Posted to commits@activemq.apache.org by ch...@apache.org on 2011/02/22 21:21:10 UTC
svn commit: r1073486 - in /activemq/activemq-apollo/trunk:
apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
apollo-website/src/documentation/user-manual.md
Author: chirino
Date: Tue Feb 22 20:21:10 2011
New Revision: 1073486
URL: http://svn.apache.org/viewvc?rev=1073486&view=rev
Log:
Added a '+' wild card to match 1 or more principals and made '*' match zero or more.
Modified:
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md
Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala?rev=1073486&r1=1073485&r2=1073486&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala (original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala Tue Feb 22 20:21:10 2011
@@ -62,6 +62,8 @@ class SecurityContext {
kind match {
case null=>
return !principles.map(_.kind).intersect(default_kinds.toSet).isEmpty
+ case "+"=>
+ return !principles.isEmpty
case "*"=>
return true;
case kind=>
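Review bot: the new `case "+"=> return !principles.isEmpty` gives `+` the "one or more" meaning from the commit message, but the unchanged `case "*"=> return true` still matches an empty principal set, while the user-manual text in this same commit says that `*` on the `kind` attribute "acts like the `+` wild card and only matches for one or more principles". In practice the `case id` branches only fire when a named principal is actually present, so the difference is rarely observable, but the code and the manual should state the same rule: either make `*` here return `!principles.isEmpty` as well, or reword the manual.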
@@ -78,6 +80,8 @@ class SecurityContext {
}
}
return false;
+ case "+"=>
+ return principles.map(_.allow).contains(p.allow)
case "*"=>
return principles.map(_.allow).contains(p.allow)
case kind=>
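Review bot: the added `case "+"=> return principles.map(_.allow).contains(p.allow)` is byte-for-byte the same as the `case "*"=>` branch below it; fold them into `case "+" | "*" =>` so a future change to one cannot silently diverge from the other. A one-line comment that the kind is deliberately ignored for wildcard kinds (which is what makes the `allow="Hiram" kind="*"` example in the manual work) would also help the next reader.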
@@ -89,6 +93,8 @@ class SecurityContext {
p.deny match {
case null =>
case "*"=>
+ return false;
+ case "+"=>
return !kind_matches(p.kind)
case id =>
if( principal_matches(new PrincipalDTO(id, p.kind)) ) {
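Review bot: `case "+"=> return !kind_matches(p.kind)` grants access (returns true) whenever the subject has no principal of the configured kind, instead of treating the entry as not matched and falling through to the next rule. The manual's "Ordering" section says the first entry the user matches decides, so a `deny="+" kind="..."` entry that does not match should not end evaluation with a grant; `case "+"=> if( kind_matches(p.kind) ) return false` keeps the fall-through. The new `case "*"=> return false;` is fine: an unconditional deny is what "zero or more" implies.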
@@ -98,6 +104,8 @@ class SecurityContext {
p.allow match {
case null =>
case "*"=>
+ return true;
+ case "+"=>
return kind_matches(p.kind)
case id =>
if( principal_matches(new PrincipalDTO(id, p.kind)) ) {
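Review bot: same issue mirrored on the allow side: `case "+"=> return kind_matches(p.kind)` returns false, i.e. denies, when the subject lacks a principal of that kind, rather than letting later entries be considered. Suggest `case "+"=> if( kind_matches(p.kind) ) return true` so that an `allow="+"` entry that does not apply is simply skipped, and add a test for a subject with no principal of the requested kind followed by a later matching entry to pin this down.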
Modified: activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md?rev=1073486&r1=1073485&r2=1073486&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md (original)
+++ activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md Tue Feb 22 20:21:10 2011
@@ -523,12 +523,56 @@ definition. Example:
{pygmentize:: xml}
<acl>
<send deny="chirino" kind="org.apache.activemq.jaas.UserPrincipal"/>
- <send allow="*" kind="*"/>
+ <send allow="*"/>
</acl>
{pygmentize}
-The special `*` value acts like a wild card and can be used in the `deny`,
-`allow`, and `kind` attributes.
+#### Wildcards
+
+Wild cards can be used in the `deny`, `allow`, and `kind` attributes to match
+multiple values. Two types of wildcards are supported:
+
+> `*` : Matches any value on zero or more principles.
+> `+` : Matches any value on one or more principles.
+
+Examples of using the `*` wild card:
+
+{pygmentize:: xml}
+<acl>
+ <connect allow="*"/>
+</acl>
+{pygmentize}
+
+The previous example allows anyone to connect even if the subject they
+authenticated with has no principles associated with it.
+
+Examples of using the `+` wild card:
+
+{pygmentize:: xml}
+<acl>
+ <connect allow="+" kind="org.apache.activemq.jaas.UserPrincipal"/>
+</acl>
+{pygmentize}
+
+The previous example allows an `UserPrincipal` principal to connect. It
+would reject the connection if subject that has no `UserPrincipals`.
+
+You can also use the wildcard on the kind attribute. When the wild
+card is used on the kind attribute, then `*` acts like the `+` wild
+card and only matches for one or more principles.
+
+For example:
+
+{pygmentize:: xml}
+<acl>
+ <connect allow="Hiram" kind="*"/>
+</acl>
+{pygmentize}
+
+The previous example allows a subject with at least one `hiram` to
+principal connect. The principal can be of any type..
+
+#### Ordering
The order in which rule entries are defined are significant when the user
matches multiple entries. The first entry the user matches determines if he
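Review bot: the manual text has several wording errors that will ship to users as-is. "principles" should be "principals" wherever it appears (the wildcard definitions, "has no principles associated with it", "one or more principles"); "an `UserPrincipal`" should be "a `UserPrincipal`"; the sentence "It would reject the connection if subject that has no `UserPrincipals`." is broken and could read "It rejects the connection of a subject that has no `UserPrincipal`."; the `kind="*"` example uses `Hiram` in the XML but `hiram` in the prose, and "allows a subject with at least one `hiram` to principal connect. The principal can be of any type.." should be something like "allows a subject that has at least one principal named `Hiram` to connect, whatever the principal's kind." The `+` definition would also be clearer as "one or more principals of the given kind", since that is what `kind_matches` checks.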