Posted to commits@qpid.apache.org by ri...@apache.org on 2007/04/06 12:42:12 UTC
svn commit: r526117 - in /incubator/qpid/branches/M2/java: broker/etc/
broker/src/main/java/org/apache/qpid/server/handler/
broker/src/main/java/org/apache/qpid/server/protocol/
broker/src/main/java/org/apache/qpid/server/security/access/ broker/src/ma...
Author: ritchiem
Date: Fri Apr 6 03:42:11 2007
New Revision: 526117
URL: http://svn.apache.org/viewvc?view=rev&rev=526117
Log:
QPID-416 Update to access control to allow simple read/write permissions per virtual host.
access - updated file to have examples of access control.
Changed AMQProtocolSession to record an authorized Principal not just a String.
- Required
Added AccessRights files needed for VirtualHostAccess control.
Updated ConnectionOpenMethodHandler to allow Principals with any access to connect not just read.
UsernamePrincipal - Added a toString
Added:
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessRights.java (with props)
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/VirtualHostAccess.java (with props)
Modified:
incubator/qpid/branches/M2/java/broker/etc/access
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionOpenMethodHandler.java
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionSecureOkMethodHandler.java
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionStartOkMethodHandler.java
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQMinaProtocolSession.java
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSession.java
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSessionMBean.java
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/ManagedConnection.java
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/UsernamePrincipal.java
incubator/qpid/branches/M2/java/systests/src/main/java/org/apache/qpid/server/queue/MockProtocolSession.java
Modified: incubator/qpid/branches/M2/java/broker/etc/access
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/etc/access?view=diff&rev=526117&r1=526116&r2=526117
==============================================================================
--- incubator/qpid/branches/M2/java/broker/etc/access (original)
+++ incubator/qpid/branches/M2/java/broker/etc/access Fri Apr 6 03:42:11 2007
@@ -1 +1 @@
-guest:localhost(w),test(rw)
+guest:localhost(rw),test(rw)
\ No newline at end of file
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionOpenMethodHandler.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionOpenMethodHandler.java?view=diff&rev=526117&r1=526116&r2=526117
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionOpenMethodHandler.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionOpenMethodHandler.java Fri Apr 6 03:42:11 2007
@@ -33,6 +33,7 @@
import org.apache.qpid.server.state.StateAwareMethodListener;
import org.apache.qpid.server.virtualhost.VirtualHost;
import org.apache.qpid.server.security.access.AccessResult;
+import org.apache.qpid.server.security.access.AccessRights;
import org.apache.log4j.Logger;
public class ConnectionOpenMethodHandler implements StateAwareMethodListener<ConnectionOpenBody>
@@ -75,23 +76,26 @@
if (virtualHost == null)
{
- throw body.getConnectionException(AMQConstant.NOT_FOUND, "Unknown virtual host: '" + virtualHostName+"'");
+ throw body.getConnectionException(AMQConstant.NOT_FOUND, "Unknown virtual host: '" + virtualHostName + "'");
}
else
{
session.setVirtualHost(virtualHost);
- AccessResult result = virtualHost.getAccessManager().isAuthorized(virtualHost, session.getAuthorizedID());
+ AccessResult result = virtualHost.getAccessManager().isAuthorized(virtualHost, session.getAuthorizedID(), AccessRights.Rights.ANY);
switch (result.getStatus())
{
default:
case REFUSED:
- throw body.getConnectionException(AMQConstant.ACCESS_REFUSED,
- "Access denied to vHost '" + virtualHostName + "' by "
- + result.getAuthorizer());
+ String error = "Any access denied to vHost '" + virtualHostName + "' by "
+ + result.getAuthorizer();
+
+ _logger.warn(error);
+
+ throw body.getConnectionException(AMQConstant.ACCESS_REFUSED, error);
case GRANTED:
- _logger.info("Granted access to vHost '" + virtualHostName + "' for " + session.getAuthorizedID()
+ _logger.info("Granted any access to vHost '" + virtualHostName + "' for " + session.getAuthorizedID()
+ " by '" + result.getAuthorizer() + "'");
}
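Review bot: `session.setVirtualHost(virtualHost)` at the top of the else branch runs before the `isAuthorized(...)` call, so a session whose ANY-access request ends in the `REFUSED` arm has already had its virtual host recorded when the connection exception is thrown. Moving that single line into the `case GRANTED:` arm, ahead of the `_logger.info`, keeps an unauthorized session from ever carrying a vhost reference; whether anything reads the field after the exception closes the connection is not visible here. The `String error` declared in the `REFUSED` arm is scoped to the whole switch block, which is legal but reads oddly — braces around that arm would keep it local. The enclosing method starts before this hunk.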
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionSecureOkMethodHandler.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionSecureOkMethodHandler.java?view=diff&rev=526117&r1=526116&r2=526117
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionSecureOkMethodHandler.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionSecureOkMethodHandler.java Fri Apr 6 03:42:11 2007
@@ -37,6 +37,7 @@
import org.apache.qpid.server.registry.ApplicationRegistry;
import org.apache.qpid.server.security.auth.manager.AuthenticationManager;
import org.apache.qpid.server.security.auth.AuthenticationResult;
+import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
import org.apache.qpid.server.state.AMQState;
import org.apache.qpid.server.state.AMQStateManager;
import org.apache.qpid.server.state.StateAwareMethodListener;
@@ -106,7 +107,7 @@
ConnectionStartOkMethodHandler.getConfiguredFrameSize(), // frameMax
HeartbeatConfig.getInstance().getDelay()); // heartbeat
session.writeFrame(tune);
- session.setAuthorizedID(ss.getAuthorizationID());
+ session.setAuthorizedID(new UsernamePrincipal(ss.getAuthorizationID()));
disposeSaslServer(session);
break;
case CONTINUE:
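Review bot: The principal stored by `session.setAuthorizedID(new UsernamePrincipal(ss.getAuthorizationID()));` is built from the SASL authorization ID, which for mechanisms that support proxy authorization may differ from the identity that actually authenticated; whether the broker's callback handler rejects a mismatching authzid is not visible in this hunk and is worth confirming, since this principal is what `ConnectionOpenMethodHandler` now passes to the access manager. The same construction is repeated in the ConnectionStartOkMethodHandler hunk; a single helper, e.g. `UsernamePrincipal.fromSaslServer(ss)`, would keep the two paths from drifting. Both enclosing switch statements start before their hunks.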
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionStartOkMethodHandler.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionStartOkMethodHandler.java?view=diff&rev=526117&r1=526116&r2=526117
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionStartOkMethodHandler.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionStartOkMethodHandler.java Fri Apr 6 03:42:11 2007
@@ -37,6 +37,7 @@
import org.apache.qpid.server.registry.ApplicationRegistry;
import org.apache.qpid.server.security.auth.manager.AuthenticationManager;
import org.apache.qpid.server.security.auth.AuthenticationResult;
+import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
import org.apache.qpid.server.state.AMQState;
import org.apache.qpid.server.state.AMQStateManager;
import org.apache.qpid.server.state.StateAwareMethodListener;
@@ -95,7 +96,7 @@
throw new AMQException("Authentication failed");
case SUCCESS:
_logger.info("Connected as: " + ss.getAuthorizationID());
- session.setAuthorizedID(ss.getAuthorizationID());
+ session.setAuthorizedID(new UsernamePrincipal(ss.getAuthorizationID()));
stateManager.changeState(AMQState.CONNECTION_NOT_TUNED);
// AMQP version change: Hardwire the version to 0-8 (major=8, minor=0)
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQMinaProtocolSession.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQMinaProtocolSession.java?view=diff&rev=526117&r1=526116&r2=526117
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQMinaProtocolSession.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQMinaProtocolSession.java Fri Apr 6 03:42:11 2007
@@ -28,6 +28,7 @@
import java.util.Map;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.CopyOnWriteArraySet;
+import java.security.Principal;
import javax.management.JMException;
import javax.security.sasl.SaslServer;
@@ -108,7 +109,7 @@
private VersionSpecificRegistry _registry = MainRegistry.getVersionSpecificRegistry(_protocolVersion);
private List<Integer> _closingChannelsList = new ArrayList<Integer>();
private ProtocolOutputConverter _protocolOutputConverter;
- private String _authorizedID;
+ private Principal _authorizedID;
public ManagedObject getManagedObject()
@@ -745,12 +746,12 @@
return _protocolOutputConverter;
}
- public void setAuthorizedID(String authorizedID)
+ public void setAuthorizedID(Principal authorizedID)
{
_authorizedID = authorizedID;
}
- public String getAuthorizedID()
+ public Principal getAuthorizedID()
{
return _authorizedID;
}
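Review bot: `setAuthorizedID` silently replaces whatever principal the session already holds, and `_authorizedID` is a plain non-volatile field written by the connection handlers and read by the session MBean, possibly from a JMX thread; neither the setter nor the field declaration documents either point. A guard such as `if (_authorizedID != null) { throw new IllegalStateException("session already authorized as " + _authorizedID); }` at the start of the setter turns a second SASL outcome on the same session into a visible error rather than a quiet identity change, assuming the handshake sets it only once — which the visible handlers suggest but do not prove. Marking the field `volatile`, or documenting the expected thread confinement, would settle the visibility question; which threads call the getter cannot be told from here.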
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSession.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSession.java?view=diff&rev=526117&r1=526116&r2=526117
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSession.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSession.java Fri Apr 6 03:42:11 2007
@@ -31,6 +31,8 @@
import org.apache.qpid.server.output.ProtocolOutputConverter;
import org.apache.qpid.server.virtualhost.VirtualHost;
+import java.security.Principal;
+
public interface AMQProtocolSession extends AMQVersionAwareProtocolSession
{
@@ -165,9 +167,9 @@
public ProtocolOutputConverter getProtocolOutputConverter();
- void setAuthorizedID(String authorizedID);
+ void setAuthorizedID(Principal authorizedID);
- /** @return a username string that was used to authorized this session */
- String getAuthorizedID();
+ /** @return a Principal that was used to authorized this session */
+ Principal getAuthorizedID();
}
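Review bot: The new Javadoc on `getAuthorizedID()` keeps the original's grammatical slip ("used to authorized") and still does not say what is returned before authentication completes, while `setAuthorizedID` has no Javadoc at all. Suggest `/** @return the Principal under which this session was authorized, or null if authentication has not completed */` on the getter and `/** Records the Principal established by SASL authentication; called by the connection handlers once authentication succeeds. */` on the setter. The null case is inferred from the uninitialised field in AMQMinaProtocolSession and the MockProtocolSession stub rather than stated anywhere — confirm before documenting it.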
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSessionMBean.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSessionMBean.java?view=diff&rev=526117&r1=526116&r2=526117
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSessionMBean.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSessionMBean.java Fri Apr 6 03:42:11 2007
@@ -19,6 +19,7 @@
import java.util.Date;
import java.util.List;
+import java.security.Principal;
import javax.management.JMException;
import javax.management.MBeanException;
@@ -106,7 +107,7 @@
return _session.getContextKey() == null ? null : _session.getContextKey().toString();
}
- public String getAuthorizedId()
+ public Principal getAuthorizedId()
{
return _session.getAuthorizedID();
}
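Review bot: Returning `Principal` from the JMX attribute `getAuthorizedId` (and from the matching `ManagedConnection` declaration in its hunk, whose description still reads "User Name") hands remote JMX clients an object of a broker-specific class rather than an open type; unless `UsernamePrincipal` is `Serializable` and on the client's classpath — neither visible here — tools such as jconsole will fail to read the attribute. Keeping the attribute a `String` and unwrapping the principal preserves the management interface: `Principal id = _session.getAuthorizedID();` followed by `return id == null ? null : id.getName();`, with `ManagedConnection.getAuthorizedId()` left returning `String`. The null guard matters because the session field starts unset.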
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/ManagedConnection.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/ManagedConnection.java?view=diff&rev=526117&r1=526116&r2=526117
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/ManagedConnection.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/protocol/ManagedConnection.java Fri Apr 6 03:42:11 2007
@@ -23,6 +23,7 @@
import java.io.IOException;
import java.util.Date;
+import java.security.Principal;
import javax.management.JMException;
import javax.management.MBeanOperationInfo;
@@ -45,7 +46,7 @@
String getClientId();
@MBeanAttribute(name = "AuthorizedId", description = "User Name")
- String getAuthorizedId();
+ Principal getAuthorizedId();
@MBeanAttribute(name = "Version", description = "Client Version")
String getVersion();
Added: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessRights.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessRights.java?view=auto&rev=526117
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessRights.java (added)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessRights.java Fri Apr 6 03:42:11 2007
@@ -0,0 +1,63 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ *
+ */
+package org.apache.qpid.server.security.access;
+
+public class AccessRights
+{
+ public enum Rights
+ {
+ ANY,
+ READ,
+ WRITE,
+ READWRITE
+ }
+
+ Rights _right;
+
+ public AccessRights(Rights right)
+ {
+ _right = right;
+ }
+
+ public boolean allows(Rights rights)
+ {
+ switch (_right)
+ {
+ case ANY:
+ return (rights.equals(Rights.WRITE)
+ || rights.equals(Rights.READ)
+ || rights.equals(Rights.READWRITE)
+ || rights.equals(Rights.ANY));
+ case READ:
+ return rights.equals(Rights.READ) || rights.equals(Rights.ANY);
+ case WRITE:
+ return rights.equals(Rights.WRITE) || rights.equals(Rights.ANY);
+ case READWRITE:
+ return true;
+ }
+ return false;
+ }
+
+ public Rights getRights()
+ {
+ return _right;
+ }
+}
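Review bot: `Rights.ANY` carries two different meanings in `allows`: as the requested right it means "any access at all" (the `READ` and `WRITE` holders accept it), but as the held right (`case ANY:`) it grants every request and is therefore equivalent to `READWRITE`; nothing in the class says which is intended, and `VirtualHostAccess` never constructs a holder with `ANY`, so that branch is reachable only from some other caller. A class comment such as `/** Rights held on a resource. ANY is the wildcard query used by callers asking whether a principal may touch the resource at all; a holder constructed with ANY is granted everything. */` would pin this down, or the held-`ANY` case could be dropped if it is not meant to be grantable. `_right` is package-private and mutable; `private final Rights _right;` suits a value set once in the constructor. `allows(null)` throws NullPointerException from `rights.equals`, which is acceptable but deserves a `@throws` note.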
Propchange: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessRights.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessRights.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Added: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/VirtualHostAccess.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/VirtualHostAccess.java?view=auto&rev=526117
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/VirtualHostAccess.java (added)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/VirtualHostAccess.java Fri Apr 6 03:42:11 2007
@@ -0,0 +1,68 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ *
+ */
+package org.apache.qpid.server.security.access;
+
+public class VirtualHostAccess
+{
+ private String _vhost;
+ private AccessRights _rights;
+
+ public VirtualHostAccess(String vhostaccess)
+ {
+ //format <vhost>(<rights>)
+ int hostend = vhostaccess.indexOf('(');
+
+ if (hostend == -1)
+ {
+ throw new IllegalArgumentException("VirtualHostAccess format string contains no access _rights");
+ }
+
+ _vhost = vhostaccess.substring(0, hostend);
+
+ String rights = vhostaccess.substring(hostend);
+
+ if (rights.indexOf('r') != -1)
+ {
+ if (rights.indexOf('w') != -1)
+ {
+ _rights = new AccessRights(AccessRights.Rights.READWRITE);
+ }
+ else
+ {
+ _rights = new AccessRights(AccessRights.Rights.READ);
+ }
+ }
+ else if (rights.indexOf('w') != -1)
+ {
+ _rights = new AccessRights(AccessRights.Rights.WRITE);
+ }
+ }
+
+ public AccessRights getAccessRights()
+ {
+ return _rights;
+ }
+
+ public String getVirtualHost()
+ {
+ return _vhost;
+ }
+}
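Review bot: The constructor accepts any string containing a '(' and leaves `_rights` null when the remainder holds neither 'r' nor 'w', so a typo such as `test(x)` or `test()` yields a VirtualHostAccess whose `getAccessRights()` returns null instead of a configuration error; how the caller treats that null is not visible here. It also never checks for a closing ')' and scans the whole remainder of the string for 'r' and 'w', so text after the parenthesis can grant rights. The message on the existing IllegalArgumentException leaks the field name `_rights`. Parsing the parenthesised section strictly — requiring the closing ')' at the end, rejecting unknown characters and an empty right set — closes all three; rewritten constructor below.
```java
    public VirtualHostAccess(String vhostaccess)
    {
        //format <vhost>(<rights>)
        int hostend = vhostaccess.indexOf('(');
        int rightsend = vhostaccess.indexOf(')', hostend + 1);

        if (hostend == -1 || rightsend == -1 || rightsend != vhostaccess.length() - 1)
        {
            throw new IllegalArgumentException("VirtualHostAccess entry must be of the form <vhost>(<rights>): " + vhostaccess);
        }

        _vhost = vhostaccess.substring(0, hostend);

        String rights = vhostaccess.substring(hostend + 1, rightsend);
        boolean read = false;
        boolean write = false;

        // Only 'r' and 'w' are recognised; anything else is a configuration error, not a silent no-op.
        for (char c : rights.toCharArray())
        {
            switch (c)
            {
                case 'r':
                    read = true;
                    break;
                case 'w':
                    write = true;
                    break;
                default:
                    throw new IllegalArgumentException("Unknown access right '" + c + "' in: " + vhostaccess);
            }
        }

        if (read && write)
        {
            _rights = new AccessRights(AccessRights.Rights.READWRITE);
        }
        else if (read)
        {
            _rights = new AccessRights(AccessRights.Rights.READ);
        }
        else if (write)
        {
            _rights = new AccessRights(AccessRights.Rights.WRITE);
        }
        else
        {
            throw new IllegalArgumentException("No access rights given in: " + vhostaccess);
        }
    }

    // … unchanged: getAccessRights(), getVirtualHost() …
```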
Propchange: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/VirtualHostAccess.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/VirtualHostAccess.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/UsernamePrincipal.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/UsernamePrincipal.java?view=diff&rev=526117&r1=526116&r2=526117
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/UsernamePrincipal.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/UsernamePrincipal.java Fri Apr 6 03:42:11 2007
@@ -22,10 +22,7 @@
import java.security.Principal;
-/**
- * A principal that is just a wrapper for a simple username.
- *
- */
+/** A principal that is just a wrapper for a simple username. */
public class UsernamePrincipal implements Principal
{
private String _name;
@@ -36,6 +33,11 @@
}
public String getName()
+ {
+ return _name;
+ }
+
+ public String toString()
{
return _name;
}
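Review bot: The added `toString()` returns the bare username, which is what the connection handlers' log statements now rely on, but `Principal` implementations are also expected to define `equals` and `hashCode`; neither appears in the two hunks shown, and if the class does not define them elsewhere in the file, two `UsernamePrincipal` objects for the same user compare unequal — which matters as soon as an access manager keys a map or set on the principal. Suggest `@Override` on `toString()` (the codebase already uses Java 5 features) and, if absent, `equals`/`hashCode` based on `_name`. The first hunk shows `private String _name;`; `private final String _name;` fits a principal, which should be immutable.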
Modified: incubator/qpid/branches/M2/java/systests/src/main/java/org/apache/qpid/server/queue/MockProtocolSession.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/systests/src/main/java/org/apache/qpid/server/queue/MockProtocolSession.java?view=diff&rev=526117&r1=526116&r2=526117
==============================================================================
--- incubator/qpid/branches/M2/java/systests/src/main/java/org/apache/qpid/server/queue/MockProtocolSession.java (original)
+++ incubator/qpid/branches/M2/java/systests/src/main/java/org/apache/qpid/server/queue/MockProtocolSession.java Fri Apr 6 03:42:11 2007
@@ -35,6 +35,7 @@
import javax.security.sasl.SaslServer;
import java.util.HashMap;
import java.util.Map;
+import java.security.Principal;
/**
* A protocol session that can be used for testing purposes.
@@ -177,12 +178,12 @@
return ProtocolOutputConverterRegistry.getConverter(this);
}
- public void setAuthorizedID(String authorizedID)
+ public void setAuthorizedID(Principal authorizedID)
{
//To change body of implemented methods use File | Settings | File Templates.
}
- public String getAuthorizedID()
+ public Principal getAuthorizedID()
{
return null; //To change body of implemented methods use File | Settings | File Templates.
}
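Review bot: The mock discards the principal passed to `setAuthorizedID` and `getAuthorizedID` always returns null, so any system test that drives the connection-open path through this mock exercises the access manager with a null principal rather than the one it set. Storing it takes three lines: `private Principal _authorizedID;` as a field, `_authorizedID = authorizedID;` in the setter and `return _authorizedID;` in the getter. The IDE template comments on both methods can go once the methods have real bodies.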