Posted to commits@qpid.apache.org by ri...@apache.org on 2007/04/06 10:21:02 UTC
svn commit: r526091 - in /incubator/qpid/branches/M2/java/broker: etc/
src/main/java/org/apache/qpid/server/security/access/
src/main/java/org/apache/qpid/server/security/auth/database/
Author: ritchiem
Date: Fri Apr 6 01:21:01 2007
New Revision: 526091
URL: http://svn.apache.org/viewvc?view=rev&rev=526091
Log:
QPID-416 Update to access control to allow simple read/write permissions per virtual host.
access - updated file to have examples of access control.
AccessManager - Deprecated old isAuthorised method
Implemented new isAuthorized method on all AccessManagers
Modified:
incubator/qpid/branches/M2/java/broker/etc/access
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManager.java
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManagerImpl.java
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AllowAll.java
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/DenyAll.java
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/FileAccessManager.java
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalDatabaseAccessManager.java
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordVhostFilePrincipalDatabase.java
Modified: incubator/qpid/branches/M2/java/broker/etc/access
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/etc/access?view=diff&rev=526091&r1=526090&r2=526091
==============================================================================
--- incubator/qpid/branches/M2/java/broker/etc/access (original)
+++ incubator/qpid/branches/M2/java/broker/etc/access Fri Apr 6 01:21:01 2007
@@ -1 +1 @@
-guest:test
+guest:localhost(w),test(rw)
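Review bot: The shipped default in `etc/access` now grants `guest` write on `localhost` and read/write on `test`, and nothing in the file records what `(w)` and `(rw)` mean or how the line is parsed. A default that lets the guest account publish on the broker out of the box is a permissive starting point; consider shipping `guest` with read only and leaving write grants to the operator. If the file format tolerates comment lines (the parser is not in this diff), add one documenting the `user:vhost(rights),vhost(rights)` syntax; otherwise document it alongside the broker configuration.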
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManager.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManager.java?view=diff&rev=526091&r1=526090&r2=526091
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManager.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManager.java Fri Apr 6 01:21:01 2007
@@ -20,9 +20,13 @@
*/
package org.apache.qpid.server.security.access;
+import java.security.Principal;
+
public interface AccessManager
{
- //AccessResult isAuthorized(Accessable accessObject, Principal username, AccessRights rights);
+ AccessResult isAuthorized(Accessable accessObject, Principal username, AccessRights.Rights rights);
+
+ @Deprecated
AccessResult isAuthorized(Accessable accessObject, String username);
String getName();
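Review bot: The interface adds the `rights` parameter and deprecates the String overload without stating the contract for either, and every implementation in this commit silently maps the deprecated call to `AccessRights.Rights.READ`, which narrows what legacy callers are asking for. Add a Javadoc block on the new method that says what `rights` requests, that implementations must fail closed (an unknown principal or unmatched object yields REFUSED), and that `user` must be non-null; and put a `@deprecated` tag on the old method naming the replacement and noting it is treated as a READ check. The `AccessRights` type is not part of this diff, so how `Rights` values compare cannot be confirmed from here.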
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManagerImpl.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManagerImpl.java?view=diff&rev=526091&r1=526090&r2=526091
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManagerImpl.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManagerImpl.java Fri Apr 6 01:21:01 2007
@@ -23,13 +23,13 @@
import org.apache.commons.configuration.Configuration;
import org.apache.commons.configuration.ConfigurationException;
import org.apache.qpid.server.registry.ApplicationRegistry;
+import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
import org.apache.qpid.configuration.PropertyUtils;
-import org.apache.qpid.configuration.PropertyException;
import org.apache.log4j.Logger;
import java.util.List;
import java.lang.reflect.Method;
-import java.lang.reflect.InvocationTargetException;
+import java.security.Principal;
public class AccessManagerImpl implements AccessManager
{
@@ -121,9 +121,13 @@
}
}
-
public AccessResult isAuthorized(Accessable accessObject, String username)
{
+ return isAuthorized(accessObject, new UsernamePrincipal(username), AccessRights.Rights.READ);
+ }
+
+ public AccessResult isAuthorized(Accessable accessObject, Principal user, AccessRights.Rights rights)
+ {
if (_accessManager == null)
{
if (ApplicationRegistry.getInstance().getAccessManager() == this)
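Review bot: The deprecated String overload at the top of the hunk now delegates with `AccessRights.Rights.READ`, so a caller still on the old signature gets a read-only decision where it previously got a plain "is this user allowed on this object" answer; that is the conservative choice, but it is undocumented. Add `// Legacy callers carry no right; treat the request as READ so the check stays least-privilege.` above the delegation. The Principal overload continues past the hunk, so the branch taken when the registry's manager is `this` is not visible here.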
@@ -133,17 +137,16 @@
}
else
{
- return ApplicationRegistry.getInstance().getAccessManager().isAuthorized(accessObject, username);
+ return ApplicationRegistry.getInstance().getAccessManager().isAuthorized(accessObject, user, rights);
}
}
else
{
- return _accessManager.isAuthorized(accessObject, username);
+ return _accessManager.isAuthorized(accessObject, user, rights);
}
}
- public String getName
- ()
+ public String getName()
{
return "AccessManagerImpl";
}
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AllowAll.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AllowAll.java?view=diff&rev=526091&r1=526090&r2=526091
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AllowAll.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AllowAll.java Fri Apr 6 01:21:01 2007
@@ -20,8 +20,15 @@
*/
package org.apache.qpid.server.security.access;
+import java.security.Principal;
+
public class AllowAll implements AccessManager
{
+
+ public AccessResult isAuthorized(Accessable accessObject, Principal username, AccessRights.Rights rights)
+ {
+ return new AccessResult(this, AccessResult.AccessStatus.GRANTED);
+ }
public AccessResult isAuthorized(Accessable accessObject, String username)
{
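Review bot: The new `AllowAll.isAuthorized` overload ignores `accessObject`, `username` and `rights` and grants unconditionally, which is its purpose, but the class carries no comment saying so, and because it is selectable as the broker's access manager an operator should see the warning where the policy is defined. Add a class-level Javadoc such as `/** Permissive policy: every principal is granted every right on every object; not recommended outside development. */`. The method continues into the existing String overload below the hunk.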
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/DenyAll.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/DenyAll.java?view=diff&rev=526091&r1=526090&r2=526091
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/DenyAll.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/DenyAll.java Fri Apr 6 01:21:01 2007
@@ -20,8 +20,15 @@
*/
package org.apache.qpid.server.security.access;
+import java.security.Principal;
+
public class DenyAll implements AccessManager
{
+ public AccessResult isAuthorized(Accessable accessObject, Principal username, AccessRights.Rights rights)
+ {
+ return new AccessResult(this, AccessResult.AccessStatus.REFUSED);
+ }
+
public AccessResult isAuthorized(Accessable accessObject, String username)
{
return new AccessResult(this, AccessResult.AccessStatus.REFUSED);
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/FileAccessManager.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/FileAccessManager.java?view=diff&rev=526091&r1=526090&r2=526091
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/FileAccessManager.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/FileAccessManager.java Fri Apr 6 01:21:01 2007
@@ -21,6 +21,7 @@
package org.apache.qpid.server.security.access;
import org.apache.qpid.server.virtualhost.VirtualHost;
+import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
import org.apache.log4j.Logger;
import java.io.IOException;
@@ -29,6 +30,7 @@
import java.io.FileNotFoundException;
import java.io.File;
import java.util.regex.Pattern;
+import java.security.Principal;
/**
* Represents a user database where the account information is stored in a simple flat file.
@@ -71,9 +73,17 @@
*
* @return a list of virtualhosts
*/
- private String[] lookupVirtualHost(String user)
+ private VirtualHostAccess[] lookupVirtualHost(String user)
{
- return lookup(user, VIRTUALHOST_INDEX);
+ String[] results = lookup(user, VIRTUALHOST_INDEX);
+ VirtualHostAccess vhosts[] = new VirtualHostAccess[results.length];
+
+ for (int index = 0; index < results.length; index++)
+ {
+ vhosts[index] = new VirtualHostAccess(results[index]);
+ }
+
+ return vhosts;
}
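Review bot: `lookupVirtualHost` now reads `results.length` straight from the value returned by `lookup(user, VIRTUALHOST_INDEX)`, whereas the old body returned that value directly and let the caller's existing `if (hosts != null)` handle a missing user. If `lookup` returns null for an unknown principal (its body is outside this hunk, but the `return null;` at the start of the next hunk and the caller's null check both suggest it does), an authorization check for any unlisted user now throws NullPointerException instead of being refused. Add `if (results == null) { return null; }` immediately after the lookup so the caller's fail-closed path is reached.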
@@ -117,20 +127,31 @@
return null;
}
-
public AccessResult isAuthorized(Accessable accessObject, String username)
{
+ return isAuthorized(accessObject, new UsernamePrincipal(username), AccessRights.Rights.READ);
+ }
+
+ public AccessResult isAuthorized(Accessable accessObject, Principal user, AccessRights.Rights rights)
+ {
if (accessObject instanceof VirtualHost)
{
- String[] hosts = lookupVirtualHost(username);
+ VirtualHostAccess[] hosts = lookupVirtualHost(user.getName());
if (hosts != null)
{
- for (String host : hosts)
+ for (VirtualHostAccess host : hosts)
{
- if (accessObject.getAccessableName().equals(host))
+ if (accessObject.getAccessableName().equals(host.getVirtualHost()))
{
- return new AccessResult(this, AccessResult.AccessStatus.GRANTED);
+ if (host.getAccessRights().allows(rights))
+ {
+ return new AccessResult(this, AccessResult.AccessStatus.GRANTED);
+ }
+ else
+ {
+ return new AccessResult(this, AccessResult.AccessStatus.REFUSED);
+ }
}
}
}
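Review bot: The Principal overload calls `user.getName()` before anything else, so a null `user` from a caller turns a refusal into a NullPointerException in the authorization path. An access decision should fail closed; add `if (user == null) { return new AccessResult(this, AccessResult.AccessStatus.REFUSED); }` ahead of the lookup. The hunk ends inside the loop, so the fall-through result when no vhost entry matches is not visible; confirm it is REFUSED rather than GRANTED.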
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalDatabaseAccessManager.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalDatabaseAccessManager.java?view=diff&rev=526091&r1=526090&r2=526091
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalDatabaseAccessManager.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalDatabaseAccessManager.java Fri Apr 6 01:21:01 2007
@@ -22,8 +22,11 @@
import org.apache.qpid.server.registry.ApplicationRegistry;
import org.apache.qpid.server.security.auth.database.PrincipalDatabase;
+import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
import org.apache.log4j.Logger;
+import java.security.Principal;
+
public class PrincipalDatabaseAccessManager implements AccessManager
{
private static final Logger _logger = Logger.getLogger(PrincipalDatabaseAccessManager.class);
@@ -58,15 +61,21 @@
}
}
+
public AccessResult isAuthorized(Accessable accessObject, String username)
{
+ return isAuthorized(accessObject, new UsernamePrincipal(username), AccessRights.Rights.READ);
+ }
+
+ public AccessResult isAuthorized(Accessable accessObject, Principal username, AccessRights.Rights rights)
+ {
AccessResult result;
if (_database == null)
{
if (_default != null)
{
- result = _default.isAuthorized(accessObject, username);
+ result = _default.isAuthorized(accessObject, username, rights);
}
else
{
@@ -78,11 +87,11 @@
if (!(_database instanceof AccessManager))
{
_logger.warn("Specified PrincipalDatabase is not an AccessManager so using default AccessManager");
- result = _default.isAuthorized(accessObject, username);
+ result = _default.isAuthorized(accessObject, username, rights);
}
else
{
- result = ((AccessManager) _database).isAuthorized(accessObject, username);
+ result = ((AccessManager) _database).isAuthorized(accessObject, username, rights);
}
}
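Review bot: In the `_database != null` branch, the "not an AccessManager" path calls `_default.isAuthorized(accessObject, username, rights)` without the `_default != null` guard that the `_database == null` branch applies a few lines earlier, so a misconfigured database with no default manager turns an authorization decision into a NullPointerException. Fail closed instead: `result = (_default != null) ? _default.isAuthorized(accessObject, username, rights) : new AccessResult(this, AccessResult.AccessStatus.REFUSED);`. The enclosing method starts in the previous hunk, and since the warning on the line above fires on every call it is probably worth emitting once at configuration time.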
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordVhostFilePrincipalDatabase.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordVhostFilePrincipalDatabase.java?view=diff&rev=526091&r1=526090&r2=526091
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordVhostFilePrincipalDatabase.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordVhostFilePrincipalDatabase.java Fri Apr 6 01:21:01 2007
@@ -23,12 +23,15 @@
import org.apache.qpid.server.security.access.AccessManager;
import org.apache.qpid.server.security.access.AccessResult;
import org.apache.qpid.server.security.access.Accessable;
+import org.apache.qpid.server.security.access.AccessRights;
+import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
import org.apache.qpid.server.virtualhost.VirtualHost;
import org.apache.log4j.Logger;
import java.io.IOException;
import java.io.BufferedReader;
import java.io.FileReader;
+import java.security.Principal;
/**
* Represents a user database where the account information is stored in a simple flat file.
@@ -91,9 +94,15 @@
public AccessResult isAuthorized(Accessable accessObject, String username)
{
+ return isAuthorized(accessObject, new UsernamePrincipal(username), AccessRights.Rights.READ);
+ }
+
+ public AccessResult isAuthorized(Accessable accessObject, Principal user, AccessRights.Rights rights)
+ {
+
if (accessObject instanceof VirtualHost)
{
- String[] hosts = lookupVirtualHost(username);
+ String[] hosts = lookupVirtualHost(user.getName());
if (hosts != null)
{
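Review bot: The new `isAuthorized(Accessable, Principal, AccessRights.Rights)` accepts `rights` but, within this hunk, never reads it: `lookupVirtualHost(user.getName())` still yields a plain `String[]` of vhost names, so there is no per-vhost rights information to compare against, unlike `FileAccessManager`, which now checks `host.getAccessRights().allows(rights)`. The loop body is outside the hunk, but on what is visible a WRITE request is decided by vhost membership alone. Either make this database parse the `vhost(rights)` syntax the way `FileAccessManager.lookupVirtualHost` does, or state the limitation on the method: `// NOTE: rights are not enforced here; membership in the vhost grants every right.`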
@@ -114,5 +123,5 @@
{
return "PlainPasswordVhostFile";
}
-
+
}