From chir...@apache.org
Subject svn commit: r1054262 - in /activemq/activemq-apollo/trunk: apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/ apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/ apollo-stomp/src/test/resources/ apollo-stomp...
Date Sat, 01 Jan 2011 17:25:46 GMT
Author: chirino
Date: Sat Jan  1 17:25:45 2011
New Revision: 1054262

URL: http://svn.apache.org/viewvc?rev=1054262&view=rev
Log:
Extracted group principals logic into its own JAAS module.  Simplifies supporting the new
certificate module.  Handle wild cards in the kind attribute of the acl rule.

Added:
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala
      - copied, changed from r1054040, activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileLoginModule.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileUserLoginModule.scala
      - copied, changed from r1054040, activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileLoginModule.scala
Removed:
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileLoginModule.scala
Modified:
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
    activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/groups.properties
    activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/login.config
    activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml
    activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/login.config
    activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/users.properties
    activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
    activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md

Added: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala?rev=1054262&view=auto
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala
(added)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala
Sat Jan  1 17:25:45 2011
@@ -0,0 +1,91 @@
+package org.apache.activemq.apollo.broker.security
+
+import java.io.IOException
+import java.security.Principal
+import javax.security.auth.Subject
+import javax.security.auth.callback.CallbackHandler
+import javax.security.auth.callback.UnsupportedCallbackException
+import javax.security.auth.login.FailedLoginException
+import javax.security.auth.login.LoginException
+import java.security.cert.X509Certificate
+import java.util.HashSet
+
+
+import java.{util => ju}
+import org.apache.activemq.apollo.util.Log
+import org.apache.activemq.jaas.CertificateCallback
+
+/**
+ * <p>
+ * </p>
+ *
+ * @author <a href="http://hiramchirino.com">Hiram Chirino</a>
+ */
+object CertificateLoginModule extends Log
+
+/**
+ * <p>
+ * </p>
+ *
+ * @author <a href="http://hiramchirino.com">Hiram Chirino</a>
+ */
+class CertificateLoginModule {
+
+  import CertificateLoginModule._
+
+  var callback_handler: CallbackHandler = _
+  var subject: Subject = _
+
+  var certificates: Array[X509Certificate] = _
+  var principals = new HashSet[Principal]()
+
+  /**
+   * Overriding to allow for proper initialization. Standard JAAS.
+   */
+  def initialize(subject: Subject, callback_handler: CallbackHandler, shared_state: ju.Map[String,
_], options: ju.Map[String, _]): Unit = {
+    this.subject = subject
+    this.callback_handler = callback_handler
+  }
+
+  def login: Boolean = {
+    val cert_callback = new CertificateCallback()
+    try {
+      callback_handler.handle(Array(cert_callback))
+    } catch {
+      case ioe: IOException =>
+        throw new LoginException(ioe.getMessage())
+      case uce: UnsupportedCallbackException =>
+        throw new LoginException(uce.getMessage() + " Unable to obtain client certificates.")
+    }
+
+    certificates = cert_callback.getCertificates()
+    if (certificates == null || certificates.isEmpty) {
+      throw new FailedLoginException("No associated certificates")
+    }
+    return true
+  }
+
+  def commit: Boolean = {
+    for (cert <- certificates) {
+      principals.add(cert.getSubjectX500Principal)
+    }
+    subject.getPrincipals().addAll(principals)
+    certificates = null;
+    debug("commit")
+    return true
+  }
+
+  def abort: Boolean = {
+    certificates = null;
+    debug("abort")
+    return true
+  }
+
+  def logout: Boolean = {
+    subject.getPrincipals().removeAll(principals)
+    principals.clear
+    debug("logout")
+    return true
+  }
+
+}
\ No newline at end of file
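Review bot: `commit` (L113) dereferences `certificates` unguarded, yet under the JAAS contract commit is also invoked on a module whose own `login` threw; with this module configured `optional` beside a password module, a login without a client certificate leaves `certificates` null after the FailedLoginException at L107 and the `for` loop then raises a NullPointerException, which the LoginContext treats as a failed commit. Guard on the module's own login state, e.g. `if (certificates == null) return false` as the first line of `commit`, and likewise let `abort` return false when nothing was authenticated. Unlike its siblings the class does not declare `extends LoginModule` (L75); adding it lets the compiler check the four method signatures against the interface. The empty class Scaladoc (L69-74) should state that the module adds the subject X500Principal of every certificate the CertificateCallback returns and performs no chain validation of its own — that is presumably left to the TLS handshake, which the doc should confirm.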

Copied: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala
(from r1054040, activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileLoginModule.scala)
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala?p2=activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala&p1=activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileLoginModule.scala&r1=1054040&r2=1054262&rev=1054262&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileLoginModule.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala
Sat Jan  1 17:25:45 2011
@@ -1,3 +1,5 @@
+package org.apache.activemq.apollo.broker.security
+
 /**
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
@@ -14,20 +16,13 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.activemq.apollo.broker.security
-
 import java.io.File
 import java.io.FileInputStream
 import java.io.IOException
 import java.security.Principal
 import java.util.Properties
 import javax.security.auth.Subject
-import javax.security.auth.callback.Callback
 import javax.security.auth.callback.CallbackHandler
-import javax.security.auth.callback.NameCallback
-import javax.security.auth.callback.PasswordCallback
-import javax.security.auth.callback.UnsupportedCallbackException
-import javax.security.auth.login.FailedLoginException
 import javax.security.auth.login.LoginException
 import javax.security.auth.spi.LoginModule
 
@@ -36,106 +31,79 @@ import org.apache.activemq.jaas.UserPrin
 import java.{util => ju}
 import org.apache.activemq.apollo.util.{FileSupport, Log}
 import FileSupport._
+import java.util.regex.Pattern
 
-object FileLoginModule extends Log {
+object FileGroupLoginModule extends Log {
   val LOGIN_CONFIG = "java.security.auth.login.config"
-  val USERS_FILE = "users_file"
-  val GROUPS_FILE = "groups_file"
+  val FILE_OPTION = "file"
+  val MATCH_OPTION = "match"
+  val SEPARATOR_OPTION = "separator"
 }
 
 /**
  * <p>
+ * This login module adds additional GroupPrincipals to the
+ * subject based on existing principle already associated with the principal
+ * and a groups file.
  * </p>
  *
  * @author <a href="http://hiramchirino.com">Hiram Chirino</a>
  */
-class FileLoginModule extends LoginModule {
+class FileGroupLoginModule extends LoginModule {
 
-  import FileLoginModule._
+  import FileGroupLoginModule._
 
+  private var separator: String = _
+  private var match_kind: String = _
   private var subject: Subject = _
-  private var callback_handler: CallbackHandler = _
-
-  private var user_file: File = _
-  private var group_file: File = _
+  private var file: File = _
 
-  private val users = new Properties()
   private val groups = new Properties()
-
-  private var user: String = _
   private val principals = new ju.HashSet[Principal]()
 
   def initialize(subject: Subject, callback_handler: CallbackHandler, shared_state: ju.Map[String,
_], options: ju.Map[String, _]): Unit = {
-
     this.subject = subject
-    this.callback_handler = callback_handler
-
     val base_dir = if (System.getProperty(LOGIN_CONFIG) != null) {
       new File(System.getProperty(LOGIN_CONFIG)).getParentFile()
     } else {
       new File(".")
     }
 
-    user_file = new File(base_dir, options.get(USERS_FILE).asInstanceOf[String])
-    group_file = new File(base_dir, options.get(GROUPS_FILE).asInstanceOf[String])
+    match_kind = Option(options.get(MATCH_OPTION)).
+                  map(_.asInstanceOf[String]).
+                  getOrElse(classOf[UserPrincipal].getName)
+
+    separator = Option(options.get(SEPARATOR_OPTION)).
+                  map(_.asInstanceOf[String]).
+                  getOrElse("|")
 
-    debug("Initialized user_file=%s group_file=%s", user_file, group_file)
+    file = new File(base_dir, options.get(FILE_OPTION).asInstanceOf[String])
+    debug("Initialized file=%s, match=%s", file, match_kind)
   }
 
   def login: Boolean = {
     try {
-      users.clear()
-      using( new FileInputStream(user_file) ) { in=>
-        users.load(in)
-      }
-      EncryptionSupport.decrypt(users)
-    } catch {
-      case ioe: IOException => throw new LoginException("Unable to load user properties
file " + user_file)
-    }
-
-    try {
       groups.clear
-      using( new FileInputStream(group_file) ) { in=>
+      using( new FileInputStream(file) ) { in=>
         groups.load(in)
       }
     } catch {
-      case ioe: IOException => throw new LoginException("Unable to load group properties
file " + group_file)
-    }
-
-    val callbacks = new Array[Callback](2)
-    callbacks(0) = new NameCallback("Username: ")
-    callbacks(1) = new PasswordCallback("Password: ", false)
-    try {
-      callback_handler.handle(callbacks)
-    } catch {
-      case ioe: IOException =>
-        throw new LoginException(ioe.getMessage())
-      case uce: UnsupportedCallbackException =>
-        throw new LoginException(uce.getMessage() + " not available to obtain information
from user")
-    }
-
-    user = callbacks(0).asInstanceOf[NameCallback].getName()
-    var tmpPassword = callbacks(1).asInstanceOf[PasswordCallback].getPassword()
-    if (tmpPassword == null) {
-      tmpPassword = new Array[Char](0)
-    }
-    val password = users.getProperty(user)
-
-    if (password == null || !password.equals(new String(tmpPassword))) {
-      throw new FailedLoginException("Invalid user id or password")
+      case ioe: IOException => throw new LoginException("Unable to load group properties
file " + file)
     }
-    debug("login %s", user)
-    true
+    false
   }
 
   def commit: Boolean = {
-    principals.add(new UserPrincipal(user))
+
+    import collection.JavaConversions._
+    val principles = subject.getPrincipals.filter(_.getClass.getName == match_kind).map(_.getName)
+
     val en = groups.keys()
     while (en.hasMoreElements()) {
       val group_name = en.nextElement().asInstanceOf[String]
-      val users = groups.getProperty(group_name).split(",").map(_.trim)
+      val users = groups.getProperty(group_name).split(Pattern.quote(separator)).map(_.trim)
       users.foreach { x =>
-        if (user == x) {
+        if ( principles.contains(x) ) {
           principals.add(new GroupPrincipal(group_name))
         }
       }
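Review bot: The class Scaladoc (L191-193) misstates what the module matches on and omits an ordering requirement that `commit` creates: L303 reads `subject.getPrincipals` at commit time, and JAAS commits modules in stack order, so the entry must be listed after the modules that add the principal named by `match`. Suggested wording: `Adds a GroupPrincipal for every group in the groups file that lists the name of a principal already in the subject whose runtime class equals the match option (default UserPrincipal); list it after the modules that add those principals.` The comparison at L303 is an exact `getClass.getName` equality, so subclasses of the configured kind are not matched, which the Scaladoc should also say. `import collection.JavaConversions._` on L302 enables implicit collection conversions; if the project's Scala version has `scala.collection.JavaConverters._`, an explicit `subject.getPrincipals.asScala` keeps the conversion visible at the call site.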
@@ -143,13 +111,11 @@ class FileLoginModule extends LoginModul
 
     subject.getPrincipals().addAll(principals)
 
-    user = null
     debug("commit")
     return true
   }
 
   def abort: Boolean = {
-    user = null
     debug("abort")
     return true
   }
@@ -157,10 +123,9 @@ class FileLoginModule extends LoginModul
   def logout: Boolean = {
     subject.getPrincipals().removeAll(principals)
     principals.clear
-    user = null
     debug("logout")
     return true
   }
 
 
-}
+}
\ No newline at end of file

Copied: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileUserLoginModule.scala
(from r1054040, activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileLoginModule.scala)
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileUserLoginModule.scala?p2=activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileUserLoginModule.scala&p1=activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileLoginModule.scala&r1=1054040&r2=1054262&rev=1054262&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileLoginModule.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileUserLoginModule.scala
Sat Jan  1 17:25:45 2011
@@ -31,37 +31,33 @@ import javax.security.auth.login.FailedL
 import javax.security.auth.login.LoginException
 import javax.security.auth.spi.LoginModule
 
-import org.apache.activemq.jaas.GroupPrincipal
 import org.apache.activemq.jaas.UserPrincipal
 import java.{util => ju}
 import org.apache.activemq.apollo.util.{FileSupport, Log}
 import FileSupport._
 
-object FileLoginModule extends Log {
+object FileUserLoginModule extends Log {
   val LOGIN_CONFIG = "java.security.auth.login.config"
-  val USERS_FILE = "users_file"
-  val GROUPS_FILE = "groups_file"
+  val FILE_OPTION = "file"
 }
 
 /**
  * <p>
+ * Uses a userid=password property file to control who can
+ * login.
  * </p>
  *
  * @author <a href="http://hiramchirino.com">Hiram Chirino</a>
  */
-class FileLoginModule extends LoginModule {
+class FileUserLoginModule extends LoginModule {
 
-  import FileLoginModule._
+  import FileUserLoginModule._
 
   private var subject: Subject = _
   private var callback_handler: CallbackHandler = _
 
-  private var user_file: File = _
-  private var group_file: File = _
-
+  private var file: File = _
   private val users = new Properties()
-  private val groups = new Properties()
-
   private var user: String = _
   private val principals = new ju.HashSet[Principal]()
 
@@ -76,30 +72,20 @@ class FileLoginModule extends LoginModul
       new File(".")
     }
 
-    user_file = new File(base_dir, options.get(USERS_FILE).asInstanceOf[String])
-    group_file = new File(base_dir, options.get(GROUPS_FILE).asInstanceOf[String])
+    file = new File(base_dir, options.get(FILE_OPTION).asInstanceOf[String])
 
-    debug("Initialized user_file=%s group_file=%s", user_file, group_file)
+    debug("Initialized file=%s", file)
   }
 
   def login: Boolean = {
     try {
       users.clear()
-      using( new FileInputStream(user_file) ) { in=>
+      using( new FileInputStream(file) ) { in=>
         users.load(in)
       }
       EncryptionSupport.decrypt(users)
     } catch {
-      case ioe: IOException => throw new LoginException("Unable to load user properties
file " + user_file)
-    }
-
-    try {
-      groups.clear
-      using( new FileInputStream(group_file) ) { in=>
-        groups.load(in)
-      }
-    } catch {
-      case ioe: IOException => throw new LoginException("Unable to load group properties
file " + group_file)
+      case ioe: IOException => throw new LoginException("Unable to load user properties
file " + file)
     }
 
     val callbacks = new Array[Callback](2)
@@ -130,17 +116,6 @@ class FileLoginModule extends LoginModul
 
   def commit: Boolean = {
     principals.add(new UserPrincipal(user))
-    val en = groups.keys()
-    while (en.hasMoreElements()) {
-      val group_name = en.nextElement().asInstanceOf[String]
-      val users = groups.getProperty(group_name).split(",").map(_.trim)
-      users.foreach { x =>
-        if (user == x) {
-          principals.add(new GroupPrincipal(group_name))
-        }
-      }
-    }
-
     subject.getPrincipals().addAll(principals)
 
     user = null
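Review bot: `commit` adds `new UserPrincipal(user)` (L438) without checking that this module's own `login` succeeded, and under the JAAS contract commit is also invoked on modules whose login failed; now that the CLI login.config lists this module as `optional` beside CertificateLoginModule, a stack can succeed on the certificate alone while this commit still runs. The copied login body (visible as removed lines L282-290 in the FileGroupLoginModule diff) assigns `user` from the NameCallback before the password is verified, so a failed password check leaves `user` set and commit would attach a UserPrincipal for an unverified name to the subject. Record login success explicitly: set a `private var login_ok = false` to true in `login` only after the password comparison passes, start `commit` with `if (!login_ok) return false`, and reset it together with `user` in `abort` and `logout`. The login and initialize bodies of this class are outside this hunk.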

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala?rev=1054262&r1=1054261&r2=1054262&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
Sat Jan  1 17:25:45 2011
@@ -58,16 +58,30 @@ class SecurityContext {
 
   def is_allowed(acl:List[PrincipalDTO], default_kinds:List[String]):Boolean = {
 
-    def matches(p:PrincipalDTO):Boolean = {
-      if( p.kind==null ) {
-        default_kinds.foreach { kind=>
-          if( principles.contains(new PrincipalDTO(p.allow, kind)) ) {
-            return true;
+    def kind_matches(kind:String):Boolean = {
+      kind match {
+        case null=>
+          return !principles.map(_.kind).intersect(default_kinds.toSet).isEmpty
+        case "*"=>
+          return true;
+        case kind=>
+          return principles.map(_.kind).contains(kind)
+      }
+    }
+
+    def principal_matches(p:PrincipalDTO):Boolean = {
+      p.kind match {
+        case null=>
+          default_kinds.foreach { kind=>
+            if( principles.contains(new PrincipalDTO(p.allow, kind)) ) {
+              return true;
+            }
           }
-        }
-        return false;
-      } else {
-        return principles.contains(p)
+          return false;
+        case "*"=>
+          return principles.map(_.allow).contains(p.allow)
+        case kind=>
+          return principles.contains(p)
       }
     }
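Review bot: `principal_matches` (L481-499) still uses `return` inside the `default_kinds.foreach` closure (L484-487); in Scala that is a non-local return implemented by throwing a control exception, and the whole `case null` branch collapses to `case null => return default_kinds.exists(kind => principles.contains(new PrincipalDTO(p.allow, kind)))`. The `case kind =>` at L496 binds a name it never uses, and the one at L476 shadows the `kind` parameter of `kind_matches`; `case _ =>` states the intent in both places. The `return`s in `kind_matches` (L473-477) are redundant since the match is the method's last expression. `is_allowed` continues past the end of this hunk.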
 
@@ -75,18 +89,18 @@ class SecurityContext {
       p.deny match {
         case null =>
         case "*"=>
-          return false;
+          return !kind_matches(p.kind)
         case id =>
-          if( matches(new PrincipalDTO(id, p.kind)) ) {
+          if( principal_matches(new PrincipalDTO(id, p.kind)) ) {
             return false;
           }
       }
       p.allow match {
         case null =>
         case "*"=>
-          return true;
+          return kind_matches(p.kind)
         case id =>
-          if( matches(new PrincipalDTO(id, p.kind)) ) {
+          if( principal_matches(new PrincipalDTO(id, p.kind)) ) {
             return true
           }
       }
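Review bot: The two `case "*"` branches (L506, L517) no longer fall through when the rule's kind does not match the user: `return !kind_matches(p.kind)` allows the user outright when a `deny="*"` rule names a kind absent from the subject, and `return kind_matches(p.kind)` denies outright for a non-matching `allow="*"`, whereas the `case id` branches beside them (L509-511, L520-522) only decide when they match and otherwise move on to the next entry. If the user-manual's first-matching-entry semantics are intended, write them as `case "*" => if( kind_matches(p.kind) ) { return false }` and `case "*" => if( kind_matches(p.kind) ) { return true }` so a `*` rule for one kind can be followed by rules for other kinds. The loop around these matches and the result returned when no entry matches are outside this hunk, so the default outcome could not be confirmed here.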

Modified: activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/groups.properties
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/groups.properties?rev=1054262&r1=1054261&r2=1054262&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/groups.properties
(original)
+++ activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/groups.properties
Sat Jan  1 17:25:45 2011
@@ -19,6 +19,6 @@
 # Allows you to place multiple users in a group.
 # Example:
 #
-# power_users=admin,chirino
+# power_users=admin|chirino
 #
 admins=admin
\ No newline at end of file

Modified: activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/login.config
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/login.config?rev=1054262&r1=1054261&r2=1054262&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/login.config
(original)
+++ activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/login.config
Sat Jan  1 17:25:45 2011
@@ -17,17 +17,33 @@
 apollo {
 
   //
-  // Sets up simple file based security
+  // Allow ssl certificate based authentication.  Only certificates that
+  // are trusted by the keystore will get added.
   //
-  org.apache.activemq.apollo.broker.security.FileLoginModule required
-    users_file="users.properties"
-    groups_file="groups.properties"
-    ;
+  //   adds: javax.security.auth.x500.X500Principal
+  //
+  org.apache.activemq.apollo.broker.security.CertificateLoginModule optional;
 
+  //
+  // Allow user/password authentication checked against the user.properties file.
+  //
+  //   adds: org.apache.activemq.jaas.UserPrincipal
+  //
+  org.apache.activemq.apollo.broker.security.FileUserLoginModule optional
+    file="users.properties";
 
   //
-  // You could use any JAAS based login module too.
+  // Maps the cert and password logins to groups using the groups.properties file.
   //
-  // com.sun.security.auth.module.UnixLoginModule optional;
+  //   adds: org.apache.activemq.jaas.GroupPrincipal
+  //
+  org.apache.activemq.apollo.broker.security.FileGroupLoginModule optional
+    match="org.apache.activemq.jaas.UserPrincipal"
+    file="groups.properties";
+
+  org.apache.activemq.apollo.broker.security.FileGroupLoginModule optional
+    match="javax.security.auth.x500.X500Principal"
+    file="groups.properties";
+
 
 };
\ No newline at end of file
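Review bot: The two FileGroupLoginModule entries (L580-586) depend on their position: that module resolves groups from the principals already on the subject during commit, and JAAS commits modules in stack order, so moving either entry above CertificateLoginModule or FileUserLoginModule would silently drop the corresponding group memberships. A comment such as `// keep these after the modules that add the matched principal; groups are resolved at commit time in stack order` would record that. The comment at L554-555 says only keystore-trusted certificates are added, but CertificateLoginModule itself performs no chain check, so the statement holds only to the extent the SSL transport enforces client-certificate trust — worth saying explicitly here.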

Modified: activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml?rev=1054262&r1=1054261&r2=1054262&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml
(original)
+++ activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml
Sat Jan  1 17:25:45 2011
@@ -22,6 +22,11 @@
 
   <virtual_host id="default" purge_on_startup="true">
     <host_name>localhost</host_name>
+
+    <acl>
+      <connect allow="connect_group"/>
+    </acl>
+
   </virtual_host>
 
   <key_storage file="${basedir}/src/test/resources/apollo.ks" password="password" key_password="password"/>

Modified: activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/login.config
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/login.config?rev=1054262&r1=1054261&r2=1054262&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/login.config (original)
+++ activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/login.config Sat Jan  1
17:25:45 2011
@@ -16,28 +16,24 @@
 // ---------------------------------------------------------------------------
 StompSecurityTest {
 
+  org.apache.activemq.apollo.broker.security.FileUserLoginModule optional
+    file="users.properties";
+
   //
   // For testing purposes, we do a funny thing where we set the user
   // file to also be used as the groups file.  This only works for the
   // test since  user==password==group for our tests.
   //
-  org.apache.activemq.apollo.broker.security.FileLoginModule required
-    users_file="users.properties"
-    groups_file="users.properties"
-    ;
+  org.apache.activemq.apollo.broker.security.FileGroupLoginModule optional
+    file="users.properties";
 
 };
 
 StompSslSecurityTest {
+  org.apache.activemq.apollo.broker.security.CertificateLoginModule optional;
 
-  //
-  // For testing purposes, we do a funny thing where we set the user
-  // file to also be used as the groups file.  This only works for the
-  // test since  user==password==group for our tests.
-  //
-  org.apache.activemq.jaas.TextFileCertificateLoginModule required
-    org.apache.activemq.jaas.textfiledn.user="users.properties"
-    org.apache.activemq.jaas.textfiledn.group="users.properties"
-    ;
+  org.apache.activemq.apollo.broker.security.FileGroupLoginModule optional
+    match="javax.security.auth.x500.X500Principal"
+    file="users.properties";
 
 };
\ No newline at end of file

Modified: activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/users.properties
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/users.properties?rev=1054262&r1=1054261&r2=1054262&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/users.properties (original)
+++ activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/users.properties Sat Jan
 1 17:25:45 2011
@@ -2,22 +2,20 @@
 ## Licensed to the Apache Software Foundation (ASF) under one or more
 ## contributor license agreements.  See the NOTICE file distributed with
 ## this work for additional information regarding copyright ownership.
-## The ASF licenses this file to You under the Apache License, Version 2.0
+## The ASF licenses this file to You under the Apache License| Version 2.0
 ## (the "License"); you may not use this file except in compliance with
 ## the License.  You may obtain a copy of the License at
 ##
 ## http://www.apache.org/licenses/LICENSE-2.0
 ##
-## Unless required by applicable law or agreed to in writing, software
-## distributed under the License is distributed on an "AS IS" BASIS,
-## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## Unless required by applicable law or agreed to in writing| software
+## distributed under the License is distributed on an "AS IS" BASIS|
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND| either express or implied.
 ## See the License for the specific language governing permissions and
 ## limitations under the License.
 ## ---------------------------------------------------------------------------
 
-connect_group=can_only_connect,can_send_create_queue,can_send_queue,can_receive_queue,can_consume_queue,can_send_create_topic,can_send_topic,can_recieve_topic,can_consume_create_ds,can_consume_ds
-
-ssl_user=CN=ssl_user
+connect_group=CN=ssl_user|can_only_connect|can_send_create_queue|can_send_queue|can_receive_queue|can_consume_queue|can_send_create_topic|can_send_topic|can_recieve_topic|can_consume_create_ds|can_consume_ds
 
 can_not_connect=can_not_connect
 can_only_connect=can_only_connect
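Review bot: The commas in the license header (L669, L678-680) were turned into `|` along with the group separator on L688, which corrupts the ASF header text in this test resource; restore the original wording, e.g. `## The ASF licenses this file to You under the Apache License, Version 2.0`, and apply the separator change only to the `connect_group` value.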

Modified: activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala?rev=1054262&r1=1054261&r2=1054262&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
Sat Jan  1 17:25:45 2011
@@ -1044,11 +1044,6 @@ class StompSslSecurityTest extends Stomp
 
   override val broker_config_uri: String = "xml:classpath:apollo-stomp-ssl-secure.xml"
 
-  client.key_storeage = new KeyStorage
-  client.key_storeage.config.file = basedir/"src"/"test"/"resources"/"client.ks"
-  client.key_storeage.config.password = "password"
-  client.key_storeage.config.key_password = "password"
-
   override protected def beforeAll = {
     // System.setProperty("javax.net.debug", "all")
     try {
@@ -1060,7 +1055,15 @@ class StompSslSecurityTest extends Stomp
     super.beforeAll
   }
 
-  test("Connect with no id password") {
+  def use_client_cert = {
+    client.key_storeage = new KeyStorage
+    client.key_storeage.config.file = basedir/"src"/"test"/"resources"/"client.ks"
+    client.key_storeage.config.password = "password"
+    client.key_storeage.config.key_password = "password"
+  }
+
+  test("Connect with cert and no id password") {
+    use_client_cert
     connect("1.1", client)
   }
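Review bot: `use_client_cert` (L717) is a side-effecting helper declared without parentheses or a result type, so its type is inferred from the last assignment and the call at L725 reads like a pure accessor; declare it `def use_client_cert(): Unit = {` and call it as `use_client_cert()`. Since the key-storage setup moved out of the class body, any other test in StompSslSecurityTest that expects a client certificate now has to call it first — those tests are outside this hunk.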
 

Modified: activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md?rev=1054262&r1=1054261&r2=1054262&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md (original)
+++ activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md Sat Jan
 1 17:25:45 2011
@@ -494,7 +494,7 @@ If a configuration resource does not hav
 it, then the resource allows anyone to access all it's actions. The `acl`
 is made up of a list of authorization rule entries. Each entry defines
 that action the rule applies to and if the rule is allowing or denying
-access to a user principal. The special `*` value matches all users.
+access to a user principal. 
 
 Users can have many principals of many different kinds associated with
 them. The rules will only match up against principals of type
@@ -509,10 +509,13 @@ definition. Example:
 {pygmentize:: xml}
 <acl>
   <send deny="chirino" kind="org.apache.activemq.jaas.UserPrincipal"/>
-  <send allow="*"/>
+  <send allow="*" kind="*"/>
 </acl>
 {pygmentize}
 
+The special `*` value acts like a wild card and can be used in the `deny`,
+`allow`, and `kind` attributes.
+
 The order in which rule entries are defined are significant when the user
 matches multiple entries. The first entry the user matches determines if he
 will have access to the action. For example, lets say a user is groups


