activemq-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From j...@apache.org
Subject svn commit: r479639 - in /incubator/activemq/trunk/activemq-core/src: main/java/org/apache/activemq/security/ test/java/org/apache/activemq/security/ test/resources/org/apache/activemq/security/
Date Mon, 27 Nov 2006 14:35:35 GMT
Author: jlim
Date: Mon Nov 27 06:35:34 2006
New Revision: 479639

URL: http://svn.apache.org/viewvc?view=rev&rev=479639
Log:
updates for http://issues.apache.org/activemq/browse/AMQ-795

Added:
    incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/TempDestinationAuthorizationEntry.java
Modified:
    incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
    incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
    incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
    incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java
    incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
    incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/AuthorizationMapTest.java
    incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/groups.properties
    incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml

Modified: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
URL: http://svn.apache.org/viewvc/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java?view=diff&rev=479639&r1=479638&r2=479639
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
(original)
+++ incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
Mon Nov 27 06:35:34 2006
@@ -56,14 +56,19 @@
         if( securityContext == null )
             throw new SecurityException("User is not authenticated.");
 
-        // You don't need to be an admin to create temp destinations.
-        if( !destination.isTemporary() 
-            || !((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue())
) {
-            
-            Set allowedACLs = authorizationMap.getAdminACLs(destination);
-            if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
-                throw new SecurityException("User "+securityContext.getUserName()+" is not
authorized to create: "+destination);
+
+        //if(!((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue())
) {
+        Set allowedACLs = null;
+        if(!destination.isTemporary()) {
+            allowedACLs = authorizationMap.getAdminACLs(destination);
+        } else {
+        	allowedACLs = authorizationMap.getTempDestinationAdminACLs();
         }
+     
+        if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
+            throw new SecurityException("User "+securityContext.getUserName()+" is not authorized
to create: "+destination);
+
+       // }
         
         return super.addDestination(context, destination);
     }
@@ -74,14 +79,15 @@
         if( securityContext == null )
             throw new SecurityException("User is not authenticated.");
 
-        // You don't need to be an admin to remove temp destinations.
-        if( !destination.isTemporary() 
-            || !((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue())
) {
-            
-            Set allowedACLs = authorizationMap.getAdminACLs(destination);
-            if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
-                throw new SecurityException("User "+securityContext.getUserName()+" is not
authorized to remove: "+destination);
+        Set allowedACLs = null;
+        if(!destination.isTemporary()) {
+            allowedACLs = authorizationMap.getAdminACLs(destination);
+        } else {
+        	allowedACLs = authorizationMap.getTempDestinationAdminACLs();
         }
+        
+    	if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
+            throw new SecurityException("User "+securityContext.getUserName()+" is not authorized
to remove: "+destination);
 
         super.removeDestination(context, destination, timeout);
     }
@@ -92,9 +98,16 @@
         if( subject == null )
             throw new SecurityException("User is not authenticated.");
         
-        Set allowedACLs = authorizationMap.getReadACLs(info.getDestination());
+        Set allowedACLs = null;
+        if(!info.getDestination().isTemporary()) {
+            allowedACLs = authorizationMap.getReadACLs(info.getDestination());
+        }else {
+        	allowedACLs = authorizationMap.getTempDestinationWriteACLs();
+        }
+
         if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
             throw new SecurityException("User "+subject.getUserName()+" is not authorized
to read from: "+info.getDestination());
+        
         subject.getAuthorizedReadDests().put(info.getDestination(), info.getDestination());
         
         /* 
@@ -133,9 +146,17 @@
             throw new SecurityException("User is not authenticated.");
         
         if( info.getDestination()!=null ) {
-            Set allowedACLs = authorizationMap.getWriteACLs(info.getDestination());
-            if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
+        	
+        	Set allowedACLs = null;
+        	if(!info.getDestination().isTemporary()) {
+        		allowedACLs = authorizationMap.getWriteACLs(info.getDestination());          
+        	}else {
+        	   	allowedACLs = authorizationMap.getTempDestinationWriteACLs();
+        	}
+            if(allowedACLs!=null && !subject.isInOneOf(allowedACLs)) 
                 throw new SecurityException("User "+subject.getUserName()+" is not authorized
to write to: "+info.getDestination());
+            
+            
             subject.getAuthorizedWriteDests().put(info.getDestination(), info.getDestination());
         }
         
