Posted to commits@qpid.apache.org by rg...@apache.org on 2016/10/11 17:01:54 UTC
svn commit: r1764308 - in /qpid/java/trunk:
broker-core/src/main/java/org/apache/qpid/server/exchange/
broker-core/src/main/java/org/apache/qpid/server/message/
broker-core/src/main/java/org/apache/qpid/server/model/
broker-core/src/main/java/org/apach...
Author: rgodfrey
Date: Tue Oct 11 17:01:54 2016
New Revision: 1764308
URL: http://svn.apache.org/viewvc?rev=1764308&view=rev
Log:
QPID-7318 : Enforce permissions on default destination / allow permissions on non-configured objects
Added:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/PermissionedObject.java (with props)
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/exchange/AbstractExchange.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/exchange/DefaultDestination.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/message/MessageDestination.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/ConfiguredObject.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/AccessControl.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/CompoundAccessControl.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectFixedResultAccessControl.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/CachingSecurityToken.java
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleBasedAccessControl.java
qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSessionDelegate.java
qpid/java/trunk/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQChannel.java
qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ExchangeDestination.java
qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/NodeReceivingDestination.java
qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/QueueDestination.java
qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementAddressSpace.java
qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementNode.java
qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementNodeConsumer.java
qpid/java/trunk/systests/src/test/java/org/apache/qpid/server/security/acl/ExternalACLTest.java
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/exchange/AbstractExchange.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/exchange/AbstractExchange.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/exchange/AbstractExchange.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/exchange/AbstractExchange.java Tue Oct 11 17:01:54 2016
@@ -20,6 +20,7 @@
*/
package org.apache.qpid.server.exchange;
+import java.security.AccessControlException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
@@ -39,12 +40,12 @@ import com.google.common.util.concurrent
import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import com.google.common.util.concurrent.SettableFuture;
-import org.apache.qpid.server.configuration.updater.Task;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.qpid.exchange.ExchangeDefaults;
import org.apache.qpid.server.binding.BindingImpl;
+import org.apache.qpid.server.configuration.updater.Task;
import org.apache.qpid.server.logging.EventLogger;
import org.apache.qpid.server.logging.LogSubject;
import org.apache.qpid.server.logging.messages.ExchangeMessages;
@@ -59,12 +60,14 @@ import org.apache.qpid.server.model.Conf
import org.apache.qpid.server.model.Exchange;
import org.apache.qpid.server.model.LifetimePolicy;
import org.apache.qpid.server.model.ManagedAttributeField;
+import org.apache.qpid.server.model.NamedAddressSpace;
import org.apache.qpid.server.model.Publisher;
import org.apache.qpid.server.model.Queue;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.model.VirtualHost;
import org.apache.qpid.server.queue.BaseQueue;
+import org.apache.qpid.server.security.SecurityToken;
import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.store.MessageEnqueueRecord;
import org.apache.qpid.server.store.StorableMessageMetaData;
@@ -943,5 +946,16 @@ public abstract class AbstractExchange<T
return binding;
}
+ @Override
+ public NamedAddressSpace getAddressSpace()
+ {
+ return _virtualHost;
+ }
+ @Override
+ public void authorisePublish(final SecurityToken token, final Map<String, Object> arguments)
+ throws AccessControlException
+ {
+ authorise(token, Operation.ACTION("publish"), arguments);
+ }
}
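Review bot: The action name in `authorisePublish` is the bare literal `Operation.ACTION("publish")`, and the same literal is repeated in DefaultDestination.authorisePublish and AbstractQueue.authorisePublish, while LegacyAccessControlAdapter.authoriseAction matches it with `"publish".equals(actionName)`. A typo in any one of these would make the ACL adapter miss the publish branch at runtime instead of failing to compile. A single shared constant for the action name, referenced from all four places, would remove that risk.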
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/exchange/DefaultDestination.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/exchange/DefaultDestination.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/exchange/DefaultDestination.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/exchange/DefaultDestination.java Tue Oct 11 17:01:54 2016
@@ -18,25 +18,70 @@
*/
package org.apache.qpid.server.exchange;
+import java.security.AccessControlException;
+import java.util.Map;
+
import org.apache.qpid.exchange.ExchangeDefaults;
import org.apache.qpid.server.message.InstanceProperties;
import org.apache.qpid.server.message.MessageDestination;
import org.apache.qpid.server.message.MessageInstance;
import org.apache.qpid.server.message.ServerMessage;
+import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.Exchange;
+import org.apache.qpid.server.model.NamedAddressSpace;
+import org.apache.qpid.server.model.PermissionedObject;
import org.apache.qpid.server.model.VirtualHost;
+import org.apache.qpid.server.security.AccessControl;
+import org.apache.qpid.server.security.Result;
+import org.apache.qpid.server.security.SecurityToken;
+import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.store.StorableMessageMetaData;
import org.apache.qpid.server.txn.ServerTransaction;
import org.apache.qpid.server.util.Action;
-public class DefaultDestination implements MessageDestination
+public class DefaultDestination implements MessageDestination, PermissionedObject
{
+ private final AccessControl _accessControl;
private VirtualHost<?> _virtualHost;
- public DefaultDestination(VirtualHost<?> virtualHost)
+ public DefaultDestination(VirtualHost<?> virtualHost, final AccessControl accessControl)
{
_virtualHost = virtualHost;
+ _accessControl = accessControl;
+ }
+
+ @Override
+ public Class<? extends ConfiguredObject> getCategoryClass()
+ {
+ return Exchange.class;
+ }
+
+ @Override
+ public NamedAddressSpace getAddressSpace()
+ {
+ return _virtualHost;
+ }
+
+
+ @Override
+ public void authorisePublish(final SecurityToken token, final Map<String, Object> arguments)
+ throws AccessControlException
+ {
+
+ if(_accessControl != null)
+ {
+ Result result = _accessControl.authorise(token, Operation.ACTION("publish"), this, arguments);
+ if (result == Result.DEFER)
+ {
+ result = _accessControl.getDefault();
+ }
+
+ if (result == Result.DENIED)
+ {
+ throw new AccessControlException("Access denied to publish to default exchange with arguments: " + arguments);
+ }
+ }
}
@Override
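Review bot: `authorisePublish` fails open in two ways: when `_accessControl` is null it returns without any check, and after the DEFER fallback only `Result.DENIED` throws, so any other outcome (for example a default that is itself DEFER) is treated as permission. For a method meant to enforce permissions on the default destination, I would reject everything that is not an explicit allow, e.g. `if (result != Result.ALLOWED)` in front of the throw. I would also either require a non-null AccessControl in the constructor or add a comment stating why a null provider means unrestricted publish. The exception message concatenates the caller-supplied `arguments` map; if that text reaches logs, consider including only the routing key, length-limited.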
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/message/MessageDestination.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/message/MessageDestination.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/message/MessageDestination.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/message/MessageDestination.java Tue Oct 11 17:01:54 2016
@@ -20,6 +20,11 @@
*/
package org.apache.qpid.server.message;
+import java.security.AccessControlException;
+import java.util.Map;
+
+import org.apache.qpid.server.model.NamedAddressSpace;
+import org.apache.qpid.server.security.SecurityToken;
import org.apache.qpid.server.store.StorableMessageMetaData;
import org.apache.qpid.server.txn.ServerTransaction;
import org.apache.qpid.server.util.Action;
@@ -27,7 +32,11 @@ import org.apache.qpid.server.util.Actio
public interface MessageDestination extends MessageNode
{
- public String getName();
+ String getName();
+
+ NamedAddressSpace getAddressSpace();
+
+ void authorisePublish(SecurityToken token, Map<String, Object> arguments) throws AccessControlException;
/**
* Routes a message
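Review bot: The two methods added to the interface have no Javadoc, although `authorisePublish` becomes the contract the protocol layers rely on for publish permission checks. I would document that it returns normally when publishing is permitted and throws `AccessControlException` otherwise, and which keys `arguments` is expected to carry; the LegacyAccessControlAdapter change in this commit reads `routingKey` and `immediate`. For `getAddressSpace`, state whether null is a legal return value. The interface body continues outside this hunk.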
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/ConfiguredObject.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/ConfiguredObject.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/ConfiguredObject.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/ConfiguredObject.java Tue Oct 11 17:01:54 2016
@@ -40,7 +40,7 @@ import org.apache.qpid.server.store.Conf
/**
* An object that can be "managed" (eg via the web interface) and usually read from configuration.
*/
-public interface ConfiguredObject<X extends ConfiguredObject<X>> extends ContextProvider, TaskExecutorProvider
+public interface ConfiguredObject<X extends ConfiguredObject<X>> extends ContextProvider, TaskExecutorProvider, PermissionedObject
{
String OVER_SIZED_ATTRIBUTE_ALTERNATIVE_TEXT = "Value is too long to display";
Added: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/PermissionedObject.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/PermissionedObject.java?rev=1764308&view=auto
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/PermissionedObject.java (added)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/PermissionedObject.java Tue Oct 11 17:01:54 2016
@@ -0,0 +1,28 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.model;
+
+public interface PermissionedObject
+{
+ Class<? extends ConfiguredObject> getCategoryClass();
+
+ String getName();
+}
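Review bot: `PermissionedObject` is introduced without any Javadoc, yet it becomes the type every `AccessControl.authorise` overload accepts. A type-level comment should say that implementations need not be `ConfiguredObject`s (DefaultDestination in this commit is not) and that `getCategoryClass()` is the value access-control code branches on, as LegacyAccessControlAdapter.authoriseAction does. Without that, plugin authors are likely to keep assuming the argument can be cast to `ConfiguredObject`.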
Propchange: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/PermissionedObject.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java Tue Oct 11 17:01:54 2016
@@ -33,7 +33,6 @@ import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.ArrayList;
-import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
@@ -98,6 +97,7 @@ import org.apache.qpid.server.plugin.Mes
import org.apache.qpid.server.plugin.QpidServiceLoader;
import org.apache.qpid.server.protocol.AMQSessionModel;
import org.apache.qpid.server.protocol.MessageConverterRegistry;
+import org.apache.qpid.server.security.SecurityToken;
import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
import org.apache.qpid.server.store.MessageDurability;
@@ -3494,6 +3494,20 @@ public abstract class AbstractQueue<X ex
}
}
+ @Override
+ public NamedAddressSpace getAddressSpace()
+ {
+ return _virtualHost;
+ }
+
+
+ @Override
+ public void authorisePublish(final SecurityToken token, final Map<String, Object> arguments)
+ throws AccessControlException
+ {
+ authorise(token, Operation.ACTION("publish"), arguments);
+ }
+
private class DeletedChildListener implements ConfigurationChangeListener
{
@Override
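Review bot: Nothing in the visible LegacyAccessControlAdapter hunks shows a `"publish"` branch for the Queue category (the only one is under `categoryClass == Exchange.class`), so it is unclear what `authorise(token, Operation.ACTION("publish"), arguments)` resolves to for a queue under the rule-based provider. If the adapter has no Queue case outside the hunks shown, direct-to-queue publishing would get whatever the fall-through result is rather than the PUBLISH rule. A test for that path alongside the ExternalACLTest changes would settle it. A one-line comment on `authorisePublish` naming the expected `arguments` keys would help as well.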
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/AccessControl.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/AccessControl.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/AccessControl.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/AccessControl.java Tue Oct 11 17:01:54 2016
@@ -22,7 +22,7 @@ import java.util.Map;
import javax.security.auth.Subject;
-import org.apache.qpid.server.model.ConfiguredObject;
+import org.apache.qpid.server.model.PermissionedObject;
import org.apache.qpid.server.security.access.Operation;
public interface AccessControl<T extends SecurityToken>
@@ -34,9 +34,9 @@ public interface AccessControl<T extends
T newToken(Subject subject);
- Result authorise(T token, Operation operation, ConfiguredObject<?> configuredObject);
+ Result authorise(T token, Operation operation, PermissionedObject configuredObject);
- Result authorise(T token, Operation operation, ConfiguredObject<?> configuredObject, Map<String,Object> arguments);
+ Result authorise(T token, Operation operation, PermissionedObject configuredObject, Map<String,Object> arguments);
final class FixedResultAccessControl implements AccessControl<SecurityToken>
{
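Review bot: The parameter is still called `configuredObject` in both `authorise` signatures although its type no longer guarantees a ConfiguredObject, and the name invites implementers to cast. Renaming it, e.g. `PermissionedObject permissionedObject`, would make the weaker contract visible at every call site. The same leftover name appears in the FixedResultAccessControl, CompoundAccessControl, SubjectFixedResultAccessControl, CachingSecurityToken, LegacyAccessControlAdapter and RuleBasedAccessControl hunks of this commit.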
@@ -68,7 +68,7 @@ public interface AccessControl<T extends
@Override
public Result authorise(final SecurityToken token,
final Operation operation,
- final ConfiguredObject<?> configuredObject)
+ final PermissionedObject configuredObject)
{
return _result;
}
@@ -76,7 +76,7 @@ public interface AccessControl<T extends
@Override
public Result authorise(final SecurityToken token,
final Operation operation,
- final ConfiguredObject<?> configuredObject,
+ final PermissionedObject configuredObject,
final Map<String, Object> arguments)
{
return _result;
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/CompoundAccessControl.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/CompoundAccessControl.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/CompoundAccessControl.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/CompoundAccessControl.java Tue Oct 11 17:01:54 2016
@@ -29,7 +29,7 @@ import java.util.concurrent.atomic.Atomi
import javax.security.auth.Subject;
-import org.apache.qpid.server.model.ConfiguredObject;
+import org.apache.qpid.server.model.PermissionedObject;
import org.apache.qpid.server.security.access.Operation;
public class CompoundAccessControl implements AccessControl<CompoundSecurityToken>
@@ -79,7 +79,7 @@ public class CompoundAccessControl imple
@Override
public Result authorise(final CompoundSecurityToken token,
final Operation operation,
- final ConfiguredObject<?> configuredObject)
+ final PermissionedObject configuredObject)
{
return authorise(token, operation, configuredObject, Collections.<String,Object>emptyMap());
}
@@ -87,7 +87,7 @@ public class CompoundAccessControl imple
@Override
public Result authorise(final CompoundSecurityToken token,
final Operation operation,
- final ConfiguredObject<?> configuredObject,
+ final PermissionedObject configuredObject,
final Map<String, Object> arguments)
{
List<AccessControl<?>> underlying = _underlyingControls.get();
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectFixedResultAccessControl.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectFixedResultAccessControl.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectFixedResultAccessControl.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectFixedResultAccessControl.java Tue Oct 11 17:01:54 2016
@@ -25,7 +25,7 @@ import java.util.Map;
import javax.security.auth.Subject;
-import org.apache.qpid.server.model.ConfiguredObject;
+import org.apache.qpid.server.model.PermissionedObject;
import org.apache.qpid.server.security.access.Operation;
public final class SubjectFixedResultAccessControl implements AccessControl<SubjectFixedResultAccessControl.FixedResultSecurityToken>
@@ -61,7 +61,7 @@ public final class SubjectFixedResultAcc
@Override
public Result authorise(final FixedResultSecurityToken token,
final Operation operation,
- final ConfiguredObject<?> configuredObject)
+ final PermissionedObject configuredObject)
{
return token == null
? _calculator.getResult(Subject.getSubject(AccessController.getContext()))
@@ -71,7 +71,7 @@ public final class SubjectFixedResultAcc
@Override
public Result authorise(final FixedResultSecurityToken token,
final Operation operation,
- final ConfiguredObject<?> configuredObject,
+ final PermissionedObject configuredObject,
final Map<String, Object> arguments)
{
return token == null
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java Tue Oct 11 17:01:54 2016
@@ -279,7 +279,6 @@ public abstract class AbstractVirtualHos
_eventLogger.message(VirtualHostMessages.CREATED(getName()));
- _defaultDestination = new DefaultDestination(this);
_messagesDelivered = new StatisticsCounter("messages-delivered-" + getName());
_dataDelivered = new StatisticsCounter("bytes-delivered-" + getName());
@@ -298,6 +297,9 @@ public abstract class AbstractVirtualHos
);
}
+ _defaultDestination = new DefaultDestination(this, _accessControl);
+
+
_housekeepingJobContext = getSystemTaskControllerContext("Housekeeping["+getName()+"]", _principal);
_fileSystemSpaceCheckerJobContext = getSystemTaskControllerContext("FileSystemSpaceChecker["+getName()+"]", _principal);
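Review bot: `new DefaultDestination(this, _accessControl)` hands over the current value of `_accessControl`, which DefaultDestination keeps in a final field and treats as "no check" when it is null. The assignment of `_accessControl` is outside this hunk, so please confirm it is always set, and never replaced, before this line; otherwise publishes to the default destination would be checked against a stale or absent provider. A short comment such as `// must follow _accessControl initialisation: DefaultDestination captures the reference` would record why the construction was moved.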
Modified: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/CachingSecurityToken.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/CachingSecurityToken.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/CachingSecurityToken.java (original)
+++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/CachingSecurityToken.java Tue Oct 11 17:01:54 2016
@@ -28,7 +28,7 @@ import java.util.concurrent.atomic.Atomi
import javax.security.auth.Subject;
-import org.apache.qpid.server.model.ConfiguredObject;
+import org.apache.qpid.server.model.PermissionedObject;
import org.apache.qpid.server.security.Result;
import org.apache.qpid.server.security.SecurityToken;
import org.apache.qpid.server.security.access.Operation;
@@ -53,7 +53,7 @@ class CachingSecurityToken implements Se
}
Result authorise(final RuleBasedAccessControl ruleBasedAccessControl, final Operation operation,
- final ConfiguredObject<?> configuredObject,
+ final PermissionedObject configuredObject,
final Map<String, Object> arguments)
{
AccessControlCache cache;
@@ -73,12 +73,12 @@ class CachingSecurityToken implements Se
private static final class CachedMethodAuthKey
{
- private final ConfiguredObject<?> _configuredObject;
+ private final PermissionedObject _configuredObject;
private final Operation _operation;
private final Map<String, Object> _arguments;
private final int _hashCode;
- public CachedMethodAuthKey(final ConfiguredObject<?> configuredObject,
+ public CachedMethodAuthKey(final PermissionedObject configuredObject,
final Operation operation,
final Map<String, Object> arguments)
{
Modified: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java (original)
+++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java Tue Oct 11 17:01:54 2016
@@ -35,6 +35,7 @@ import java.util.HashSet;
import java.util.Map;
import java.util.Set;
+import org.apache.qpid.server.message.MessageDestination;
import org.apache.qpid.server.model.*;
import org.apache.qpid.server.queue.QueueConsumer;
import org.apache.qpid.server.security.Result;
@@ -89,7 +90,7 @@ class LegacyAccessControlAdapter
return _model;
}
- Result authorise(final LegacyOperation operation, final ConfiguredObject<?> configuredObject)
+ Result authorise(final LegacyOperation operation, final PermissionedObject configuredObject)
{
if (isAllowedOperation(operation, configuredObject))
{
@@ -109,7 +110,7 @@ class LegacyAccessControlAdapter
}
- private boolean isAllowedOperation(LegacyOperation operation, ConfiguredObject<?> configuredObject)
+ private boolean isAllowedOperation(LegacyOperation operation, PermissionedObject configuredObject)
{
if (configuredObject instanceof Session && (operation == LegacyOperation.CREATE || operation == LegacyOperation.UPDATE
|| operation == LegacyOperation.DELETE))
@@ -206,18 +207,18 @@ class LegacyAccessControlAdapter
}
- private ObjectProperties getACLObjectProperties(ConfiguredObject<?> configuredObject, LegacyOperation configuredObjectOperation)
+ private ObjectProperties getACLObjectProperties(PermissionedObject configuredObject, LegacyOperation configuredObjectOperation)
{
- String objectName = (String)configuredObject.getAttribute(ConfiguredObject.NAME);
+ String objectName = configuredObject.getName();
Class<? extends ConfiguredObject> configuredObjectType = configuredObject.getCategoryClass();
ObjectProperties properties = new ObjectProperties(objectName);
if (configuredObject instanceof Binding)
{
- Exchange<?> exchange = (Exchange<?>)configuredObject.getParent(Exchange.class);
- Queue<?> queue = (Queue<?>)configuredObject.getParent(Queue.class);
+ Exchange<?> exchange = (Exchange<?>)((Binding)configuredObject).getParent(Exchange.class);
+ Queue<?> queue = (Queue<?>)((Binding)configuredObject).getParent(Queue.class);
properties.setName((String)exchange.getAttribute(Exchange.NAME));
properties.put(ObjectProperties.Property.QUEUE_NAME, (String)queue.getAttribute(Queue.NAME));
- properties.put(ObjectProperties.Property.ROUTING_KEY, (String)configuredObject.getAttribute(Binding.NAME));
+ properties.put(ObjectProperties.Property.ROUTING_KEY, objectName);
properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, (String)queue.getParent(VirtualHost.class).getAttribute(VirtualHost.NAME));
// The temporary attribute (inherited from the binding's queue) seems to exist to allow the user to
@@ -227,21 +228,22 @@ class LegacyAccessControlAdapter
}
else if (configuredObject instanceof Queue)
{
- setQueueProperties(configuredObject, properties);
+ setQueueProperties((Queue)configuredObject, properties);
}
else if (configuredObject instanceof Exchange)
{
- Object lifeTimePolicy = configuredObject.getAttribute(ConfiguredObject.LIFETIME_POLICY);
+ Exchange<?> exchange = (Exchange<?>)configuredObject;
+ Object lifeTimePolicy = exchange.getAttribute(ConfiguredObject.LIFETIME_POLICY);
properties.put(ObjectProperties.Property.AUTO_DELETE, lifeTimePolicy != LifetimePolicy.PERMANENT);
properties.put(ObjectProperties.Property.TEMPORARY, lifeTimePolicy != LifetimePolicy.PERMANENT);
- properties.put(ObjectProperties.Property.DURABLE, (Boolean) configuredObject.getAttribute(ConfiguredObject.DURABLE));
- properties.put(ObjectProperties.Property.TYPE, (String) configuredObject.getAttribute(Exchange.TYPE));
- VirtualHost virtualHost = configuredObject.getParent(VirtualHost.class);
+ properties.put(ObjectProperties.Property.DURABLE, (Boolean) exchange.getAttribute(ConfiguredObject.DURABLE));
+ properties.put(ObjectProperties.Property.TYPE, (String) exchange.getAttribute(Exchange.TYPE));
+ VirtualHost virtualHost = exchange.getParent(VirtualHost.class);
properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, (String)virtualHost.getAttribute(virtualHost.NAME));
}
else if (configuredObject instanceof QueueConsumer)
{
- Queue<?> queue = (Queue<?>)configuredObject.getParent(Queue.class);
+ Queue<?> queue = (Queue<?>)((QueueConsumer)configuredObject).getParent(Queue.class);
setQueueProperties(queue, properties);
}
else if (isBrokerType(configuredObjectType))
@@ -254,7 +256,7 @@ class LegacyAccessControlAdapter
}
else if (isVirtualHostType(configuredObjectType))
{
- ConfiguredObject<?> virtualHost = getModel().getAncestor(VirtualHost.class, configuredObject);
+ ConfiguredObject<?> virtualHost = getModel().getAncestor(VirtualHost.class, (ConfiguredObject<?>)configuredObject);
properties = new ObjectProperties((String)virtualHost.getAttribute(ConfiguredObject.NAME));
}
return properties;
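Review bot: The virtual-host branch casts with `(ConfiguredObject<?>)configuredObject` guarded only by `isVirtualHostType(configuredObjectType)`, which tests the reported category class and not the runtime type. A PermissionedObject that is not a ConfiguredObject (DefaultDestination reports `Exchange.class` as its category) would raise ClassCastException if it ever reaches this branch, turning an authorisation decision into an unchecked runtime error. I would guard the cast, `else if (configuredObject instanceof ConfiguredObject && isVirtualHostType(configuredObjectType))`, and do the same for `((ConfiguredObject)configuredObject).getParent(Broker.class)` in the authoriseMethod hunk. getACLObjectProperties starts outside this hunk.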
@@ -333,19 +335,19 @@ class LegacyAccessControlAdapter
return operation;
}
- Result authoriseAction(final ConfiguredObject<?> configuredObject,
+ Result authoriseAction(final PermissionedObject configuredObject,
String actionName,
final Map<String, Object> arguments)
{
Class<? extends ConfiguredObject> categoryClass = configuredObject.getCategoryClass();
if(categoryClass == Exchange.class)
{
- Exchange exchange = (Exchange) configuredObject;
+ MessageDestination exchange = (MessageDestination) configuredObject;
if("publish".equals(actionName))
{
final ObjectProperties _props =
- new ObjectProperties(exchange.getParent(VirtualHost.class).getName(), exchange.getName(), (String)arguments.get("routingKey"), (Boolean)arguments.get("immediate"));
+ new ObjectProperties(exchange.getAddressSpace().getName(), exchange.getName(), (String)arguments.get("routingKey"), (Boolean)arguments.get("immediate"));
return _accessControl.authorise(PUBLISH, EXCHANGE, _props);
}
}
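Review bot: `(MessageDestination) configuredObject` is guarded only by `categoryClass == Exchange.class`, and nothing in PermissionedObject ties that category to the MessageDestination type, so a future implementation can pass the check and then fail on the cast. The `(String)arguments.get("routingKey")` and `(Boolean)arguments.get("immediate")` reads likewise assume the caller populated both keys with those types. Adding `configuredObject instanceof MessageDestination` to the condition, with a non-allow result per the adapter's convention when it fails, would keep the failure inside the access decision. authoriseAction continues past the end of this hunk.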
@@ -386,7 +388,7 @@ class LegacyAccessControlAdapter
}
- Result authoriseMethod(final ConfiguredObject<?> configuredObject,
+ Result authoriseMethod(final PermissionedObject configuredObject,
final String methodName,
final Map<String, Object> arguments)
{
@@ -461,7 +463,7 @@ class LegacyAccessControlAdapter
{
if(BDB_VIRTUAL_HOST_NODE_OPERATIONS.contains(methodName))
{
- ObjectProperties properties = getACLObjectProperties(configuredObject.getParent(Broker.class), LegacyOperation.UPDATE);
+ ObjectProperties properties = getACLObjectProperties(((ConfiguredObject)configuredObject).getParent(Broker.class), LegacyOperation.UPDATE);
return _accessControl.authorise(LegacyOperation.UPDATE, ObjectType.BROKER, properties);
}
}
@@ -490,7 +492,7 @@ class LegacyAccessControlAdapter
Result authorise(final Operation operation,
- final ConfiguredObject<?> configuredObject,
+ final PermissionedObject configuredObject,
final Map<String, Object> arguments)
{
switch(operation.getType())
Modified: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleBasedAccessControl.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleBasedAccessControl.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleBasedAccessControl.java (original)
+++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleBasedAccessControl.java Tue Oct 11 17:01:54 2016
@@ -116,7 +116,7 @@ public class RuleBasedAccessControl impl
@Override
public Result authorise(final CachingSecurityToken token,
final Operation operation,
- final ConfiguredObject<?> configuredObject)
+ final PermissionedObject configuredObject)
{
return authorise(token, operation, configuredObject, Collections.<String,Object>emptyMap());
}
@@ -124,7 +124,7 @@ public class RuleBasedAccessControl impl
@Override
public Result authorise(final CachingSecurityToken token,
final Operation operation,
- final ConfiguredObject<?> configuredObject,
+ final PermissionedObject configuredObject,
final Map<String, Object> arguments)
{
if(token != null)
@@ -138,7 +138,7 @@ public class RuleBasedAccessControl impl
}
Result authorise(final Operation operation,
- final ConfiguredObject<?> configuredObject,
+ final PermissionedObject configuredObject,
final Map<String, Object> arguments)
{
return _adapter.authorise(operation, configuredObject, arguments);
Modified: qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSessionDelegate.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSessionDelegate.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSessionDelegate.java (original)
+++ qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSessionDelegate.java Tue Oct 11 17:01:54 2016
@@ -41,36 +41,32 @@ import org.apache.qpid.bytebuffer.QpidBy
import org.apache.qpid.common.AMQPFilterTypes;
import org.apache.qpid.exchange.ExchangeDefaults;
import org.apache.qpid.protocol.AMQConstant;
-import org.apache.qpid.server.logging.EventLogger;
-import org.apache.qpid.server.model.ConfiguredObject;
-import org.apache.qpid.server.model.Exchange;
-import org.apache.qpid.server.model.NamedAddressSpace;
-import org.apache.qpid.server.security.access.Operation;
-import org.apache.qpid.server.transport.ProtocolEngine;
import org.apache.qpid.server.consumer.ConsumerImpl;
-import org.apache.qpid.server.store.MessageHandle;
-import org.apache.qpid.server.util.ConnectionScopedRuntimeException;
-import org.apache.qpid.server.virtualhost.VirtualHostUnavailableException;
import org.apache.qpid.server.filter.AMQInvalidArgumentException;
import org.apache.qpid.server.filter.ArrivalTimeFilter;
import org.apache.qpid.server.filter.FilterManager;
import org.apache.qpid.server.filter.FilterManagerFactory;
import org.apache.qpid.server.filter.MessageFilter;
+import org.apache.qpid.server.logging.EventLogger;
import org.apache.qpid.server.logging.messages.ChannelMessages;
import org.apache.qpid.server.logging.messages.ExchangeMessages;
import org.apache.qpid.server.message.InstanceProperties;
import org.apache.qpid.server.message.MessageDestination;
import org.apache.qpid.server.message.MessageReference;
import org.apache.qpid.server.message.MessageSource;
+import org.apache.qpid.server.model.Exchange;
import org.apache.qpid.server.model.ExclusivityPolicy;
import org.apache.qpid.server.model.LifetimePolicy;
+import org.apache.qpid.server.model.NamedAddressSpace;
import org.apache.qpid.server.model.NoFactoryForTypeException;
import org.apache.qpid.server.model.Queue;
import org.apache.qpid.server.model.UnknownConfiguredObjectException;
import org.apache.qpid.server.queue.QueueArgumentsConverter;
+import org.apache.qpid.server.store.MessageHandle;
import org.apache.qpid.server.store.MessageStore;
import org.apache.qpid.server.store.StoreException;
import org.apache.qpid.server.store.StoredMessage;
+import org.apache.qpid.server.transport.ProtocolEngine;
import org.apache.qpid.server.txn.AlreadyKnownDtxException;
import org.apache.qpid.server.txn.DtxNotSelectedException;
import org.apache.qpid.server.txn.IncorrectDtxStateException;
@@ -81,12 +77,14 @@ import org.apache.qpid.server.txn.Server
import org.apache.qpid.server.txn.SuspendAndFailDtxException;
import org.apache.qpid.server.txn.TimeoutDtxException;
import org.apache.qpid.server.txn.UnknownDtxBranchException;
+import org.apache.qpid.server.util.ConnectionScopedRuntimeException;
import org.apache.qpid.server.util.ServerScopedRuntimeException;
import org.apache.qpid.server.virtualhost.ExchangeExistsException;
import org.apache.qpid.server.virtualhost.ExchangeIsAlternateException;
import org.apache.qpid.server.virtualhost.QueueExistsException;
import org.apache.qpid.server.virtualhost.RequiredExchangeException;
import org.apache.qpid.server.virtualhost.ReservedExchangeNameException;
+import org.apache.qpid.server.virtualhost.VirtualHostUnavailableException;
import org.apache.qpid.transport.*;
public class ServerSessionDelegate extends SessionDelegate
@@ -445,15 +443,11 @@ public class ServerSessionDelegate exten
try
{
serverSession.getAMQPConnection().checkAuthorizedMessagePrincipal(getMessageUserId(xfr));
- if(destination instanceof ConfiguredObject)
- {
+ destination.authorisePublish(serverSession.getToken(),
+ PUBLISH_ACTION_MAP_CREATOR.createMap(messageMetaData.getRoutingKey(),
+ messageMetaData.isImmediate()));
- ((ConfiguredObject)destination).authorise(serverSession.getToken(),
- Operation.ACTION("publish"),
- PUBLISH_ACTION_MAP_CREATOR.createMap(messageMetaData.getRoutingKey(),
- messageMetaData.isImmediate()));
- };
}
catch (AccessControlException e)
{
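Review bot: The removed `instanceof ConfiguredObject` test also skipped the call when `destination` was null, whereas the new `destination.authorisePublish(...)` dereferences it unconditionally. Whether `destination` can be null at this point is not visible in the hunk. If it can, the resulting NullPointerException is not handled by the `catch (AccessControlException e)` that follows, so either add an explicit null check before the call or record the invariant, e.g. `// destination is resolved to a non-null value before this try block`. The same question applies to `_currentMessage.getDestination()` in the AMQChannel hunk and to `_destination` in the NodeReceivingDestination hunk. The enclosing method starts and ends outside this hunk.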
Modified: qpid/java/trunk/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQChannel.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQChannel.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQChannel.java (original)
+++ qpid/java/trunk/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQChannel.java Tue Oct 11 17:01:54 2016
@@ -98,7 +98,6 @@ import org.apache.qpid.server.protocol.C
import org.apache.qpid.server.protocol.ConsumerListener;
import org.apache.qpid.server.queue.QueueArgumentsConverter;
import org.apache.qpid.server.security.SecurityToken;
-import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.store.MessageHandle;
import org.apache.qpid.server.store.MessageStore;
import org.apache.qpid.server.store.StoredMessage;
@@ -428,16 +427,12 @@ public class AMQChannel
try
{
+ final MessageDestination destination = _currentMessage.getDestination();
+
ContentHeaderBody contentHeader = _currentMessage.getContentHeader();
_connection.checkAuthorizedMessagePrincipal(AMQShortString.toString(contentHeader.getProperties().getUserId()));
- if(_currentMessage.getDestination() instanceof ConfiguredObject)
- {
- ((ConfiguredObject)_currentMessage.getDestination()).authorise(_token,
- Operation.ACTION("publish"),
- AbstractAMQPConnection.PUBLISH_ACTION_MAP_CREATOR.createMap(routingKey, info.isImmediate()));
-
- };
+ destination.authorisePublish(_token, AbstractAMQPConnection.PUBLISH_ACTION_MAP_CREATOR.createMap(routingKey, info.isImmediate()));
if (_confirmOnPublish)
@@ -453,7 +448,6 @@ public class AMQChannel
{
final MessagePublishInfo messagePublishInfo = _currentMessage.getMessagePublishInfo();
- final MessageDestination destination = _currentMessage.getDestination();
final MessageMetaData messageMetaData =
new MessageMetaData(messagePublishInfo,
Modified: qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ExchangeDestination.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ExchangeDestination.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ExchangeDestination.java (original)
+++ qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ExchangeDestination.java Tue Oct 11 17:01:54 2016
@@ -26,16 +26,15 @@ import java.util.Collections;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.apache.qpid.server.message.InstanceProperties;
+import org.apache.qpid.server.model.Exchange;
import org.apache.qpid.server.protocol.v1_0.type.Outcome;
import org.apache.qpid.server.protocol.v1_0.type.Symbol;
import org.apache.qpid.server.protocol.v1_0.type.messaging.Accepted;
import org.apache.qpid.server.protocol.v1_0.type.messaging.Rejected;
import org.apache.qpid.server.protocol.v1_0.type.messaging.TerminusDurability;
import org.apache.qpid.server.protocol.v1_0.type.messaging.TerminusExpiryPolicy;
-import org.apache.qpid.server.message.InstanceProperties;
-import org.apache.qpid.server.model.Exchange;
import org.apache.qpid.server.security.SecurityToken;
-import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.txn.ServerTransaction;
public class ExchangeDestination implements ReceivingDestination, SendingDestination
@@ -116,8 +115,7 @@ public class ExchangeDestination impleme
@Override
public void authorizePublish(final SecurityToken securityToken, final Message_1_0 message)
{
- _exchange.authorise(securityToken,
- Operation.ACTION("publish"),
+ _exchange.authorisePublish(securityToken,
Collections.<String,Object>singletonMap("routingKey", getRoutingAddress(message)));
Modified: qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/NodeReceivingDestination.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/NodeReceivingDestination.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/NodeReceivingDestination.java (original)
+++ qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/NodeReceivingDestination.java Tue Oct 11 17:01:54 2016
@@ -23,7 +23,8 @@ package org.apache.qpid.server.protocol.
import java.util.Arrays;
import java.util.Collections;
-import org.apache.qpid.server.model.ConfiguredObject;
+import org.apache.qpid.server.message.InstanceProperties;
+import org.apache.qpid.server.message.MessageDestination;
import org.apache.qpid.server.model.Exchange;
import org.apache.qpid.server.protocol.v1_0.type.Outcome;
import org.apache.qpid.server.protocol.v1_0.type.Symbol;
@@ -31,10 +32,7 @@ import org.apache.qpid.server.protocol.v
import org.apache.qpid.server.protocol.v1_0.type.messaging.Rejected;
import org.apache.qpid.server.protocol.v1_0.type.messaging.TerminusDurability;
import org.apache.qpid.server.protocol.v1_0.type.messaging.TerminusExpiryPolicy;
-import org.apache.qpid.server.message.InstanceProperties;
-import org.apache.qpid.server.message.MessageDestination;
import org.apache.qpid.server.security.SecurityToken;
-import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.txn.ServerTransaction;
public class NodeReceivingDestination implements ReceivingDestination
@@ -112,15 +110,8 @@ public class NodeReceivingDestination im
@Override
public void authorizePublish(final SecurityToken securityToken, final Message_1_0 message)
{
- if(_destination instanceof ConfiguredObject)
- {
- ConfiguredObject<?> object = (ConfiguredObject)_destination;
-
- object.authorise(securityToken,
- Operation.ACTION("publish"),
- Collections.<String, Object>singletonMap("routingKey", getRoutingAddress(message)));
- }
-
+ _destination.authorisePublish(securityToken,
+ Collections.<String, Object>singletonMap("routingKey", getRoutingAddress(message)));
}
Modified: qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/QueueDestination.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/QueueDestination.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/QueueDestination.java (original)
+++ qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/QueueDestination.java Tue Oct 11 17:01:54 2016
@@ -22,12 +22,11 @@ package org.apache.qpid.server.protocol.
import java.util.Collections;
-import org.apache.qpid.server.protocol.v1_0.type.Outcome;
-import org.apache.qpid.server.protocol.v1_0.type.messaging.Accepted;
import org.apache.qpid.server.message.MessageReference;
import org.apache.qpid.server.model.Queue;
+import org.apache.qpid.server.protocol.v1_0.type.Outcome;
+import org.apache.qpid.server.protocol.v1_0.type.messaging.Accepted;
import org.apache.qpid.server.security.SecurityToken;
-import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.store.MessageEnqueueRecord;
import org.apache.qpid.server.txn.ServerTransaction;
@@ -102,9 +101,8 @@ public class QueueDestination extends Me
public void authorizePublish(final SecurityToken securityToken, final Message_1_0 message)
{
- _queue.authorise(securityToken,
- Operation.ACTION("publish"),
- Collections.<String,Object>singletonMap("routingKey", getRoutingAddress(message)));
+ _queue.authorisePublish(securityToken,
+ Collections.<String,Object>singletonMap("routingKey", getRoutingAddress(message)));
}
Modified: qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementAddressSpace.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementAddressSpace.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementAddressSpace.java (original)
+++ qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementAddressSpace.java Tue Oct 11 17:01:54 2016
@@ -20,6 +20,7 @@
*/
package org.apache.qpid.server.management.amqp;
+import java.security.AccessControlException;
import java.security.Principal;
import java.util.Collection;
import java.util.Collections;
@@ -40,6 +41,7 @@ import org.apache.qpid.server.model.port
import org.apache.qpid.server.plugin.SystemAddressSpaceCreator;
import org.apache.qpid.server.protocol.LinkModel;
import org.apache.qpid.server.protocol.LinkRegistry;
+import org.apache.qpid.server.security.SecurityToken;
import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.store.MemoryMessageStore;
import org.apache.qpid.server.store.MessageStore;
@@ -212,6 +214,19 @@ public class ManagementAddressSpace impl
private class DefaultDestination implements MessageDestination
{
@Override
+ public NamedAddressSpace getAddressSpace()
+ {
+ return ManagementAddressSpace.this;
+ }
+
+ @Override
+ public void authorisePublish(final SecurityToken token, final Map<String, Object> arguments)
+ throws AccessControlException
+ {
+
+ }
+
+ @Override
public String getName()
{
return ExchangeDefaults.DEFAULT_EXCHANGE_NAME;
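Review bot: The new `authorisePublish` override on `DefaultDestination` has an empty body, so a publish to the management address space's default destination passes this check for every token, and nothing in the code says whether that is intended. If it is deliberate, state it in the method, e.g. `// Intentionally no ACL check: <reason, and where access is enforced instead>`; if not, the method should presumably consult the access control the way the broker-core destinations touched by this commit do. The same applies to `ManagementNode.authorisePublish` in the next file, whose body is only the open question `// ? special permissions to publish to the management node`; `ManagementNodeConsumer.authorisePublish` delegates to it and so inherits the no-op. The `DefaultDestination` class continues outside this hunk.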
Modified: qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementNode.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementNode.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementNode.java (original)
+++ qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementNode.java Tue Oct 11 17:01:54 2016
@@ -61,6 +61,7 @@ import org.apache.qpid.server.model.Stat
import org.apache.qpid.server.plugin.MessageConverter;
import org.apache.qpid.server.protocol.AMQSessionModel;
import org.apache.qpid.server.protocol.MessageConverterRegistry;
+import org.apache.qpid.server.security.SecurityToken;
import org.apache.qpid.server.store.MessageDurability;
import org.apache.qpid.server.store.MessageEnqueueRecord;
import org.apache.qpid.server.store.StorableMessageMetaData;
@@ -1017,6 +1018,20 @@ class ManagementNode implements MessageS
}
@Override
+ public NamedAddressSpace getAddressSpace()
+ {
+ return _addressSpace;
+ }
+
+
+ @Override
+ public void authorisePublish(final SecurityToken token, final Map<String, Object> arguments)
+ throws AccessControlException
+ {
+ // ? special permissions to publish to the management node
+ }
+
+ @Override
public String getName()
{
return MANAGEMENT_NODE_NAME;
Modified: qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementNodeConsumer.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementNodeConsumer.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementNodeConsumer.java (original)
+++ qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementNodeConsumer.java Tue Oct 11 17:01:54 2016
@@ -20,9 +20,11 @@
*/
package org.apache.qpid.server.management.amqp;
+import java.security.AccessControlException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
+import java.util.Map;
import org.apache.qpid.server.consumer.ConsumerImpl;
import org.apache.qpid.server.consumer.ConsumerTarget;
@@ -32,7 +34,9 @@ import org.apache.qpid.server.message.Me
import org.apache.qpid.server.message.MessageSource;
import org.apache.qpid.server.message.ServerMessage;
import org.apache.qpid.server.message.internal.InternalMessage;
+import org.apache.qpid.server.model.NamedAddressSpace;
import org.apache.qpid.server.protocol.AMQSessionModel;
+import org.apache.qpid.server.security.SecurityToken;
import org.apache.qpid.server.store.StorableMessageMetaData;
import org.apache.qpid.server.txn.ServerTransaction;
import org.apache.qpid.server.util.Action;
@@ -159,6 +163,19 @@ class ManagementNodeConsumer implements
}
@Override
+ public NamedAddressSpace getAddressSpace()
+ {
+ return _managementNode.getAddressSpace();
+ }
+
+ @Override
+ public void authorisePublish(final SecurityToken token, final Map<String, Object> arguments)
+ throws AccessControlException
+ {
+ _managementNode.authorisePublish(token, arguments);
+ }
+
+ @Override
public String getName()
{
return _name;
Modified: qpid/java/trunk/systests/src/test/java/org/apache/qpid/server/security/acl/ExternalACLTest.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/systests/src/test/java/org/apache/qpid/server/security/acl/ExternalACLTest.java?rev=1764308&r1=1764307&r2=1764308&view=diff
==============================================================================
--- qpid/java/trunk/systests/src/test/java/org/apache/qpid/server/security/acl/ExternalACLTest.java (original)
+++ qpid/java/trunk/systests/src/test/java/org/apache/qpid/server/security/acl/ExternalACLTest.java Tue Oct 11 17:01:54 2016
@@ -485,4 +485,77 @@ public class ExternalACLTest extends Abs
// pass
}
}
+
+
+ public void setUpClientPublishToAnonymousSuccess() throws Exception
+ {
+ writeACLFile("ACL ALLOW-LOG client ACCESS VIRTUALHOST",
+ "ACL ALLOW-LOG client CREATE QUEUE",
+ "ACL ALLOW-LOG client BIND EXCHANGE" ,
+ "ACL ALLOW-LOG client PUBLISH EXCHANGE name=\"\" routingKey=\"example.RequestQueue\"",
+ "ACL DENY-LOG ALL ALL");
+ }
+
+ public void testClientPublishToAnonymousSuccess() throws Exception
+ {
+ Connection conn = getConnection("test", "client", "guest");
+
+ Session sess = conn.createSession(true, Session.SESSION_TRANSACTED);
+
+ conn.start();
+
+ Queue queue = sess.createQueue("example.RequestQueue");
+
+ ((AMQSession<?,?>)sess).declareAndBind((AMQDestination)queue);
+
+ MessageProducer sender = sess.createProducer(sess.createQueue("ADDR: example.RequestQueue"));
+
+ sender.send(sess.createTextMessage("test"));
+
+ //Send the message using a transaction as this will allow us to retrieve any errors that occur on the broker.
+ sess.commit();
+
+ conn.close();
+ }
+
+
+
+ public void setUpClientPublishToAnonymousFailure() throws Exception
+ {
+ writeACLFile("ACL ALLOW-LOG client ACCESS VIRTUALHOST",
+ "ACL ALLOW-LOG client CREATE QUEUE",
+ "ACL ALLOW-LOG client BIND EXCHANGE",
+ "ACL DENY-LOG ALL ALL");
+ }
+
+ public void testClientPublishToAnonymousFailure() throws Exception
+ {
+ try
+ {
+ Connection conn = getConnection("test", "client", "guest");
+
+ Session sess = conn.createSession(true, Session.SESSION_TRANSACTED);
+
+ conn.start();
+
+ Queue queue = sess.createQueue("example.RequestQueue");
+
+ ((AMQSession<?, ?>) sess).declareAndBind((AMQDestination) queue);
+
+ MessageProducer sender = sess.createProducer(sess.createQueue("ADDR: example.RequestQueue"));
+
+ sender.send(sess.createTextMessage("test"));
+
+ //Send the message using a transaction as this will allow us to retrieve any errors that occur on the broker.
+ sess.commit();
+
+ fail("Sending to the anonymousExchange without permission should fail");
+ }
+ catch (JMSException e)
+ {
+ assertEquals("403",e.getErrorCode());
+ }
+ }
+
+
}
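Review bot: In `testClientPublishToAnonymousFailure` the `try` block wraps the connection, session, queue declaration and bind as well as the publish, so a `JMSException` with error code 403 from any of those earlier steps would also satisfy `assertEquals("403", e.getErrorCode())`, and the test could pass without the publish ever being denied. Narrowing the `try` to the send and commit makes the assertion specific to the publish permission under test. The connection is also never closed on this path; closing it in a `finally` keeps a failed run from leaking it into later tests (assuming `close()` is safe after the broker has rejected the commit).

```java
public void testClientPublishToAnonymousFailure() throws Exception
{
    Connection conn = getConnection("test", "client", "guest");
    try
    {
        // … unchanged: createSession, conn.start(), createQueue, declareAndBind, createProducer …
        try
        {
            sender.send(sess.createTextMessage("test"));
            // Commit so that a broker-side ACL rejection is reported back to the client.
            sess.commit();
            fail("Sending to the anonymousExchange without permission should fail");
        }
        catch (JMSException e)
        {
            assertEquals("403", e.getErrorCode());
        }
    }
    finally
    {
        conn.close();
    }
}
```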