Posted to commits@qpid.apache.org by kw...@apache.org on 2016/10/06 15:08:56 UTC

svn commit: r1763605 - in /qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server: model/AbstractConfiguredObject.java model/BrokerImpl.java security/SubjectFixedResultAccessControl.java virtualhost/AbstractVirtualHost.java

Author: kwall
Date: Thu Oct  6 15:08:56 2016
New Revision: 1763605

URL: http://svn.apache.org/viewvc?rev=1763605&view=rev
Log:
QPID-7449: [Java Broker] Cache the result of the system-user ACL provider too

Added:
    qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectFixedResultAccessControl.java
Modified:
    qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AbstractConfiguredObject.java
    qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/BrokerImpl.java
    qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java

Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AbstractConfiguredObject.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AbstractConfiguredObject.java?rev=1763605&r1=1763604&r2=1763605&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AbstractConfiguredObject.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AbstractConfiguredObject.java Thu Oct  6 15:08:56 2016
@@ -2993,7 +2993,7 @@ public abstract class AbstractConfigured
         return isSystemSubject(subject);
     }
 
-    private boolean isSystemSubject(final Subject subject)
+    protected boolean isSystemSubject(final Subject subject)
     {
         return subject != null  && subject.getPrincipals().contains(getSystemPrincipal());
     }
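Review bot: Widening `isSystemSubject` from private to protected also makes it overridable by every subclass of AbstractConfiguredObject, and this commit starts using it as the predicate that decides `Result.ALLOWED` for the system user in BrokerImpl and AbstractVirtualHost. The subclasses only need to call it, so I would declare it `protected final boolean isSystemSubject(final Subject subject)` so that no subclass can change the system-subject test. A one-line Javadoc stating that it returns true only when the subject carries the system principal, and false for a null subject, would document the contract for the new callers.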

Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/BrokerImpl.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/BrokerImpl.java?rev=1763605&r1=1763604&r2=1763605&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/BrokerImpl.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/BrokerImpl.java Thu Oct  6 15:08:56 2016
@@ -68,8 +68,8 @@ import org.apache.qpid.server.plugin.Sys
 import org.apache.qpid.server.security.AccessControl;
 import org.apache.qpid.server.security.CompoundAccessControl;
 import org.apache.qpid.server.security.Result;
-import org.apache.qpid.server.security.SecurityToken;
-import org.apache.qpid.server.security.access.Operation;
+import org.apache.qpid.server.security.SubjectFixedResultAccessControl;
+import org.apache.qpid.server.security.SubjectFixedResultAccessControl.ResultCalculator;
 import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
 import org.apache.qpid.server.security.auth.UsernamePrincipal;
 import org.apache.qpid.server.security.auth.manager.SimpleAuthenticationManager;
@@ -97,44 +97,14 @@ public class BrokerImpl extends Abstract
 
     public static final String MANAGEMENT_MODE_AUTHENTICATION = "MANAGEMENT_MODE_AUTHENTICATION";
 
-    private final AccessControl<SecurityToken> _systemUserAllowed = new AccessControl<SecurityToken>()
+    private final AccessControl _systemUserAllowed = new SubjectFixedResultAccessControl(new ResultCalculator()
     {
         @Override
-        public Result getDefault()
+        public Result getResult(final Subject subject)
         {
-            return Result.DEFER;
+            return isSystemSubject(subject) ? Result.ALLOWED : Result.DEFER;
         }
-
-        @Override
-        public SecurityToken newToken()
-        {
-            return null;
-        }
-
-        @Override
-        public SecurityToken newToken(final Subject subject)
-        {
-            return null;
-        }
-
-        @Override
-        public Result authorise(final SecurityToken token,
-                                final Operation operation,
-                                final ConfiguredObject<?> configuredObject)
-        {
-            return isSystemProcess() ? Result.ALLOWED : Result.DEFER;
-        }
-
-        @Override
-        public Result authorise(final SecurityToken token,
-                                final Operation operation,
-                                final ConfiguredObject<?> configuredObject,
-                                final Map<String, Object> arguments)
-        {
-            return isSystemProcess() ? Result.ALLOWED : Result.DEFER;
-        }
-    };
-
+    }, Result.DEFER);
 
     private final BrokerPrincipal _principal;
 
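Review bot: The field is now declared with the raw type `AccessControl` (`private final AccessControl _systemUserAllowed`), where the removed code had `AccessControl<SecurityToken>`; the same declaration is added in AbstractVirtualHost. A raw type turns off generic checking wherever the field is used, so a token minted by a different provider could be passed to `authorise` and would only be rejected at run time by the cast in the bridge method. Because `FixedResultSecurityToken` is package-private and cannot be named from this package, `private final AccessControl<?> _systemUserAllowed` is the declaration I would use, assuming the code that consumes the field (outside this hunk) accepts a wildcard. A short comment on the field noting that the ALLOWED/DEFER decision is now taken from the subject at token creation, rather than from `isSystemProcess()` on each call, would record the behaviour change.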

Added: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectFixedResultAccessControl.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectFixedResultAccessControl.java?rev=1763605&view=auto
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectFixedResultAccessControl.java (added)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectFixedResultAccessControl.java Thu Oct  6 15:08:56 2016
@@ -0,0 +1,101 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security;
+
+import java.security.AccessController;
+import java.util.Map;
+
+import javax.security.auth.Subject;
+
+import org.apache.qpid.server.model.ConfiguredObject;
+import org.apache.qpid.server.security.access.Operation;
+
+public final class SubjectFixedResultAccessControl implements AccessControl<SubjectFixedResultAccessControl.FixedResultSecurityToken>
+{
+    private final Result _default;
+    private final ResultCalculator _calculator;
+
+    public SubjectFixedResultAccessControl(final ResultCalculator calculator,
+                                           final Result defaultResult)
+    {
+        _default = defaultResult;
+        _calculator = calculator;
+    }
+
+    @Override
+    public Result getDefault()
+    {
+        return _default;
+    }
+
+    @Override
+    public FixedResultSecurityToken newToken()
+    {
+        return newToken(Subject.getSubject(AccessController.getContext()));
+    }
+
+    @Override
+    public FixedResultSecurityToken newToken(final Subject subject)
+    {
+        return new FixedResultSecurityToken(_calculator.getResult(subject));
+    }
+
+    @Override
+    public Result authorise(final FixedResultSecurityToken token,
+                            final Operation operation,
+                            final ConfiguredObject<?> configuredObject)
+    {
+        return token == null
+                ? _calculator.getResult(Subject.getSubject(AccessController.getContext()))
+                : token.getResult();
+    }
+
+    @Override
+    public Result authorise(final FixedResultSecurityToken token,
+                            final Operation operation,
+                            final ConfiguredObject<?> configuredObject,
+                            final Map<String, Object> arguments)
+    {
+        return token == null
+                ? _calculator.getResult(Subject.getSubject(AccessController.getContext()))
+                : token.getResult();
+    }
+
+    public interface ResultCalculator
+    {
+        Result getResult(Subject subject);
+    }
+
+    static final class FixedResultSecurityToken implements SecurityToken
+    {
+        private final Result _result;
+
+        private FixedResultSecurityToken(final Result result)
+        {
+            _result = result;
+        }
+
+        private Result getResult()
+        {
+            return _result;
+        }
+    }
+}
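Review bot: Both `authorise` overloads return `token.getResult()` without looking at the calling subject, so a token created for the system subject gives the result computed for it (ALLOWED in both callers in this commit) to whatever code later presents that token. That is the purpose of the cache, but the class has no Javadoc and the contract is only implicit. A class comment should state that a token is bound to the subject it was created for and must not be reused under another subject, and that a `ResultCalculator` must return a non-null result that depends only on the subject. The constructor also accepts a null `calculator`, which would only surface as a NullPointerException in `newToken` or `authorise`; `_calculator = Objects.requireNonNull(calculator, "calculator");` (with a `java.util.Objects` import, and the same check for `defaultResult`) would fail at construction instead.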

Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java?rev=1763605&r1=1763604&r2=1763605&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java Thu Oct  6 15:08:56 2016
@@ -106,7 +106,8 @@ import org.apache.qpid.server.queue.Queu
 import org.apache.qpid.server.security.AccessControl;
 import org.apache.qpid.server.security.CompoundAccessControl;
 import org.apache.qpid.server.security.Result;
-import org.apache.qpid.server.security.SecurityToken;
+import org.apache.qpid.server.security.SubjectFixedResultAccessControl;
+import org.apache.qpid.server.security.SubjectFixedResultAccessControl.ResultCalculator;
 import org.apache.qpid.server.security.access.Operation;
 import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
 import org.apache.qpid.server.stats.StatisticsCounter;
@@ -206,44 +207,14 @@ public abstract class AbstractVirtualHos
 
     private volatile boolean _createDefaultExchanges;
 
-
-    private final AccessControl<SecurityToken> _systemUserAllowed = new AccessControl<SecurityToken>()
+    private final AccessControl _systemUserAllowed = new SubjectFixedResultAccessControl(new ResultCalculator()
     {
         @Override
-        public Result getDefault()
-        {
-            return Result.DEFER;
-        }
-
-        @Override
-        public SecurityToken newToken()
-        {
-            return null;
-        }
-
-        @Override
-        public SecurityToken newToken(final Subject subject)
-        {
-            return null;
-        }
-
-        @Override
-        public Result authorise(final SecurityToken token,
-                                final Operation operation,
-                                final ConfiguredObject<?> configuredObject)
-        {
-            return isSystemProcess() ? Result.ALLOWED : Result.DEFER;
-        }
-
-        @Override
-        public Result authorise(final SecurityToken token,
-                                final Operation operation,
-                                final ConfiguredObject<?> configuredObject,
-                                final Map<String, Object> arguments)
+        public Result getResult(final Subject subject)
         {
-            return isSystemProcess() ? Result.ALLOWED : Result.DEFER;
+            return isSystemSubject(subject) ? Result.ALLOWED : Result.DEFER;
         }
-    };
+    }, Result.DEFER);
 
 
     @ManagedAttributeField


