Posted to dev@activemq.apache.org by Allen Reese <ar...@yahoo-inc.com> on 2010/09/25 00:33:25 UTC

Question about org.apache.activemq.security.AuthorizationBroker

I'm playing with org.apache.activemq.security.AuthorizationBroker, and I'm not quite sure I understand what it is doing.

This is from the 5.3.2 code, but it's almost exactly the same in the trunk.
Lines 62-65, entire function below.

http://svn.apache.org/viewvc/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java

The part I don't understand is why it calls super.addDestination() if it doesn't exist without first checking the acl's.

Will this code get called again to verify the acl once it's in the DestinationMap?

Thanks

--Allen

Function I'm talking about:

    public Destination addDestination(ConnectionContext context, ActiveMQDestination destination) throws Exception {
        final SecurityContext securityContext = (SecurityContext)context.getSecurityContext();
        if (securityContext == null) {
            throw new SecurityException("User is not authenticated.");
        }

        Destination existing = this.getDestinationMap().get(destination);
        if (existing != null) {
            return super.addDestination(context, destination);
        }

        if (!securityContext.isBrokerContext()) {
            Set<?> allowedACLs = null;
            if (!destination.isTemporary()) {
                allowedACLs = authorizationMap.getAdminACLs(destination);
            } else {
                allowedACLs = authorizationMap.getTempDestinationAdminACLs();
            }

            if (allowedACLs != null && !securityContext.isInOneOf(allowedACLs)) {
                throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to create: " + destination);
            }

        }

        return super.addDestination(context, destination);
    }
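
The branches of the function quoted above, traced in a small stand-alone Java model (an added example, not ActiveMQ code and not from the poster). The `User` record, the two maps and the exact-name ACL lookup are hypothetical simplifications, and the parent broker's addDestination() is assumed to hand back the already-registered destination.

```java
import java.util.*;

// Simplified model of the addDestination() check quoted above. Every name
// here is a hypothetical stand-in; none of these are ActiveMQ types.
public class AddDestinationModel {
    record User(String name, Set<String> groups, boolean brokerContext) {}

    static final Map<String, String> destinations = new HashMap<>();    // name -> creator
    static final Map<String, Set<String>> adminAcls = new HashMap<>();  // name -> admin groups

    static String addDestination(User user, String dest) {
        if (user == null) {
            throw new SecurityException("User is not authenticated.");
        }
        // Existing destination: handed back without any admin ACL lookup.
        if (destinations.containsKey(dest)) {
            return "existing:" + dest;
        }
        if (!user.brokerContext()) {
            Set<String> allowed = adminAcls.get(dest);  // null when no entry is configured
            // Mirrors "allowedACLs != null && !isInOneOf(...)":
            // a missing ACL entry does not block creation.
            if (allowed != null && Collections.disjoint(allowed, user.groups())) {
                throw new SecurityException("User " + user.name()
                        + " is not authorized to create: " + dest);
            }
        }
        destinations.put(dest, user.name());
        return "created:" + dest;
    }

    static String attempt(User user, String dest) {
        try { return addDestination(user, dest); }
        catch (SecurityException e) { return "denied: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        adminAcls.put("ORDERS", Set.of("admins"));  // constructed sample ACL
        User admin = new User("alice", Set.of("admins"), false);
        User guest = new User("bob", Set.of("guests"), false);
        User broker = new User("broker", Set.of(), true);
        System.out.println(attempt(null, "ORDERS"));    // unauthenticated caller
        System.out.println(attempt(guest, "ORDERS"));   // new destination, caller not in admin ACL
        System.out.println(attempt(admin, "ORDERS"));   // new destination, caller in admin ACL
        System.out.println(attempt(guest, "ORDERS"));   // destination now exists
        System.out.println(attempt(guest, "SCRATCH"));  // no admin ACL entry configured
        System.out.println(attempt(broker, "AUDIT"));   // broker context skips the ACL check
    }
}
```

The admin ACL in this function gates creation only; when reviewing a broker configuration, note that a destination with no admin ACL entry takes the same path as one the caller is authorized for.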

RE: Question about org.apache.activemq.security.AuthorizationBroker

Posted by Allen Reese <ar...@yahoo-inc.com>.
Great thanks.

That means my test code isn't wrong, I just need to test better.

--Allen 

-----Original Message-----
From: chubrilo@gmail.com [mailto:chubrilo@gmail.com] On Behalf Of Dejan Bosanac
Sent: Monday, September 27, 2010 12:56 AM
To: dev@activemq.apache.org
Subject: Re: Question about org.apache.activemq.security.AuthorizationBroker

Hi Allen,

it returns the existing destination in case it already exists. Some more info on that particular part of code could be found in comments of this issue: https://issues.apache.org/activemq/browse/AMQ-1747


Cheers
--
Dejan Bosanac - http://twitter.com/dejanb

Open Source Integration - http://fusesource.com/
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net




Re: Question about org.apache.activemq.security.AuthorizationBroker

Posted by Dejan Bosanac <de...@nighttale.net>.
Hi Allen,

it returns the existing destination in case it already exists. Some
more info on that particular part of code could be found in comments
of this issue: https://issues.apache.org/activemq/browse/AMQ-1747


Cheers
--
Dejan Bosanac - http://twitter.com/dejanb

Open Source Integration - http://fusesource.com/
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net


