From chir...@apache.org
Subject svn commit: r1050485 - in /activemq/activemq-apollo/trunk: apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/ apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/ apollo-cli/src/main/scala/org/apache/activemq...
Date Fri, 17 Dec 2010 20:13:07 GMT
Author: chirino
Date: Fri Dec 17 20:13:06 2010
New Revision: 1050485

URL: http://svn.apache.org/viewvc?rev=1050485&view=rev
Log:
Better acl management and more doco.

Added:
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorAclDTO.java
      - copied, changed from r1050421, activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java
Modified:
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
    activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo-ssl.xml
    activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo.xml
    activemq/activemq-apollo/trunk/apollo-cli/src/main/scala/org/apache/activemq/apollo/cli/commands/Run.scala
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerAclDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/DestinationAclDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueAclDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml
    activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala
    activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml
    activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
    activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala
Fri Dec 17 20:13:06 2010
@@ -16,10 +16,10 @@
  */
 package org.apache.activemq.apollo.broker.security
 
-import org.apache.activemq.apollo.broker.{Destination, VirtualHost, Broker}
 import scala.util.continuations._
 import org.apache.activemq.apollo.util.path.Path
 import org.apache.activemq.apollo.dto._
+import org.apache.activemq.apollo.broker.{Connector, Destination, VirtualHost, Broker}
 
 /**
  * <p>
@@ -32,33 +32,33 @@ import org.apache.activemq.apollo.dto._
 class AclAuthorizer(val default_kinds:List[String]) extends Authorizer {
   import collection.JavaConversions._
 
-  var allow_deafult = true
-
-  def is_in(ctx: SecurityContext, allowed:java.util.Set[PrincipalDTO]):Boolean = {
-    ctx.intersects(allowed.toSet, default_kinds)
+  def is_in(ctx: SecurityContext, allowed:java.util.List[PrincipalDTO]):Boolean = {
+    ctx.is_allowed(allowed.toList, default_kinds)
   }
 
   def can_admin(ctx: SecurityContext, broker: Broker) = {
     if( broker.config.acl!=null ) {
       is_in(ctx, broker.config.acl.admins)
     } else {
-      allow_deafult
+      true
     }
   }
 
-  def can_connect_to(ctx: SecurityContext, host: VirtualHost) = {
-    if( host.config.acl!=null ) {
-      is_in(ctx, host.config.acl.connects)
-    } else {
-      allow_deafult
+  def can_connect_to(ctx: SecurityContext, host: VirtualHost, connector:Connector):Boolean
= {
+    if( host.config.acl!=null && !is_in(ctx, host.config.acl.connects) ) {
+      return false
+    }
+    if( connector.config.acl!=null && !is_in(ctx, connector.config.acl.connects)
) {
+      return false
     }
+    true
   }
 
-  private def can_dest(ctx: SecurityContext, host: VirtualHost, dest: DestinationDTO)(func:
DestinationAclDTO=>java.util.Set[PrincipalDTO]) = {
+  private def can_dest(ctx: SecurityContext, host: VirtualHost, dest: DestinationDTO)(func:
DestinationAclDTO=>java.util.List[PrincipalDTO]) = {
     if( dest.acl!=null ) {
       is_in(ctx, func(dest.acl))
     } else {
-      allow_deafult
+      true
     }
   }
 
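Review bot: `can_connect_to` is written as two guard clauses with explicit `return`, which this codebase otherwise avoids in the authorizer; the same decision reads as one expression, `(host.config.acl == null || is_in(ctx, host.config.acl.connects)) && (connector.config.acl == null || is_in(ctx, connector.config.acl.connects))`. Dropping the `allow_deafult` var also hard-codes the fail-open default in `can_admin`, `can_connect_to` and `can_dest` (and `can_queue` in the next hunk): a resource with no `acl` element is open to every authenticated principal. That matches the comment in the shipped `apollo.xml`, but it deserves a sentence in the class scaladoc so an operator reading the authorizer sees it, e.g. `A resource without an acl element is not restricted; every authenticated principal is allowed.`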
@@ -75,11 +75,11 @@ class AclAuthorizer(val default_kinds:Li
     can_dest(ctx, host, dest)(_.creates)
   }
 
-  private def can_queue(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO)(func: QueueAclDTO=>java.util.Set[PrincipalDTO])
= {
+  private def can_queue(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO)(func: QueueAclDTO=>java.util.List[PrincipalDTO])
= {
     if( queue.acl!=null ) {
       is_in(ctx, func(queue.acl))
     } else {
-      allow_deafult
+      true
     }
   }
 

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala
Fri Dec 17 20:13:06 2010
@@ -16,7 +16,7 @@
  */
 package org.apache.activemq.apollo.broker.security
 import scala.util.continuations._
-import org.apache.activemq.apollo.broker.{VirtualHost, Broker, Destination}
+import org.apache.activemq.apollo.broker._
 import org.apache.activemq.apollo.util.path.Path
 import org.apache.activemq.apollo.dto.{DestinationDTO, QueueDTO, BindingDTO}
 
@@ -36,7 +36,7 @@ trait Authorizer {
   /**
    * @returns true if the user is allowed to connect to the virtual host
    */
-  def can_connect_to(ctx:SecurityContext, host:VirtualHost):Boolean
+  def can_connect_to(ctx:SecurityContext, host:VirtualHost, connector:Connector):Boolean
 
   /**
    * @returns true if the user is allowed to send to the destination
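Review bot: The scaladoc above `can_connect_to` still reads `true if the user is allowed to connect to the virtual host`, but the new signature takes a `Connector` and the `AclAuthorizer` implementation in this commit requires both the host acl and the connector acl to allow the principal. Update it to `@return true if the user is allowed to connect to the virtual host through the given connector; both the host's and the connector's acl must permit it`. `@returns` is not a scaladoc tag; the tag is `@return`, which also affects the comment on the next method.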

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
Fri Dec 17 20:13:06 2010
@@ -39,7 +39,7 @@ class SecurityContext {
 
   var login_context:LoginContext = _
 
-  private val principles = new HashSet[PrincipalDTO]()
+  private var principles = Set[PrincipalDTO]()
 
   private var _subject:Subject = _
 
@@ -47,27 +47,51 @@ class SecurityContext {
 
   def subject_= (value:Subject) {
     _subject = value
-    principles.clear
+    principles = Set[PrincipalDTO]()
     if( value!=null ) {
       import collection.JavaConversions._
       value.getPrincipals.foreach { x=>
-        principles.add(new PrincipalDTO(x.getName, x.getClass.getName))
+        principles += new PrincipalDTO(x.getName, x.getClass.getName)
       }
     }
   }
 
-  def intersects(values:Set[PrincipalDTO], default_kinds:List[String]):Boolean = {
-    val (v1, v2) = values.partition(_.kind == null)
-    if( !principles.intersect(v2).isEmpty ) {
-      return true
+  def is_allowed(acl:List[PrincipalDTO], default_kinds:List[String]):Boolean = {
+
+    def matches(p:PrincipalDTO):Boolean = {
+      if( p.kind==null ) {
+        default_kinds.foreach { kind=>
+          if( principles.contains(new PrincipalDTO(p.allow, kind)) ) {
+            return true;
+          }
+        }
+        return false;
+      } else {
+        return principles.contains(p)
+      }
     }
-    default_kinds.foreach { x=>
-      val kinda_added = v1.map(y=> new PrincipalDTO(y.name, x))
-      if( ! principles.intersect(kinda_added).isEmpty ) {
-        return true
+
+    acl.foreach { p =>
+      p.deny match {
+        case null =>
+        case "*"=>
+          return false;
+        case id =>
+          if( matches(new PrincipalDTO(id, p.kind)) ) {
+            return false;
+          }
+      }
+      p.allow match {
+        case null =>
+        case "*"=>
+          return true;
+        case id =>
+          if( matches(new PrincipalDTO(id, p.kind)) ) {
+            return true
+          }
       }
     }
-    false
+    return false
   }
 
 
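Review bot: `is_allowed` returns on the first entry whose `allow` matches, so a later `deny` entry for the same principal is never reached: with the acl shown in this commit's user-manual hunk, `<send allow="*"/>` followed by `<send deny="guest"/>`, `guest` is granted send because the `allow="*"` entry returns `true` before the deny is evaluated. Either every `deny` in the list should be checked before any `allow` is honoured, or the manual has to say that deny entries must precede allow entries; the former is the safer contract and is what the excerpt below does. The `return` statements inside the `default_kinds.foreach` and `acl.foreach` lambdas are non-local returns implemented by throwing `NonLocalReturnControl`; `exists` expresses the same search without them, and the `;` after `return true` and `return false` is unnecessary.
```scala
  def is_allowed(acl:List[PrincipalDTO], default_kinds:List[String]):Boolean = {

    // An entry without a kind matches the principal under any of the default kinds.
    def matches(p:PrincipalDTO):Boolean = {
      if( p.kind==null ) {
        default_kinds.exists( kind => principles.contains(new PrincipalDTO(p.allow, kind)) )
      } else {
        principles.contains(p)
      }
    }

    // null: attribute not set; "*": every principal; otherwise a principal name.
    def hits(id:String, kind:String):Boolean = id match {
      case null => false
      case "*"  => true
      case _    => matches(new PrincipalDTO(id, kind))
    }

    // Deny entries win regardless of where they appear in the list.
    val denied = acl.exists( p => hits(p.deny, p.kind) )
    !denied && acl.exists( p => hits(p.allow, p.kind) )
  }
```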

Modified: activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo-ssl.xml
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo-ssl.xml?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo-ssl.xml
(original)
+++ activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo-ssl.xml
Fri Dec 17 20:13:06 2010
@@ -22,7 +22,7 @@
   <!-- used to secure the web admin interface -->
   <authentication domain="apollo"/>
   <acl>
-    <admin name="admins"/>
+    <admin allow="admins"/>
   </acl>
 
   <web-admin host="127.0.0.1" port="8080"/>
@@ -45,23 +45,23 @@
       an object, then access is not restricted at all.
       -->
     <acl>
-      <connect name="admins"/>
+      <connect allow="admins"/>
     </acl>
     <destination name="secure.**">
       <acl>
-        <create  name="admins"/>
-        <destroy name="admins"/>
-        <send    name="admins"/>
-        <receive name="admins"/>
+        <create  allow="admins"/>
+        <destroy allow="admins"/>
+        <send    allow="admins"/>
+        <receive allow="admins"/>
       </acl>
     </destination>
     <queue name="secure.**">
       <acl>
-        <create  name="admins"/>
-        <destroy name="admins"/>
-        <send    name="admins"/>
-        <receive name="admins"/> <!-- queue browsers -->
-        <consume name="admins"/> <!-- regular consumers -->
+        <create  allow="admins"/>
+        <destroy allow="admins"/>
+        <send    allow="admins"/>
+        <receive allow="admins"/> <!-- queue browsers -->
+        <consume allow="admins"/> <!-- regular consumers -->
       </acl>
     </queue>
 

Modified: activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo.xml
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo.xml?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo.xml
(original)
+++ activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/apollo.xml
Fri Dec 17 20:13:06 2010
@@ -23,7 +23,7 @@
   <!-- used to secure the web admin interface -->
   <authentication domain="apollo"/>
   <acl>
-    <admin name="admins"/>
+    <admin allow="admins"/>
   </acl>
 
   <web-admin host="127.0.0.1" port="8080"/>
@@ -47,23 +47,23 @@
       an object, then access is not restricted at all.
       -->
     <acl>
-      <connect name="admins"/>
+      <connect allow="admins"/>
     </acl>
     <destination name="secure.**">
       <acl>
-        <create  name="admins"/>
-        <destroy name="admins"/>
-        <send    name="admins"/>
-        <receive name="admins"/>
+        <create  allow="admins"/>
+        <destroy allow="admins"/>
+        <send    allow="admins"/>
+        <receive allow="admins"/>
       </acl>
     </destination>
     <queue name="secure.**">
       <acl>
-        <create  name="admins"/>
-        <destroy name="admins"/>
-        <send    name="admins"/>
-        <receive name="admins"/> <!-- queue browsers -->
-        <consume name="admins"/> <!-- regular consumers -->
+        <create  allow="admins"/>
+        <destroy allow="admins"/>
+        <send    allow="admins"/>
+        <receive allow="admins"/> <!-- queue browsers -->
+        <consume allow="admins"/> <!-- regular consumers -->
       </acl>
     </queue>
 

Modified: activemq/activemq-apollo/trunk/apollo-cli/src/main/scala/org/apache/activemq/apollo/cli/commands/Run.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-cli/src/main/scala/org/apache/activemq/apollo/cli/commands/Run.scala?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-cli/src/main/scala/org/apache/activemq/apollo/cli/commands/Run.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-cli/src/main/scala/org/apache/activemq/apollo/cli/commands/Run.scala
Fri Dec 17 20:13:06 2010
@@ -153,7 +153,7 @@ class Run extends Action with Logging {
             val c = new org.eclipse.jetty.http.security.Constraint()
             c.setName("BASIC")
             val admins:Set[PrincipalDTO] = config.acl.admins.toSet
-            c.setRoles(admins.map(_.name).toArray)
+            c.setRoles(admins.map(_.allow).toArray)
             c.setAuthenticate(true)
             cm.setConstraint(c)
             cm.setPathSpec("/*")
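Review bot: `admins.map(_.allow)` ignores the new `deny` attribute and yields `null` for an `<admin deny="..."/>` entry, so a deny-only entry reaches Jetty's `setRoles` as a null role and the deny itself is not enforced on the web admin interface. Drop the null entries with `c.setRoles(admins.flatMap(a => Option(a.allow)).toArray)` and add a comment that only `allow` entries are applied to the web admin constraint, so the gap with `AclAuthorizer` is visible. The enclosing method starts and ends outside the hunk.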

Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerAclDTO.java
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerAclDTO.java?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerAclDTO.java
(original)
+++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerAclDTO.java
Fri Dec 17 20:13:06 2010
@@ -31,6 +31,7 @@ import java.util.*;
 public class BrokerAclDTO {
 
     @XmlElement(name="admin")
-    public Set<PrincipalDTO> admins = new HashSet<PrincipalDTO>();
+    public List<PrincipalDTO> admins = new ArrayList<PrincipalDTO>();
+
 
 }

Copied: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorAclDTO.java
(from r1050421, activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java)
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorAclDTO.java?p2=activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorAclDTO.java&p1=activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java&r1=1050421&r2=1050485&rev=1050485&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java
(original)
+++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorAclDTO.java
Fri Dec 17 20:13:06 2010
@@ -19,8 +19,10 @@ package org.apache.activemq.apollo.dto;
 import javax.xml.bind.annotation.XmlAccessType;
 import javax.xml.bind.annotation.XmlAccessorType;
 import javax.xml.bind.annotation.XmlElement;
-import javax.xml.bind.annotation.XmlRootElement;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
 
 /**
  * <p>
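Review bot: The rewritten import block brings in `java.util.HashSet` and `java.util.Set`, but the class body in the next hunk only uses `List` and `ArrayList`; drop the two unused imports. Since this file was copied from `VirtualHostAclDTO.java`, the class javadoc that starts at the end of this hunk may still describe the virtual-host acl rather than the connector acl; that text is outside the visible lines, so worth checking.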
@@ -29,9 +31,9 @@ import java.util.*;
  * @author <a href="http://hiramchirino.com">Hiram Chirino</a>
  */
 @XmlAccessorType(XmlAccessType.FIELD)
-public class VirtualHostAclDTO {
+public class ConnectorAclDTO {
 
     @XmlElement(name="connect")
-    public Set<PrincipalDTO> connects = new HashSet<PrincipalDTO>();
+    public List<PrincipalDTO> connects = new ArrayList<PrincipalDTO>();
 
 }

Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorDTO.java
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorDTO.java?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorDTO.java
(original)
+++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorDTO.java
Fri Dec 17 20:13:06 2010
@@ -57,5 +57,7 @@ public class ConnectorDTO extends Servic
     @XmlElementRef
     public List<ProtocolDTO> protocols = new ArrayList<ProtocolDTO>();
 
-    
+    @XmlElement(name="acl")
+    public ConnectorAclDTO acl;
+
 }
\ No newline at end of file
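Review bot: The new `acl` field has no javadoc, and its absence is significant: `AclAuthorizer.can_connect_to` in this commit skips the connector check entirely when `connector.config.acl` is `null`, so omitting the element means connects through this connector are restricted only by the virtual-host acl. Add `/** Optional acl for connections accepted on this connector; when omitted the connector imposes no restriction of its own. */` above the `@XmlElement`. `ConnectorDTO` begins outside the hunk.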

Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/DestinationAclDTO.java
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/DestinationAclDTO.java?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/DestinationAclDTO.java
(original)
+++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/DestinationAclDTO.java
Fri Dec 17 20:13:06 2010
@@ -31,15 +31,15 @@ import java.util.*;
 public class DestinationAclDTO {
 
     @XmlElement(name="create")
-    public Set<PrincipalDTO> creates = new HashSet<PrincipalDTO>();
+    public List<PrincipalDTO> creates = new ArrayList<PrincipalDTO>();
 
     @XmlElement(name="destroy")
-    public Set<PrincipalDTO> destroys = new HashSet<PrincipalDTO>();
+    public List<PrincipalDTO> destroys = new ArrayList<PrincipalDTO>();
 
     @XmlElement(name="send")
-    public Set<PrincipalDTO> sends = new HashSet<PrincipalDTO>();
+    public List<PrincipalDTO> sends = new ArrayList<PrincipalDTO>();
 
     @XmlElement(name="receive")
-    public Set<PrincipalDTO> receives = new HashSet<PrincipalDTO>();
+    public List<PrincipalDTO> receives = new ArrayList<PrincipalDTO>();
 
 }

Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java
(original)
+++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java
Fri Dec 17 20:13:06 2010
@@ -27,8 +27,11 @@ import javax.xml.bind.annotation.*;
 @XmlAccessorType(XmlAccessType.FIELD)
 public class PrincipalDTO {
 
-    @XmlAttribute(required = true)
-    public String name;
+    @XmlAttribute
+    public String allow;
+
+    @XmlAttribute
+    public String deny;
 
     @XmlAttribute
     public String kind;
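Review bot: Both `allow` and `deny` are now optional (the `required = true` that was on the old `name` attribute is gone), so an acl entry with neither attribute is accepted by JAXB and silently ignored by `SecurityContext.is_allowed`, while an entry carrying both is evaluated as a deny and then an allow. Document the intended shape on the fields, e.g. `/** Principal granted access; exactly one of allow or deny should be set. */` and `/** Principal refused access; exactly one of allow or deny should be set. */`, or reject the neither/both cases when the configuration is loaded so a misspelt attribute does not become a no-op entry.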
@@ -37,12 +40,12 @@ public class PrincipalDTO {
     public PrincipalDTO() {
     }
 
-    public PrincipalDTO(String name) {
-        this.name = name;
+    public PrincipalDTO(String allow) {
+        this.allow = allow;
     }
 
-    public PrincipalDTO(String name, String kind) {
-        this.name = name;
+    public PrincipalDTO(String allow, String kind) {
+        this.allow = allow;
         this.kind = kind;
     }
 
@@ -53,18 +56,18 @@ public class PrincipalDTO {
 
         PrincipalDTO that = (PrincipalDTO) o;
 
+        if (allow != null ? !allow.equals(that.allow) : that.allow != null) return false;
+        if (deny != null ? !deny.equals(that.deny) : that.deny != null) return false;
         if (kind != null ? !kind.equals(that.kind) : that.kind != null) return false;
-        if (name != null ? !name.equals(that.name) : that.name != null) return false;
 
         return true;
     }
 
     @Override
     public int hashCode() {
-        int result = name != null ? name.hashCode() : 0;
+        int result = allow != null ? allow.hashCode() : 0;
+        result = 31 * result + (deny != null ? deny.hashCode() : 0);
         result = 31 * result + (kind != null ? kind.hashCode() : 0);
         return result;
     }
-
-
 }

Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueAclDTO.java
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueAclDTO.java?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueAclDTO.java
(original)
+++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueAclDTO.java
Fri Dec 17 20:13:06 2010
@@ -32,7 +32,6 @@ import java.util.*;
 public class QueueAclDTO extends DestinationAclDTO {
 
     @XmlElement(name="consume")
-    public Set<PrincipalDTO> consumes = new HashSet<PrincipalDTO>();
-
+    public List<PrincipalDTO> consumes = new ArrayList<PrincipalDTO>();
 
 }

Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java
(original)
+++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java
Fri Dec 17 20:13:06 2010
@@ -32,6 +32,6 @@ import java.util.*;
 public class VirtualHostAclDTO {
 
     @XmlElement(name="connect")
-    public Set<PrincipalDTO> connects = new HashSet<PrincipalDTO>();
+    public List<PrincipalDTO> connects = new ArrayList<PrincipalDTO>();
 
 }

Modified: activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml
(original)
+++ activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml
Fri Dec 17 20:13:06 2010
@@ -18,9 +18,9 @@
 <broker basedir="./activemq-data/default" rev="0" enabled="true" id="default" xmlns="http://activemq.apache.org/schema/activemq/apollo">
 
   <acl>
-    <admin name="hiram"/>
-    <admin name="james"/>
-    <admin name="admins" kind="org.apache.activemq.jaas.GroupPrincipal"/>
+    <admin allow="hiram"/>
+    <admin allow="james"/>
+    <admin allow="admins" kind="org.apache.activemq.jaas.GroupPrincipal"/>
   </acl>
 
   <virtual-host enabled="true" id="vh-local">

Modified: activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala
Fri Dec 17 20:13:06 2010
@@ -593,7 +593,7 @@ class StompProtocolHandler extends Proto
           if( !host.authenticator.authenticate(security_context) ) {
             async_die("Authentication failed.")
             noop // to make the cps compiler plugin happy.
-          } else if( !host.authorizer.can_connect_to(security_context, host) ) {
+          } else if( !host.authorizer.can_connect_to(security_context, host, connection.connector)
) {
             async_die("Connect not authorized.")
             noop // to make the cps compiler plugin happy.
           } else {

Modified: activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml
(original)
+++ activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml
Fri Dec 17 20:13:06 2010
@@ -23,36 +23,36 @@
     <host-name>localhost</host-name>
 
     <acl>
-      <connect name="connect_group"/>
+      <connect allow="connect_group"/>
     </acl>
 
     <!-- queue security -->
     <queue name="**" kind="ptp">
       <acl>
-        <create  name="can_send_create_queue"/>
-        <send    name="can_send_create_queue"/>
-        <send    name="can_send_queue"/>
-        <receive name="can_receive_queue"/>
-        <consume name="can_consume_queue"/>
+        <create  allow="can_send_create_queue"/>
+        <send    allow="can_send_create_queue"/>
+        <send    allow="can_send_queue"/>
+        <receive allow="can_receive_queue"/>
+        <consume allow="can_consume_queue"/>
       </acl>
     </queue>
 
     <!-- topic security -->
     <destination name="**">
       <acl>
-        <create  name="can_send_create_topic"/>
-        <send    name="can_send_create_topic"/>
-        <send    name="can_send_topic"/>
-        <receive name="can_recieve_topic"/>
+        <create  allow="can_send_create_topic"/>
+        <send    allow="can_send_create_topic"/>
+        <send    allow="can_send_topic"/>
+        <receive allow="can_recieve_topic"/>
       </acl>
     </destination>
 
     <!-- durable sub security -->
     <queue name="**" kind="ds">
       <acl>
-        <create  name="can_consume_create_ds"/>
-        <consume name="can_consume_create_ds"/>
-        <consume name="can_consume_ds"/>
+        <create  allow="can_consume_create_ds"/>
+        <consume allow="can_consume_create_ds"/>
+        <consume allow="can_consume_ds"/>
       </acl>
     </queue>
   </virtual-host>

Modified: activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
Fri Dec 17 20:13:06 2010
@@ -774,6 +774,16 @@ class StompSecurityTest extends StompTes
     super.beforeAll
   }
 
+  test("Connect with valid id password but can't connect") {
+
+    val frame = connect_request("1.1", client,
+      "login:can_not_connect\n" +
+      "passcode:can_not_connect\n")
+    frame should startWith("ERROR\n")
+    frame should include("message:Connect not authorized.\n")
+
+  }
+
   test("Connect with no id password") {
     val frame = connect_request("1.1", client)
     frame should startWith("ERROR\n")
@@ -789,16 +799,6 @@ class StompSecurityTest extends StompTes
 
   }
 
-  test("Connect with valid id password but can't connect") {
-
-    val frame = connect_request("1.1", client,
-      "login:can_not_connect\n" +
-      "passcode:can_not_connect\n")
-    frame should startWith("ERROR\n")
-    frame should include("message:Connect not authorized.\n")
-
-  }
-
   test("Connect with valid id password that can connect") {
     connect("1.1", client,
       "login:can_only_connect\n" +

Modified: activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md?rev=1050485&r1=1050484&r2=1050485&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md (original)
+++ activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md Fri Dec
17 20:13:06 2010
@@ -168,9 +168,7 @@ destination being created. The attribute
 A `destination` element may be configured with the following attributes:
 
 * `unified` : If set to true, then routing then there is no difference
-  between sending to a queue or topic of the same name. The first time a
-  queue subscriptions is created, it will act like if a durable subscription
-  was created on the topic.
+  between sending to a queue or topic of the same name.
 
 * `slow_consumer_policy` : Valid values are `block` and `queue`. Defaults to
   `block`. This setting defines how topic subscriptions are handled which
@@ -221,6 +219,19 @@ memory.
   from the store at a time. Note that Flushed entires are just reference
   pointers to the actual messages. When not loaded, the batch is referenced
   as sequence range to conserve memory.
+  
+##### Unified Destinations
+
+Unified destinations can be used so that you can mix queue and topic 
+behavior on one logical destination.  For example, lets assumed `foo` 
+is configured as a unified destination and you have 2 subscribers
+on queue `foo` and 2 subscribers on topic `foo`, then when you publish to
+queue `foo` or topic `foo`, the 2 queue subscribers will load balance
+their messages and the 2 topic subscribers will each get a copy of the message.
+
+It is important to note that the unified subscription will not start 
+retaining it's messages in a queue until a queue subscriber subscribes from
+it.
 
 ##### Message Stores
 
@@ -384,7 +395,7 @@ The `wine.com` host will use the externa
 host will use the internal domain and the `test` host will not authenticate
 users.
 
-##### Changing the Login Modules
+##### Using Custom Login Modules
 
 ${project_name} uses JAAS to control against which systems users
 authenticate. The default ${project_name} configurations use file based
@@ -426,67 +437,98 @@ Example of customizing the principal kin
 
 #### Authorization
 
-User authorization to broker resources is accomplished by configuring access 
-control lists (ACLs) to the `broker`, `virtual-host`, `destination`, and 
-`queue` elements.  The ACL define which principals are allowed to perform
-actions against the resources.
-
-Bellow you will find an example which:
-
-* only allows `admins` to use the broker's management interface.
-* only `app1` and `app2` users are allowed to connect to the host.
-* All users are allowed to create and send messages to the app1.* 
-  queues and destination, but only admins can destroy them and
-  only app1 users can subscribe to them.
+User authorization to broker resources is accomplished by configuring an
+access control list using an `acl` element on the `broker`, `connector`,
+`virtual-host`, `destination`, or `queue` resources. The acl defines which
+principals are allowed or denied access to perform actions against the
+resources.  An example of `acl` is shown below:
 
 {pygmentize:: xml}
-<broker ...>
-  ...
-  <acl>
-    <admin name="admins"/>
-  </acl>
+<acl>
+  <send allow="*"/>
+  <send deny="guest"/>
+  <receive allow="app1"/>
+</acl>
+{pygmentize}
 
-  <virtual-host id="default">
-    ...
-    <acl>
-      <connect name="app1"/>
-      <connect name="app2"/>
-    </acl>
-    
-    <destination path="app1.**">
-      <acl>
-        <create  name="all"/>
-        <destroy name="admins"/>
-        <send    name="all"/>
-        <receive name="app1"/>
-      </acl>
-    </destination>
-    
-    <queue path="app1.**">
-      <acl>
-        <create  name="all"/>
-        <destroy name="admins"/>
-        <send    name="all"/>
-        <receive name="app1"/> 
-        <consume name="app1"/>
-      </acl>
-    </queue>
-    ...
-  </virtual-host>
-  ...
-</broker>
+If a configuration resource does not have an `acl` element defined within
+it, then the resource allows anyone to access all it's actions. The `acl`
+is made up of a list of authorization rule entries. Each entry defines
+that action the rule applies to and if the rule is allowing or denying
+access to a user principal. The special `*` value matches all users.
+
+Users can have many principals of many different kinds associated with
+them. The rules will only match up against principals of type
+`org.apache.activemq.jaas.GroupPrincipal` since that is the default
+setting of the `acl-principal-kind` of the `authentication` domain.
+
+If you want the rule to match against more/different kinds of principals,
+you should update the `authentication` element's configuration or you
+explicitly state the kind you want to match against in your rule
+definition. Example:
+
+{pygmentize:: xml}
+<acl>
+  <send allow="*"/>
+  <send deny="chirino" kind="org.apache.activemq.jaas.UserPrincipal"/>
+</acl>
 {pygmentize}
 
+The order in which rule entries are defined are significant when the user
+matches multiple entries. The first entry the user matches determines if he
+will have access to the action. For example, lets say a user is groups
+'blue' and 'red', and you are matching against an ACL list defined as:
+
+{pygmentize:: xml}
+<acl>
+  <send deny="blue"/>
+  <send allow="red"/>
+</acl>
+{pygmentize}
+
+Then the user would not be allowed to send since `<send deny="blue"/>` was
+defined first. If the order in the ACL list were reversed, like
+so:
+
+{pygmentize:: xml}
+<acl>
+  <send allow="red"/>
+  <send deny="blue"/>
+</acl>
+{pygmentize}
+
+Then the user would be allowed access to the resource since the first rule
+which matches the user is `<send allow="red"/>`.
+
+The type of resource being secured determines the types of actions that
+can be secured by the acl rule entries. Here is listing of which actions
+can be secured on which resources:
+
+* `broker`
+  * `admin` : use of the administrative web interface
+* `connector` and `virtual-host`
+  * `connect` : allows connections to the connector or virtual host
+* `destination` and `queue`
+  * `create` : allows the destination or queue to be created.
+  * `destroy` : allows the destination or queue to be created.
+  * `send` : allows the user to send to the destination or queue
+  * `receive` : allows the user to send to do non-destructive read 
+    from the destination or queue
+* `queue`
+  * `consume` : allows the user to do destructive reads against the queue.
+
 #### Encrypting Passwords in the Configuration
 
-The `etc/apollo.xml` file supports using `${<property-name>}` style syntax.
-You can use any system properties and if the `etc/apollo.xml.properties` file
-exists, then any of the properties defined there. Any of the properties
-values in the `etc/apollo.xml.properties` can be replaced with encrypted
-versions by using the `apollo encrypt` command.
+The `etc/apollo.xml` file supports using `${<property-name>}` style
+syntax. You can use any system properties and if the
+`etc/apollo.xml.properties` file exists, then any of the properties
+defined there. Any of the properties values in the
+`etc/apollo.xml.properties` can be replaced with encrypted versions by
+using the `apollo encrypt` command.
 
 Lets say you your current `key-storage` contains plain text passwords that
 need to be replaced with encrypted versions:
+
 {pygmentize:: xml}
   ...
   <key-storage 
@@ -498,7 +540,7 @@ need to be replaced with encrypted versi
 
 Lets first find out what the encrypted versions of the passwords would be.
 ${project_name} encrypts and decrypts values using the password stored in
-the `APOLLO_ENCRYPTION_PASSWORD` environment variable.  
+the `APOLLO_ENCRYPTION_PASSWORD` environment variable.
 
 The following is an example of how you can encrypt the previous
 passwords:


