Posted to commits@activemq.apache.org by ch...@apache.org on 2011/02/22 21:21:10 UTC

svn commit: r1073486 - in /activemq/activemq-apollo/trunk: apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala apollo-website/src/documentation/user-manual.md

Author: chirino
Date: Tue Feb 22 20:21:10 2011
New Revision: 1073486

URL: http://svn.apache.org/viewvc?rev=1073486&view=rev
Log:
Added a '+' wild card to match 1 or more principals and made '*' match zero or more.

Modified:
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
    activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala?rev=1073486&r1=1073485&r2=1073486&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala (original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala Tue Feb 22 20:21:10 2011
@@ -62,6 +62,8 @@ class SecurityContext {
       kind match {
         case null=>
           return !principles.map(_.kind).intersect(default_kinds.toSet).isEmpty
+        case "+"=>
+          return !principles.isEmpty
         case "*"=>
           return true;
         case kind=>
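
Review bot: The existing `case "*"` branch in this `kind match` still returns `true` without looking at `principles`, which disagrees with the user-manual text added in this same commit (on the `kind` attribute, "`*` acts like the `+` wild card and only matches for one or more principles"). Assuming this match is the body of `kind_matches`, a rule written as `allow="+" kind="*"` reaches `kind_matches(p.kind)` and succeeds for a subject with no principals at all. Either make the `"*"` branch return `!principles.isEmpty` too, or correct the manual. Note also that `kind="+"` is accepted here but is not described in the documentation hunk.
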
@@ -78,6 +80,8 @@ class SecurityContext {
             }
           }
           return false;
+        case "+"=>
+          return principles.map(_.allow).contains(p.allow)
         case "*"=>
           return principles.map(_.allow).contains(p.allow)
         case kind=>
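
Review bot: The new `case "+"` branch has exactly the same body as the `case "*"` branch directly below it (`return principles.map(_.allow).contains(p.allow)`), so the two wildcards are indistinguishable at this point. If that is intended, fold them into a single `case "+" | "*" =>` pattern with a comment explaining why; if `+` was meant to behave differently here, the branch needs its own logic and a test that tells the two apart.
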
@@ -89,6 +93,8 @@ class SecurityContext {
       p.deny match {
         case null =>
         case "*"=>
+          return false;
+        case "+"=>
           return !kind_matches(p.kind)
         case id =>
           if( principal_matches(new PrincipalDTO(id, p.kind)) ) {
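
Review bot: The `"*"` branch of `p.deny match` now returns `false` without consulting `p.kind`; only the new `"+"` branch keeps the previous `!kind_matches(p.kind)` behaviour. An already deployed entry of the form `deny="*" kind="..."` therefore changes meaning on upgrade, and its `kind` attribute is silently ignored. Please state this in the manual or release notes, and consider rejecting the combination or logging a warning when `deny="*"` is given together with an explicit `kind`.
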
@@ -98,6 +104,8 @@ class SecurityContext {
       p.allow match {
         case null =>
         case "*"=>
+          return true;
+        case "+"=>
           return kind_matches(p.kind)
         case id =>
           if( principal_matches(new PrincipalDTO(id, p.kind)) ) {
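
Review bot: The `"*"` branch of `p.allow match` now returns `true` unconditionally where it previously returned `kind_matches(p.kind)`. An existing ACL entry such as `allow="*" kind="org.apache.activemq.jaas.UserPrincipal"` therefore widens on upgrade from subjects holding a principal of that kind to every subject, including one with no principals, and nothing in the visible change tells the operator. Operators who relied on the old behaviour have to switch to `allow="+"`; the manual should say so explicitly, and a warning at configuration load for `allow="*"` combined with a non-null `kind` would catch entries that were written under the old semantics. Tests covering the empty-principal subject for both wildcards would pin the new behaviour down.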

Modified: activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md?rev=1073486&r1=1073485&r2=1073486&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md (original)
+++ activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md Tue Feb 22 20:21:10 2011
@@ -523,12 +523,56 @@ definition. Example:
 {pygmentize:: xml}
 <acl>
   <send deny="chirino" kind="org.apache.activemq.jaas.UserPrincipal"/>
-  <send allow="*" kind="*"/>
+  <send allow="*"/>
 </acl>
 {pygmentize}
 
-The special `*` value acts like a wild card and can be used in the `deny`,
-`allow`, and `kind` attributes.
+#### Wildcards
+
+Wild cards can be used in the `deny`, `allow`, and `kind` attributes to match 
+multiple values.  Two types of wildcards are supported:
+
+> `*` : Matches any value on zero or more principles. 
+> `+` : Matches any value on one or more principles.
+
+Examples of using the `*` wild card:
+
+{pygmentize:: xml}
+<acl>
+  <connect allow="*"/>
+</acl>
+{pygmentize}
+
+The previous example allows anyone to connect even if the subject they 
+authenticated with has no principles associated with it.
+
+Examples of using the `+` wild card:
+
+{pygmentize:: xml}
+<acl>
+  <connect allow="+" kind="org.apache.activemq.jaas.UserPrincipal"/>
+</acl>
+{pygmentize}
+
+The previous example allows an `UserPrincipal` principal to connect. It
+would reject the connection if subject that has no `UserPrincipals`.
+
+You can also use the wildcard on the kind attribute.  When the wild
+card is used on the kind attribute, then `*` acts like the `+` wild 
+card and only matches for one or more principles.
+
+For example:
+
+{pygmentize:: xml}
+<acl>
+  <connect allow="Hiram" kind="*"/>
+</acl>
+{pygmentize}
+
+The previous example allows a subject with at least one `hiram` to 
+principal connect.  The principal can be of any type..
+
+#### Ordering
 
 The order in which rule entries are defined are significant when the user
 matches multiple entries. The first entry the user matches determines if he
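
Review bot: The added Wildcards text spells "principals" as "principles" throughout, and two of its sentences are garbled: "It would reject the connection if subject that has no `UserPrincipals`" and "allows a subject with at least one `hiram` to principal connect. The principal can be of any type..". Suggested wording: "It rejects the connection if the subject has no `UserPrincipal`" and "allows a subject with at least one `Hiram` principal to connect. The principal can be of any kind." The example uses `allow="Hiram"` while the prose says `hiram`, so the two should agree on case. The two `>` definition lines for `*` and `+` may run together into one paragraph when rendered; separate them with a blank `>` line or turn them into a list. The section also does not mention that `allow="*"` and `deny="*"` no longer take `kind` into account, which is the part of this change that affects existing ACLs.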