Posted to commits@activemq.apache.org by jl...@apache.org on 2006/11/27 15:35:35 UTC
svn commit: r479639 - in /incubator/activemq/trunk/activemq-core/src:
main/java/org/apache/activemq/security/
test/java/org/apache/activemq/security/
test/resources/org/apache/activemq/security/
Author: jlim
Date: Mon Nov 27 06:35:34 2006
New Revision: 479639
URL: http://svn.apache.org/viewvc?view=rev&rev=479639
Log:
updates for http://issues.apache.org/activemq/browse/AMQ-795
Added:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/TempDestinationAuthorizationEntry.java
Modified:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/AuthorizationMapTest.java
incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/groups.properties
incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml
Modified: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
URL: http://svn.apache.org/viewvc/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java?view=diff&rev=479639&r1=479638&r2=479639
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java (original)
+++ incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java Mon Nov 27 06:35:34 2006
@@ -56,14 +56,19 @@
if( securityContext == null )
throw new SecurityException("User is not authenticated.");
- // You don't need to be an admin to create temp destinations.
- if( !destination.isTemporary()
- || !((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue()) ) {
-
- Set allowedACLs = authorizationMap.getAdminACLs(destination);
- if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
- throw new SecurityException("User "+securityContext.getUserName()+" is not authorized to create: "+destination);
+
+ //if(!((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue()) ) {
+ Set allowedACLs = null;
+ if(!destination.isTemporary()) {
+ allowedACLs = authorizationMap.getAdminACLs(destination);
+ } else {
+ allowedACLs = authorizationMap.getTempDestinationAdminACLs();
}
+
+ if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
+ throw new SecurityException("User "+securityContext.getUserName()+" is not authorized to create: "+destination);
+
+ // }
return super.addDestination(context, destination);
}
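Review bot: The new temp-destination branch drops the connection-ownership test the removed lines performed, so an owning connection no longer has an implicit right to create its own temporary destination, and in the matching hunk in removeDestination a principal in the temp-destination admin ACL can now remove temporary destinations that belong to other connections; if that is the intended semantics of the new entry it should be stated in the Javadoc of both methods, because the commit log does not mention it. The commented-out remains of that check, `//if(!((ActiveMQTempDestination)destination).getConnectionId()...` and `// }`, should be deleted rather than left as dead text. `Set allowedACLs = null;` followed by the if/else can be a single assignment: `Set allowedACLs = destination.isTemporary() ? authorizationMap.getTempDestinationAdminACLs() : authorizationMap.getAdminACLs(destination);`. The signature of addDestination is above the hunk.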
@@ -74,14 +79,15 @@
if( securityContext == null )
throw new SecurityException("User is not authenticated.");
- // You don't need to be an admin to remove temp destinations.
- if( !destination.isTemporary()
- || !((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue()) ) {
-
- Set allowedACLs = authorizationMap.getAdminACLs(destination);
- if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
- throw new SecurityException("User "+securityContext.getUserName()+" is not authorized to remove: "+destination);
+ Set allowedACLs = null;
+ if(!destination.isTemporary()) {
+ allowedACLs = authorizationMap.getAdminACLs(destination);
+ } else {
+ allowedACLs = authorizationMap.getTempDestinationAdminACLs();
}
+
+ if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
+ throw new SecurityException("User "+securityContext.getUserName()+" is not authorized to remove: "+destination);
super.removeDestination(context, destination, timeout);
}
@@ -92,9 +98,16 @@
if( subject == null )
throw new SecurityException("User is not authenticated.");
- Set allowedACLs = authorizationMap.getReadACLs(info.getDestination());
+ Set allowedACLs = null;
+ if(!info.getDestination().isTemporary()) {
+ allowedACLs = authorizationMap.getReadACLs(info.getDestination());
+ }else {
+ allowedACLs = authorizationMap.getTempDestinationWriteACLs();
+ }
+
if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
throw new SecurityException("User "+subject.getUserName()+" is not authorized to read from: "+info.getDestination());
+
subject.getAuthorizedReadDests().put(info.getDestination(), info.getDestination());
/*
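Review bot: addConsumer authorizes a read against the write ACL for temporary destinations: the else branch calls `authorizationMap.getTempDestinationWriteACLs()` while the non-temporary branch uses `getReadACLs` and the interface hunk in this commit adds `getTempDestinationReadACLs()` for exactly this case, so a principal allowed only to write to temporary destinations can consume from them and a read-only principal is refused. The line should be `allowedACLs = authorizationMap.getTempDestinationReadACLs();`. The remainder of addConsumer, including the block comment that opens on the hunk's last line, is outside the hunk.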
@@ -133,9 +146,17 @@
throw new SecurityException("User is not authenticated.");
if( info.getDestination()!=null ) {
- Set allowedACLs = authorizationMap.getWriteACLs(info.getDestination());
- if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
+
+ Set allowedACLs = null;
+ if(!info.getDestination().isTemporary()) {
+ allowedACLs = authorizationMap.getWriteACLs(info.getDestination());
+ }else {
+ allowedACLs = authorizationMap.getTempDestinationWriteACLs();
+ }
+ if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
throw new SecurityException("User "+subject.getUserName()+" is not authorized to write to: "+info.getDestination());
+
+
subject.getAuthorizedWriteDests().put(info.getDestination(), info.getDestination());
}
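Review bot: The six-line `Set allowedACLs = null; if(!...isTemporary()) {...} else {...}` block added here is repeated verbatim in the send hunk that follows (and the admin variant twice above), which is how the read/write mix-up in addConsumer slipped in; a private helper that picks the right ACL set for a destination would leave one place to get it right. The two consecutive blank lines inserted before `subject.getAuthorizedWriteDests().put(...)` should also go. addProducer starts and ends outside the hunk.
```java
/** Write ACLs for a destination; temporary destinations use the map-wide temp entry. May be null (no restriction). */
private Set writeACLsFor(ActiveMQDestination destination) {
    return destination.isTemporary()
            ? authorizationMap.getTempDestinationWriteACLs()
            : authorizationMap.getWriteACLs(destination);
}
// … in addProducer, in place of the null-initialised Set and the if/else …
Set allowedACLs = writeACLsFor(info.getDestination());
```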
@@ -146,11 +167,19 @@
SecurityContext subject = (SecurityContext) context.getSecurityContext();
if( subject == null )
throw new SecurityException("User is not authenticated.");
-
+
if( !subject.getAuthorizedWriteDests().contains(messageSend.getDestination()) ) {
- Set allowedACLs = authorizationMap.getWriteACLs(messageSend.getDestination());
- if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
+
+ Set allowedACLs = null;
+ if(!messageSend.getDestination().isTemporary()) {
+ allowedACLs = authorizationMap.getWriteACLs(messageSend.getDestination());
+ }else {
+ allowedACLs = authorizationMap.getTempDestinationWriteACLs();
+ }
+
+ if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
throw new SecurityException("User "+subject.getUserName()+" is not authorized to write to: "+messageSend.getDestination());
+
subject.getAuthorizedWriteDests().put(messageSend.getDestination(), messageSend.getDestination());
}
Modified: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
URL: http://svn.apache.org/viewvc/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java?view=diff&rev=479639&r1=479638&r2=479639
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java (original)
+++ incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java Mon Nov 27 06:35:34 2006
@@ -28,6 +28,21 @@
public interface AuthorizationMap {
/**
+ * Returns the set of all ACLs capable of administering temp destination
+ */
+ Set getTempDestinationAdminACLs();
+
+ /**
+ * Returns the set of all ACLs capable of reading from temp destination
+ */
+ Set getTempDestinationReadACLs();
+
+ /**
+ * Returns the set of all ACLs capable of writing to temp destination
+ */
+ Set getTempDestinationWriteACLs();
+
+ /**
* Returns the set of all ACLs capable of administering the given destination
*/
Set getAdminACLs(ActiveMQDestination destination);
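Review bot: The three new Javadoc comments do not say what a `null` return means, yet AuthorizationBroker in this commit skips the authorization check whenever the returned set is null, and LDAPAuthorizationMap returns null from all three; an implementer reading only this interface cannot tell whether null means "unrestricted" or "nobody". Each comment should carry a sentence such as `Returns null when no restriction is configured, in which case the broker performs no check for temporary destinations.` The comments also say "temp destination" where the existing ones say "the given destination"; "temporary destinations" (plural, since the set applies to all of them) would be clearer.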
Modified: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
URL: http://svn.apache.org/viewvc/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java?view=diff&rev=479639&r1=479638&r2=479639
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java (original)
+++ incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java Mon Nov 27 06:35:34 2006
@@ -37,14 +37,46 @@
public class DefaultAuthorizationMap extends DestinationMap implements AuthorizationMap {
private AuthorizationEntry defaultEntry;
-
+
+ private TempDestinationAuthorizationEntry tempDestinationAuthorizationEntry;
+
public DefaultAuthorizationMap() {
}
public DefaultAuthorizationMap(List authorizationEntries) {
setAuthorizationEntries(authorizationEntries);
+
}
+
+ public void setTempDestinationAuthorizationEntry(TempDestinationAuthorizationEntry tempDestinationAuthorizationEntry) {
+ this.tempDestinationAuthorizationEntry = tempDestinationAuthorizationEntry;
+ }
+
+ public TempDestinationAuthorizationEntry getTempDestinationAuthorizationEntry() {
+ return this.tempDestinationAuthorizationEntry;
+ }
+
+ public Set getTempDestinationAdminACLs() {
+ if(tempDestinationAuthorizationEntry != null)
+ return tempDestinationAuthorizationEntry.getAdminACLs();
+ else
+ return null;
+ }
+
+ public Set getTempDestinationReadACLs() {
+ if(tempDestinationAuthorizationEntry != null)
+ return tempDestinationAuthorizationEntry.getReadACLs();
+ else
+ return null;
+ }
+
+ public Set getTempDestinationWriteACLs() {
+ if(tempDestinationAuthorizationEntry != null)
+ return tempDestinationAuthorizationEntry.getWriteACLs();
+ else
+ return null;
+ }
public Set getAdminACLs(ActiveMQDestination destination) {
Set entries = getAllEntries(destination);
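Review bot: `setTempDestinationAuthorizationEntry` has no Javadoc even though it is presumably the property the `<tempDestinationAuthorizationEntry>` element in jaas-broker.xml populates; a sentence such as `Sets the single entry whose read/write/admin roles apply to every temporary destination; when unset, the broker applies no check to temporary destinations.` would tell configurers what the default is. The three new getters repeat the same null guard as if/else; each can be one line, e.g. `return tempDestinationAuthorizationEntry != null ? tempDestinationAuthorizationEntry.getAdminACLs() : null;`. The stray blank line added inside the `List` constructor should be dropped. getAdminACLs continues outside the hunk.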
Modified: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java
URL: http://svn.apache.org/viewvc/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java?view=diff&rev=479639&r1=479638&r2=479639
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java (original)
+++ incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java Mon Nov 27 06:35:34 2006
@@ -137,6 +137,22 @@
queueSearchSubtreeBool = new Boolean(queueSearchSubtree).booleanValue();
}
+ public Set getTempDestinationAdminACLs() {
+ //TODO insert implementation
+
+ return null;
+ }
+
+ public Set getTempDestinationReadACLs() {
+ // TODO insert implementation
+ return null;
+ }
+
+ public Set getTempDestinationWriteACLs() {
+ // TODO insert implementation
+ return null;
+ }
+
public Set getAdminACLs(ActiveMQDestination destination) {
return getACLs(destination, adminBase, adminAttribute);
}
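Review bot: The three TODO stubs return null, which AuthorizationBroker in this commit treats as "no restriction", so with an LDAP map temporary destinations are created, removed, read and written without any authorization check while named destinations are still checked; that difference between the two map implementations is not recorded anywhere. Until the LDAP lookup exists the stubs should say so, e.g. `// TODO: not yet backed by LDAP; null makes the broker skip the check for temporary destinations`. Returning an empty set instead would deny every temp-destination operation, because the broker rejects any principal not in the set, so whichever default is chosen should be deliberate and documented.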
Modified: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
URL: http://svn.apache.org/viewvc/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java?view=diff&rev=479639&r1=479638&r2=479639
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java (original)
+++ incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java Mon Nov 27 06:35:34 2006
@@ -36,6 +36,8 @@
private DestinationMap readACLs;
private DestinationMap adminACLs;
+ private TempDestinationAuthorizationEntry tempDestinationAuthorizationEntry;
+
public SimpleAuthorizationMap() {
}
@@ -45,6 +47,42 @@
this.adminACLs = adminACLs;
}
+ /*
+ * Need to think how to retrieve the ACLs for temporary destinations since they are not map
+ * to a specific destination. For now we'll just retrieve it from a TempDestinationAuthorizationEntry
+ * same way as the DefaultAuthorizationMap. The ACLs retrieved here will be map to all temp destinations
+ */
+
+ public void setTempDestinationAuthorizationEntry(TempDestinationAuthorizationEntry tempDestinationAuthorizationEntry) {
+ this.tempDestinationAuthorizationEntry = tempDestinationAuthorizationEntry;
+ }
+
+ public TempDestinationAuthorizationEntry getTempDestinationAuthorizationEntry() {
+ return this.tempDestinationAuthorizationEntry;
+ }
+
+
+ public Set getTempDestinationAdminACLs() {
+ if(tempDestinationAuthorizationEntry != null)
+ return tempDestinationAuthorizationEntry.getAdminACLs();
+ else
+ return null;
+ }
+
+ public Set getTempDestinationReadACLs() {
+ if(tempDestinationAuthorizationEntry != null)
+ return tempDestinationAuthorizationEntry.getReadACLs();
+ else
+ return null;
+ }
+
+ public Set getTempDestinationWriteACLs() {
+ if(tempDestinationAuthorizationEntry != null)
+ return tempDestinationAuthorizationEntry.getWriteACLs();
+ else
+ return null;
+ }
+
public Set getAdminACLs(ActiveMQDestination destination) {
return adminACLs.get(destination);
}
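Review bot: The design note beginning `/* Need to think how to retrieve the ACLs for temporary destinations …` is a free-floating block comment; as Javadoc on `setTempDestinationAuthorizationEntry` it would reach API readers, and "they are not map to a specific destination" should read "they are not mapped to a specific destination". The setter, getter and three null-guarded ACL getters are identical to the ones added to DefaultAuthorizationMap in this commit; a shared helper or base class would keep the two maps from drifting. getAdminACLs at the end of the hunk is unchanged.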
Added: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/TempDestinationAuthorizationEntry.java
URL: http://svn.apache.org/viewvc/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/TempDestinationAuthorizationEntry.java?view=auto&rev=479639
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/TempDestinationAuthorizationEntry.java (added)
+++ incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/TempDestinationAuthorizationEntry.java Mon Nov 27 06:35:34 2006
@@ -0,0 +1,45 @@
+/**
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.activemq.filter.DestinationMapEntry;
+import org.apache.activemq.jaas.GroupPrincipal;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.StringTokenizer;
+
+/**
+ * Represents an entry in a {@link DefaultAuthorizationMap} for assigning
+ * different operations (read, write, admin) of user roles to
+ * a temporary destination
+ *
+ * @org.apache.xbean.XBean
+ *
+ * @version $Revision: 426366 $
+ */
+public class TempDestinationAuthorizationEntry extends AuthorizationEntry {
+
+
+ public void afterPropertiesSet() throws Exception {
+ //we don't need to check if destination is specified since
+ //the TempDestinationAuthorizationEntry should map to all temp destinations
+ }
+
+}
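Review bot: Six imports, `DestinationMapEntry`, `GroupPrincipal`, `Collections`, `HashSet`, `Set` and `StringTokenizer`, are unused by a class body that only overrides `afterPropertiesSet`; they appear to be copied from AuthorizationEntry and should be removed, as should the copied `@version $Revision: 426366 $` tag, which will not track this file. The empty override presumably suppresses a destination-must-be-set validation in the superclass (the inline comment implies it, but the superclass is not in this diff); if so, the method deserves a Javadoc sentence saying it intentionally skips that validation because the entry applies to every temporary destination. The class Javadoc names only DefaultAuthorizationMap, but SimpleAuthorizationMap accepts this entry too in the same commit.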
Modified: incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/AuthorizationMapTest.java
URL: http://svn.apache.org/viewvc/incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/AuthorizationMapTest.java?view=diff&rev=479639&r1=479638&r2=479639
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/AuthorizationMapTest.java (original)
+++ incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/AuthorizationMapTest.java Mon Nov 27 06:35:34 2006
@@ -18,10 +18,10 @@
package org.apache.activemq.security;
import org.apache.activemq.command.ActiveMQQueue;
+import org.apache.activemq.command.ActiveMQTempQueue;
import org.apache.activemq.jaas.GroupPrincipal;
import java.util.*;
-import java.util.Set;
import junit.framework.TestCase;
@@ -33,6 +33,7 @@
static final GroupPrincipal guests = new GroupPrincipal("guests");
static final GroupPrincipal users = new GroupPrincipal("users");
static final GroupPrincipal admins = new GroupPrincipal("admins");
+ static final GroupPrincipal tempDestinationAdmins = new GroupPrincipal("tempDestAdmins");
public void testAuthorizationMap() {
AuthorizationMap map = createAuthorizationMap();
@@ -41,8 +42,23 @@
assertEquals("set size: " + readACLs, 2, readACLs.size());
assertTrue("Contains users group", readACLs.contains(admins));
assertTrue("Contains users group", readACLs.contains(users));
+
}
+ public void testAuthorizationMapWithTempDest() {
+ AuthorizationMap map = createAuthorizationMapWithTempDest();
+
+ Set readACLs = map.getReadACLs(new ActiveMQQueue("USERS.FOO.BAR"));
+ assertEquals("set size: " + readACLs, 2, readACLs.size());
+ assertTrue("Contains users group", readACLs.contains(admins));
+ assertTrue("Contains users group", readACLs.contains(users));
+
+ Set tempAdminACLs = map.getTempDestinationAdminACLs();
+ assertEquals("set size: " + tempAdminACLs, 1, tempAdminACLs.size());
+ assertTrue("Contains users group", tempAdminACLs.contains(tempDestinationAdmins));
+
+ }
+
protected AuthorizationMap createAuthorizationMap() {
DefaultAuthorizationMap answer = new DefaultAuthorizationMap();
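Review bot: In testAuthorizationMapWithTempDest the assertion messages on `readACLs.contains(admins)` and `tempAdminACLs.contains(tempDestinationAdmins)` both say "Contains users group", so a failure would be misreported; use `"Contains admins group"` and `"Contains tempDestAdmins group"`. The test only covers the admin ACL of the temp entry; since createAuthorizationMapWithTempDest sets no read or write role, asserting what `map.getTempDestinationReadACLs()` and `map.getTempDestinationWriteACLs()` return for an unset role would pin whether that is null or an empty set, which matters because AuthorizationBroker treats null as unrestricted and an empty set as deny-all. The new test method starts inside the hunk and ends before the following helper.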
@@ -62,5 +78,31 @@
return answer;
}
+
+ protected AuthorizationMap createAuthorizationMapWithTempDest() {
+ DefaultAuthorizationMap answer = new DefaultAuthorizationMap();
+
+ List entries = new ArrayList();
+
+ AuthorizationEntry entry = new AuthorizationEntry();
+ entry.setQueue(">");
+ entry.setRead("admins");
+ entries.add(entry);
+
+ entry = new AuthorizationEntry();
+ entry.setQueue("USERS.>");
+ entry.setRead("users");
+ entries.add(entry);
+
+ answer.setAuthorizationEntries(entries);
+
+ //create entry for temporary queue
+ TempDestinationAuthorizationEntry tEntry = new TempDestinationAuthorizationEntry();
+ tEntry.setAdmin("tempDestAdmins");
+
+ answer.setTempDestinationAuthorizationEntry(tEntry);
+
+ return answer;
+ }
}
Modified: incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/groups.properties
URL: http://svn.apache.org/viewvc/incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/groups.properties?view=diff&rev=479639&r1=479638&r2=479639
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/groups.properties (original)
+++ incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/groups.properties Mon Nov 27 06:35:34 2006
@@ -16,5 +16,6 @@
## ---------------------------------------------------------------------------
admins=system
+tempDestinationAdmins=system,user
users=system,user
guests=guest
Modified: incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml
URL: http://svn.apache.org/viewvc/incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml?view=diff&rev=479639&r1=479638&r2=479639
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml (original)
+++ incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml Mon Nov 27 06:35:34 2006
@@ -42,6 +42,11 @@
<authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
</authorizationEntries>
+
+ <!-- let's assign roles to temporary destinations. comment this entry if we don't want any roles assigned to temp destinations -->
+ <tempDestinationAuthorizationEntry>
+ <tempDestinationAuthorizationEntry read="tempDestinationAdmins" write="tempDestinationAdmins" admin="tempDestinationAdmins"/>
+ </tempDestinationAuthorizationEntry>
</authorizationMap>
</map>
</authorizationPlugin>