@@ -146,11 +167,19 @@
         SecurityContext subject = (SecurityContext) context.getSecurityContext();
         if( subject == null )
             throw new SecurityException("User is not authenticated.");
-        
+
         if( !subject.getAuthorizedWriteDests().contains(messageSend.getDestination()) ) {
-            Set allowedACLs = authorizationMap.getWriteACLs(messageSend.getDestination());
           
-            if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
+        	
+        	Set allowedACLs = null;
+        	if(!messageSend.getDestination().isTemporary()) {
+                allowedACLs = authorizationMap.getWriteACLs(messageSend.getDestination());
           
+        	}else {
+        		allowedACLs = authorizationMap.getTempDestinationWriteACLs();
+        	}
+            
+        	if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
                 throw new SecurityException("User "+subject.getUserName()+" is not authorized
to write to: "+messageSend.getDestination());
+        	
             subject.getAuthorizedWriteDests().put(messageSend.getDestination(), messageSend.getDestination());
         }
 

Modified: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
URL: http://svn.apache.org/viewvc/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java?view=diff&rev=479639&r1=479638&r2=479639
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
(original)
+++ incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
Mon Nov 27 06:35:34 2006
@@ -28,6 +28,21 @@
 public interface AuthorizationMap {
 
     /**
+     * Returns the set of all ACLs capable of administering temp destination
+     */
+    Set getTempDestinationAdminACLs();
+	
+    /**
+     * Returns the set of all ACLs capable of reading from temp destination
+     */
+    Set getTempDestinationReadACLs();
+    
+    /**
+     * Returns the set of all ACLs capable of writing to temp destination
+     */
+    Set getTempDestinationWriteACLs();    
+    
+    /**
      * Returns the set of all ACLs capable of administering the given destination
      */
     Set getAdminACLs(ActiveMQDestination destination);

Modified: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
URL: http://svn.apache.org/viewvc/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java?view=diff&rev=479639&r1=479638&r2=479639
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
(original)
+++ incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
Mon Nov 27 06:35:34 2006
@@ -37,14 +37,46 @@
 public class DefaultAuthorizationMap extends DestinationMap implements AuthorizationMap {
 
     private AuthorizationEntry defaultEntry;
-
+    
+    private TempDestinationAuthorizationEntry tempDestinationAuthorizationEntry;
+    
     public DefaultAuthorizationMap() {
     }
 
     public DefaultAuthorizationMap(List authorizationEntries) {
         setAuthorizationEntries(authorizationEntries);
+       
     }
 
+  
+    public void setTempDestinationAuthorizationEntry(TempDestinationAuthorizationEntry tempDestinationAuthorizationEntry)
{
+        this.tempDestinationAuthorizationEntry = tempDestinationAuthorizationEntry;
+    }    
+    
+    public TempDestinationAuthorizationEntry getTempDestinationAuthorizationEntry() {
+        return this.tempDestinationAuthorizationEntry;
+    }    
+    
+    public Set getTempDestinationAdminACLs() {
+        if(tempDestinationAuthorizationEntry != null)    
+        	return tempDestinationAuthorizationEntry.getAdminACLs();
+        else
+        	return null;
+    }
+    
+    public Set getTempDestinationReadACLs() {
+    	if(tempDestinationAuthorizationEntry != null)  
+           	return tempDestinationAuthorizationEntry.getReadACLs();
+    	else
+    		return null;
+    }
+    
+    public Set getTempDestinationWriteACLs() {
+    	if(tempDestinationAuthorizationEntry != null)
+           	return tempDestinationAuthorizationEntry.getWriteACLs();
+    	else
+    		return null;
+    }    
     
     public Set getAdminACLs(ActiveMQDestination destination) {
         Set entries = getAllEntries(destination);

Modified: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java
URL: http://svn.apache.org/viewvc/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java?view=diff&rev=479639&r1=479638&r2=479639
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java
(original)
+++ incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java
Mon Nov 27 06:35:34 2006
@@ -137,6 +137,22 @@
         queueSearchSubtreeBool = new Boolean(queueSearchSubtree).booleanValue();
     }
 
