Posted to dev@activemq.apache.org by "Aaron Mulder (JIRA)" <ji...@apache.org> on 2006/09/01 16:57:23 UTC

[jira] Created: (AMQ-908) Authorization plugin should have configurable principal classes

Authorization plugin should have configurable principal classes
---------------------------------------------------------------

                 Key: AMQ-908
                 URL: https://issues.apache.org/activemq/browse/AMQ-908
             Project: ActiveMQ
          Issue Type: Improvement
          Components: Broker
    Affects Versions: 4.0.1
            Reporter: Aaron Mulder
             Fix For: 4.0.3, 4.1


Currently, if you configure the authorization plugin, it assumes that all principals listed should be of type {{org.apache.activemq.jaas.GroupPrincipal}}.  This is OK if you're using ActiveMQ LoginModules, but since there's a fairly small supply of those, it would be great if you could use arbitrary login modules and tell the authorization plugin which principal classes to use.  For example, {{groupClass="weblogic.security.principal.WLSGroupImpl"}} or something like that.  A good first step would be to let you change the group class.  A good second step would be to let you specify user and group classes and then somehow indicate which names are which (e.g. {{admin="administrators,user:aaron,user:bob"}} or whatever).  Someday maybe it will be nice to support any arbitrary combination of principal classes but that seems far away.

When instantiating the principal classes, I imagine we should use a constructor with a single String argument if available, or else a default constructor plus a "setName" method, or else I guess bail.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/activemq/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
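
The instantiation order proposed in this issue (a constructor taking a single String, else a default constructor plus setName, else fail), as an added Java example; it is not the attached AuthorizationPlugin.patch or ActiveMQ code. The class and method names are hypothetical, the three nested principal classes are constructed stand-ins, and the java.security.Principal type check is an addition of this example.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.Principal;

public class PrincipalFactoryExample {

    // Constructed stand-ins for third-party principal classes (hypothetical).
    public static class CtorGroup implements Principal {
        private final String name;
        public CtorGroup(String name) { this.name = name; }
        public String getName() { return name; }
    }

    public static class BeanGroup implements Principal {
        private String name;
        public void setName(String name) { this.name = name; }
        public String getName() { return name; }
    }

    public static class OpaqueGroup implements Principal {
        public String getName() { return "fixed"; }
    }

    static Principal createGroupPrincipal(String className, String name) {
        Class<?> raw;
        try {
            // initialize=false: no static initializer runs before the type check below.
            raw = Class.forName(className, false,
                    PrincipalFactoryExample.class.getClassLoader());
        } catch (ClassNotFoundException e) {
            throw new IllegalArgumentException("Unknown principal class: " + className, e);
        }
        // The class name comes from broker configuration; refuse anything that
        // is not a Principal instead of instantiating an arbitrary class.
        if (!Principal.class.isAssignableFrom(raw)) {
            throw new IllegalArgumentException(className + " is not a java.security.Principal");
        }
        Class<? extends Principal> type = raw.asSubclass(Principal.class);
        try {
            try {
                // First choice: constructor with a single String argument.
                return type.getConstructor(String.class).newInstance(name);
            } catch (NoSuchMethodException noStringConstructor) {
                // Fall through to the bean-style path.
            }
            // Second choice: default constructor plus setName(String). Both are
            // looked up before anything is instantiated.
            Constructor<? extends Principal> noArg = type.getConstructor();
            Method setName = type.getMethod("setName", String.class);
            Principal principal = noArg.newInstance();
            setName.invoke(principal, name);
            return principal;
        } catch (NoSuchMethodException e) {
            // Neither option exists: fail at configuration time.
            throw new IllegalArgumentException(className
                    + " needs a (String) constructor or a default constructor with setName(String)", e);
        } catch (InstantiationException | IllegalAccessException | InvocationTargetException e) {
            throw new IllegalStateException("Could not instantiate " + className, e);
        }
    }

    public static void main(String[] args) {
        String[] candidates = {
            CtorGroup.class.getName(), BeanGroup.class.getName(),
            OpaqueGroup.class.getName(), "java.lang.String"
        };
        for (String className : candidates) {
            try {
                Principal p = createGroupPrincipal(className, "admins");
                System.out.println(p.getClass().getSimpleName() + " -> " + p.getName());
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

java.lang.String does have a single-String constructor, so without the type check it would be instantiated; with the check it is rejected before any constructor lookup.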

        

[jira] Updated: (AMQ-908) Authorization plugin should have configurable principal classes

Posted by "Ken Gallo (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/activemq/browse/AMQ-908?page=all ]

Ken Gallo updated AMQ-908:
--------------------------

    Attachment: AuthorizationPlugin.patch

Implemented like so:

<authorizationPlugin>
    <map>
        <authorizationMap>
            <authorizationEntries>
                <authorizationEntry queue=">" read="admins" write="admins" admin="admins" groupClass="org.apache.activemq.jaas.GroupPrincipal" />
                <authorizationEntry queue="USERS.>" read="users" write="users" admin="users" groupClass="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
            </authorizationEntries>
        </authorizationMap>
    </map>
</authorizationPlugin>

Creates an instance of the groupClass through the constructor with String name as a parameter.
If the groupClass doesn't have a constructor then it uses the setName() method.
If both fail, an exception is thrown.

> Authorization plugin should have configurable principal classes
> ---------------------------------------------------------------
>
>                 Key: AMQ-908
>                 URL: https://issues.apache.org/activemq/browse/AMQ-908
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Broker
>    Affects Versions: 4.0.1
>            Reporter: Aaron Mulder
>             Fix For: 4.2.0, 4.0.3
>
>         Attachments: AuthorizationPlugin.patch

        

[jira] Commented: (AMQ-908) Authorization plugin should have configurable principal classes

Posted by "Aaron Mulder (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/activemq/browse/AMQ-908?page=comments#action_37459 ] 
            
Aaron Mulder commented on AMQ-908:
----------------------------------

Here are the Geronimo ones:

[GeronimoUserPrincipal|http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/GeronimoUserPrincipal.java?view=markup]
[GeronimoGroupPrincipal|http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/GeronimoGroupPrincipal.java?view=markup]

I'm sure Glassfish has some too, though I don't know where.  Perhaps Harmony as well?

My assumption was that we should look for a constructor with a single String, and if we don't find that, look for an empty constructor and a setName method that takes a single String, and if we don't find that, throw an Exception.  If someone complains that they got the exception, then I guess we'll look at their principal classes to determine the next fallback position.  :)

> Authorization plugin should have configurable principal classes
> ---------------------------------------------------------------
>
>                 Key: AMQ-908
>                 URL: https://issues.apache.org/activemq/browse/AMQ-908
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Broker
>    Affects Versions: 4.0.1
>            Reporter: Aaron Mulder
>             Fix For: 4.2.0, 4.0.3

        

[jira] Updated: (AMQ-908) Authorization plugin should have configurable principal classes

Posted by "Ken Gallo (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/activemq/browse/AMQ-908?page=all ]

Ken Gallo updated AMQ-908:
--------------------------

    Attachment: AuthorizationPlugin.patch

Instead of my previous implementation of calling the Constructor or Method and then surrounding them with a try-catch, I've changed the implementation to reduce the try-catch blocks.

> Authorization plugin should have configurable principal classes
> ---------------------------------------------------------------
>
>                 Key: AMQ-908
>                 URL: https://issues.apache.org/activemq/browse/AMQ-908
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Broker
>    Affects Versions: 4.0.1
>            Reporter: Aaron Mulder
>             Fix For: 4.2.0, 4.0.3
>
>         Attachments: AuthorizationPlugin.patch, AuthorizationPlugin.patch

        

[jira] Updated: (AMQ-908) Authorization plugin should have configurable principal classes

Posted by "Hiram Chirino (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/activemq/browse/AMQ-908?page=all ]

Hiram Chirino updated AMQ-908:
------------------------------

    Fix Version/s: 4.2
                       (was: 4.1.0)

> Authorization plugin should have configurable principal classes
> ---------------------------------------------------------------
>
>                 Key: AMQ-908
>                 URL: https://issues.apache.org/activemq/browse/AMQ-908
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Broker
>    Affects Versions: 4.0.1
>            Reporter: Aaron Mulder
>             Fix For: 4.2.0, 4.0.3

        

[jira] Resolved: (AMQ-908) Authorization plugin should have configurable principal classes

Posted by "Jonas Lim (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/activemq/browse/AMQ-908?page=all ]

Jonas Lim resolved AMQ-908.
---------------------------

    Resolution: Fixed

A call to parseACL() is added in the afterPropertiesSet method. parseACL calls inside the helper methods are not removed, for instances where authenticationentry configuration is done programmatically (w/o xbean).

added fix at trunk: r486131



> Authorization plugin should have configurable principal classes
> ---------------------------------------------------------------
>
>                 Key: AMQ-908
>                 URL: https://issues.apache.org/activemq/browse/AMQ-908
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Broker
>    Affects Versions: 4.0.1
>            Reporter: Aaron Mulder
>         Assigned To: Jonas Lim
>             Fix For: 4.2.0
>
>         Attachments: authorizationPlugin.patch, authorizationPlugin.patch, AuthorizationPlugin.patch, AuthorizationPlugin.patch

        

[jira] Reopened: (AMQ-908) Authorization plugin should have configurable principal classes

Posted by "Adrian Co (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/activemq/browse/AMQ-908?page=all ]

Adrian Co reopened AMQ-908:
---------------------------

      Assignee: Jonas Lim
             
I think it's much better if we perform parseACL in the afterPropertiesSet method (assuming it implements the InitializingBean), rather than relying on alphabetical properties.

Thoughts?

> Authorization plugin should have configurable principal classes
> ---------------------------------------------------------------
>
>                 Key: AMQ-908
>                 URL: https://issues.apache.org/activemq/browse/AMQ-908
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Broker
>    Affects Versions: 4.0.1
>            Reporter: Aaron Mulder
>         Assigned To: Jonas Lim
>             Fix For: 4.2.0
>
>         Attachments: authorizationPlugin.patch, authorizationPlugin.patch, AuthorizationPlugin.patch, AuthorizationPlugin.patch

        

[jira] Updated: (AMQ-908) Authorization plugin should have configurable principal classes

Posted by "Ken Gallo (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/activemq/browse/AMQ-908?page=all ]

Ken Gallo updated AMQ-908:
--------------------------

    Attachment: authorizationPlugin.patch

In: 

<authorizationEntry queue="USERS.>" read="users" write="users" admin="users" groupClass="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />

I've noticed that xbean sets "admin" before "groupClass" in the xml config of authorizationEntry (I think it's alphabetical), so even if you set the principal class, admin is initialized with the default org.apache.activemq.jaas.GroupPrincipal class.

I've renamed "groupClass" to "ACLPrincipal" so the principal class to be used can be set first before xbean sets admin.

So it should be:

<authorizationEntry queue="USERS.>" read="users" write="users" admin="users" ACLPrincipal="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />

> Authorization plugin should have configurable principal classes
> ---------------------------------------------------------------
>
>                 Key: AMQ-908
>                 URL: https://issues.apache.org/activemq/browse/AMQ-908
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Broker
>    Affects Versions: 4.0.1
>            Reporter: Aaron Mulder
>             Fix For: 4.2.0
>
>         Attachments: authorizationPlugin.patch, authorizationPlugin.patch, AuthorizationPlugin.patch, AuthorizationPlugin.patch
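
The property-order problem described in the message above, and the afterPropertiesSet approach discussed elsewhere in this thread, as an added Java example; it is not the attached patch or ActiveMQ/xbean code. The classes EagerEntry and DeferredEntry, the inject helper and the string-based parseACL stand-in are hypothetical, and the sorted injection order models what the thread reports rather than documented xbean behaviour.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

public class AclOrderingExample {
    static final String DEFAULT_CLASS = "org.apache.activemq.jaas.GroupPrincipal";
    static final String GERONIMO_CLASS =
            "org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal";

    // Stand-in for ACL parsing: records the principal class bound to each name.
    static List<String> parseACL(String principalClass, String names) {
        List<String> acl = new ArrayList<>();
        for (String name : names.split(",")) {
            acl.add(principalClass + "(" + name.trim() + ")");
        }
        return acl;
    }

    interface Entry {
        void set(String property, String value);
        List<String> adminACL();
    }

    // Parses inside the setter, so the result depends on the order of setter calls.
    static class EagerEntry implements Entry {
        private String principalClass = DEFAULT_CLASS;
        private List<String> admin = new ArrayList<>();
        public void set(String property, String value) {
            if (property.equals("admin")) {
                admin = parseACL(principalClass, value);
            } else {   // "groupClass" or its later name "ACLPrincipal"
                principalClass = value;
            }
        }
        public List<String> adminACL() { return admin; }
    }

    // Stores raw values; parses once in afterPropertiesSet, whatever the order was.
    static class DeferredEntry implements Entry {
        private String principalClass = DEFAULT_CLASS;
        private String adminNames = "";
        private List<String> admin = new ArrayList<>();
        public void set(String property, String value) {
            if (property.equals("admin")) adminNames = value; else principalClass = value;
        }
        void afterPropertiesSet() { admin = parseACL(principalClass, adminNames); }
        public List<String> adminACL() { return admin; }
    }

    // Models the injection order reported in the thread: sorted property names.
    static void inject(Entry entry, Map<String, String> attributes) {
        for (Map.Entry<String, String> a : new TreeMap<>(attributes).entrySet()) {
            entry.set(a.getKey(), a.getValue());
        }
    }

    // Constructed sample attributes, mirroring the authorizationEntry in the message.
    static Map<String, String> attributes(String classAttribute) {
        Map<String, String> m = new LinkedHashMap<>();
        m.put("admin", "users");
        m.put(classAttribute, GERONIMO_CLASS);
        return m;
    }

    public static void main(String[] args) {
        EagerEntry eager = new EagerEntry();
        inject(eager, attributes("groupClass"));       // "admin" is set first
        System.out.println("eager, groupClass:   " + eager.adminACL());

        EagerEntry renamed = new EagerEntry();
        inject(renamed, attributes("ACLPrincipal"));   // sorts before "admin" in this model
        System.out.println("eager, ACLPrincipal: " + renamed.adminACL());

        DeferredEntry deferred = new DeferredEntry();
        inject(deferred, attributes("groupClass"));
        deferred.afterPropertiesSet();
        System.out.println("deferred:            " + deferred.adminACL());
    }
}
```

In the first case the admin ACL is bound to the default class even though the Geronimo class was configured; the rename only works while the attribute name happens to sort ahead of "admin", whereas the deferred entry does not depend on the order at all.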

        

[jira] Commented: (AMQ-908) Authorization plugin should have configurable principal classes

Posted by "Ken Gallo (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/activemq/browse/AMQ-908?page=comments#action_37458 ] 
            
Ken Gallo commented on AMQ-908:
-------------------------------

Hi!

I am currently working on this improvement and I'm wondering what are the other possible principal implementations available out there aside from Jaas' GroupPrincipal and Weblogic's WLSGroupImpl so that I can test them. I assume they all have a constructor with a single String parameter for the name?

Thanks,
Ken

> Authorization plugin should have configurable principal classes
> ---------------------------------------------------------------
>
>                 Key: AMQ-908
>                 URL: https://issues.apache.org/activemq/browse/AMQ-908
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Broker
>    Affects Versions: 4.0.1
>            Reporter: Aaron Mulder
>             Fix For: 4.2.0, 4.0.3

        

[jira] Resolved: (AMQ-908) Authorization plugin should have configurable principal classes

Posted by "Jonas Lim (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/activemq/browse/AMQ-908?page=all ]

Jonas Lim resolved AMQ-908.
---------------------------

    Fix Version/s:     (was: 4.0.3)
       Resolution: Fixed

Thanks Ken! 
patch applied to trunk:  r480575

> Authorization plugin should have configurable principal classes
> ---------------------------------------------------------------
>
>                 Key: AMQ-908
>                 URL: https://issues.apache.org/activemq/browse/AMQ-908
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Broker
>    Affects Versions: 4.0.1
>            Reporter: Aaron Mulder
>             Fix For: 4.2.0
>
>         Attachments: AuthorizationPlugin.patch, AuthorizationPlugin.patch

        

[jira] Updated: (AMQ-908) Authorization plugin should have configurable principal classes

Posted by "Ken Gallo (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/activemq/browse/AMQ-908?page=all ]

Ken Gallo updated AMQ-908:
--------------------------

    Attachment: authorizationPlugin.patch

In: 

<authorizationEntry queue="USERS.>" read="users" write="users" admin="users" groupClass="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />

I've noticed that xbean sets "admin" before "groupClass" in the xml config of authorizationEntry (I think it's alphabetical), so even if you set the principal class, admin is initialized with the default org.apache.activemq.jaas.GroupPrincipal class.

I've renamed "groupClass" to "ACLPrincipal" so the principal class to be used can be set first before xbean sets admin.

So it should be:

> Authorization plugin should have configurable principal classes
> ---------------------------------------------------------------
>
>                 Key: AMQ-908
>                 URL: https://issues.apache.org/activemq/browse/AMQ-908
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Broker
>    Affects Versions: 4.0.1
>            Reporter: Aaron Mulder
>             Fix For: 4.2.0
>
>         Attachments: authorizationPlugin.patch, authorizationPlugin.patch, AuthorizationPlugin.patch, AuthorizationPlugin.patch