Posted to commits@qpid.apache.org by ri...@apache.org on 2007/04/12 09:16:55 UTC
svn commit: r527803 - in
/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server:
management/ security/access/ security/auth/database/
Author: ritchiem
Date: Thu Apr 12 00:16:54 2007
New Revision: 527803
URL: http://svn.apache.org/viewvc?view=rev&rev=527803
Log:
QPID-446 Update to write accessRights file and correctly write Base64 MD5 Hashed password to password file.
MBeanInvocationHandlerImpl - made statics ADMIN,READONLY,READWRITE public so they can be used in writing the access file.
AMQUserManagementMBean - Update to write the access File.
PrincipalDatabase - create getUser(username) to retrieve a Principal from the database this is then implemented in all PDs. Used to check for existence of a user.
Modified:
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/management/MBeanInvocationHandlerImpl.java
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AMQUserManagementMBean.java
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/Base64MD5PasswordFilePrincipalDatabase.java
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PrincipalDatabase.java
incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PropertiesPrincipalDatabase.java
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/management/MBeanInvocationHandlerImpl.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/management/MBeanInvocationHandlerImpl.java?view=diff&rev=527803&r1=527802&r2=527803
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/management/MBeanInvocationHandlerImpl.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/management/MBeanInvocationHandlerImpl.java Thu Apr 12 00:16:54 2007
@@ -52,9 +52,9 @@
{
private static final Logger _logger = Logger.getLogger(MBeanInvocationHandlerImpl.class);
- private final static String ADMIN = "admin";
- private final static String READWRITE = "readwrite";
- private final static String READONLY = "readonly";
+ public final static String ADMIN = "admin";
+ public final static String READWRITE = "readwrite";
+ public final static String READONLY = "readonly";
private final static String DELEGATE = "JMImplementation:type=MBeanServerDelegate";
private MBeanServer mbs;
private static Properties _userRoles = new Properties();
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AMQUserManagementMBean.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AMQUserManagementMBean.java?view=diff&rev=527803&r1=527802&r2=527803
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AMQUserManagementMBean.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/access/AMQUserManagementMBean.java Thu Apr 12 00:16:54 2007
@@ -36,10 +36,8 @@
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
+import java.io.FileOutputStream;
import java.util.Properties;
-import java.util.Map;
-import java.util.HashMap;
-import java.security.Principal;
/** MBean class for AMQUserManagementMBean. It implements all the management features exposed for managing users. */
@MBeanDescription("User Management Interface")
@@ -49,9 +47,9 @@
private static final Logger _logger = Logger.getLogger(AMQUserManagementMBean.class);
private PrincipalDatabase _principalDatabase;
- private String _accessFile;
-
- Map<String, Principal> _users = new HashMap<String, Principal>();
+ private String _accessFileName;
+ private Properties _accessRights;
+ private File _accessFile;
public AMQUserManagementMBean() throws JMException
{
@@ -82,6 +80,40 @@
@MBeanOperationParameter(name = "write", description = "Administration write")boolean write,
@MBeanOperationParameter(name = "admin", description = "Administration rights")boolean admin)
{
+
+ if (_accessRights.get(username) == null)
+ {
+ if (_principalDatabase.getUser(username) == null)
+ {
+ return false;
+ }
+ }
+
+ if (admin)
+ {
+ _accessRights.put(username, MBeanInvocationHandlerImpl.ADMIN);
+ }
+ else
+ {
+ if (read | write)
+ {
+ if (read)
+ {
+ _accessRights.put(username, MBeanInvocationHandlerImpl.READONLY);
+ }
+ if (write)
+ {
+ _accessRights.put(username, MBeanInvocationHandlerImpl.READWRITE);
+ }
+ }
+ else
+ {
+ return false;
+ }
+ }
+
+ saveAccessFile();
+
return true;
}
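Review bot: `if (read | write)` uses the bitwise operator on two booleans; it evaluates correctly but reads like a typo, and when both flags are set the same key is stored twice (READONLY, then overwritten by READWRITE). `if (read || write)` followed by a single `_accessRights.put(username, write ? MBeanInvocationHandlerImpl.READWRITE : MBeanInvocationHandlerImpl.READONLY);` states the precedence explicitly. Note also that `true` is returned even when `saveAccessFile()` only logged a failure, so a caller cannot tell whether the new rights survived a restart. The method's signature starts above the hunk.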
@@ -95,8 +127,9 @@
{
if (_principalDatabase.createPrincipal(new UsernamePrincipal(username), password))
{
- _users.remove(username);
- return true;
+ _accessRights.put(username, "");
+
+ return setRights(username, read, write, admin);
}
}
catch (AccountNotFoundException e)
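Review bot: The return value no longer reports whether the user was created: when none of `read`, `write`, `admin` is set, `setRights` (in the hunk above) appears to return false after `createPrincipal` has already succeeded, so the caller is told creation failed while the account exists and holds an in-memory `""` entry that was never written to the access file. Either document the contract, e.g. `@return true only if the principal was created and its rights were persisted`, or decide explicitly what a user with no management rights should look like on disk. The enclosing method starts before this hunk.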
@@ -114,7 +147,8 @@
{
if (_principalDatabase.deletePrincipal(new UsernamePrincipal(username)))
{
- _users.remove(username);
+ _accessRights.remove(username);
+
return true;
}
}
@@ -180,9 +214,9 @@
*/
public void setAccessFile(String accessFile) throws IOException, ConfigurationException
{
- _accessFile = accessFile;
+ _accessFileName = accessFile;
- if (_accessFile != null)
+ if (_accessFileName != null)
{
loadAccessFile();
}
@@ -196,27 +230,39 @@
{
Properties accessRights = new Properties();
- File access = new File(_accessFile);
+ _accessFile = new File(_accessFileName);
- if (!access.exists())
+ if (!_accessFile.exists())
{
- throw new ConfigurationException("'" + _accessFile + "' does not exist");
+ throw new ConfigurationException("'" + _accessFileName + "' does not exist");
}
- if (!access.canRead())
+ if (!_accessFile.canRead())
{
- throw new ConfigurationException("Cannot read '" + _accessFile + "'.");
+ throw new ConfigurationException("Cannot read '" + _accessFileName + "'.");
}
- if (!access.canWrite())
+ if (!_accessFile.canWrite())
{
- _logger.warn("Unable to write to access file '" + _accessFile + "' changes will not be preserved.");
+ _logger.warn("Unable to write to access file '" + _accessFileName + "' changes will not be preserved.");
}
- accessRights.load(new FileInputStream(access));
+ accessRights.load(new FileInputStream(_accessFileName));
processAccessRights(accessRights);
}
+ private void saveAccessFile()
+ {
+ try
+ {
+ _accessRights.store(new FileOutputStream(_accessFile), "");
+ }
+ catch (IOException e)
+ {
+ _logger.warn("Unable to write to access file '" + _accessFileName + "' changes will not be preserved.");
+ }
+ }
+
/**
* user=read user=write user=readwrite user=admin
*
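Review bot: `saveAccessFile` never closes the `FileOutputStream` it opens on line 170 (the `FileInputStream` on line 163 has the same leak), and `_accessFile` is only assigned inside `loadAccessFile`, so if `setAccessFile` was called with `null` (hunk at lines 128-138) the `new FileOutputStream((File) null)` throws `NullPointerException`, which the `IOException` catch does not cover. Because `FileOutputStream` truncates on open, an `IOException` part-way through `store` also leaves the access-control file empty while the warning says only that changes are not preserved; writing to a sibling temp file and renaming over `_accessFile` would keep the last good rights on disk. The fence below closes the stream and guards the null case; `loadAccessFile` begins above the hunk.
```java
private void saveAccessFile()
{
    if (_accessFile == null)
    {
        _logger.warn("No access file configured, rights change will not be preserved.");
        return;
    }
    FileOutputStream out = null;
    try
    {
        out = new FileOutputStream(_accessFile);
        _accessRights.store(out, "");
    }
    catch (IOException e)
    {
        _logger.warn("Unable to write to access file '" + _accessFileName + "' changes will not be preserved.");
    }
    finally
    {
        if (out != null)
        {
            try
            {
                out.close();
            }
            catch (IOException ignored)
            {
                // best-effort close; the write outcome was already reported above
            }
        }
    }
}
```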
@@ -225,6 +271,7 @@
private void processAccessRights(Properties accessRights)
{
_logger.info("Processing Access Rights:" + accessRights);
- MBeanInvocationHandlerImpl.setAccessRights(accessRights);
+ _accessRights = accessRights;
+ MBeanInvocationHandlerImpl.setAccessRights(_accessRights);
}
}
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/Base64MD5PasswordFilePrincipalDatabase.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/Base64MD5PasswordFilePrincipalDatabase.java?view=diff&rev=527803&r1=527802&r2=527803
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/Base64MD5PasswordFilePrincipalDatabase.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/Base64MD5PasswordFilePrincipalDatabase.java Thu Apr 12 00:16:54 2007
@@ -22,6 +22,7 @@
import org.apache.log4j.Logger;
import org.apache.qpid.server.security.auth.sasl.AuthenticationProviderInitialiser;
+import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
import org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5HashedInitialiser;
import org.apache.qpid.server.security.access.AMQUserManagementMBean;
import org.apache.qpid.server.security.Passwd;
@@ -46,6 +47,7 @@
import java.util.List;
import java.security.Principal;
import java.security.NoSuchAlgorithmException;
+import java.security.MessageDigest;
/**
* Represents a user database where the account information is stored in a simple flat file.
@@ -270,6 +272,15 @@
return _saslServers;
}
+ public Principal getUser(String username)
+ {
+ if (_users.containsKey(username))
+ {
+ return new UsernamePrincipal(username);
+ }
+ return null;
+ }
+
/**
* Looks up the password for a specified user in the password file. Note this code is <b>not</b> secure since it
* creates strings of passwords. It should be modified to create only char arrays which get nulled out.
@@ -374,7 +385,7 @@
user.saved();
}
- catch (EncoderException e)
+ catch (Exception e)
{
_logger.warn("Unable to encode new password reverting to old password.");
writer.write(line.getBytes(DEFAULT_ENCODING));
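Review bot: Widening `catch (EncoderException e)` to `catch (Exception e)` here and in the hunk at lines 232-240 now also swallows every `RuntimeException` raised while writing the password file, and logs it as an encoding problem with the cause dropped. The new checked types added to `getEncodePassword` are `NoSuchAlgorithmException` and `UnsupportedEncodingException`; catch those explicitly alongside `EncoderException` and pass `e` to the logger, e.g. `_logger.warn("Unable to encode new password reverting to old password.", e);`, so an unexpected failure is not misreported. The enclosing write loop starts and ends outside the hunk.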
@@ -397,7 +408,7 @@
writer.println();
user.saved();
}
- catch (EncoderException e)
+ catch (Exception e)
{
_logger.warn("Unable to get Encoded password for user'" + user.getName() + "' password not saved");
}
@@ -490,7 +501,7 @@
}
- byte[] getEncodePassword() throws EncoderException, UnsupportedEncodingException
+ byte[] getEncodePassword() throws EncoderException, UnsupportedEncodingException, NoSuchAlgorithmException
{
if (_encodedPassword == null)
{
@@ -499,10 +510,10 @@
return _encodedPassword;
}
- private void encodePassword() throws EncoderException, UnsupportedEncodingException
+ private void encodePassword() throws EncoderException, UnsupportedEncodingException, NoSuchAlgorithmException
{
Base64 b64 = new Base64();
- _encodedPassword = b64.encode(new String(_password).getBytes(DEFAULT_ENCODING));
+ _encodedPassword = b64.encode(getHash(new String(_password)));
}
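Review bot: `new String(_password)` materialises the password as an immutable `String` that cannot be zeroed, which the file's own comment at line 222 flags as the thing to avoid; `getHash` could accept the `char[]` and encode it via `Charset.forName(DEFAULT_ENCODING).encode(CharBuffer.wrap(_password))`, clearing the intermediate `byte[]` after `update`. The stored value is an unsalted MD5 of the password, so two users with the same password get identical entries and the file offers no resistance to precomputed lookups; if that format is required by the CRAM-MD5 hashed mechanism (inferred from the imports), a comment on `encodePassword` saying so would stop a later reader "fixing" it. The enclosing `User` class continues outside the hunk.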
public boolean isModified()
@@ -523,6 +534,20 @@
public void saved()
{
_modified = false;
+ }
+
+ private byte[] getHash(String text) throws NoSuchAlgorithmException, UnsupportedEncodingException
+ {
+ byte[] data = text.getBytes(DEFAULT_ENCODING);
+
+ MessageDigest md = MessageDigest.getInstance("MD5");
+
+ for (byte b : data)
+ {
+ md.update(b);
+ }
+
+ return md.digest();
}
}
}
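Review bot: The byte-by-byte `md.update(b)` loop in `getHash` does what a single array call does; `return MessageDigest.getInstance("MD5").digest(text.getBytes(DEFAULT_ENCODING));` replaces the whole body. A one-line Javadoc such as `/** Raw (unsalted) MD5 digest of {@code text} in DEFAULT_ENCODING; the stored password format, not a general-purpose password hash. */` would also record why MD5 is used here. The enclosing inner class and outer class close at the end of the hunk.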
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java?view=diff&rev=527803&r1=527802&r2=527803
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java Thu Apr 12 00:16:54 2007
@@ -23,6 +23,7 @@
import org.apache.log4j.Logger;
import org.apache.qpid.server.security.auth.database.PrincipalDatabase;
import org.apache.qpid.server.security.auth.sasl.AuthenticationProviderInitialiser;
+import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
import org.apache.qpid.server.security.auth.sasl.amqplain.AmqPlainInitialiser;
import org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5Initialiser;
import org.apache.qpid.server.security.auth.sasl.plain.PlainInitialiser;
@@ -143,7 +144,7 @@
int index = 0;
for (byte b : passwdBytes)
- {
+ {
passwd[index++] = (char) b;
}
@@ -168,6 +169,22 @@
public Map<String, AuthenticationProviderInitialiser> getMechanisms()
{
return _saslServers;
+ }
+
+ public Principal getUser(String username)
+ {
+ try
+ {
+ if (lookupPassword(username) != null)
+ {
+ return new UsernamePrincipal(username);
+ }
+ }
+ catch (IOException e)
+ {
+ //fall through to null return
+ }
+ return null;
}
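Review bot: The `catch (IOException e)` in `getUser` silently turns a password-file read error into "user does not exist", which the caller (`AMQUserManagementMBean.setRights`, per the log message) then reports as a failed rights change with no trace in the log; `_logger.warn("Unable to read password file while looking up '" + username + "'", e);` before the fall-through keeps the behaviour but makes it diagnosable. `lookupPassword` appears (from the `char[]` handling in the hunk at lines 293-299) to return the user's password array, which is discarded here without being cleared; if so, `Arrays.fill` it before returning.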
private boolean compareCharArray(char[] a, char[] b)
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PrincipalDatabase.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PrincipalDatabase.java?view=diff&rev=527803&r1=527802&r2=527803
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PrincipalDatabase.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PrincipalDatabase.java Thu Apr 12 00:16:54 2007
@@ -72,4 +72,6 @@
throws AccountNotFoundException;
public Map<String, AuthenticationProviderInitialiser> getMechanisms();
+
+ Principal getUser(String username);
}
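Review bot: `getUser` is added to the interface without Javadoc, while the three implementations in this commit disagree on whether a failed lookup is silent or logged, so the contract should be pinned here. Suggested doc: `/** Returns a Principal for {@code username} if the database holds an entry for it, or null if the user is unknown or the backing store cannot be read. */`. The interface's other methods are declared `public`; the new one should match that style.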
Modified: incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PropertiesPrincipalDatabase.java
URL: http://svn.apache.org/viewvc/incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PropertiesPrincipalDatabase.java?view=diff&rev=527803&r1=527802&r2=527803
==============================================================================
--- incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PropertiesPrincipalDatabase.java (original)
+++ incubator/qpid/branches/M2/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PropertiesPrincipalDatabase.java Thu Apr 12 00:16:54 2007
@@ -21,6 +21,7 @@
package org.apache.qpid.server.security.auth.database;
import org.apache.qpid.server.security.auth.sasl.AuthenticationProviderInitialiser;
+import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
import org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5Initialiser;
import org.apache.qpid.server.security.auth.sasl.plain.PlainInitialiser;
@@ -142,5 +143,17 @@
public Map<String, AuthenticationProviderInitialiser> getMechanisms()
{
return _saslServers;
+ }
+
+ public Principal getUser(String username)
+ {
+ if (_users.getProperty(username) != null)
+ {
+ return new UsernamePrincipal(username);
+ }
+ else
+ {
+ return null;
+ }
}
}