+    public Set getTempDestinationAdminACLs() {
+        //TODO insert implementation
+    	
+        return null;
+    }    
+    
+    public Set getTempDestinationReadACLs() {
+    	//    	TODO insert implementation
+        return null;
+    }
+    
+    public Set getTempDestinationWriteACLs() {
+    	//    	TODO insert implementation
+        return null;
+    }      
+    
     public Set getAdminACLs(ActiveMQDestination destination) {
         return getACLs(destination, adminBase, adminAttribute);
     }

Modified: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
URL: http://svn.apache.org/viewvc/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java?view=diff&rev=479639&r1=479638&r2=479639
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
(original)
+++ incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
Mon Nov 27 06:35:34 2006
@@ -36,6 +36,8 @@
     private DestinationMap readACLs;
     private DestinationMap adminACLs;
 
+    private TempDestinationAuthorizationEntry tempDestinationAuthorizationEntry;
+    
     public SimpleAuthorizationMap() {
     }
 
@@ -45,6 +47,42 @@
         this.adminACLs = adminACLs;
     }
 
+    /*
+     * Need to think how to retrieve the ACLs for temporary destinations since they are not
map 
+     * to a specific destination. For now we'll just retrieve it from a TempDestinationAuthorizationEntry

+     * same way as the DefaultAuthorizationMap. The ACLs retrieved here will be map to all
temp destinations
+     */
+    
+    public void setTempDestinationAuthorizationEntry(TempDestinationAuthorizationEntry tempDestinationAuthorizationEntry)
{
+        this.tempDestinationAuthorizationEntry = tempDestinationAuthorizationEntry;
+    }    
+    
+    public TempDestinationAuthorizationEntry getTempDestinationAuthorizationEntry() {
+        return this.tempDestinationAuthorizationEntry;
+    }    
+
+    
+    public Set getTempDestinationAdminACLs() {
+        if(tempDestinationAuthorizationEntry != null)    
+        	return tempDestinationAuthorizationEntry.getAdminACLs();
+        else
+        	return null;
+    }
+    
+    public Set getTempDestinationReadACLs() {
+    	if(tempDestinationAuthorizationEntry != null)  
+           	return tempDestinationAuthorizationEntry.getReadACLs();
+    	else
+    		return null;
+    }
+    
+    public Set getTempDestinationWriteACLs() {
+    	if(tempDestinationAuthorizationEntry != null)
+           	return tempDestinationAuthorizationEntry.getWriteACLs();
+    	else
+    		return null;
+    }       
+        
     public Set getAdminACLs(ActiveMQDestination destination) {
         return adminACLs.get(destination);
     }

Added: incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/TempDestinationAuthorizationEntry.java
URL: http://svn.apache.org/viewvc/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/TempDestinationAuthorizationEntry.java?view=auto&rev=479639
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/TempDestinationAuthorizationEntry.java
(added)
+++ incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/TempDestinationAuthorizationEntry.java
Mon Nov 27 06:35:34 2006
@@ -0,0 +1,45 @@
+/**
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.activemq.filter.DestinationMapEntry;
+import org.apache.activemq.jaas.GroupPrincipal;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.StringTokenizer;
+
+/**
+ * Represents an entry in a {@link DefaultAuthorizationMap} for assigning
+ * different operations (read, write, admin) of user roles to
+ * a temporary destination
+ * 
+ * @org.apache.xbean.XBean
+ * 
+ * @version $Revision: 426366 $
+ */
+public class TempDestinationAuthorizationEntry extends AuthorizationEntry {
+
+  
+    public void afterPropertiesSet() throws Exception {
+       //we don't need to check if destination is specified since
+       //the TempDestinationAuthorizationEntry  should map to all temp destinations	
+    }    
+
+}

Modified: incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/AuthorizationMapTest.java
URL: http://svn.apache.org/viewvc/incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/AuthorizationMapTest.java?view=diff&rev=479639&r1=479638&r2=479639
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/AuthorizationMapTest.java
(original)
+++ incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/AuthorizationMapTest.java
Mon Nov 27 06:35:34 2006
@@ -18,10 +18,10 @@
 package org.apache.activemq.security;
 
 import org.apache.activemq.command.ActiveMQQueue;
+import org.apache.activemq.command.ActiveMQTempQueue;
 import org.apache.activemq.jaas.GroupPrincipal;
 
 import java.util.*;
-import java.util.Set;
 
 import junit.framework.TestCase;
 
@@ -33,6 +33,7 @@
     static final GroupPrincipal guests = new GroupPrincipal("guests");
     static final GroupPrincipal users = new GroupPrincipal("users");
     static final GroupPrincipal admins = new GroupPrincipal("admins");
+    static final GroupPrincipal tempDestinationAdmins = new GroupPrincipal("tempDestAdmins");
 
     public void testAuthorizationMap() {
         AuthorizationMap map = createAuthorizationMap();
@@ -41,8 +42,23 @@
         assertEquals("set size: " + readACLs, 2, readACLs.size());
         assertTrue("Contains users group", readACLs.contains(admins));
         assertTrue("Contains users group", readACLs.contains(users));
+        
     }
 
+    public void testAuthorizationMapWithTempDest() {
+        AuthorizationMap map = createAuthorizationMapWithTempDest();
+
+        Set readACLs = map.getReadACLs(new ActiveMQQueue("USERS.FOO.BAR"));
+        assertEquals("set size: " + readACLs, 2, readACLs.size());
+        assertTrue("Contains users group", readACLs.contains(admins));
+        assertTrue("Contains users group", readACLs.contains(users));
+        
+        Set tempAdminACLs = map.getTempDestinationAdminACLs();
+        assertEquals("set size: " + tempAdminACLs, 1, tempAdminACLs.size());
+        assertTrue("Contains users group", tempAdminACLs.contains(tempDestinationAdmins));
+              
+    }    
+    
     protected AuthorizationMap createAuthorizationMap() {
         DefaultAuthorizationMap answer = new DefaultAuthorizationMap();
 
@@ -62,5 +78,31 @@
 
         return answer;
     }
+    
+    protected AuthorizationMap createAuthorizationMapWithTempDest() {
+        DefaultAuthorizationMap answer = new DefaultAuthorizationMap();
+
+        List entries = new ArrayList();
+
+        AuthorizationEntry entry = new AuthorizationEntry();
+        entry.setQueue(">");
+        entry.setRead("admins");
+        entries.add(entry);
+
+        entry = new AuthorizationEntry();
+        entry.setQueue("USERS.>");
+        entry.setRead("users");
+        entries.add(entry);
+
+        answer.setAuthorizationEntries(entries);
+        
+        //create entry for temporary queue
+        TempDestinationAuthorizationEntry tEntry = new TempDestinationAuthorizationEntry();
+        tEntry.setAdmin("tempDestAdmins");
+        
+        answer.setTempDestinationAuthorizationEntry(tEntry);
+
+        return answer;
+    }    
 
 }

Modified: incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/groups.properties
URL: http://svn.apache.org/viewvc/incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/groups.properties?view=diff&rev=479639&r1=479638&r2=479639
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/groups.properties
(original)
+++ incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/groups.properties
Mon Nov 27 06:35:34 2006
@@ -16,5 +16,6 @@
 ## ---------------------------------------------------------------------------
 
 admins=system
+tempDestinationAdmins=system,user
 users=system,user
 guests=guest

Modified: incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml
URL: http://svn.apache.org/viewvc/incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml?view=diff&rev=479639&r1=479638&r2=479639
==============================================================================
--- incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml
(original)
+++ incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml
Mon Nov 27 06:35:34 2006
@@ -42,6 +42,11 @@
               
               <authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users"
admin="guests,users"/>
             </authorizationEntries>
+            
+            <!-- let's assign roles to temporary destinations. comment this entry if we
don't want any roles assigned to temp destinations  -->
+            <tempDestinationAuthorizationEntry>  
+              <tempDestinationAuthorizationEntry read="tempDestinationAdmins" write="tempDestinationAdmins"
admin="tempDestinationAdmins"/>
+           </tempDestinationAuthorizationEntry>               
           </authorizationMap>
         </map>
       </authorizationPlugin>



Mime
View raw message