectProperties props)
- {
- _props = props;
- }
-
- Result allowed(AccessControl plugin)
- {
- return plugin.authorise(PUBLISH, EXCHANGE, _props);
- }
+ return _aclProvidersParent.getModel();
}
- public void authoriseLogsAccess(ConfiguredObject configuredObject)
+
+ private boolean checkAllPlugins(final Operation operation, final ConfiguredObject<?> configuredObject)
{
- Class<? extends ConfiguredObject> categoryClass = configuredObject.getCategoryClass();
- final ObjectType objectType = getACLObjectTypeManagingConfiguredObjectOfCategory(categoryClass);
- final ObjectProperties objectProperties = objectType == BROKER ? ObjectProperties.EMPTY : new ObjectProperties((String)configuredObject.getAttribute(ConfiguredObject.NAME));
- if(!checkAllPlugins(new AccessCheck()
+ return checkAllPlugins(new AccessCheck()
{
Result allowed(AccessControl plugin)
{
- return plugin.authorise(ACCESS_LOGS, objectType, objectProperties);
+ return plugin.authorise(operation, configuredObject);
}
- }))
- {
- throw new AccessControlException("Permission denied to access log content");
- };
+ });
}
- public static class PublishAccessCheckCacheEntry
- {
- private final boolean _immediate;
- private final String _routingKey;
- private final String _exchangeName;
- private final String _virtualHostName;
-
- public PublishAccessCheckCacheEntry(boolean immediate, String routingKey, String exchangeName, String virtualHostName)
- {
- super();
- _immediate = immediate;
- _routingKey = routingKey;
- _exchangeName = exchangeName;
- _virtualHostName = virtualHostName;
- }
- @Override
- public int hashCode()
- {
- final int prime = 31;
- int result = 1;
- result = prime * result + ((_exchangeName == null) ? 0 : _exchangeName.hashCode());
- result = prime * result + (_immediate ? 1231 : 1237);
- result = prime * result + ((_routingKey == null) ? 0 : _routingKey.hashCode());
- result = prime * result + ((_virtualHostName == null) ? 0 : _virtualHostName.hashCode());
- return result;
- }
-
- @Override
- public boolean equals(Object obj)
- {
- if (this == obj)
- {
- return true;
- }
- if (obj == null)
- {
- return false;
- }
- if (getClass() != obj.getClass())
- {
- return false;
- }
- PublishAccessCheckCacheEntry other = (PublishAccessCheckCacheEntry) obj;
- if (_exchangeName == null)
- {
- if (other._exchangeName != null)
- {
- return false;
- }
- }
- else if (!_exchangeName.equals(other._exchangeName))
- {
- return false;
- }
- if (_immediate != other._immediate)
- {
- return false;
- }
- if (_routingKey == null)
- {
- if (other._routingKey != null)
- {
- return false;
- }
- }
- else if (!_routingKey.equals(other._routingKey))
- {
- return false;
- }
- if (_virtualHostName == null)
- {
- if (other._virtualHostName != null)
- {
- return false;
- }
- }
- else if (!_virtualHostName.equals(other._virtualHostName))
- {
- return false;
- }
- return true;
- }
-
-
- }
}
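Review bot: Both new `authoriseExecute` overloads lack Javadoc stating that they throw `AccessControlException` on denial and that the decision is delegated entirely to `plugin.authoriseMethod`. This matters because the hunk also removes the in-core exemptions: the self-update shortcut in `authoriseUserUpdate`, the Session, Consumer and Connection cases in `isAllowedOperation`, and the message user id check in `authorisePublish`. They are presumably re-implemented in the access-control plugin, but this hunk does not show that, so the contract should be written down here. I would add a comment such as `/** Asks every AccessControl plugin whether methodName may be invoked on object; throws AccessControlException if denied. No exemptions are applied in broker-core. */`. The two overloads also repeat the same four-line exception message, which a small private helper could build once.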
Added: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SecurityToken.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SecurityToken.java?rev=1750734&view=auto
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SecurityToken.java (added)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SecurityToken.java Wed Jun 29 23:23:09 2016
@@ -0,0 +1,25 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security;
+
+public interface SecurityToken
+{
+}
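Review bot: The new `SecurityToken` interface is an empty marker type with no Javadoc, so nothing here says what a token represents, who may create one, or how long it may be reused. It is passed to `plugin.authoriseMethod(token, object, methodName, arguments)` in `SecurityManager`, and the commit adds a `CachingSecurityToken`, so it appears to carry cached authorization state; that is an inference from the names. I would add a type-level comment stating that a token is opaque to broker-core, is interpreted only by the `AccessControl` implementation that issued it, and whether it is bound to one subject or may be shared across threads.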
Propchange: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SecurityToken.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java Wed Jun 29 23:23:09 2016
@@ -25,7 +25,6 @@ import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import java.util.Set;
import com.google.common.util.concurrent.FutureCallback;
import com.google.common.util.concurrent.Futures;
@@ -47,7 +46,6 @@ import org.apache.qpid.server.model.Port
import org.apache.qpid.server.model.PreferencesProvider;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
-import org.apache.qpid.server.model.User;
import org.apache.qpid.server.model.VirtualHostAlias;
import org.apache.qpid.server.model.port.AbstractPortWithAuthProvider;
import org.apache.qpid.server.security.SubjectCreator;
@@ -133,12 +131,6 @@ public abstract class AbstractAuthentica
_preferencesProvider = preferencesProvider;
}
- @Override
- public void recoverUser(final User user)
- {
- throw new IllegalConfigurationException("Cannot associate " + user + " with authentication provider " + this);
- }
-
@SuppressWarnings("unchecked")
@Override
public <C extends ConfiguredObject> ListenableFuture<C> addChildAsync(Class<C> childClass, Map<String, Object> attributes, ConfiguredObject... otherParents)
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ConfigModelPasswordManagingAuthenticationProvider.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ConfigModelPasswordManagingAuthenticationProvider.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ConfigModelPasswordManagingAuthenticationProvider.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ConfigModelPasswordManagingAuthenticationProvider.java Wed Jun 29 23:23:09 2016
@@ -166,12 +166,6 @@ public abstract class ConfigModelPasswor
}
@Override
- public void recoverUser(final User user)
- {
- _users.put(user.getName(), (ManagedUser) user);
- }
-
- @Override
public void setPassword(final String username, final String password) throws AccountNotFoundException
{
runTask(new Task<Object, AccountNotFoundException>()
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/AMQPConnection.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/AMQPConnection.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/AMQPConnection.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/AMQPConnection.java Wed Jun 29 23:23:09 2016
@@ -73,7 +73,7 @@ public interface AMQPConnection<C extend
boolean isIOThread();
- boolean isAuthorizedMessagePrincipal(String messageUserId);
+ void checkAuthorizedMessagePrincipal(String messageUserId);
void stopConnection();
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/AbstractAMQPConnection.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/AbstractAMQPConnection.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/AbstractAMQPConnection.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/AbstractAMQPConnection.java Wed Jun 29 23:23:09 2016
@@ -20,20 +20,18 @@
*/
package org.apache.qpid.server.transport;
-import java.lang.reflect.Type;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.AccessControlContext;
+import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
-import java.security.Security;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import java.util.Set;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicLong;
@@ -770,9 +768,18 @@ public abstract class AbstractAMQPConnec
}
@Override
- public final boolean isAuthorizedMessagePrincipal(final String userId)
+ public final void checkAuthorizedMessagePrincipal(final String userId)
{
- return !_messageAuthorizationRequired || getAuthorizedPrincipal().getName().equals(userId == null? "" : userId);
+ if(!(userId == null
+ || "".equals(userId.trim())
+ || !_messageAuthorizationRequired
+ || getAuthorizedPrincipal().getName().equals(userId)))
+ {
+ throw new AccessControlException("The user id of the message '"
+ + userId
+ + "' is not valid on a connection authenticated as "
+ + getAuthorizedPrincipal().getName());
+ }
}
@Override
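Review bot: The new condition in `checkAuthorizedMessagePrincipal` accepts a null or blank `userId` even when `_messageAuthorizationRequired` is true. The removed line instead compared `""` with the authenticated principal's name, which rejected such messages for any non-empty principal name. If accepting an absent user id is intended, say so in a comment and cover it with a test, because it relaxes the check rather than only moving it. The negated four-way disjunction is also hard to audit; a guard such as `if (!_messageAuthorizationRequired || userId == null || userId.trim().isEmpty()) { return; }` followed by the name comparison reads more directly. The interface declaration in `AMQPConnection` changed from `boolean` to `void` and should gain a `@throws AccessControlException` note.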
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java Wed Jun 29 23:23:09 2016
@@ -610,7 +610,7 @@ public abstract class AbstractVirtualHos
@Override
public boolean authoriseCreateConnection(final AMQPConnection<?> connection)
{
- getSecurityManager().authoriseCreateConnection(connection);
+ getSecurityManager().authoriseExecute(this, "connect", Collections.<String,Object>emptyMap());
for(ConnectionValidator validator : _connectionValidators)
{
if(!validator.validateConnectionCreation(connection, this))
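Review bot: The connection check now passes the bare string literal `"connect"` to `authoriseExecute`, so the rule a plugin applies depends on a string that has to match on both sides. A typo or a later rename would change which rule is evaluated without any compile-time error. A shared named constant would make that coupling explicit, as would a comment such as `// "connect" is the method name access-control plugins match for connection creation`. The check is also no longer given the `connection` object, so any per-connection decision has to come from the validators that follow. `Collections` must be imported for the new line, which this hunk does not show, and the method body continues outside the hunk.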