Posted to commits@qpid.apache.org by ri...@apache.org on 2009/04/13 13:19:29 UTC
svn commit: r764412 - in /qpid/branches/0.5-fix/qpid: ./
cpp/src/qpid/cluster/ dotnet/ java/broker/etc/
java/broker/src/main/java/org/apache/qpid/server/plugins/
java/broker/src/main/java/org/apache/qpid/server/registry/
java/broker/src/main/java/org/a...
Author: ritchiem
Date: Mon Apr 13 11:19:27 2009
New Revision: 764412
URL: http://svn.apache.org/viewvc?rev=764412&view=rev
Log:
QPID-1626: Add per-virtualhost authorization plugins.
Merged from trunk r742626
Added:
qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLPluginFactory.java
- copied unchanged from r742626, qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLPluginFactory.java
qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/AuthorizationManager.java
- copied unchanged from r742626, qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/AuthorizationManager.java
qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/plugins/MockPluginManager.java
- copied unchanged from r742626, qpid/trunk/qpid/java/broker/src/test/java/org/apache/qpid/server/plugins/MockPluginManager.java
qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/ACLManagerTest.java
- copied unchanged from r742626, qpid/trunk/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/ACLManagerTest.java
qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/ExchangeDenier.java
- copied unchanged from r742626, qpid/trunk/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/ExchangeDenier.java
qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/QueueDenier.java
- copied unchanged from r742626, qpid/trunk/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/QueueDenier.java
Modified:
qpid/branches/0.5-fix/qpid/ (props changed)
qpid/branches/0.5-fix/qpid/cpp/src/qpid/cluster/UpdateClient.cpp (props changed)
qpid/branches/0.5-fix/qpid/cpp/src/qpid/cluster/UpdateClient.h (props changed)
qpid/branches/0.5-fix/qpid/dotnet/build-msbuild.bat (props changed)
qpid/branches/0.5-fix/qpid/dotnet/build-nant-release (props changed)
qpid/branches/0.5-fix/qpid/dotnet/build-nant.bat (props changed)
qpid/branches/0.5-fix/qpid/java/broker/etc/acl.config.xml
qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/plugins/PluginManager.java
qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/registry/ApplicationRegistry.java
qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/registry/ConfigurationFileApplicationRegistry.java
qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/registry/IApplicationRegistry.java
qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLManager.java
qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLPlugin.java
qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessResult.java
qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java
qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/AllowAll.java
qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/BasicACLPlugin.java
qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/DenyAll.java
qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXML.java
qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/HashedUser.java (props changed)
qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/util/NullApplicationRegistry.java
qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/virtualhost/VirtualHost.java
qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/plugins/PluginTest.java
qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/queue/MockAMQQueue.java
qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java
qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/security/auth/database/HashedUserTest.java (props changed)
qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/util/TestApplicationRegistry.java
qpid/branches/0.5-fix/qpid/java/lib/org.osgi.core_1.0.0.jar (props changed)
qpid/branches/0.5-fix/qpid/java/management/client/src/main/java/org/apache/qpid/management/ (props changed)
qpid/branches/0.5-fix/qpid/java/management/client/src/test/java/org/apache/qpid/management/ (props changed)
qpid/branches/0.5-fix/qpid/java/management/eclipse-plugin/src/main/resources/macosx/Contents/MacOS/qpidmc (props changed)
qpid/branches/0.5-fix/qpid/java/systests/src/main/java/org/apache/qpid/client/MultipleJCAProviderRegistrationTest.java (props changed)
qpid/branches/0.5-fix/qpid/ruby/ext/sasl/extconf.rb (props changed)
Propchange: qpid/branches/0.5-fix/qpid/
------------------------------------------------------------------------------
svn:mergeinfo = /qpid/trunk/qpid:742626
Propchange: qpid/branches/0.5-fix/qpid/cpp/src/qpid/cluster/UpdateClient.cpp
('svn:mergeinfo' removed)
Propchange: qpid/branches/0.5-fix/qpid/cpp/src/qpid/cluster/UpdateClient.h
('svn:mergeinfo' removed)
Propchange: qpid/branches/0.5-fix/qpid/dotnet/build-msbuild.bat
('svn:mergeinfo' removed)
Propchange: qpid/branches/0.5-fix/qpid/dotnet/build-nant-release
('svn:mergeinfo' removed)
Propchange: qpid/branches/0.5-fix/qpid/dotnet/build-nant.bat
('svn:mergeinfo' removed)
Modified: qpid/branches/0.5-fix/qpid/java/broker/etc/acl.config.xml
URL: http://svn.apache.org/viewvc/qpid/branches/0.5-fix/qpid/java/broker/etc/acl.config.xml?rev=764412&r1=764411&r2=764412&view=diff
==============================================================================
--- qpid/branches/0.5-fix/qpid/java/broker/etc/acl.config.xml (original)
+++ qpid/branches/0.5-fix/qpid/java/broker/etc/acl.config.xml Mon Apr 13 11:19:27 2009
@@ -105,7 +105,6 @@
<access>
<class>org.apache.qpid.server.security.access.plugins.SimpleXML</class>
</access>
-
<access_control_list>
<!-- This section grants pubish rights to an exchange + routing key pair -->
<publish>
Modified: qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/plugins/PluginManager.java
URL: http://svn.apache.org/viewvc/qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/plugins/PluginManager.java?rev=764412&r1=764411&r2=764412&view=diff
==============================================================================
--- qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/plugins/PluginManager.java (original)
+++ qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/plugins/PluginManager.java Mon Apr 13 11:19:27 2009
@@ -30,6 +30,11 @@
import org.apache.felix.framework.util.FelixConstants;
import org.apache.felix.framework.util.StringMap;
import org.apache.qpid.server.exchange.ExchangeType;
+import org.apache.qpid.server.security.access.ACLPlugin;
+import org.apache.qpid.server.security.access.ACLPluginFactory;
+import org.apache.qpid.server.security.access.plugins.AllowAll;
+import org.apache.qpid.server.security.access.plugins.DenyAll;
+import org.apache.qpid.server.security.access.plugins.SimpleXML;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleException;
import org.osgi.util.tracker.ServiceTracker;
@@ -46,8 +51,10 @@
private Felix _felix = null;
private ServiceTracker _exchangeTracker = null;
+ private ServiceTracker _securityTracker = null;
private Activator _activator = null;
private boolean _empty;
+ private Map<String, ACLPluginFactory> _securityPlugins;
public PluginManager(String plugindir) throws Exception
{
@@ -115,8 +122,13 @@
try
{
_felix.start();
+
_exchangeTracker = new ServiceTracker(_activator.getContext(), ExchangeType.class.getName(), null);
_exchangeTracker.open();
+
+ _securityTracker = new ServiceTracker(_activator.getContext(), ACLPlugin.class.getName(), null);
+ _exchangeTracker.open();
+
}
catch (BundleException e)
{
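Review bot: The second `open()` call added in this hunk is on `_exchangeTracker` again, so `_securityTracker` is constructed but never opened and will not track any service; the line should read `_securityTracker.open();`. The tracker is also registered for `ACLPlugin.class.getName()`, while `getSecurityPlugins()` later in this file stores its services in a `Map<String, ACLPluginFactory>`, so the tracked class probably needs to be `ACLPluginFactory.class.getName()`. As written, authorization plugins delivered as OSGi bundles would not be picked up and only the three built-in factories would apply. The enclosing method starts outside the hunk.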
@@ -124,22 +136,37 @@
}
}
- public Map<String, ExchangeType<?>> getExchanges()
- {
- if (_empty)
- {
- return null;
- }
- Map<String, ExchangeType<?>>exchanges = new HashMap<String, ExchangeType<?>>();
- for (Object service : _exchangeTracker.getServices())
+ private <type> Map<String, type> getServices(ServiceTracker tracker)
+ {
+ Map<String, type>exchanges = new HashMap<String, type>();
+
+ if (tracker != null)
{
- if (service instanceof ExchangeType<?>)
+ for (Object service : tracker.getServices())
{
- exchanges.put(service.getClass().getName(), (ExchangeType<?>) service);
+ exchanges.put(service.getClass().getName(), (type) service);
}
}
return exchanges;
}
+
+ public Map<String, ExchangeType<?>> getExchanges()
+ {
+ return getServices(_exchangeTracker);
+ }
+
+ public Map<String, ACLPluginFactory> getSecurityPlugins()
+ {
+ if (_securityPlugins == null)
+ {
+ _securityPlugins = getServices(_securityTracker);
+ // A little gross that we have to add them here, but not all the plugins are OSGIfied
+ _securityPlugins.put(SimpleXML.class.getName(), SimpleXML.FACTORY);
+ _securityPlugins.put(AllowAll.class.getName(), AllowAll.FACTORY);
+ _securityPlugins.put(DenyAll.class.getName(), DenyAll.FACTORY);
+ }
+ return _securityPlugins;
+ }
}
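Review bot: `getServices` iterates `tracker.getServices()` directly, but OSGi's `ServiceTracker.getServices()` returns null when nothing is being tracked, so the for-each throws a NullPointerException for any tracker with no registered service. The removed `instanceof ExchangeType<?>` filter is replaced by an unchecked `(type) service` cast, which is erased at runtime and lets an object of the wrong type into the map until a caller dereferences it. Guard the array with `Object[] services = tracker.getServices(); if (services != null)`, and pass the expected `Class` in so each entry can be checked before it is stored. `getSecurityPlugins()` also returns the cached `_securityPlugins` map itself, so any caller can add or replace factories for every later caller; returning a copy would avoid that.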
Modified: qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/registry/ApplicationRegistry.java
URL: http://svn.apache.org/viewvc/qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/registry/ApplicationRegistry.java?rev=764412&r1=764411&r2=764412&view=diff
==============================================================================
--- qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/registry/ApplicationRegistry.java (original)
+++ qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/registry/ApplicationRegistry.java Mon Apr 13 11:19:27 2009
@@ -67,7 +67,7 @@
protected VirtualHostRegistry _virtualHostRegistry;
- protected ACLPlugin _accessManager;
+ protected ACLManager _accessManager;
protected PrincipalDatabaseManager _databaseManager;
@@ -285,9 +285,9 @@
return _virtualHostRegistry;
}
- public ACLPlugin getAccessManager()
+ public ACLManager getAccessManager()
{
- return _accessManager;
+ return new ACLManager(_configuration, _pluginManager);
}
public ManagedObjectRegistry getManagedObjectRegistry()
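Review bot: `getAccessManager()` now builds `new ACLManager(_configuration, _pluginManager)` on every call instead of returning the `_accessManager` field, which the first hunk retypes to `ACLManager` and which ConfigurationFileApplicationRegistry still assigns. Each call therefore re-reads the security configuration and instantiates a fresh set of plugins, and anything registered on an earlier instance through `configureHostPlugins` or `addHostPlugin` is not visible on the next one. Unless a new manager per call is intended, keep `return _accessManager;`.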
Modified: qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/registry/ConfigurationFileApplicationRegistry.java
URL: http://svn.apache.org/viewvc/qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/registry/ConfigurationFileApplicationRegistry.java?rev=764412&r1=764411&r2=764412&view=diff
==============================================================================
--- qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/registry/ConfigurationFileApplicationRegistry.java (original)
+++ qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/registry/ConfigurationFileApplicationRegistry.java Mon Apr 13 11:19:27 2009
@@ -94,8 +94,10 @@
_virtualHostRegistry = new VirtualHostRegistry();
- _accessManager = ACLManager.loadACLManager("default", _configuration);
+ _pluginManager = new PluginManager(_configuration.getString("plugin-directory"));
+ _accessManager = new ACLManager(_configuration, _pluginManager);
+
_databaseManager = new ConfigurationFilePrincipalDatabaseManager(_configuration);
_authenticationManager = new PrincipalDatabaseAuthenticationManager(null, null);
@@ -104,8 +106,6 @@
_managedObjectRegistry.start();
- _pluginManager = new PluginManager(_configuration.getString("plugin-directory"));
-
initialiseVirtualHosts();
}
Modified: qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/registry/IApplicationRegistry.java
URL: http://svn.apache.org/viewvc/qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/registry/IApplicationRegistry.java?rev=764412&r1=764411&r2=764412&view=diff
==============================================================================
--- qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/registry/IApplicationRegistry.java (original)
+++ qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/registry/IApplicationRegistry.java Mon Apr 13 11:19:27 2009
@@ -28,6 +28,7 @@
import org.apache.qpid.server.plugins.PluginManager;
import org.apache.qpid.server.security.auth.manager.AuthenticationManager;
import org.apache.qpid.server.security.auth.database.PrincipalDatabaseManager;
+import org.apache.qpid.server.security.access.ACLManager;
import org.apache.qpid.server.security.access.ACLPlugin;
import org.apache.qpid.server.virtualhost.VirtualHostRegistry;
import org.apache.mina.common.IoAcceptor;
@@ -74,7 +75,7 @@
VirtualHostRegistry getVirtualHostRegistry();
- ACLPlugin getAccessManager();
+ ACLManager getAccessManager();
PluginManager getPluginManager();
Modified: qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLManager.java
URL: http://svn.apache.org/viewvc/qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLManager.java?rev=764412&r1=764411&r2=764412&view=diff
==============================================================================
--- qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLManager.java (original)
+++ qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLManager.java Mon Apr 13 11:19:27 2009
@@ -20,142 +20,300 @@
*/
package org.apache.qpid.server.security.access;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Map.Entry;
+
import org.apache.commons.configuration.Configuration;
-import org.apache.commons.configuration.ConfigurationException;
-import org.apache.qpid.server.registry.ApplicationRegistry;
-import org.apache.qpid.server.security.access.plugins.DenyAll;
-import org.apache.qpid.configuration.PropertyUtils;
import org.apache.log4j.Logger;
-
-import java.util.List;
-import java.lang.reflect.Method;
+import org.apache.qpid.framing.AMQShortString;
+import org.apache.qpid.server.exchange.Exchange;
+import org.apache.qpid.server.plugins.PluginManager;
+import org.apache.qpid.server.protocol.AMQProtocolSession;
+import org.apache.qpid.server.queue.AMQQueue;
+import org.apache.qpid.server.security.access.ACLPlugin.AuthzResult;
+import org.apache.qpid.server.security.access.plugins.SimpleXML;
+import org.apache.qpid.server.virtualhost.VirtualHost;
public class ACLManager
{
private static final Logger _logger = Logger.getLogger(ACLManager.class);
+ private PluginManager _pluginManager;
+ private Map<String, ACLPluginFactory> _allSecurityPlugins = new HashMap<String, ACLPluginFactory>();
+ private Map<String, ACLPlugin> _globalPlugins = new HashMap<String, ACLPlugin>();
+ private Map<String, ACLPlugin> _hostPlugins = new HashMap<String, ACLPlugin>();
- public static ACLPlugin loadACLManager(String name, Configuration hostConfig) throws ConfigurationException
+ public ACLManager(Configuration configuration, PluginManager manager)
{
- ACLPlugin aclPlugin = ApplicationRegistry.getInstance().getAccessManager();
+ this(configuration, manager, null);
+ }
- if (hostConfig == null)
- {
- _logger.warn("No Configuration specified. Using default ACLPlugin '" + aclPlugin.getPluginName()
- + "' for VirtualHost:'" + name + "'");
- return aclPlugin;
- }
+ public ACLManager(Configuration configuration, PluginManager manager, ACLPluginFactory securityPlugin)
+ {
+ _pluginManager = manager;
- String accessClass = hostConfig.getString("security.access.class");
- if (accessClass == null)
+ if (manager == null) // No plugin manager, no plugins
{
-
- _logger.warn("No ACL Plugin specified. Using default ACL Plugin '" + aclPlugin.getPluginName() +
- "' for VirtualHost:'" + name + "'");
- return aclPlugin;
+ return;
}
- Object o;
- try
+ _allSecurityPlugins = _pluginManager.getSecurityPlugins();
+ if (securityPlugin != null)
{
- o = Class.forName(accessClass).newInstance();
- }
- catch (Exception e)
- {
- throw new ConfigurationException("Error initialising ACL: " + e, e);
+ _allSecurityPlugins.put(securityPlugin.getClass().getName(), securityPlugin);
}
- if (!(o instanceof ACLPlugin))
- {
- throw new ConfigurationException("ACL Plugins must implement the ACLPlugin interface");
- }
+ _globalPlugins = configurePlugins(configuration);
+ }
- initialiseAccessControl((ACLPlugin) o, hostConfig);
- aclPlugin = getManager((ACLPlugin) o);
- if (_logger.isInfoEnabled())
+ public void configureHostPlugins(Configuration hostConfig)
+ {
+ _hostPlugins = configurePlugins(hostConfig);
+ }
+
+ public Map<String, ACLPlugin> configurePlugins(Configuration configuration)
+ {
+ Configuration securityConfig = configuration.subset("security");
+ Map<String, ACLPlugin> plugins = new HashMap<String, ACLPlugin>();
+ Iterator keys = securityConfig.getKeys();
+ Collection<String> handledTags = new HashSet();
+ while (keys.hasNext())
{
- _logger.info("Initialised ACL Plugin '" + aclPlugin.getPluginName()
- + "' for virtualhost '" + name + "' successfully");
+ // Splitting the string is necessary here because of the way that getKeys() returns only
+ // bottom level children
+ String tag = ((String) keys.next()).split("\\.", 2)[0];
+
+ if (!handledTags.contains(tag))
+ {
+ for (ACLPluginFactory plugin : _allSecurityPlugins.values())
+ {
+ if (plugin.supportsTag(tag))
+ {
+ _logger.warn("Plugin handling security section "+tag+" is "+plugin.getClass().getSimpleName());
+ handledTags.add(tag);
+ plugins.put(plugin.getClass().getName(), plugin.newInstance(securityConfig));
+ }
+ }
+ }
+ if (!handledTags.contains(tag))
+ {
+ _logger.warn("No plugin handled security section "+tag);
+ }
}
+ return plugins;
+ }
- return aclPlugin;
+ public static Logger getLogger()
+ {
+ return _logger;
}
-
- private static void initialiseAccessControl(ACLPlugin accessManager, Configuration config)
- throws ConfigurationException
+ private abstract class AccessCheck
{
- //First provide the ACLPlugin with the host configuration
+ abstract AuthzResult allowed(ACLPlugin plugin);
+ }
- accessManager.setConfiguaration(config);
+ private boolean checkAllPlugins(AccessCheck checker)
+ {
+ AuthzResult result = AuthzResult.ABSTAIN;
+ HashMap<String, ACLPlugin> remainingPlugins = new HashMap<String, ACLPlugin>();
+ remainingPlugins.putAll(_globalPlugins);
+ for (Entry<String, ACLPlugin> plugin : _hostPlugins.entrySet())
+ {
+ result = checker.allowed(plugin.getValue());
+ if (result == AuthzResult.DENIED)
+ {
+ // Something vetoed the access, we're done
+ return false;
+ }
+ else if (result == AuthzResult.ALLOWED)
+ {
+ // Remove plugin from global check list since
+ // host allow overrides global allow
+ remainingPlugins.remove(plugin.getKey());
+ }
+ }
+
+ for (ACLPlugin plugin : remainingPlugins.values())
+ {
+ result = checker.allowed(plugin);
+ if (result == AuthzResult.DENIED)
+ {
+ return false;
+ }
+ }
+ return true;
+ }
- //Provide additional attribute customisation.
- String baseName = "security.access.attributes.attribute.";
- List<String> argumentNames = config.getList(baseName + "name");
- List<String> argumentValues = config.getList(baseName + "value");
- for (int i = 0; i < argumentNames.size(); i++)
+ public boolean authoriseBind(final AMQProtocolSession session, final Exchange exch, final AMQQueue queue,
+ final AMQShortString routingKey)
+ {
+ return checkAllPlugins(new AccessCheck()
{
- String argName = argumentNames.get(i);
- if (argName == null || argName.length() == 0)
+
+ @Override
+ AuthzResult allowed(ACLPlugin plugin)
{
- throw new ConfigurationException("Access Control argument names must have length >= 1 character");
+ return plugin.authoriseBind(session, exch, queue, routingKey);
}
- if (Character.isLowerCase(argName.charAt(0)))
+
+ });
+ }
+
+ public boolean authoriseConnect(final AMQProtocolSession session, final VirtualHost virtualHost)
+ {
+ return checkAllPlugins(new AccessCheck()
+ {
+
+ @Override
+ AuthzResult allowed(ACLPlugin plugin)
{
- argName = Character.toUpperCase(argName.charAt(0)) + argName.substring(1);
+ return plugin.authoriseConnect(session, virtualHost);
}
- String methodName = "set" + argName;
- Method method = null;
- try
+
+ });
+ }
+
+ public boolean authoriseConsume(final AMQProtocolSession session, final boolean noAck, final AMQQueue queue)
+ {
+ return checkAllPlugins(new AccessCheck()
+ {
+
+ @Override
+ AuthzResult allowed(ACLPlugin plugin)
{
- method = accessManager.getClass().getMethod(methodName, String.class);
+ return plugin.authoriseConsume(session, noAck, queue);
}
- catch (NoSuchMethodException e)
+
+ });
+ }
+
+ public boolean authoriseConsume(final AMQProtocolSession session, final boolean exclusive, final boolean noAck,
+ final boolean noLocal, final boolean nowait, final AMQQueue queue)
+ {
+ return checkAllPlugins(new AccessCheck()
+ {
+
+ @Override
+ AuthzResult allowed(ACLPlugin plugin)
{
- //do nothing as method will be null
+ return plugin.authoriseConsume(session, exclusive, noAck, noLocal, nowait, queue);
}
- if (method == null)
+ });
+ }
+
+ public boolean authoriseCreateExchange(final AMQProtocolSession session, final boolean autoDelete,
+ final boolean durable, final AMQShortString exchangeName, final boolean internal, final boolean nowait,
+ final boolean passive, final AMQShortString exchangeType)
+ {
+ return checkAllPlugins(new AccessCheck()
+ {
+
+ @Override
+ AuthzResult allowed(ACLPlugin plugin)
{
- throw new ConfigurationException("No method " + methodName + " found in class " + accessManager.getClass() +
- " hence unable to configure access control. The method must be public and " +
- "have a single String argument with a void return type");
+ return plugin.authoriseCreateExchange(session, autoDelete, durable, exchangeName, internal, nowait,
+ passive, exchangeType);
}
- try
+
+ });
+ }
+
+ public boolean authoriseCreateQueue(final AMQProtocolSession session, final boolean autoDelete,
+ final boolean durable, final boolean exclusive, final boolean nowait, final boolean passive,
+ final AMQShortString queue)
+ {
+ return checkAllPlugins(new AccessCheck()
+ {
+
+ @Override
+ AuthzResult allowed(ACLPlugin plugin)
{
- method.invoke(accessManager, PropertyUtils.replaceProperties(argumentValues.get(i)));
+ return plugin.authoriseCreateQueue(session, autoDelete, durable, exclusive, nowait, passive, queue);
}
- catch (Exception e)
+
+ });
+ }
+
+ public boolean authoriseDelete(final AMQProtocolSession session, final AMQQueue queue)
+ {
+ return checkAllPlugins(new AccessCheck()
+ {
+
+ @Override
+ AuthzResult allowed(ACLPlugin plugin)
{
- ConfigurationException ce = new ConfigurationException(e.getMessage(), e.getCause());
- ce.initCause(e);
- throw ce;
+ return plugin.authoriseDelete(session, queue);
}
- }
+
+ });
}
+ public boolean authoriseDelete(final AMQProtocolSession session, final Exchange exchange)
+ {
+ return checkAllPlugins(new AccessCheck()
+ {
+
+ @Override
+ AuthzResult allowed(ACLPlugin plugin)
+ {
+ return plugin.authoriseDelete(session, exchange);
+ }
- private static ACLPlugin getManager(ACLPlugin manager)
+ });
+ }
+
+ public boolean authorisePublish(final AMQProtocolSession session, final boolean immediate, final boolean mandatory,
+ final AMQShortString routingKey, final Exchange e)
{
- if (manager == null)
+ return checkAllPlugins(new AccessCheck()
{
- if (ApplicationRegistry.getInstance().getAccessManager() == null)
+
+ @Override
+ AuthzResult allowed(ACLPlugin plugin)
{
- return new DenyAll();
+ return plugin.authorisePublish(session, immediate, mandatory, routingKey, e);
}
- else
+
+ });
+ }
+
+ public boolean authorisePurge(final AMQProtocolSession session, final AMQQueue queue)
+ {
+ return checkAllPlugins(new AccessCheck()
+ {
+
+ @Override
+ AuthzResult allowed(ACLPlugin plugin)
{
- return ApplicationRegistry.getInstance().getAccessManager();
+ return plugin.authorisePurge(session, queue);
}
- }
- else
+
+ });
+ }
+
+ public boolean authoriseUnbind(final AMQProtocolSession session, final Exchange exch,
+ final AMQShortString routingKey, final AMQQueue queue)
+ {
+ return checkAllPlugins(new AccessCheck()
{
- return manager;
- }
+
+ @Override
+ AuthzResult allowed(ACLPlugin plugin)
+ {
+ return plugin.authoriseUnbind(session, exch, routingKey, queue);
+ }
+
+ });
}
- public static Logger getLogger()
+ public void addHostPlugin(ACLPlugin aclPlugin)
{
- return _logger;
+ _hostPlugins.put(aclPlugin.getClass().getName(), aclPlugin);
}
}
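Review bot: `checkAllPlugins` ends with `return true;`, so a request is authorised whenever no plugin returns DENIED, including when every plugin abstains or when no plugin is configured at all. The three-argument constructor returns early on `manager == null`, leaving `_globalPlugins` and `_hostPlugins` empty, and `configurePlugins` only logs a warning for a security section that no plugin handles, so a missing plugin manager or a mistyped section name appears to leave the broker without enforcement. The removed `getManager` fell back to `new DenyAll()` when neither a plugin nor a registry-level access manager was available. If allow-by-default is now intended, state it in a comment on `checkAllPlugins`; otherwise track whether any plugin answered ALLOWED and return that flag instead of `true`. Separately, the constructor calls `put` on the map returned by `_pluginManager.getSecurityPlugins()`, which is the plugin manager's cached instance, so a factory passed to one `ACLManager` becomes visible to every other one.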
Modified: qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLPlugin.java
URL: http://svn.apache.org/viewvc/qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLPlugin.java?rev=764412&r1=764411&r2=764412&view=diff
==============================================================================
--- qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLPlugin.java (original)
+++ qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLPlugin.java Mon Apr 13 11:19:27 2009
@@ -29,36 +29,41 @@
public interface ACLPlugin
{
- String getPluginName();
+ public enum AuthzResult
+ {
+ ALLOWED,
+ DENIED,
+ ABSTAIN
+ }
- void setConfiguaration(Configuration config);
+ void setConfiguration(Configuration config);
// These return true if the plugin thinks the action should be allowed, and false if not.
- boolean authoriseBind(AMQProtocolSession session, Exchange exch, AMQQueue queue, AMQShortString routingKey);
+ AuthzResult authoriseBind(AMQProtocolSession session, Exchange exch, AMQQueue queue, AMQShortString routingKey);
- boolean authoriseCreateExchange(AMQProtocolSession session, boolean autoDelete, boolean durable,
+ AuthzResult authoriseCreateExchange(AMQProtocolSession session, boolean autoDelete, boolean durable,
AMQShortString exchangeName, boolean internal, boolean nowait, boolean passive, AMQShortString exchangeType);
- boolean authoriseCreateQueue(AMQProtocolSession session, boolean autoDelete, boolean durable, boolean exclusive,
+ AuthzResult authoriseCreateQueue(AMQProtocolSession session, boolean autoDelete, boolean durable, boolean exclusive,
boolean nowait, boolean passive, AMQShortString queue);
- boolean authoriseConnect(AMQProtocolSession session, VirtualHost virtualHost);
+ AuthzResult authoriseConnect(AMQProtocolSession session, VirtualHost virtualHost);
- boolean authoriseConsume(AMQProtocolSession session, boolean noAck, AMQQueue queue);
+ AuthzResult authoriseConsume(AMQProtocolSession session, boolean noAck, AMQQueue queue);
- boolean authoriseConsume(AMQProtocolSession session, boolean exclusive, boolean noAck, boolean noLocal,
+ AuthzResult authoriseConsume(AMQProtocolSession session, boolean exclusive, boolean noAck, boolean noLocal,
boolean nowait, AMQQueue queue);
- boolean authoriseDelete(AMQProtocolSession session, AMQQueue queue);
+ AuthzResult authoriseDelete(AMQProtocolSession session, AMQQueue queue);
- boolean authoriseDelete(AMQProtocolSession session, Exchange exchange);
+ AuthzResult authoriseDelete(AMQProtocolSession session, Exchange exchange);
- boolean authorisePublish(AMQProtocolSession session, boolean immediate, boolean mandatory,
+ AuthzResult authorisePublish(AMQProtocolSession session, boolean immediate, boolean mandatory,
AMQShortString routingKey, Exchange e);
- boolean authorisePurge(AMQProtocolSession session, AMQQueue queue);
+ AuthzResult authorisePurge(AMQProtocolSession session, AMQQueue queue);
- boolean authoriseUnbind(AMQProtocolSession session, Exchange exch, AMQShortString routingKey, AMQQueue queue);
+ AuthzResult authoriseUnbind(AMQProtocolSession session, Exchange exch, AMQShortString routingKey, AMQQueue queue);
}
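Review bot: The comment kept above the method list, `// These return true if the plugin thinks the action should be allowed, and false if not.`, no longer matches the signatures, which now return `AuthzResult`. Replace it with something like `// These return ALLOWED or DENIED when the plugin has a decision, and ABSTAIN when it has none.` and add a short Javadoc on `AuthzResult` stating how a caller is expected to treat ABSTAIN, since the enum is now the contract every plugin author implements. The `public` modifier on the nested enum is redundant inside an interface.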
Modified: qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessResult.java
URL: http://svn.apache.org/viewvc/qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessResult.java?rev=764412&r1=764411&r2=764412&view=diff
==============================================================================
--- qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessResult.java (original)
+++ qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessResult.java Mon Apr 13 11:19:27 2009
@@ -33,12 +33,12 @@
public AccessResult(ACLPlugin authorizer, AccessStatus status)
{
_status = status;
- _authorizer = authorizer.getPluginName();
+ _authorizer = authorizer.getClass().getSimpleName();
}
public void setAuthorizer(ACLPlugin authorizer)
{
- _authorizer += authorizer.getPluginName();
+ _authorizer += authorizer.getClass().getSimpleName();
}
public String getAuthorizer()
@@ -58,7 +58,7 @@
public void addAuthorizer(ACLPlugin accessManager)
{
- _authorizer = accessManager.getPluginName() + "->" + _authorizer;
+ _authorizer = accessManager.getClass().getSimpleName() + "->" + _authorizer;
}
Modified: qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java
URL: http://svn.apache.org/viewvc/qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java?rev=764412&r1=764411&r2=764412&view=diff
==============================================================================
--- qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java (original)
+++ qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java Mon Apr 13 11:19:27 2009
@@ -25,6 +25,7 @@
import org.apache.qpid.framing.QueueDeclareBody;
import org.apache.qpid.framing.ExchangeDeclareBody;
import org.apache.qpid.server.queue.AMQQueue;
+import org.apache.qpid.server.security.access.ACLPlugin.AuthzResult;
import org.apache.qpid.server.exchange.Exchange;
import java.util.*;
@@ -336,13 +337,13 @@
* PURGE: none
* UNBIND: none
*/
- public boolean authorise(Permission permission, Object... parameters)
+ public AuthzResult authorise(Permission permission, Object... parameters)
{
switch (permission)
{
case ACCESS:
- return true; // This is here for completeness but the SimpleXML ACLManager never calls it.
+ return AuthzResult.ALLOWED; // This is here for completeness but the SimpleXML ACLManager never calls it.
// The existence of this user specific PP can be validated in the map SimpleXML maintains.
case BIND: // Parameters : QueueBindMethod , Exchange , AMQQueue, AMQShortString routingKey
@@ -368,7 +369,7 @@
if (exchangeDetails == null) //Then all queue can be bound to all exchanges.
{
- return true;
+ return AuthzResult.ALLOWED;
}
// Check to see if we have a white list of routingkeys to check
@@ -378,7 +379,7 @@
if (rkeys == null)
{
// There is no routingkey white list
- return true;
+ return AuthzResult.ALLOWED;
}
else
{
@@ -400,7 +401,7 @@
}
- return matched;
+ return (matched) ? AuthzResult.ALLOWED : AuthzResult.DENIED;
}
@@ -425,14 +426,14 @@
// Check to see if the requested exchange is allowed.
Map exchangeDetails = (Map) bind_exchanges.get(exchange.getName());
- return (Boolean) exchangeDetails.get(CREATE_QUEUE_EXCHANGES_TEMPORARY_KEY);
+ return ((Boolean) exchangeDetails.get(CREATE_QUEUE_EXCHANGES_TEMPORARY_KEY)) ? AuthzResult.ALLOWED : AuthzResult.DENIED;
}
//no white list so all allowed, drop through to return true below.
}
// not a temporary queue and no white list so all allowed.
- return true;
+ return AuthzResult.ALLOWED;
}
case CREATEQUEUE:// Parameters : boolean autodelete, AMQShortString name
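Review bot: The new `((Boolean) exchangeDetails.get(CREATE_QUEUE_EXCHANGES_TEMPORARY_KEY)) ? ...` line unboxes the map value, so a missing key, or a null `exchangeDetails` for an exchange absent from `bind_exchanges`, throws NullPointerException instead of returning a decision. Whether a guard exists above is not visible, because the branch starts outside the hunk. An explicit deny is easier to reason about in an authorisation check: `return (exchangeDetails != null && Boolean.TRUE.equals(exchangeDetails.get(CREATE_QUEUE_EXCHANGES_TEMPORARY_KEY))) ? AuthzResult.ALLOWED : AuthzResult.DENIED;`. The same unboxing appears in the CREATEQUEUE hunk at `create_queues.get(CREATE_QUEUE_TEMPORARY_KEY)`.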
@@ -442,7 +443,7 @@
// If there are no create rights then deny request
if (createRights == null)
{
- return false;
+ return AuthzResult.DENIED;
}
//Look up the Queue Creation Rights
@@ -457,12 +458,20 @@
if (autoDelete)// we have a temporary queue
{
- return (Boolean) create_queues.get(CREATE_QUEUE_TEMPORARY_KEY);
+ return ((Boolean) create_queues.get(CREATE_QUEUE_TEMPORARY_KEY)) ? AuthzResult.ALLOWED : AuthzResult.DENIED;
}
else
{
// If there is a white list then check
- return create_queues_queues == null || create_queues_queues.containsKey(queueName);
+ if (create_queues_queues == null || create_queues_queues.containsKey(queueName))
+ {
+ return AuthzResult.ALLOWED;
+ }
+ else
+ {
+ return AuthzResult.DENIED;
+ }
+
}
case CREATEEXCHANGE:
Map rights = (Map) _permissions.get(permission);
@@ -471,7 +480,14 @@
// If the exchange list is doesn't exist then all is allowed else
// check the valid exchanges
- return rights == null || rights.containsKey(exchangeName);
+ if (rights == null || rights.containsKey(exchangeName))
+ {
+ return AuthzResult.ALLOWED;
+ }
+ else
+ {
+ return AuthzResult.DENIED;
+ }
case CONSUME: // Parameters : AMQQueue
if (parameters.length == 1 && parameters[0] instanceof AMQQueue)
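Review bot: In the CREATEEXCHANGE branch a principal with no rights entry is allowed (`rights == null` yields ALLOWED), whereas the CREATEQUEUE branch earlier in this method denies when `createRights == null`. The two defaults differ, and the allow-by-default one is easier to overlook now that the condition is spread over an if/else. If it is intentional, say so on the condition, e.g. `// No CREATEEXCHANGE entry for this principal: unrestricted by design (CREATEQUEUE denies in the same situation)`; otherwise return DENIED when `rights` is null. The assignment of `exchangeName` lies outside the hunk.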
@@ -492,11 +508,11 @@
// Of course the exclusivity will not be broken.
{
// if not limited to ownQueuesOnly then ok else check queue Owner.
- return !ownQueuesOnly || queue.getOwner().equals(_user);
+ return (!ownQueuesOnly || queue.getOwner().equals(_user)) ? AuthzResult.ALLOWED : AuthzResult.DENIED;
}
else
{
- return false;
+ return AuthzResult.DENIED;
}
}
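Review bot: `queue.getOwner().equals(_user)` throws NullPointerException for a queue without an owner, so the consume check ends in an exception rather than a DENIED result; the same call appears in the next hunk (`if (queue.getOwner().equals(_user))`). Whether `getOwner()` can return null is not visible here, so this needs confirming against AMQQueue. A null-safe condition keeps the outcome explicit: `return (!ownQueuesOnly || (queue.getOwner() != null && queue.getOwner().equals(_user))) ? AuthzResult.ALLOWED : AuthzResult.DENIED;`.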
@@ -508,21 +524,21 @@
{
if (queue.getOwner().equals(_user))
{
- return queues.size() == 0 || queues.contains(queue.getName());
+ return (queues.size() == 0 || queues.contains(queue.getName())) ? AuthzResult.ALLOWED : AuthzResult.DENIED;
}
else
{
- return false;
+ return AuthzResult.DENIED;
}
}
// If we are
- return queues.size() == 0 || queues.contains(queue.getName());
+ return (queues.size() == 0 || queues.contains(queue.getName())) ? AuthzResult.ALLOWED : AuthzResult.DENIED;
}
}
// Can't authenticate without the right parameters
- return false;
+ return AuthzResult.DENIED;
case DELETE:
break;
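Review bot: `case DELETE:` only does `break;`, which as far as the visible hunks show leads to the final `return AuthzResult.DENIED;` at the end of the method, so every DELETE request is denied whatever the principal's configuration says. Nothing in the hunk states that this is deliberate. A comment on the case would help, e.g. `// DELETE has no configurable rights in this class; breaks out to the DENIED return below`. The nearby comment `// Can't authenticate without the right parameters` describes an authorisation decision and would read better with "authorise".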
@@ -531,7 +547,7 @@
if (publishRights == null)
{
- return false;
+ return AuthzResult.DENIED;
}
Map exchanges = (Map) publishRights.get(PUBLISH_EXCHANGES_KEY);
@@ -539,14 +555,14 @@
// Having no exchanges listed gives full publish rights to all exchanges
if (exchanges == null)
{
- return true;
+ return AuthzResult.ALLOWED;
}
// Otherwise exchange must be listed in the white list
// If the map doesn't have the exchange then it isn't allowed
if (!exchanges.containsKey(((Exchange) parameters[0]).getName()))
{
- return false;
+ return AuthzResult.DENIED;
}
else
{
@@ -557,7 +573,7 @@
// Having no routingKeys in the map then all are allowed.
if (routingKeys == null)
{
- return true;
+ return AuthzResult.ALLOWED;
}
else
{
@@ -581,7 +597,7 @@
matched = publishRKey.equals(rkey);
}
}
- return matched;
+ return (matched) ? AuthzResult.ALLOWED : AuthzResult.DENIED;
}
}
case PURGE:
@@ -591,6 +607,6 @@
}
- return false;
+ return AuthzResult.DENIED;
}
}
Modified: qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/AllowAll.java
URL: http://svn.apache.org/viewvc/qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/AllowAll.java?rev=764412&r1=764411&r2=764412&view=diff
==============================================================================
--- qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/AllowAll.java (original)
+++ qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/AllowAll.java Mon Apr 13 11:19:27 2009
@@ -21,24 +21,34 @@
package org.apache.qpid.server.security.access.plugins;
import org.apache.commons.configuration.Configuration;
+import org.apache.qpid.server.security.access.ACLPlugin;
+import org.apache.qpid.server.security.access.ACLPluginFactory;
public class AllowAll extends BasicACLPlugin
{
- public String getPluginName()
+ public static final ACLPluginFactory FACTORY = new ACLPluginFactory()
{
- return "AllowAll";
- }
+ public boolean supportsTag(String name)
+ {
+ return false;
+ }
- public void setConfiguaration(Configuration config)
+ public ACLPlugin newInstance(Configuration config)
+ {
+ return new AllowAll();
+ }
+ };
+
+ public String getPluginName()
{
- // no-op
+ return this.getClass().getSimpleName();
}
@Override
- protected boolean getResult()
+ protected AuthzResult getResult()
{
// Always allow
- return true;
+ return AuthzResult.ALLOWED;
}
}
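Review bot: `FACTORY` is a new public entry point with no Javadoc, and the plugin it builds returns `AuthzResult.ALLOWED` for every request. `supportsTag` always returns false and `newInstance` ignores `config`, so presumably it is only selected when passed explicitly, as the registries in this commit do with `AllowAll.FACTORY`. State that on the field, e.g. `/** Creates a plugin that allows every operation; matches no configuration tag and must be passed explicitly. */`. `getPluginName()` now depends on the runtime class, so a subclass would report its own name; a one-line comment would confirm that is intended.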
Modified: qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/BasicACLPlugin.java
URL: http://svn.apache.org/viewvc/qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/BasicACLPlugin.java?rev=764412&r1=764411&r2=764412&view=diff
==============================================================================
--- qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/BasicACLPlugin.java (original)
+++ qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/BasicACLPlugin.java Mon Apr 13 11:19:27 2009
@@ -33,31 +33,31 @@
{
// Returns true or false if the plugin should authorise or deny the request
- protected abstract boolean getResult();
+ protected abstract AuthzResult getResult();
@Override
- public boolean authoriseBind(AMQProtocolSession session, Exchange exch,
+ public AuthzResult authoriseBind(AMQProtocolSession session, Exchange exch,
AMQQueue queue, AMQShortString routingKey)
{
return getResult();
}
@Override
- public boolean authoriseConnect(AMQProtocolSession session,
+ public AuthzResult authoriseConnect(AMQProtocolSession session,
VirtualHost virtualHost)
{
return getResult();
}
@Override
- public boolean authoriseConsume(AMQProtocolSession session, boolean noAck,
+ public AuthzResult authoriseConsume(AMQProtocolSession session, boolean noAck,
AMQQueue queue)
{
return getResult();
}
@Override
- public boolean authoriseConsume(AMQProtocolSession session,
+ public AuthzResult authoriseConsume(AMQProtocolSession session,
boolean exclusive, boolean noAck, boolean noLocal, boolean nowait,
AMQQueue queue)
{
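Review bot: The comment above `getResult()` still reads `// Returns true or false if the plugin should authorise or deny the request`, but the method now returns `AuthzResult`. Update it to something like `// Returns the AuthzResult (e.g. ALLOWED or DENIED) that this plugin gives for every request`. The class body starts and ends outside this hunk.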
@@ -65,7 +65,7 @@
}
@Override
- public boolean authoriseCreateExchange(AMQProtocolSession session,
+ public AuthzResult authoriseCreateExchange(AMQProtocolSession session,
boolean autoDelete, boolean durable, AMQShortString exchangeName,
boolean internal, boolean nowait, boolean passive,
AMQShortString exchangeType)
@@ -74,7 +74,7 @@
}
@Override
- public boolean authoriseCreateQueue(AMQProtocolSession session,
+ public AuthzResult authoriseCreateQueue(AMQProtocolSession session,
boolean autoDelete, boolean durable, boolean exclusive,
boolean nowait, boolean passive, AMQShortString queue)
{
@@ -82,19 +82,19 @@
}
@Override
- public boolean authoriseDelete(AMQProtocolSession session, AMQQueue queue)
+ public AuthzResult authoriseDelete(AMQProtocolSession session, AMQQueue queue)
{
return getResult();
}
@Override
- public boolean authoriseDelete(AMQProtocolSession session, Exchange exchange)
+ public AuthzResult authoriseDelete(AMQProtocolSession session, Exchange exchange)
{
return getResult();
}
@Override
- public boolean authorisePublish(AMQProtocolSession session,
+ public AuthzResult authorisePublish(AMQProtocolSession session,
boolean immediate, boolean mandatory, AMQShortString routingKey,
Exchange e)
{
@@ -102,22 +102,28 @@
}
@Override
- public boolean authorisePurge(AMQProtocolSession session, AMQQueue queue)
+ public AuthzResult authorisePurge(AMQProtocolSession session, AMQQueue queue)
{
return getResult();
}
@Override
- public boolean authoriseUnbind(AMQProtocolSession session, Exchange exch,
+ public AuthzResult authoriseUnbind(AMQProtocolSession session, Exchange exch,
AMQShortString routingKey, AMQQueue queue)
{
return getResult();
}
@Override
- public void setConfiguaration(Configuration config)
+ public void setConfiguration(Configuration config)
{
// no-op
}
+ public boolean supportsTag(String name)
+ {
+ // This plugin doesn't support any tags
+ return false;
+ }
+
}
Modified: qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/DenyAll.java
URL: http://svn.apache.org/viewvc/qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/DenyAll.java?rev=764412&r1=764411&r2=764412&view=diff
==============================================================================
--- qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/DenyAll.java (original)
+++ qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/DenyAll.java Mon Apr 13 11:19:27 2009
@@ -26,11 +26,26 @@
import org.apache.qpid.protocol.AMQConstant;
import org.apache.qpid.server.protocol.AMQProtocolSession;
import org.apache.qpid.server.security.access.ACLManager;
+import org.apache.qpid.server.security.access.ACLPlugin;
+import org.apache.qpid.server.security.access.ACLPluginFactory;
import org.apache.qpid.server.security.access.AccessResult;
import org.apache.qpid.server.security.access.Permission;
public class DenyAll extends BasicACLPlugin
{
+ public static final ACLPluginFactory FACTORY = new ACLPluginFactory()
+ {
+ public boolean supportsTag(String name)
+ {
+ return false;
+ }
+
+ public ACLPlugin newInstance(Configuration config)
+ {
+ return new DenyAll();
+ }
+ };
+
public AccessResult authorise(AMQProtocolSession session,
Permission permission, AMQMethodBody body, Object... parameters)
throws AMQConnectionException
@@ -47,19 +62,14 @@
public String getPluginName()
{
- return "DenyAll";
- }
-
- public void setConfiguaration(Configuration config)
- {
- // no-op
+ return getClass().getSimpleName();
}
@Override
- protected boolean getResult()
+ protected AuthzResult getResult()
{
// Always deny
- return false;
+ return AuthzResult.DENIED;
}
}
Modified: qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXML.java
URL: http://svn.apache.org/viewvc/qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXML.java?rev=764412&r1=764411&r2=764412&view=diff
==============================================================================
--- qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXML.java (original)
+++ qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXML.java Mon Apr 13 11:19:27 2009
@@ -35,9 +35,11 @@
import org.apache.qpid.server.queue.AMQQueue;
import org.apache.qpid.server.security.access.ACLManager;
import org.apache.qpid.server.security.access.ACLPlugin;
+import org.apache.qpid.server.security.access.ACLPluginFactory;
import org.apache.qpid.server.security.access.AccessResult;
import org.apache.qpid.server.security.access.Permission;
import org.apache.qpid.server.security.access.PrincipalPermissions;
+import org.apache.qpid.server.security.access.ACLPlugin.AuthzResult;
import org.apache.qpid.server.virtualhost.VirtualHost;
import java.util.Map;
@@ -48,6 +50,21 @@
*/
public class SimpleXML implements ACLPlugin
{
+ public static final ACLPluginFactory FACTORY = new ACLPluginFactory()
+ {
+ public boolean supportsTag(String name)
+ {
+ return name.startsWith("access_control_list");
+ }
+
+ public ACLPlugin newInstance(Configuration config)
+ {
+ SimpleXML plugin = new SimpleXML();
+ plugin.setConfiguration(config);
+ return plugin;
+ }
+ };
+
private Map<String, PrincipalPermissions> _users;
private final AccessResult GRANTED = new AccessResult(this, AccessResult.AccessStatus.GRANTED);
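Review bot: `supportsTag` uses `name.startsWith("access_control_list")`, which also claims any longer tag that merely begins with that text, and throws NullPointerException for a null name. Which tags the caller passes is not visible here, but for choosing an authorisation plugin an exact or delimiter-aware match is easier to reason about, e.g. `return name != null && (name.equals("access_control_list") || name.startsWith("access_control_list."));`. `newInstance` also hands `config` to `setConfiguration` without a null check.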
@@ -56,7 +73,7 @@
_users = new ConcurrentHashMap<String, PrincipalPermissions>();
}
- public void setConfiguaration(Configuration config)
+ public void setConfiguration(Configuration config)
{
processConfig(config);
}
@@ -78,7 +95,7 @@
*/
private void processPublish(Configuration config)
{
- Configuration publishConfig = config.subset("security.access_control_list.publish");
+ Configuration publishConfig = config.subset("access_control_list.publish");
// Process users that have full publish permission
String[] users = publishConfig.getStringArray("users.user");
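Review bot: `config.subset("access_control_list.publish")` now assumes the caller passes a configuration already narrowed to the security section; this hunk and the matching ones in `processConsume` and `processCreate` drop the `security.` prefix. If a full configuration is passed instead, the subset is presumably empty, no users are loaded, and every request is denied with nothing logged. A comment on `setConfiguration` stating the expected root, e.g. `// config must be rooted at the security section (keys start with access_control_list)`, plus a warning when no ACL entries are found, would make such a misconfiguration visible. `processPublish` continues outside the hunk.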
@@ -149,7 +166,7 @@
private void processConsume(Configuration config)
{
- Configuration consumeConfig = config.subset("security.access_control_list.consume");
+ Configuration consumeConfig = config.subset("access_control_list.consume");
// Process queue limited users
int queueCount = 0;
@@ -186,7 +203,7 @@
private void processCreate(Configuration config)
{
- Configuration createConfig = config.subset("security.access_control_list.create");
+ Configuration createConfig = config.subset("access_control_list.create");
// Process create permissions for queue creation
int queueCount = 0;
@@ -273,13 +290,12 @@
return "Simple";
}
- @Override
- public boolean authoriseBind(AMQProtocolSession session, Exchange exch, AMQQueue queue, AMQShortString routingKey)
+ public AuthzResult authoriseBind(AMQProtocolSession session, Exchange exch, AMQQueue queue, AMQShortString routingKey)
{
PrincipalPermissions principalPermissions = _users.get(session.getAuthorizedID().getName());
if (principalPermissions == null)
{
- return false;
+ return AuthzResult.DENIED;
}
else
{
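Review bot: `_users.get(session.getAuthorizedID().getName())` dereferences the session's authorised ID without a null check, here and in the other `authorise*` methods changed in this file. If a session can reach these checks before authentication has completed (not visible from the hunk), the result is a NullPointerException rather than `AuthzResult.DENIED`. The lookup-then-deny preamble is also repeated in each of these methods; a private helper that returns the `PrincipalPermissions` or null, treating a missing ID as no permissions, would remove the duplication and put the null handling in one place. The body of `authoriseBind` continues outside the hunk.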
@@ -287,13 +303,12 @@
}
}
- @Override
- public boolean authoriseConnect(AMQProtocolSession session, VirtualHost virtualHost)
+ public AuthzResult authoriseConnect(AMQProtocolSession session, VirtualHost virtualHost)
{
PrincipalPermissions principalPermissions = _users.get(session.getAuthorizedID().getName());
if (principalPermissions == null)
{
- return false;
+ return AuthzResult.DENIED;
}
else
{
@@ -301,13 +316,12 @@
}
}
- @Override
- public boolean authoriseConsume(AMQProtocolSession session, boolean noAck, AMQQueue queue)
+ public AuthzResult authoriseConsume(AMQProtocolSession session, boolean noAck, AMQQueue queue)
{
PrincipalPermissions principalPermissions = _users.get(session.getAuthorizedID().getName());
if (principalPermissions == null)
{
- return false;
+ return AuthzResult.DENIED;
}
else
{
@@ -315,21 +329,19 @@
}
}
- @Override
- public boolean authoriseConsume(AMQProtocolSession session, boolean exclusive, boolean noAck, boolean noLocal,
+ public AuthzResult authoriseConsume(AMQProtocolSession session, boolean exclusive, boolean noAck, boolean noLocal,
boolean nowait, AMQQueue queue)
{
return authoriseConsume(session, noAck, queue);
}
- @Override
- public boolean authoriseCreateExchange(AMQProtocolSession session, boolean autoDelete, boolean durable,
+ public AuthzResult authoriseCreateExchange(AMQProtocolSession session, boolean autoDelete, boolean durable,
AMQShortString exchangeName, boolean internal, boolean nowait, boolean passive, AMQShortString exchangeType)
{
PrincipalPermissions principalPermissions = _users.get(session.getAuthorizedID().getName());
if (principalPermissions == null)
{
- return false;
+ return AuthzResult.DENIED;
}
else
{
@@ -337,14 +349,13 @@
}
}
- @Override
- public boolean authoriseCreateQueue(AMQProtocolSession session, boolean autoDelete, boolean durable, boolean exclusive,
+ public AuthzResult authoriseCreateQueue(AMQProtocolSession session, boolean autoDelete, boolean durable, boolean exclusive,
boolean nowait, boolean passive, AMQShortString queue)
{
PrincipalPermissions principalPermissions = _users.get(session.getAuthorizedID().getName());
if (principalPermissions == null)
{
- return false;
+ return AuthzResult.DENIED;
}
else
{
@@ -352,13 +363,12 @@
}
}
- @Override
- public boolean authoriseDelete(AMQProtocolSession session, AMQQueue queue)
+ public AuthzResult authoriseDelete(AMQProtocolSession session, AMQQueue queue)
{
PrincipalPermissions principalPermissions = _users.get(session.getAuthorizedID().getName());
if (principalPermissions == null)
{
- return false;
+ return AuthzResult.DENIED;
}
else
{
@@ -366,13 +376,12 @@
}
}
- @Override
- public boolean authoriseDelete(AMQProtocolSession session, Exchange exchange)
+ public AuthzResult authoriseDelete(AMQProtocolSession session, Exchange exchange)
{
PrincipalPermissions principalPermissions = _users.get(session.getAuthorizedID().getName());
if (principalPermissions == null)
{
- return false;
+ return AuthzResult.DENIED;
}
else
{
@@ -380,14 +389,13 @@
}
}
- @Override
- public boolean authorisePublish(AMQProtocolSession session, boolean immediate, boolean mandatory,
+ public AuthzResult authorisePublish(AMQProtocolSession session, boolean immediate, boolean mandatory,
AMQShortString routingKey, Exchange e)
{
PrincipalPermissions principalPermissions = _users.get(session.getAuthorizedID().getName());
if (principalPermissions == null)
{
- return false;
+ return AuthzResult.DENIED;
}
else
{
@@ -395,13 +403,12 @@
}
}
- @Override
- public boolean authorisePurge(AMQProtocolSession session, AMQQueue queue)
+ public AuthzResult authorisePurge(AMQProtocolSession session, AMQQueue queue)
{
PrincipalPermissions principalPermissions = _users.get(session.getAuthorizedID().getName());
if (principalPermissions == null)
{
- return false;
+ return AuthzResult.DENIED;
}
else
{
@@ -409,17 +416,17 @@
}
}
- @Override
- public boolean authoriseUnbind(AMQProtocolSession session, Exchange exch, AMQShortString routingKey, AMQQueue queue)
+ public AuthzResult authoriseUnbind(AMQProtocolSession session, Exchange exch, AMQShortString routingKey, AMQQueue queue)
{
PrincipalPermissions principalPermissions = _users.get(session.getAuthorizedID().getName());
if (principalPermissions == null)
{
- return false;
+ return AuthzResult.DENIED;
}
else
{
return principalPermissions.authorise(Permission.UNBIND);
}
}
+
}
Propchange: qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/HashedUser.java
('svn:mergeinfo' removed)
Modified: qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/util/NullApplicationRegistry.java
URL: http://svn.apache.org/viewvc/qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/util/NullApplicationRegistry.java?rev=764412&r1=764411&r2=764412&view=diff
==============================================================================
--- qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/util/NullApplicationRegistry.java (original)
+++ qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/util/NullApplicationRegistry.java Mon Apr 13 11:19:27 2009
@@ -27,16 +27,13 @@
import org.apache.commons.configuration.Configuration;
import org.apache.commons.configuration.MapConfiguration;
-import org.apache.qpid.server.management.ManagedObjectRegistry;
import org.apache.qpid.server.management.NoopManagedObjectRegistry;
import org.apache.qpid.server.plugins.PluginManager;
import org.apache.qpid.server.registry.ApplicationRegistry;
-import org.apache.qpid.server.security.auth.manager.AuthenticationManager;
-import org.apache.qpid.server.security.auth.manager.PrincipalDatabaseAuthenticationManager;
-import org.apache.qpid.server.security.auth.database.PrincipalDatabaseManager;
-import org.apache.qpid.server.security.auth.database.PropertiesPrincipalDatabaseManager;
-import org.apache.qpid.server.security.access.ACLPlugin;
+import org.apache.qpid.server.security.access.ACLManager;
import org.apache.qpid.server.security.access.plugins.AllowAll;
+import org.apache.qpid.server.security.auth.database.PropertiesPrincipalDatabaseManager;
+import org.apache.qpid.server.security.auth.manager.PrincipalDatabaseAuthenticationManager;
import org.apache.qpid.server.virtualhost.VirtualHost;
import org.apache.qpid.server.virtualhost.VirtualHostRegistry;
@@ -59,13 +56,13 @@
_databaseManager = new PropertiesPrincipalDatabaseManager("default", users);
- _accessManager = new AllowAll();
+ _accessManager = new ACLManager(_configuration, _pluginManager, AllowAll.FACTORY);
_authenticationManager = new PrincipalDatabaseAuthenticationManager(null, null);
_managedObjectRegistry = new NoopManagedObjectRegistry();
_virtualHostRegistry = new VirtualHostRegistry();
- VirtualHost dummyHost = new VirtualHost("test", getConfiguration());
+ VirtualHost dummyHost = new VirtualHost("test", _configuration);
_virtualHostRegistry.registerVirtualHost(dummyHost);
_virtualHostRegistry.setDefaultVirtualHostName("test");
_pluginManager = new PluginManager("");
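Review bot: `new ACLManager(_configuration, _pluginManager, AllowAll.FACTORY)` runs before `_pluginManager = new PluginManager("");` at the end of this hunk, so unless the field is assigned earlier outside the hunk the manager is constructed with a null plugin manager. Move the `_pluginManager` assignment above the `_accessManager` line, or document that ACLManager accepts null there. The enclosing method starts and ends outside the hunk.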
Modified: qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/virtualhost/VirtualHost.java
URL: http://svn.apache.org/viewvc/qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/virtualhost/VirtualHost.java?rev=764412&r1=764411&r2=764412&view=diff
==============================================================================
--- qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/virtualhost/VirtualHost.java (original)
+++ qpid/branches/0.5-fix/qpid/java/broker/src/main/java/org/apache/qpid/server/virtualhost/VirtualHost.java Mon Apr 13 11:19:27 2009
@@ -20,35 +20,35 @@
*/
package org.apache.qpid.server.virtualhost;
+import java.util.Timer;
+import java.util.TimerTask;
+
import javax.management.NotCompliantMBeanException;
import org.apache.commons.configuration.Configuration;
import org.apache.commons.configuration.PropertiesConfiguration;
import org.apache.log4j.Logger;
+import org.apache.qpid.AMQException;
import org.apache.qpid.server.AMQBrokerManagerMBean;
+import org.apache.qpid.server.configuration.Configurator;
import org.apache.qpid.server.connection.ConnectionRegistry;
import org.apache.qpid.server.connection.IConnectionRegistry;
-import org.apache.qpid.server.security.access.ACLPlugin;
-import org.apache.qpid.server.security.access.ACLManager;
-import org.apache.qpid.server.security.access.Accessable;
-import org.apache.qpid.server.security.auth.manager.PrincipalDatabaseAuthenticationManager;
-import org.apache.qpid.server.security.auth.manager.AuthenticationManager;
-import org.apache.qpid.server.configuration.Configurator;
import org.apache.qpid.server.exchange.DefaultExchangeFactory;
import org.apache.qpid.server.exchange.DefaultExchangeRegistry;
import org.apache.qpid.server.exchange.ExchangeFactory;
import org.apache.qpid.server.exchange.ExchangeRegistry;
import org.apache.qpid.server.management.AMQManagedObject;
import org.apache.qpid.server.management.ManagedObject;
+import org.apache.qpid.server.queue.AMQQueue;
import org.apache.qpid.server.queue.DefaultQueueRegistry;
import org.apache.qpid.server.queue.QueueRegistry;
-import org.apache.qpid.server.queue.AMQQueue;
import org.apache.qpid.server.registry.ApplicationRegistry;
+import org.apache.qpid.server.security.access.ACLManager;
+import org.apache.qpid.server.security.access.Accessable;
+import org.apache.qpid.server.security.access.plugins.SimpleXML;
+import org.apache.qpid.server.security.auth.manager.AuthenticationManager;
+import org.apache.qpid.server.security.auth.manager.PrincipalDatabaseAuthenticationManager;
import org.apache.qpid.server.store.MessageStore;
-import org.apache.qpid.AMQException;
-
-import java.util.Timer;
-import java.util.TimerTask;
public class VirtualHost implements Accessable
{
@@ -73,7 +73,7 @@
private AuthenticationManager _authenticationManager;
- private ACLPlugin _accessManager;
+ private ACLManager _accessManager;
private final Timer _houseKeepingTimer;
@@ -183,8 +183,9 @@
_authenticationManager = new PrincipalDatabaseAuthenticationManager(name, hostConfig);
- _accessManager = ACLManager.loadACLManager(name, hostConfig);
-
+ _accessManager = ApplicationRegistry.getInstance().getAccessManager();
+ _accessManager.configureHostPlugins(hostConfig);
+
_brokerMBean = new AMQBrokerManagerMBean(_virtualHostMBean);
_brokerMBean.register();
initialiseHouseKeeping(hostConfig);
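Review bot: `_accessManager` is now the broker-wide instance from `ApplicationRegistry.getInstance().getAccessManager()`, and `configureHostPlugins(hostConfig)` is called on that shared object. `configureHostPlugins` is not shown, but if it stores the host plugins on the manager, each virtual host's ACL configuration would be added to, or replace, the set applied to every other host, which is the opposite of per-virtualhost authorisation. Either give each VirtualHost its own ACLManager or add a comment here explaining how host plugins are kept separate inside the shared manager. The enclosing method continues outside the hunk.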
@@ -258,7 +259,6 @@
return instance;
}
-
public String getName()
{
return _name;
@@ -294,7 +294,7 @@
return _authenticationManager;
}
- public ACLPlugin getAccessManager()
+ public ACLManager getAccessManager()
{
return _accessManager;
}
Modified: qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/plugins/PluginTest.java
URL: http://svn.apache.org/viewvc/qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/plugins/PluginTest.java?rev=764412&r1=764411&r2=764412&view=diff
==============================================================================
--- qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/plugins/PluginTest.java (original)
+++ qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/plugins/PluginTest.java Mon Apr 13 11:19:27 2009
@@ -48,7 +48,6 @@
{
PluginManager manager = new PluginManager("/path/to/nowhere");
Map<String, ExchangeType<?>> exchanges = manager.getExchanges();
- assertNull("Exchanges found", exchanges);
- }
-
+ assertEquals("Exchanges found", 0, exchanges.size());
+ }
}
Modified: qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/queue/MockAMQQueue.java
URL: http://svn.apache.org/viewvc/qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/queue/MockAMQQueue.java?rev=764412&r1=764411&r2=764412&view=diff
==============================================================================
--- qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/queue/MockAMQQueue.java (original)
+++ qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/queue/MockAMQQueue.java Mon Apr 13 11:19:27 2009
@@ -40,10 +40,21 @@
public class MockAMQQueue implements AMQQueue
{
private boolean _deleted = false;
+ private AMQShortString _name;
+
+ public MockAMQQueue(String name)
+ {
+ _name = new AMQShortString(name);
+ }
+
+ public MockAMQQueue()
+ {
+
+ }
public AMQShortString getName()
{
- return null; //To change body of implemented methods use File | Settings | File Templates.
+ return _name;
}
public boolean isDurable()
Modified: qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java
URL: http://svn.apache.org/viewvc/qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java?rev=764412&r1=764411&r2=764412&view=diff
==============================================================================
--- qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java (original)
+++ qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java Mon Apr 13 11:19:27 2009
@@ -31,6 +31,7 @@
import org.apache.qpid.server.exchange.DirectExchange;
import org.apache.qpid.server.queue.AMQQueue;
import org.apache.qpid.server.queue.AMQQueueFactory;
+import org.apache.qpid.server.security.access.ACLPlugin.AuthzResult;
import org.apache.qpid.server.store.SkeletonMessageStore;
import org.apache.qpid.server.virtualhost.VirtualHost;
@@ -79,7 +80,7 @@
public void testPrincipalPermissions()
{
assertNotNull(_perms);
- assertTrue(_perms.authorise(Permission.ACCESS, (Object[]) null));
+ assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.ACCESS, (Object[]) null));
}
// FIXME: test has been disabled since the permissions assume that the user has tried to create
@@ -89,9 +90,9 @@
QueueBindBodyImpl bind = new QueueBindBodyImpl(_ticket, _queueName, _exchangeName, _routingKey, _nowait, _arguments);
Object[] args = new Object[]{bind, _exchange, _queue, _routingKey};
- assertFalse(_perms.authorise(Permission.BIND, args));
+ assertEquals(AuthzResult.DENIED, _perms.authorise(Permission.BIND, args));
_perms.grant(Permission.BIND, (Object[]) null);
- assertTrue(_perms.authorise(Permission.BIND, args));
+ assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.BIND, args));
}
public void testQueueCreate()
@@ -99,9 +100,9 @@
Object[] grantArgs = new Object[]{_temporary , _queueName, _exchangeName, _routingKey};
Object[] authArgs = new Object[]{_autoDelete, _queueName};
- assertFalse(_perms.authorise(Permission.CREATEQUEUE, authArgs));
+ assertEquals(AuthzResult.DENIED, _perms.authorise(Permission.CREATEQUEUE, authArgs));
_perms.grant(Permission.CREATEQUEUE, grantArgs);
- assertTrue(_perms.authorise(Permission.CREATEQUEUE, authArgs));
+ assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.CREATEQUEUE, authArgs));
}
@@ -114,9 +115,9 @@
Object[] authArgs = new Object[]{exchangeDeclare};
Object[] grantArgs = new Object[]{_exchangeName, _exchangeType};
- assertFalse(_perms.authorise(Permission.CREATEEXCHANGE, authArgs));
+ assertEquals(AuthzResult.DENIED, _perms.authorise(Permission.CREATEEXCHANGE, authArgs));
_perms.grant(Permission.CREATEEXCHANGE, grantArgs);
- assertTrue(_perms.authorise(Permission.CREATEEXCHANGE, authArgs));
+ assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.CREATEEXCHANGE, authArgs));
}
public void testConsume()
@@ -128,7 +129,7 @@
* assertFalse(_perms.authorise(Permission.CONSUME, authArgs));
*/
_perms.grant(Permission.CONSUME, grantArgs);
- assertTrue(_perms.authorise(Permission.CONSUME, authArgs));
+ assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.CONSUME, authArgs));
}
public void testPublish()
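Review bot: `testConsume` asserts only the ALLOWED result after `grant`; the deny-before-grant check is still commented out just above (`assertFalse(_perms.authorise(Permission.CONSUME, authArgs));`), so the denied path for CONSUME is not covered. The reason it was disabled is outside the hunk. If it can be restored, the converted form would be `assertEquals(AuthzResult.DENIED, _perms.authorise(Permission.CONSUME, authArgs));`; if not, replace the dead code with a comment saying why the negative case cannot be tested.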
@@ -136,9 +137,9 @@
Object[] authArgs = new Object[]{_exchange, _routingKey};
Object[] grantArgs = new Object[]{_exchange.getName(), _routingKey};
- assertFalse(_perms.authorise(Permission.PUBLISH, authArgs));
+ assertEquals(AuthzResult.DENIED, _perms.authorise(Permission.PUBLISH, authArgs));
_perms.grant(Permission.PUBLISH, grantArgs);
- assertTrue(_perms.authorise(Permission.PUBLISH, authArgs));
+ assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.PUBLISH, authArgs));
}
}
Propchange: qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/security/auth/database/HashedUserTest.java
('svn:mergeinfo' removed)
Modified: qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/util/TestApplicationRegistry.java
URL: http://svn.apache.org/viewvc/qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/util/TestApplicationRegistry.java?rev=764412&r1=764411&r2=764412&view=diff
==============================================================================
--- qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/util/TestApplicationRegistry.java (original)
+++ qpid/branches/0.5-fix/qpid/java/broker/src/test/java/org/apache/qpid/server/util/TestApplicationRegistry.java Mon Apr 13 11:19:27 2009
@@ -26,6 +26,7 @@
import org.apache.qpid.server.management.NoopManagedObjectRegistry;
import org.apache.qpid.server.queue.QueueRegistry;
import org.apache.qpid.server.registry.ApplicationRegistry;
+import org.apache.qpid.server.security.access.ACLManager;
import org.apache.qpid.server.security.access.ACLPlugin;
import org.apache.qpid.server.security.access.plugins.AllowAll;
import org.apache.qpid.server.security.auth.database.PropertiesPrincipalDatabaseManager;
@@ -66,7 +67,7 @@
_databaseManager = new PropertiesPrincipalDatabaseManager("default", users);
- _accessManager = new AllowAll();
+ _accessManager = new ACLManager(_configuration, _pluginManager, AllowAll.FACTORY);
_authenticationManager = new PrincipalDatabaseAuthenticationManager(null, null);
@@ -108,7 +109,7 @@
return Arrays.asList(hosts);
}
- public void setAccessManager(ACLPlugin newManager)
+ public void setAccessManager(ACLManager newManager)
{
_accessManager = newManager;
}
Propchange: qpid/branches/0.5-fix/qpid/java/lib/org.osgi.core_1.0.0.jar
('svn:mergeinfo' removed)
Propchange: qpid/branches/0.5-fix/qpid/java/management/client/src/main/java/org/apache/qpid/management/
('svn:mergeinfo' removed)
Propchange: qpid/branches/0.5-fix/qpid/java/management/client/src/test/java/org/apache/qpid/management/
('svn:mergeinfo' removed)
Propchange: qpid/branches/0.5-fix/qpid/java/management/eclipse-plugin/src/main/resources/macosx/Contents/MacOS/qpidmc
('svn:mergeinfo' removed)
Propchange: qpid/branches/0.5-fix/qpid/java/systests/src/main/java/org/apache/qpid/client/MultipleJCAProviderRegistrationTest.java
('svn:mergeinfo' removed)
Propchange: qpid/branches/0.5-fix/qpid/ruby/ext/sasl/extconf.rb
('svn:mergeinfo' removed)