From jstrac...@apache.org
Subject svn commit: r377995 - in /incubator/activemq/trunk/activemq-core/src: main/java/org/apache/activemq/filter/ main/java/org/apache/activemq/security/ test/java/org/apache/activemq/security/ test/resources/org/apache/activemq/security/
Date Wed, 15 Feb 2006 12:38:42 GMT
Author: jstrachan
Date: Wed Feb 15 04:38:40 2006
New Revision: 377995

URL: http://svn.apache.org/viewcvs?rev=377995&view=rev
Log:
Refactor the authorization plugin to make it easier to create alternative data structures
for capturing the different ACLs, such as a single tree-based authorization map

Added:
    incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DefaultDestinationMapEntry.java
  (with props)
    incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
  (with props)
    incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationEntry.java
  (with props)
    incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
  (with props)
    incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationPlugin.java
  (with props)
    incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
  (with props)
    incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
  (with props)
Removed:
    incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationBroker.java
    incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationPlugin.java
Modified:
    incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/SimpleSecurityBrokerSystemTest.java
    incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml

Added: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DefaultDestinationMapEntry.java
URL: http://svn.apache.org/viewcvs/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DefaultDestinationMapEntry.java?rev=377995&view=auto
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DefaultDestinationMapEntry.java
(added)
+++ incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DefaultDestinationMapEntry.java
Wed Feb 15 04:38:40 2006
@@ -0,0 +1,37 @@
+/**
+ *
+ * Copyright 2005-2006 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.filter;
+
+/**
+ * A default entry in a DestinationMap which holds a single value.
+ * 
+ * @org.apache.xbean.XBean element="destinationEntry"
+ * 
+ * @version $Revision$
+ */
+public class DefaultDestinationMapEntry extends DestinationMapEntry {
+    private Object value;
+
+    public Object getValue() {
+        return value;
+    }
+
+    public void setValue(Object value) {
+        this.value = value;
+    }
+
+}

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DefaultDestinationMapEntry.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DefaultDestinationMapEntry.java
------------------------------------------------------------------------------
    svn:keywords = Date Author Id Revision HeadURL

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DefaultDestinationMapEntry.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
URL: http://svn.apache.org/viewcvs/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java?rev=377995&view=auto
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
(added)
+++ incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
Wed Feb 15 04:38:40 2006
@@ -0,0 +1,201 @@
+/**
+ *
+ * Copyright 2005-2006 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.activemq.broker.Broker;
+import org.apache.activemq.broker.BrokerFilter;
+import org.apache.activemq.broker.ConnectionContext;
+import org.apache.activemq.broker.region.Destination;
+import org.apache.activemq.command.ActiveMQDestination;
+import org.apache.activemq.command.ActiveMQQueue;
+import org.apache.activemq.command.ActiveMQTempDestination;
+import org.apache.activemq.command.ActiveMQTopic;
+import org.apache.activemq.command.ConsumerInfo;
+import org.apache.activemq.command.Message;
+import org.apache.activemq.command.ProducerInfo;
+import org.apache.activemq.filter.BooleanExpression;
+import org.apache.activemq.filter.MessageEvaluationContext;
+
+import javax.jms.JMSException;
+
+import java.util.Set;
+
+
+/**
+ * Verifies if a authenticated user can do an operation against the broker using an authorization
map.
+ * 
+ * @version $Revision$
+ */
+public class AuthorizationBroker extends BrokerFilter implements SecurityAdminMBean {
+    
+    private final AuthorizationMap authorizationMap;
+    private boolean filterReads = true;
+
+    public AuthorizationBroker(Broker next, AuthorizationMap authorizationMap) {
+        super(next);
+        this.authorizationMap = authorizationMap;
+    }
+    
+    public Destination addDestination(ConnectionContext context, ActiveMQDestination destination)
throws Throwable {
+        final SecurityContext securityContext = (SecurityContext) context.getSecurityContext();
+        if( securityContext == null )
+            throw new SecurityException("User is not authenticated.");
+
+        // You don't need to be an admin to create temp destinations.
+        if( !destination.isTemporary() 
+            || !((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue())
) {
+            
+            Set allowedACLs = authorizationMap.getAdminACLs(destination);
+            if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
+                throw new SecurityException("User "+securityContext.getUserName()+" is not
authorized to create: "+destination);
+        }
+        
+        return super.addDestination(context, destination);
+    }
+    
+    public void removeDestination(ConnectionContext context, ActiveMQDestination destination,
long timeout) throws Throwable {
+        
+        final SecurityContext securityContext = (SecurityContext) context.getSecurityContext();
+        if( securityContext == null )
+            throw new SecurityException("User is not authenticated.");
+
+        // You don't need to be an admin to remove temp destinations.
+        if( !destination.isTemporary() 
+            || !((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue())
) {
+            
+            Set allowedACLs = authorizationMap.getAdminACLs(destination);
+            if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
+                throw new SecurityException("User "+securityContext.getUserName()+" is not
authorized to remove: "+destination);
+        }
+
+        super.removeDestination(context, destination, timeout);
+    }
+    
+    public void addConsumer(ConnectionContext context, ConsumerInfo info) throws Throwable
{
+        
+        final SecurityContext subject = (SecurityContext) context.getSecurityContext();
+        if( subject == null )
+            throw new SecurityException("User is not authenticated.");
+        
+        Set allowedACLs = authorizationMap.getReadACLs(info.getDestination());
+        if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
+            throw new SecurityException("User "+subject.getUserName()+" is not authorized
to read from: "+info.getDestination());
+        subject.getAuthorizedReadDests().put(info.getDestination(), info.getDestination());
+        
+        // Should we install a additional predicate on the consumer?
+        // This adds a little more overhead, but is more secure.
+        if( filterReads ) {
+            
+            info.setAdditionalPredicate(new BooleanExpression() {
+                public boolean matches(MessageEvaluationContext message) throws JMSException
{
+                    if( !subject.getAuthorizedReadDests().contains(message.getDestination())
) {
+                        Set allowedACLs = authorizationMap.getReadACLs(message.getDestination());
+                        if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
+                            return false;
+                        subject.getAuthorizedReadDests().put(message.getDestination(), message.getDestination());
+                    }
+                    return true;
+                }
+                public Object evaluate(MessageEvaluationContext message) throws JMSException
{
+                    return matches(message) ? Boolean.TRUE : Boolean.FALSE;
+                }
+            });
+            
+        }
+        
+        super.addConsumer(context, info);
+    }
+    
+    public void addProducer(ConnectionContext context, ProducerInfo info) throws Throwable
{
+        
+        SecurityContext subject = (SecurityContext) context.getSecurityContext();
+        if( subject == null )
+            throw new SecurityException("User is not authenticated.");
+        
+        if( info.getDestination()!=null ) {
+            Set allowedACLs = authorizationMap.getWriteACLs(info.getDestination());
+            if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
+                throw new SecurityException("User "+subject.getUserName()+" is not authorized
to write to: "+info.getDestination());
+            subject.getAuthorizedWriteDests().put(info.getDestination(), info.getDestination());
+        }
+        
+        super.addProducer(context, info);
+    }
+        
+    public void send(ConnectionContext context, Message messageSend) throws Throwable {
+        SecurityContext subject = (SecurityContext) context.getSecurityContext();
+        if( subject == null )
+            throw new SecurityException("User is not authenticated.");
+        
+        if( !subject.getAuthorizedWriteDests().contains(messageSend.getDestination()) ) {
+            Set allowedACLs = authorizationMap.getWriteACLs(messageSend.getDestination());
           
+            if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
+                throw new SecurityException("User "+subject.getUserName()+" is not authorized
to write to: "+messageSend.getDestination());
+            subject.getAuthorizedWriteDests().put(messageSend.getDestination(), messageSend.getDestination());
+        }
+
+        super.send(context, messageSend);
+    }
+    
+    // SecurityAdminMBean interface
+    // -------------------------------------------------------------------------
+
+    public void addQueueRole(String queue, String operation, String role) {
+        addDestinationRole(new ActiveMQQueue(queue), operation, role);
+    }
+
+    public void addTopicRole(String topic, String operation, String role) {
+        addDestinationRole(new ActiveMQTopic(topic), operation, role);
+    }
+
+    public void removeQueueRole(String queue, String operation, String role) {
+        removeDestinationRole(new ActiveMQQueue(queue), operation, role);
+    }
+
+    public void removeTopicRole(String topic, String operation, String role) {
+        removeDestinationRole(new ActiveMQTopic(topic), operation, role);
+    }
+    
+    public void addDestinationRole(javax.jms.Destination destination, String operation, String
role) {
+    }
+    
+    public void removeDestinationRole(javax.jms.Destination destination, String operation,
String role) {
+    }
+
+
+    public void addRole(String role) {
+    }
+
+    public void addUserRole(String user, String role) {
+    }
+
+    public void removeRole(String role) {
+    }
+
+    public void removeUserRole(String user, String role) {
+    }
+
+    // Properties
+    // -------------------------------------------------------------------------
+    public boolean isFilterReads() {
+        return filterReads;
+    }
+
+    public void setFilterReads(boolean filterReads) {
+        this.filterReads = filterReads;
+    }
+}
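Review bot: The authorization checks in addDestination, removeDestination, addConsumer (including the additional predicate it installs), addProducer and send fail open: `if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))` only denies when the map returns a non-null set, so a null result from the AuthorizationMap grants the operation to any authenticated user (whether `DestinationMap.get` can return null for an unmatched destination in SimpleAuthorizationMap is not visible here). Unless null is a deliberate "unrestricted" marker, the safer form is `if (allowedACLs == null || !securityContext.isInOneOf(allowedACLs))`, and whichever reading is intended should be stated on the AuthorizationMap interface so implementations agree with the broker. Separately, the SecurityAdminMBean methods from addDestinationRole down to removeUserRole are empty bodies, so a JMX caller gets a silent no-op; throwing `UnsupportedOperationException` (or at least logging) would stop an operator from believing a role change took effect.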

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
------------------------------------------------------------------------------
    svn:keywords = Date Author Id Revision HeadURL

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationEntry.java
URL: http://svn.apache.org/viewcvs/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationEntry.java?rev=377995&view=auto
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationEntry.java
(added)
+++ incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationEntry.java
Wed Feb 15 04:38:40 2006
@@ -0,0 +1,63 @@
+/**
+ *
+ * Copyright 2005-2006 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.activemq.filter.DestinationMapEntry;
+
+import java.util.Collections;
+import java.util.Set;
+
+/**
+ * Represents an entry in a {@link DefaultAuthorizationMap} for assigning
+ * different operations (read, write, admin) of user roles to a specific
+ * destination or a hierarchical wildcard area of destinations.
+ * 
+ * @org.apache.xbean.XBean
+ * 
+ * @version $Revision$
+ */
+public class AuthorizationEntry extends DestinationMapEntry {
+
+    private Set readACLs = Collections.EMPTY_SET;
+    private Set writeACLs = Collections.EMPTY_SET;
+    private Set adminACLs = Collections.EMPTY_SET;
+
+    public Set getAdminACLs() {
+        return adminACLs;
+    }
+
+    public void setAdminACLs(Set adminACLs) {
+        this.adminACLs = adminACLs;
+    }
+
+    public Set getReadACLs() {
+        return readACLs;
+    }
+
+    public void setReadACLs(Set readACLs) {
+        this.readACLs = readACLs;
+    }
+
+    public Set getWriteACLs() {
+        return writeACLs;
+    }
+
+    public void setWriteACLs(Set writeACLs) {
+        this.writeACLs = writeACLs;
+    }
+
+}
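Review bot: The setters store whatever Set the caller passes, including null, and the getters hand the same instances back; DefaultAuthorizationMap calls `answer.addAll(entry.getReadACLs())` on them, so a null assigned through a setter surfaces later as a NullPointerException inside an authorization check rather than at configuration time. Normalising in the setters, e.g. `this.readACLs = readACLs == null ? Collections.EMPTY_SET : readACLs;`, keeps the no-ACL default the fields already use. The class Javadoc also never says what the set elements are (role names, principals?), which is the one thing someone writing a configuration entry needs to know; a sentence on each getter would cover it.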

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationEntry.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationEntry.java
------------------------------------------------------------------------------
    svn:keywords = Date Author Id Revision HeadURL

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationEntry.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
URL: http://svn.apache.org/viewcvs/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java?rev=377995&view=auto
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
(added)
+++ incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
Wed Feb 15 04:38:40 2006
@@ -0,0 +1,44 @@
+/**
+ *
+ * Copyright 2005-2006 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.activemq.command.ActiveMQDestination;
+
+import java.util.Set;
+
+/**
+ *
+ * @version $Revision$
+ */
+public interface AuthorizationMap {
+
+    /**
+     * Returns the set of all ACLs capable of administering the given destination
+     */
+    Set getAdminACLs(ActiveMQDestination destination);
+
+    /**
+     * Returns the set of all ACLs capable of reading (consuming from) the given destination
+     */
+    Set getReadACLs(ActiveMQDestination destination);
+
+    /**
+     * Returns the set of all ACLs capable of writing to the given destination
+     */
+    Set getWriteACLs(ActiveMQDestination destination);
+
+}
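Review bot: The interface Javadoc is empty and the three method comments leave unstated the two points callers depend on: what the elements of the returned Set are (AuthorizationBroker passes them straight to `SecurityContext.isInOneOf`), and whether an implementation may return null or must return an empty set when no entry matches — AuthorizationBroker treats null as "no restriction" while DefaultAuthorizationMap always returns a set. I'd add a class comment such as `Looks up the sets of roles allowed to administer, read from or write to a destination; implementations must return an empty set, never null, when nothing is permitted` (adjusting the element description to what SecurityContext actually expects), plus a `@return` tag on each method saying the same.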

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
------------------------------------------------------------------------------
    svn:keywords = Date Author Id Revision HeadURL

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationPlugin.java
URL: http://svn.apache.org/viewcvs/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationPlugin.java?rev=377995&view=auto
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationPlugin.java
(added)
+++ incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationPlugin.java
Wed Feb 15 04:38:40 2006
@@ -0,0 +1,56 @@
+/**
+ *
+ * Copyright 2005-2006 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.activemq.broker.Broker;
+import org.apache.activemq.broker.BrokerPlugin;
+
+/**
+ * An authorization plugin where each operation on a destination is checked
+ * against an authorizationMap
+ * 
+ * @org.apache.xbean.XBean
+ * 
+ * @version $Revision$
+ */
+public class AuthorizationPlugin implements BrokerPlugin {
+
+    private AuthorizationMap authorizationMap;
+
+    public AuthorizationPlugin() {
+    }
+
+    public AuthorizationPlugin(AuthorizationMap authorizationMap) {
+        this.authorizationMap = authorizationMap;
+    }
+
+    public Broker installPlugin(Broker broker) {
+        if (authorizationMap == null) {
+            throw new IllegalArgumentException("You must configure an 'authorizationMap'");
+        }
+        return new AuthorizationBroker(broker, authorizationMap);
+    }
+
+    public AuthorizationMap getAuthorizationMap() {
+        return authorizationMap;
+    }
+
+    public void setAuthorizationMap(AuthorizationMap authorizationMap) {
+        this.authorizationMap = authorizationMap;
+    }
+
+}
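Review bot: `installPlugin` throws IllegalArgumentException when authorizationMap is unset, but the failure is about the plugin's own state rather than the `broker` argument, so `IllegalStateException` describes it more accurately: `throw new IllegalStateException("You must configure an 'authorizationMap'");`. Failing at install time rather than on the first authorization check is the right place given the no-arg constructor and setter exist for XBean configuration; a `@throws` tag on installPlugin documenting that would make the contract visible.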

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationPlugin.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationPlugin.java
------------------------------------------------------------------------------
    svn:keywords = Date Author Id Revision HeadURL

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationPlugin.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
URL: http://svn.apache.org/viewcvs/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java?rev=377995&view=auto
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
(added)
+++ incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
Wed Feb 15 04:38:40 2006
@@ -0,0 +1,115 @@
+/**
+ *
+ * Copyright 2005-2006 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.activemq.command.ActiveMQDestination;
+import org.apache.activemq.filter.DestinationMap;
+
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * Represents a destination based configuration of policies so that individual
+ * destinations or wildcard hierarchies of destinations can be configured using
+ * different policies. Each entry in the map represents the authorization ACLs for each operation.
+ * 
+ * @org.apache.xbean.XBean element="authorizationMap"
+ * 
+ * @version $Revision$
+ */
+public class DefaultAuthorizationMap extends DestinationMap implements AuthorizationMap {
+
+    private AuthorizationEntry defaultEntry;
+
+    public DefaultAuthorizationMap() {
+    }
+
+    public DefaultAuthorizationMap(List authorizationEntries) {
+        setAuthorizationEntries(authorizationEntries);
+    }
+
+    
+    public Set getAdminACLs(ActiveMQDestination destination) {
+        Set answer = new HashSet();
+        Set entries = get(destination);
+        entries.add(defaultEntry);
+        
+        // now lets go through each entry adding individual 
+        for (Iterator iter = entries.iterator(); iter.hasNext();) {
+            AuthorizationEntry entry = (AuthorizationEntry) iter.next();
+            answer.addAll(entry.getAdminACLs());
+        }
+        return answer;
+    }
+
+    public Set getReadACLs(ActiveMQDestination destination) {
+        Set answer = new HashSet();
+        Set entries = get(destination);
+        entries.add(defaultEntry);
+        
+        // now lets go through each entry adding individual 
+        for (Iterator iter = entries.iterator(); iter.hasNext();) {
+            AuthorizationEntry entry = (AuthorizationEntry) iter.next();
+            answer.addAll(entry.getReadACLs());
+        }
+        return answer;
+    }
+
+    public Set getWriteACLs(ActiveMQDestination destination) {
+        Set answer = new HashSet();
+        Set entries = get(destination);
+        entries.add(defaultEntry);
+        
+        // now lets go through each entry adding individual 
+        for (Iterator iter = entries.iterator(); iter.hasNext();) {
+            AuthorizationEntry entry = (AuthorizationEntry) iter.next();
+            answer.addAll(entry.getWriteACLs());
+        }
+        return answer;
+    }
+
+    public AuthorizationEntry getEntryFor(ActiveMQDestination destination) {
+        AuthorizationEntry answer = (AuthorizationEntry) chooseValue(destination);
+        if (answer == null) {
+            answer = getDefaultEntry();
+        }
+        return answer;
+    }
+
+    /**
+     * Sets the individual entries on the authorization map
+     * 
+     * @org.apache.xbean.ElementType class="org.apache.activemq.security.AuthorizationEntry"
+     */
+    public void setAuthorizationEntries(List entries) {
+        super.setEntries(entries);
+    }
+
+    public AuthorizationEntry getDefaultEntry() {
+        return defaultEntry;
+    }
+
+    public void setDefaultEntry(AuthorizationEntry defaultEntry) {
+        this.defaultEntry = defaultEntry;
+    }
+
+    protected Class getEntryClass() {
+        return AuthorizationEntry.class;
+    }
+}
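Review bot: In getAdminACLs, getReadACLs and getWriteACLs the set returned by `get(destination)` is mutated with `entries.add(defaultEntry)` and then cast element by element; when no defaultEntry has been configured (the no-arg constructor leaves it null) a null is added and `entry.getAdminACLs()` throws NullPointerException on every lookup, and if `get` hands back a set the DestinationMap keeps internally (not visible here) the default entry is written into the map itself. The three methods also share their whole body except for the accessor called. I'd collect the candidate entries once in a helper that copies the set and adds the default entry only when it is non-null, and have the three getters iterate over that.
```java
    public Set getAdminACLs(ActiveMQDestination destination) {
        Set answer = new HashSet();
        for (Iterator iter = entriesFor(destination).iterator(); iter.hasNext();) {
            answer.addAll(((AuthorizationEntry) iter.next()).getAdminACLs());
        }
        return answer;
    }

    // … unchanged: getReadACLs / getWriteACLs, same shape calling getReadACLs() / getWriteACLs() …

    /**
     * Returns the entries matching the destination plus the default entry (when one is set),
     * in a fresh set so the map's own sets are never mutated.
     */
    protected Set entriesFor(ActiveMQDestination destination) {
        Set matches = get(destination);
        Set answer = matches == null ? new HashSet() : new HashSet(matches);
        if (defaultEntry != null) {
            answer.add(defaultEntry);
        }
        return answer;
    }
```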

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
------------------------------------------------------------------------------
    svn:keywords = Date Author Id Revision HeadURL

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
URL: http://svn.apache.org/viewcvs/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java?rev=377995&view=auto
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
(added)
+++ incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
Wed Feb 15 04:38:40 2006
@@ -0,0 +1,83 @@
+/**
+ *
+ * Copyright 2005-2006 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.activemq.command.ActiveMQDestination;
+import org.apache.activemq.filter.DestinationMap;
+
+import java.util.Set;
+
+/**
+ * An AuthorizationMap which is configured with individual DestinationMaps for
+ * each operation.
+ * 
+ * @org.apache.xbean.XBean
+ * 
+ * @version $Revision$
+ */
+public class SimpleAuthorizationMap implements AuthorizationMap {
+
+    private DestinationMap writeACLs;
+    private DestinationMap readACLs;
+    private DestinationMap adminACLs;
+
+    public SimpleAuthorizationMap() {
+    }
+
+    public SimpleAuthorizationMap(DestinationMap writeACLs, DestinationMap readACLs, DestinationMap
adminACLs) {
+        this.writeACLs = writeACLs;
+        this.readACLs = readACLs;
+        this.adminACLs = adminACLs;
+    }
+
+    public Set getAdminACLs(ActiveMQDestination destination) {
+        return adminACLs.get(destination);
+    }
+
+    public Set getReadACLs(ActiveMQDestination destination) {
+        return readACLs.get(destination);
+    }
+
+    public Set getWriteACLs(ActiveMQDestination destination) {
+        return writeACLs.get(destination);
+    }
+
+    public DestinationMap getAdminACLs() {
+        return adminACLs;
+    }
+
+    public void setAdminACLs(DestinationMap adminACLs) {
+        this.adminACLs = adminACLs;
+    }
+
+    public DestinationMap getReadACLs() {
+        return readACLs;
+    }
+
+    public void setReadACLs(DestinationMap readACLs) {
+        this.readACLs = readACLs;
+    }
+
+    public DestinationMap getWriteACLs() {
+        return writeACLs;
+    }
+
+    public void setWriteACLs(DestinationMap writeACLs) {
+        this.writeACLs = writeACLs;
+    }
+
+}
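Review bot: With the no-arg constructor and an unset property, `getAdminACLs(destination)` (and the read/write variants) dereference a null DestinationMap, so a partially configured map fails with NullPointerException on the first authorization check instead of denying cleanly or failing at configuration time. A guard such as `if (adminACLs == null) return Collections.EMPTY_SET;` in each lookup, or null checks in the constructor and setters, would make the unconfigured case an explicit deny (assuming `isInOneOf` rejects an empty set). Whatever `DestinationMap.get` returns for a destination with no matching entry is also passed straight through; if that can be null, AuthorizationBroker's `allowedACLs!=null &&` test allows the operation, so the result contract is worth confirming and stating in the method Javadoc.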

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
------------------------------------------------------------------------------
    svn:keywords = Date Author Id Revision HeadURL

Propchange: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Modified: incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/SimpleSecurityBrokerSystemTest.java
URL: http://svn.apache.org/viewcvs/incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/SimpleSecurityBrokerSystemTest.java?rev=377995&r1=377994&r2=377995&view=diff
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/SimpleSecurityBrokerSystemTest.java
(original)
+++ incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/SimpleSecurityBrokerSystemTest.java
Wed Feb 15 04:38:40 2006
@@ -34,7 +34,7 @@
 /**
  * Tests that the broker allows/fails access to destinations based on the
  * security policy installed on the broker.
- *
+ * 
  * @version $Revision$
  */
 public class SimpleSecurityBrokerSystemTest extends SecurityTestSupport {
@@ -46,50 +46,43 @@
     public BrokerPlugin authorizationPlugin;
     public BrokerPlugin authenticationPlugin;
 
+    public AuthorizationMap createAuthorizationMap() {
+        DestinationMap readAccess = new DestinationMap();
+        readAccess.put(new ActiveMQQueue(">"), admins);
+        readAccess.put(new ActiveMQQueue("USERS.>"), users);
+        readAccess.put(new ActiveMQQueue("GUEST.>"), guests);
+        readAccess.put(new ActiveMQTopic(">"), admins);
+        readAccess.put(new ActiveMQTopic("USERS.>"), users);
+        readAccess.put(new ActiveMQTopic("GUEST.>"), guests);
+
+        DestinationMap writeAccess = new DestinationMap();
+        writeAccess.put(new ActiveMQQueue(">"), admins);
+        writeAccess.put(new ActiveMQQueue("USERS.>"), users);
+        writeAccess.put(new ActiveMQQueue("GUEST.>"), users);
+        writeAccess.put(new ActiveMQQueue("GUEST.>"), guests);
+        writeAccess.put(new ActiveMQTopic(">"), admins);
+        writeAccess.put(new ActiveMQTopic("USERS.>"), users);
+        writeAccess.put(new ActiveMQTopic("GUEST.>"), users);
+        writeAccess.put(new ActiveMQTopic("GUEST.>"), guests);
+
+        readAccess.put(new ActiveMQTopic("ActiveMQ.Advisory.>"), guests);
+        readAccess.put(new ActiveMQTopic("ActiveMQ.Advisory.>"), users);
+        writeAccess.put(new ActiveMQTopic("ActiveMQ.Advisory.>"), guests);
+        writeAccess.put(new ActiveMQTopic("ActiveMQ.Advisory.>"), users);
+
+        DestinationMap adminAccess = new DestinationMap();
+        adminAccess.put(new ActiveMQTopic(">"), admins);
+        adminAccess.put(new ActiveMQTopic(">"), users);
+        adminAccess.put(new ActiveMQTopic(">"), guests);
+        adminAccess.put(new ActiveMQQueue(">"), admins);
+        adminAccess.put(new ActiveMQQueue(">"), users);
+        adminAccess.put(new ActiveMQQueue(">"), guests);
 
-    class SimpleAuthorizationFactory implements BrokerPlugin {
-        public  Broker installPlugin(Broker broker) {
-
-            DestinationMap readAccess = new DestinationMap();
-            readAccess.put(new ActiveMQQueue(">"), admins);
-            readAccess.put(new ActiveMQQueue("USERS.>"), users);
-            readAccess.put(new ActiveMQQueue("GUEST.>"), guests);
-            readAccess.put(new ActiveMQTopic(">"), admins);
-            readAccess.put(new ActiveMQTopic("USERS.>"), users);
-            readAccess.put(new ActiveMQTopic("GUEST.>"), guests);
-
-            DestinationMap writeAccess = new DestinationMap();
-            writeAccess.put(new ActiveMQQueue(">"), admins);
-            writeAccess.put(new ActiveMQQueue("USERS.>"), users);
-            writeAccess.put(new ActiveMQQueue("GUEST.>"), users);
-            writeAccess.put(new ActiveMQQueue("GUEST.>"), guests);
-            writeAccess.put(new ActiveMQTopic(">"), admins);
-            writeAccess.put(new ActiveMQTopic("USERS.>"), users);
-            writeAccess.put(new ActiveMQTopic("GUEST.>"), users);
-            writeAccess.put(new ActiveMQTopic("GUEST.>"), guests);
-
-            readAccess.put(new ActiveMQTopic("ActiveMQ.Advisory.>"), guests);
-            readAccess.put(new ActiveMQTopic("ActiveMQ.Advisory.>"), users);
-            writeAccess.put(new ActiveMQTopic("ActiveMQ.Advisory.>"), guests);
-            writeAccess.put(new ActiveMQTopic("ActiveMQ.Advisory.>"), users);
-
-            DestinationMap adminAccess = new DestinationMap();
-            adminAccess.put(new ActiveMQTopic(">"), admins);
-            adminAccess.put(new ActiveMQTopic(">"), users);
-            adminAccess.put(new ActiveMQTopic(">"), guests);
-            adminAccess.put(new ActiveMQQueue(">"), admins);
-            adminAccess.put(new ActiveMQQueue(">"), users);
-            adminAccess.put(new ActiveMQQueue(">"), guests);
-
-            return new SimpleAuthorizationBroker(broker, writeAccess, readAccess, adminAccess);
-        }
-        public String toString() {
-            return "SimpleAuthorizationBroker";
-        }
+        return new SimpleAuthorizationMap(writeAccess, readAccess, adminAccess);
     }
 
     class SimpleAuthenticationFactory implements BrokerPlugin {
-        public  Broker installPlugin(Broker broker) {
+        public Broker installPlugin(Broker broker) {
 
             HashMap u = new HashMap();
             u.put("system", "manager");
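Review bot: The admin ACLs built from L849 onward grant admin on `>` for both queues and topics to guests and users as well as admins, so every authenticated principal can create and remove any destination, and none of the visible `initCombosForTest…` cases exercises an admin denial, which leaves the admin path of the new AuthorizationPlugin untested by this suite. If the blanket grant is deliberate (for instance so consumers can auto-create destinations), say so in place: `// every group gets admin on ">" so destinations can be auto-created; admin denial is not covered by this test`; otherwise restrict it to `adminAccess.put(new ActiveMQQueue(">"), admins);` plus scoped `USERS.>`/`GUEST.>` entries and add an admin-fails combo. The map is then passed as `new SimpleAuthorizationMap(writeAccess, readAccess, adminAccess)` with three positional `DestinationMap` arguments, so a swapped read/write order would compile silently; a short comment naming the order, or the setters the class already exposes, would make that harder to get wrong. The enclosing `SimpleAuthenticationFactory.installPlugin` continues past the end of this hunk.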
@@ -97,12 +90,13 @@
             u.put("guest", "password");
 
             HashMap groups = new HashMap();
-            groups.put("system", new HashSet(Arrays.asList(new Object[]{admins, users})));
-            groups.put("user", new HashSet(Arrays.asList(new Object[]{users})));
-            groups.put("guest", new HashSet(Arrays.asList(new Object[]{guests})));
+            groups.put("system", new HashSet(Arrays.asList(new Object[] { admins, users })));
+            groups.put("user", new HashSet(Arrays.asList(new Object[] { users })));
+            groups.put("guest", new HashSet(Arrays.asList(new Object[] { guests })));
 
             return new SimpleAuthenticationBroker(broker, u, groups);
         }
+
         public String toString() {
             return "SimpleAuthenticationBroker";
         }
@@ -110,14 +104,14 @@
 
     static {
         String path = System.getProperty("java.security.auth.login.config");
-        if( path == null ) {
+        if (path == null) {
             URL resource = SimpleSecurityBrokerSystemTest.class.getClassLoader().getResource("login.config");
-            if( resource!=null ) {
+            if (resource != null) {
                 path = resource.getFile();
                 System.setProperty("java.security.auth.login.config", path);
             }
         }
-        System.out.println("Path to login config: "+path);
+        System.out.println("Path to login config: " + path);
     }
 
     public static Test suite() {
@@ -129,96 +123,71 @@
     }
 
     public void initCombos() {
-        addCombinationValues("authorizationPlugin", new Object[] {
-                new SimpleAuthorizationFactory(),
-        });
-        addCombinationValues("authenticationPlugin", new Object[] {
-                new SimpleAuthenticationFactory(),
-                new JassAuthenticationPlugin(),
-        });
+        addCombinationValues("authorizationPlugin", new Object[] { new AuthorizationPlugin(createAuthorizationMap()),
});
+        addCombinationValues("authenticationPlugin", new Object[] { new SimpleAuthenticationFactory(),
new JassAuthenticationPlugin(), });
     }
 
     protected BrokerService createBroker() throws Exception {
         BrokerService broker = new BrokerService();
-        broker.setPlugins(new BrokerPlugin[] {authorizationPlugin, authenticationPlugin});
+        broker.setPlugins(new BrokerPlugin[] { authorizationPlugin, authenticationPlugin
});
         broker.setPersistent(false);
         return broker;
     }
 
     public void initCombosForTestUserReceiveFails() {
-        addCombinationValues("userName", new Object[] {"user"});
-        addCombinationValues("password", new Object[] {"password"});
-        addCombinationValues("destination", new Object[] {
-                new ActiveMQQueue("TEST"),
-                new ActiveMQTopic("TEST"),
-                new ActiveMQQueue("GUEST.BAR"),
-                new ActiveMQTopic("GUEST.BAR"),
-        });
+        addCombinationValues("userName", new Object[] { "user" });
+        addCombinationValues("password", new Object[] { "password" });
+        addCombinationValues("destination", new Object[] { new ActiveMQQueue("TEST"), new
ActiveMQTopic("TEST"), new ActiveMQQueue("GUEST.BAR"),
+                new ActiveMQTopic("GUEST.BAR"), });
     }
+
     public void initCombosForTestInvalidAuthentication() {
-        addCombinationValues("userName", new Object[] {"user"});
-        addCombinationValues("password", new Object[] {"password"});
+        addCombinationValues("userName", new Object[] { "user" });
+        addCombinationValues("password", new Object[] { "password" });
     }
+
     public void initCombosForTestUserReceiveSucceeds() {
-        addCombinationValues("userName", new Object[] {"user"});
-        addCombinationValues("password", new Object[] {"password"});
-        addCombinationValues("destination", new Object[] {
-                new ActiveMQQueue("USERS.FOO"),
-                new ActiveMQTopic("USERS.FOO"),
-        });
+        addCombinationValues("userName", new Object[] { "user" });
+        addCombinationValues("password", new Object[] { "password" });
+        addCombinationValues("destination", new Object[] { new ActiveMQQueue("USERS.FOO"),
new ActiveMQTopic("USERS.FOO"), });
     }
+
     public void initCombosForTestGuestReceiveSucceeds() {
-        addCombinationValues("userName", new Object[] {"guest"});
-        addCombinationValues("password", new Object[] {"password"});
-        addCombinationValues("destination", new Object[] {
-                new ActiveMQQueue("GUEST.BAR"),
-                new ActiveMQTopic("GUEST.BAR"),
-        });
+        addCombinationValues("userName", new Object[] { "guest" });
+        addCombinationValues("password", new Object[] { "password" });
+        addCombinationValues("destination", new Object[] { new ActiveMQQueue("GUEST.BAR"),
new ActiveMQTopic("GUEST.BAR"), });
     }
+
     public void initCombosForTestGuestReceiveFails() {
-        addCombinationValues("userName", new Object[] {"guest"});
-        addCombinationValues("password", new Object[] {"password"});
-        addCombinationValues("destination", new Object[] {
-                new ActiveMQQueue("TEST"),
-                new ActiveMQTopic("TEST"),
-                new ActiveMQQueue("USERS.FOO"),
-                new ActiveMQTopic("USERS.FOO"),
-        });
+        addCombinationValues("userName", new Object[] { "guest" });
+        addCombinationValues("password", new Object[] { "password" });
+        addCombinationValues("destination", new Object[] { new ActiveMQQueue("TEST"), new
ActiveMQTopic("TEST"), new ActiveMQQueue("USERS.FOO"),
+                new ActiveMQTopic("USERS.FOO"), });
     }
+
     public void initCombosForTestUserSendSucceeds() {
-        addCombinationValues("userName", new Object[] {"user"});
-        addCombinationValues("password", new Object[] {"password"});
-        addCombinationValues("destination", new Object[] {
-                new ActiveMQQueue("USERS.FOO"),
-                new ActiveMQQueue("GUEST.BAR"),
-                new ActiveMQTopic("USERS.FOO"),
-                new ActiveMQTopic("GUEST.BAR"),
-        });
+        addCombinationValues("userName", new Object[] { "user" });
+        addCombinationValues("password", new Object[] { "password" });
+        addCombinationValues("destination", new Object[] { new ActiveMQQueue("USERS.FOO"),
new ActiveMQQueue("GUEST.BAR"), new ActiveMQTopic("USERS.FOO"),
+                new ActiveMQTopic("GUEST.BAR"), });
     }
+
     public void initCombosForTestUserSendFails() {
-        addCombinationValues("userName", new Object[] {"user"});
-        addCombinationValues("password", new Object[] {"password"});
-        addCombinationValues("destination", new Object[] {
-                new ActiveMQQueue("TEST"),
-                new ActiveMQTopic("TEST"),
-        });
+        addCombinationValues("userName", new Object[] { "user" });
+        addCombinationValues("password", new Object[] { "password" });
+        addCombinationValues("destination", new Object[] { new ActiveMQQueue("TEST"), new
ActiveMQTopic("TEST"), });
     }
+
     public void initCombosForTestGuestSendFails() {
-        addCombinationValues("userName", new Object[] {"guest"});
-        addCombinationValues("password", new Object[] {"password"});
-        addCombinationValues("destination", new Object[] {
-                new ActiveMQQueue("TEST"),
-                new ActiveMQTopic("TEST"),
-                new ActiveMQQueue("USERS.FOO"),
-                new ActiveMQTopic("USERS.FOO"),
-        });
+        addCombinationValues("userName", new Object[] { "guest" });
+        addCombinationValues("password", new Object[] { "password" });
+        addCombinationValues("destination", new Object[] { new ActiveMQQueue("TEST"), new
ActiveMQTopic("TEST"), new ActiveMQQueue("USERS.FOO"),
+                new ActiveMQTopic("USERS.FOO"), });
     }
+
     public void initCombosForTestGuestSendSucceeds() {
-        addCombinationValues("userName", new Object[] {"guest"});
-        addCombinationValues("password", new Object[] {"password"});
-        addCombinationValues("destination", new Object[] {
-                new ActiveMQQueue("GUEST.BAR"),
-                new ActiveMQTopic("GUEST.BAR"),
-        });
+        addCombinationValues("userName", new Object[] { "guest" });
+        addCombinationValues("password", new Object[] { "password" });
+        addCombinationValues("destination", new Object[] { new ActiveMQQueue("GUEST.BAR"),
new ActiveMQTopic("GUEST.BAR"), });
     }
 }
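Review bot: `createBroker` installs the plugins as `{ authorizationPlugin, authenticationPlugin }` without stating the ordering it depends on; the authorization broker presumably needs the security context the authentication broker attaches to the connection, so which plugin ends up outermost decides whether ACL checks see a populated context, and nothing visible here says whether `setPlugins` wraps in array order. Pin the expectation with a comment such as `// authentication must wrap authorization so the context is set before ACLs are checked`, and ideally add a combo that installs them in the reverse order so an order-dependence is caught rather than assumed. Separately, `initCombos` builds a single `AuthorizationPlugin` from `createAuthorizationMap()` that is shared across every authentication-plugin combination; that is fine as long as the map is never mutated after construction, but `SimpleAuthorizationMap` exposes `setReadACLs`/`setWriteACLs`/`setAdminACLs`, so a one-line note that the shared instance must stay read-only would help.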

Modified: incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml
URL: http://svn.apache.org/viewcvs/incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml?rev=377995&r1=377994&r2=377995&view=diff
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml
(original)
+++ incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml
Wed Feb 15 04:38:40 2006
@@ -24,6 +24,14 @@
     <plugins>
       <!--  use JAAS to authenticate using the login.config file on the classpath to configure
JAAS -->
       <jassAuthenticationPlugin configuration="activemq-domain"/>
+      
+      <!--  lets configure a simple authorization mechanism -->
+      <authorizationPlugin>
+        <authorizationEntries>
+          <authorizationEntry topic=">" read="" write="" admin=""/>
+          <authorizationEntry queue=">" read="" write="" admin=""/>
+        </authorizationEntries>
+      </authorizationPlugin>
     </plugins>
   </broker>
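Review bot: The two `authorizationEntry` elements added at L1106-L1107 set `read=""`, `write=""` and `admin=""`, and nothing visible defines what an empty group list means: it could be "deny everyone", "no restriction", or, if the attribute is split on commas, a single group with the empty name that might match a principal with an empty role. Because this fixture backs the JAAS broker test, that ambiguity decides whether the test proves anything about authorization at all. Either name real groups, e.g. `<authorizationEntry topic=">" read="admins" write="admins" admin="admins"/>`, or add an XML comment stating the intended semantics of an empty attribute and back it with a test that asserts that behaviour.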
 


