From chir...@apache.org
Subject svn commit: r1162343 [1/2] - in /activemq/activemq-apollo/trunk: apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/ apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/ apollo-dto/ apollo-dto/src/main/java/org/apache/ac...
Date Sat, 27 Aug 2011 13:13:57 GMT
Author: chirino
Date: Sat Aug 27 13:13:56 2011
New Revision: 1162343

URL: http://svn.apache.org/viewvc?rev=1162343&view=rev
Log:
Fixes https://issues.apache.org/jira/browse/APLO-56 : Change to a terser configuration scheme for ACL definitions

Added:
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/AccessRuleDTO.java
Modified:
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Broker.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Connector.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/LocalRouter.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Queue.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Topic.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/VirtualHost.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authenticator.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/JaasAuthenticator.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
    activemq/activemq-apollo/trunk/apollo-dto/pom.xml
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerAclDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorAclDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorTypeDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueAclDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/TopicAclDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/TopicDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/resources/org/apache/activemq/apollo/dto/jaxb.index
    activemq/activemq-apollo/trunk/apollo-dto/src/test/java/org/apache/activemq/apollo/dto/XmlCodecTest.java
    activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml
    activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala
    activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala
    activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml
    activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml
    activemq/activemq-apollo/trunk/apollo-web/src/main/scala/org/apache/activemq/apollo/web/resources/BrokerResource.scala
    activemq/activemq-apollo/trunk/apollo-web/src/main/scala/org/apache/activemq/apollo/web/resources/Support.scala

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Broker.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Broker.scala?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Broker.scala (original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Broker.scala Sat Aug 27 13:13:56 2011
@@ -22,10 +22,9 @@ import org.fusesource.hawtdispatch._
 import org.fusesource.hawtbuf._
 import collection.JavaConversions
 import JavaConversions._
-import security.{AclAuthorizer, Authorizer, JaasAuthenticator, Authenticator}
+import security._
 import org.apache.activemq.apollo.broker.web._
 import collection.mutable.{HashSet, LinkedHashMap, HashMap}
-import scala.util.Random
 import org.apache.activemq.apollo.util._
 import org.fusesource.hawtbuf.AsciiBuffer._
 import CollectionsSupport._
@@ -35,8 +34,7 @@ import org.apache.activemq.apollo.dto._
 import javax.management.ObjectName
 import org.fusesource.hawtdispatch.TaskTracker._
 import java.util.concurrent.TimeUnit
-import collection.mutable.ListBuffer._
-
+import security.SecuredResource.BrokerKind
 /**
  * <p>
  * The BrokerFactory creates Broker objects from a URI.
@@ -215,7 +213,7 @@ object Broker extends Log {
  *
  * @author <a href="http://hiramchirino.com">Hiram Chirino</a>
  */
-class Broker() extends BaseService {
+class Broker() extends BaseService with SecuredResource {
 
   import Broker._
 
@@ -265,16 +263,9 @@ class Broker() extends BaseService {
   override def toString() = "broker: "+id
 
   var authenticator:Authenticator = _
-  var authorizer:Authorizer = _
+  var authorizer = Authorizer()
 
-  def init_dispatch_queue(dispatch_queue:DispatchQueue) = {
-    import OptionSupport._
-    if( config.sticky_dispatching.getOrElse(true) ) {
-      val queues = getThreadQueues()
-      val queue = queues(Random.nextInt(queues.length));
-      dispatch_queue.setTargetQueue(queue)
-    }
-  }
+  def resource_kind = SecuredResource.BrokerKind
 
   /**
    * Validates and then applies the configuration.
@@ -296,7 +287,6 @@ class Broker() extends BaseService {
     init_logs
     log_versions
     check_file_limit
-    init_dispatch_queue(dispatch_queue)
 
     BrokerRegistry.add(this)
     schedule_periodic_maintenance
@@ -374,10 +364,10 @@ class Broker() extends BaseService {
 
     if (config.authentication != null && config.authentication.enabled.getOrElse(true)) {
       authenticator = new JaasAuthenticator(config.authentication, security_log)
-      authorizer = new AclAuthorizer(config.authentication.acl_principal_kinds().toList, security_log)
+      authorizer=Authorizer(config.access_rules.toList, authenticator.acl_principal_kinds)
     } else {
       authenticator = null
-      authorizer = null
+      authorizer=Authorizer()
     }
 
     val host_config_by_id = HashMap[AsciiBuffer, VirtualHostDTO]()
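Review bot: In the `else` branch any `access_rules` present in the configuration are silently dropped, because the broker falls back to `Authorizer()` with no arguments — the same value used as the field's initial value, which looks like a permit-everything default — whenever authentication is disabled or absent. An operator who writes access rules but forgets to enable authentication gets an unprotected broker with no hint in the logs. Consider warning in that branch, e.g. `if( config.access_rules != null && !config.access_rules.isEmpty ) warn("access_rules are configured but authentication is disabled; they will not be enforced")` (assuming the `Log` mixin's `warn` is in scope here as it is elsewhere in this class). Also note that `config.access_rules.toList` in the `if` branch assumes the list is non-null; if the DTO does not initialize it, a config with no `<access_rule>` elements will fail here rather than yield an empty rule set. The enclosing method starts and ends outside this hunk.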

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Connector.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Connector.scala?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Connector.scala (original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Connector.scala Sat Aug 27 13:13:56 2011
@@ -17,14 +17,14 @@
 package org.apache.activemq.apollo.broker
 
 import org.fusesource.hawtdispatch._
-import org.fusesource.hawtdispatch.{Dispatch}
 import protocol.{ProtocolFactory, Protocol}
 import org.apache.activemq.apollo.transport._
 import org.apache.activemq.apollo.util._
 import org.apache.activemq.apollo.util.OptionSupport._
 import java.net.SocketAddress
-import org.apache.activemq.apollo.util.{Log, Service, ClassFinder}
+import org.apache.activemq.apollo.util.{Log, ClassFinder}
 import org.apache.activemq.apollo.dto._
+import security.SecuredResource
 
 /**
  * <p>
@@ -35,7 +35,7 @@ import org.apache.activemq.apollo.dto._
 object Connector extends Log {
 }
 
-trait Connector extends BaseService {
+trait Connector extends BaseService with SecuredResource {
 
   def broker:Broker
   def id:String
@@ -46,6 +46,7 @@ trait Connector extends BaseService {
   def update(config: ConnectorTypeDTO, on_complete:Runnable):Unit
   def socket_address:SocketAddress
   def status:ServiceStatusDTO
+  def resource_kind = SecuredResource.ConnectorKind
 }
 
 trait ConnectorFactory {
@@ -149,8 +150,6 @@ class AcceptingConnector(val broker:Brok
       connection.protocol_handler = protocol.createProtocolHandler
       connection.transport = transport
 
-      broker.init_dispatch_queue(connection.dispatch_queue)
-
       broker.connections.put(connection.id, connection)
       try {
         connection.start()

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/LocalRouter.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/LocalRouter.scala?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/LocalRouter.scala (original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/LocalRouter.scala Sat Aug 27 13:13:56 2011
@@ -21,13 +21,14 @@ import org.apache.activemq.apollo.util._
 import org.apache.activemq.apollo.broker.store.QueueRecord
 import path._
 import path.PathParser.PathException
-import security.SecurityContext
 import java.util.concurrent.TimeUnit
 import scala.Array
 import org.apache.activemq.apollo.dto._
 import java.util.{Arrays, ArrayList}
 import collection.mutable.{LinkedHashMap, HashMap}
 import collection.{Iterable, JavaConversions}
+import security.SecuredResource.{TopicKind, QueueKind}
+import security.{SecuredResource, SecurityContext}
 
 object DestinationMetricsSupport {
 
@@ -115,7 +116,7 @@ object RouterListenerFactory {
  *
  * @author <a href="http://hiramchirino.com">Hiram Chirino</a>
  */
-trait DomainDestination {
+trait DomainDestination extends SecuredResource {
 
   def id:String
   def virtual_host:VirtualHost
@@ -129,6 +130,7 @@ trait DomainDestination {
   def disconnect (producer:BindableDeliveryProducer)
 
   def update(on_completed:Runnable):Unit
+
 }
 
 /**
@@ -206,6 +208,8 @@ class LocalRouter(val virtual_host:Virtu
 
   private val ALL = new Path(List(AnyDescendantPart))
 
+  def authorizer = virtual_host.authorizer
+
   trait Domain[D <: DomainDestination] {
 
     // holds all the destinations in the domain by id
@@ -230,9 +234,6 @@ class LocalRouter(val virtual_host:Virtu
       }
     }
 
-    def can_destroy_destination(path:Path, destination:DestinationDTO, security:SecurityContext):Option[String]
-    def destroy_destination(path:Path, destination:DestinationDTO, security: SecurityContext):Unit
-
     def can_create_destination(path:Path, destination:DestinationDTO, security:SecurityContext):Option[String]
     def create_destination(path:Path, destination:DestinationDTO, security:SecurityContext):Result[D,String]
 
@@ -249,12 +250,12 @@ class LocalRouter(val virtual_host:Virtu
       // binds any matching wild card subs and producers...
       import JavaConversions._
       consumers_by_path.get( path ).foreach { x=>
-        if( can_bind_one(path, x.destination, x.consumer, x.security) ) {
+        if( authorizer.can(x.security, bind_action(x.consumer), dest) ) {
           dest.bind(x.destination, x.consumer)
         }
       }
       producers_by_path.get( path ).foreach { x=>
-        if( can_connect_one(path, x.destination, x.producer, x.security) ) {
+        if( authorizer.can(x.security, "send", dest) ) {
           dest.connect(x.destination, x.producer)
         }
       }
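Review bot: `authorizer.can(x.security, bind_action(x.consumer), dest)` and `authorizer.can(x.security, "send", dest)` are now called without the null-`SecurityContext` guard that the removed `can_bind_one`/`can_connect_one` implementations carried, while other new call sites in this commit (`can_destroy_destination`, `can_create_destination` in the topic domain, `Queue.bind`) still check for null before calling `can`. Whether this is safe depends on `Authorizer.can` accepting a null context, which is not visible in this diff; if it does, the remaining guards are redundant, and if it does not, binding an unauthenticated or internal consumer to a late-created wildcard match will throw here. Suggest settling the contract once, e.g. a comment on `def authorizer = virtual_host.authorizer` such as `// Authorizer.can must treat a null SecurityContext as "no principal to check": internal callers pass null`, and then either dropping or adding the guards consistently. The enclosing method starts before this hunk.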
@@ -265,7 +266,34 @@ class LocalRouter(val virtual_host:Virtu
       destination_by_id.remove(dest.id)
     }
 
-    def can_bind_one(path:Path, destination:DestinationDTO, consumer:DeliveryConsumer, security:SecurityContext):Boolean
+    def can_destroy_destination(path:Path, destination:DestinationDTO, security:SecurityContext):Option[String] = {
+      if( security==null ) {
+        return None
+      }
+
+      if( destination.temp_owner != null ) {
+        for( connection <- security.connection_id) {
+          if( connection != destination.temp_owner.longValue() ) {
+            return Some("Not authorized to destroy the destination.")
+          }
+        }
+      }
+
+      val matches = get_destination_matches(path)
+      matches.foldLeft(None:Option[String]) { case (rc,dest) =>
+        rc.orElse {
+          if( authorizer.can(security, "destroy", dest) ) {
+            None
+          } else {
+            Some("Not authorized to destroy destination: %s".format(dest.id))
+          }
+        }
+      }
+    }
+    def destroy_destination(path:Path, destination:DestinationDTO, security: SecurityContext):Unit
+
+    def bind_action(consumer:DeliveryConsumer):String
+
     def can_bind_all(path:Path, destination:DestinationDTO, consumer:DeliveryConsumer, security:SecurityContext):Option[String] = {
       if( security==null ) {
         return None
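Review bot: The temp-owner check in `can_destroy_destination` only rejects when `security.connection_id` yields a value; the `for` comprehension over it suggests an `Option` (or collection), so a `SecurityContext` with no connection id skips the ownership test entirely and falls through to the generic `destroy` rule, letting such a caller destroy another connection's temporary destination if the access rules allow `destroy`. If that is deliberate for internal or administrative contexts, a comment saying so would help — `// contexts without a connection id (internal callers) bypass the temp-owner check`; otherwise require the id, e.g. `if( security.connection_id.isEmpty || security.connection_id.exists(_ != destination.temp_owner.longValue()) ) return Some("Not authorized to destroy the temporary destination.")`. Note also that the failure message lost the word "temporary", so operators can no longer tell an ownership denial from an ACL denial in the security log.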
@@ -297,7 +325,7 @@ class LocalRouter(val virtual_host:Virtu
         }
 
         matches.foreach { dest =>
-          if( !can_bind_one(path, destination, consumer, security) ) {
+          if( !authorizer.can(security, bind_action(consumer), dest) ) {
             return Some("Not authorized to receive from the destination.")
           }
         }
@@ -308,7 +336,7 @@ class LocalRouter(val virtual_host:Virtu
     def bind(path:Path, destination:DestinationDTO, consumer:DeliveryConsumer, security:SecurityContext):Unit = {
       var matches = get_destination_matches(path)
       matches.foreach { dest=>
-        if( can_bind_one(path, destination, consumer, security) ) {
+        if( authorizer.can(security, bind_action(consumer), dest) ) {
           dest.bind(destination, consumer)
           for( l <- router_listeners) {
             l.on_bind(dest, consumer, security)
@@ -332,8 +360,6 @@ class LocalRouter(val virtual_host:Virtu
       }
     }
 
-    def can_connect_one(path:Path, destination:DestinationDTO, producer:BindableDeliveryProducer, security:SecurityContext):Boolean
-
     def can_connect_all(path:Path, destination:DestinationDTO, producer:BindableDeliveryProducer, security:SecurityContext):Option[String] = {
 
       val wildcard = PathParser.containsWildCards(path)
@@ -362,8 +388,10 @@ class LocalRouter(val virtual_host:Virtu
 
         // since this is not a wild card, we should have only matched one..
         assert( matches.size == 1 )
-        if( !can_connect_one(path, destination, producer, security) ) {
-          return Some("Not authorized to send to the destination.")
+        for( dest <- matches ) {
+          if( !authorizer.can(security, "send", dest) ) {
+            return Some("Not authorized to send to the destination.")
+          }
         }
 
         None
@@ -372,7 +400,7 @@ class LocalRouter(val virtual_host:Virtu
 
     def connect(path:Path, destination:DestinationDTO, producer:BindableDeliveryProducer, security:SecurityContext):Unit = {
       get_destination_matches(path).foreach { dest=>
-        if( can_connect_one(path, destination, producer, security) ) {
+        if( authorizer.can(security, "send", dest) ) {
           dest.connect(destination, producer)
           for( l <- router_listeners) {
             l.on_connect(dest, producer, security)
@@ -460,31 +488,6 @@ class LocalRouter(val virtual_host:Virtu
       }
     }
 
-    def can_destroy_destination(path:Path, destination: DestinationDTO, security: SecurityContext): Option[String] = {
-      if( security == null ) {
-        return None
-      }
-
-      if( destination.temp_owner != null ) {
-        for( connection <- security.connection_id) {
-          if( connection != destination.temp_owner.longValue() ) {
-            return Some("Not authorized to destroy the temporary destination.")
-          }
-        }
-      }
-
-      val matches = get_destination_matches(path)
-      matches.foldLeft(None:Option[String]) { case (rc,dest) =>
-        rc.orElse {
-          if( virtual_host.authorizer!=null && security!=null && !virtual_host.authorizer.can_destroy(security, virtual_host, dest.config)) {
-            Some("Not authorized to destroy topic: %s".format(dest.id))
-          } else {
-            None
-          }
-        }
-      }
-    }
-
     def destroy_destination(path:Path, destination: DestinationDTO, security: SecurityContext): Unit = {
       val matches = get_destination_matches(path)
       matches.foreach { dest =>
@@ -517,12 +520,19 @@ class LocalRouter(val virtual_host:Virtu
     }
 
     def can_create_destination(path:Path, destination:DestinationDTO, security:SecurityContext):Option[String] = {
+      if (security==null) {
+        return None;
+      }
+
       // We can't create a wild card destination.. only wild card subscriptions.
       assert( !PathParser.containsWildCards(path) )
       // A new destination is being created...
-      val dto = topic_config(path)
 
-      if(  virtual_host.authorizer!=null && security!=null && !virtual_host.authorizer.can_create(security, virtual_host, dto)) {
+      val resource = new SecuredResource() {
+        def resource_kind = TopicKind
+        def id = destination_parser.encode_path(path)
+      }
+      if( !authorizer.can(security, "create", resource)) {
         Some("Not authorized to create the destination")
       } else {
         None
@@ -536,7 +546,11 @@ class LocalRouter(val virtual_host:Virtu
       // A new destination is being created...
       val dto = topic_config(path)
 
-      if(  virtual_host.authorizer!=null && security!=null && !virtual_host.authorizer.can_create(security, virtual_host, dto)) {
+      val resource = new SecuredResource() {
+        def resource_kind = TopicKind
+        def id = destination_parser.encode_path(path)
+      }
+      if( !authorizer.can(security, "create", resource)) {
         return new Failure("Not authorized to create the destination")
       }
 
@@ -549,20 +563,7 @@ class LocalRouter(val virtual_host:Virtu
       Success(topic)
     }
 
-    def can_bind_one(path:Path, destination:DestinationDTO, consumer:DeliveryConsumer, security:SecurityContext):Boolean = {
-      val config = topic_config(path)
-      val authorizer = virtual_host.authorizer
-      if( authorizer!=null && security!=null && !authorizer.can_receive_from(security, virtual_host, config) ) {
-        return false;
-      }
-      true
-    }
-
-    def can_connect_one(path:Path, destination:DestinationDTO, producer:BindableDeliveryProducer, security:SecurityContext):Boolean = {
-      val config = topic_config(path)
-      val authorizer = virtual_host.authorizer
-      !(authorizer!=null && security!=null && !authorizer.can_send_to(security, virtual_host, config) )
-    }
+    def bind_action(consumer:DeliveryConsumer):String = "receive"
 
     def bind_dsub(queue:Queue) = {
       assert_executing
@@ -709,9 +710,16 @@ class LocalRouter(val virtual_host:Virtu
     }
 
 
+    def get_dsub_secured_resource(config: DurableSubscriptionDTO):SecuredResource = {
+      durable_subscriptions_by_id.get(config.id).getOrElse(new SecuredResource() {
+        def resource_kind = SecuredResource.DurableSubKind
+        def id = config.id
+      })
+    }
+
     def can_create_dsub(config:DurableSubscriptionDTO, security:SecurityContext) = {
-      val authorizer = virtual_host.authorizer
-      if( authorizer!=null && security!=null && !authorizer.can_create(security, virtual_host, config) ) {
+      val resource = get_dsub_secured_resource(config)
+      if( !authorizer.can(security, "create", resource) ) {
         Some("Not authorized to create the durable subscription.")
       } else {
         None
@@ -719,8 +727,8 @@ class LocalRouter(val virtual_host:Virtu
     }
 
     def can_connect_dsub(config:DurableSubscriptionDTO, security:SecurityContext):Option[String] = {
-      val authorizer = virtual_host.authorizer
-      if( authorizer!=null && security!=null && !authorizer.can_send_to(security, virtual_host, config) ) {
+      val resource = get_dsub_secured_resource(config)
+      if( !authorizer.can(security, "send", resource) ) {
         Some("Not authorized to send to the durable subscription.")
       } else {
         None
@@ -728,21 +736,10 @@ class LocalRouter(val virtual_host:Virtu
     }
 
     def can_bind_dsub(config:DurableSubscriptionDTO, consumer:DeliveryConsumer, security:SecurityContext):Option[String] = {
-      val authorizer = virtual_host.authorizer
-      if( authorizer!=null && security!=null ) {
-        if ( consumer.browser ) {
-          if( !authorizer.can_receive_from(security, virtual_host, config) ) {
-            Some("Not authorized to receive from the durable subscription.")
-          } else {
-            None
-          }
-        } else {
-          if( !authorizer.can_consume_from(security, virtual_host, config) ) {
-            Some("Not authorized to consume from the durable subscription.")
-          } else {
-            None
-          }
-        }
+      val resource = get_dsub_secured_resource(config)
+      val action = if ( consumer.browser ) "receive" else "consume"
+      if( !authorizer.can(security, action, resource) ) {
+        Some("Not authorized to "+action+" from the durable subscription.")
       } else {
         None
       }
@@ -752,22 +749,6 @@ class LocalRouter(val virtual_host:Virtu
   val queue_domain = new QueueDomain
   class QueueDomain extends Domain[Queue] {
 
-    def can_create_queue(config:QueueDTO, security:SecurityContext) = {
-      if( virtual_host.authorizer==null || security==null) {
-        true
-      } else {
-        virtual_host.authorizer.can_create(security, virtual_host, config)
-      }
-    }
-
-    def can_destroy_queue(config:QueueDTO, security:SecurityContext) = {
-      if( virtual_host.authorizer==null || security==null) {
-        true
-      } else {
-        virtual_host.authorizer.can_destroy(security, virtual_host, config)
-      }
-    }
-
     def bind(queue:Queue) = {
       val path = queue.binding.destination
       assert( !PathParser.containsWildCards(path) )
@@ -794,19 +775,6 @@ class LocalRouter(val virtual_host:Virtu
       }
     }
 
-    def can_destroy_destination(path:Path, destination: DestinationDTO, security: SecurityContext): Option[String] = {
-      val matches = get_destination_matches(path)
-      matches.foldLeft(None:Option[String]) { case (rc,dest) =>
-        rc.orElse {
-          if( can_destroy_queue(dest.config, security) ) {
-            None
-          } else {
-            Some("Not authorized to destroy queue: %s".format(dest.id))
-          }
-        }
-      }
-    }
-
     def destroy_destination(path:Path, destination: DestinationDTO, security: SecurityContext): Unit = {
       val matches = get_destination_matches(path)
       matches.foreach { queue =>
@@ -818,11 +786,11 @@ class LocalRouter(val virtual_host:Virtu
     }
 
     def can_create_destination(path: Path, destination:DestinationDTO, security: SecurityContext):Option[String] = {
-      val dto = new QueueDestinationDTO
-      dto.path.addAll(destination.path)
-      val binding = QueueDomainQueueBinding.create(dto)
-      val config = binding.config(virtual_host)
-      if( can_create_queue(config, security) ) {
+      val resource = new SecuredResource() {
+        def resource_kind = QueueKind
+        def id = destination_parser.encode_path(path)
+      }
+      if( authorizer.can(security, "create", resource)) {
         None
       } else {
         Some("Not authorized to create the queue")
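Review bot: This `can_create_destination` calls `authorizer.can(security, "create", resource)` with no null check on `security`, whereas the topic-domain counterpart earlier in this commit starts with `if (security==null) return None` and the replaced `can_create_queue` explicitly returned `true` for a null context. If `Authorizer.can` does not tolerate a null context this will throw for unauthenticated or internal callers; if it does, the topic-domain guard is dead code. Either way the two domains should match — the simplest fix is to add the same two-line guard here, `if( security==null ) return None`, or to remove it from the topic domain and document the null contract on `Authorizer.can`. The same asymmetry applies to `create_destination` in both domains, which never guard null.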
@@ -832,10 +800,13 @@ class LocalRouter(val virtual_host:Virtu
     def create_destination(path: Path, destination:DestinationDTO, security: SecurityContext) = {
       val dto = new QueueDestinationDTO
       dto.path.addAll(destination.path)
-
       val binding = QueueDomainQueueBinding.create(dto)
-      val config = binding.config(virtual_host)
-      if( can_create_queue(config, security) ) {
+
+      val resource = new SecuredResource() {
+        def resource_kind = QueueKind
+        def id = destination_parser.encode_path(path)
+      }
+      if( authorizer.can(security, "create", resource)) {
         var queue = _create_queue(binding)
         for( l <- router_listeners) {
           l.on_create(queue, security)
@@ -846,29 +817,10 @@ class LocalRouter(val virtual_host:Virtu
       }
 
     }
-
-    def can_bind_one(path:Path, dto:DestinationDTO, consumer:DeliveryConsumer, security: SecurityContext):Boolean = {
-      val binding = QueueDomainQueueBinding.create(dto)
-      val config = binding.config(virtual_host)
-      if(  virtual_host.authorizer!=null && security!=null ) {
-        if( consumer.browser ) {
-          if( !virtual_host.authorizer.can_receive_from(security, virtual_host, config) ) {
-            return false;
-          }
-        } else {
-          if( !virtual_host.authorizer.can_consume_from(security, virtual_host, config) ) {
-            return false
-          }
-        }
-      }
-      return true;
-    }
-
-    def can_connect_one(path:Path, dto:DestinationDTO, producer:BindableDeliveryProducer, security:SecurityContext):Boolean = {
-      val binding = QueueDomainQueueBinding.create(dto)
-      val config = binding.config(virtual_host)
-      val authorizer = virtual_host.authorizer
-      !( authorizer!=null && security!=null && !authorizer.can_send_to(security, virtual_host, config) )
+    def bind_action(consumer:DeliveryConsumer):String = if(consumer.browser) {
+      "receive"
+    } else {
+      "consume"
     }
 
   }
@@ -1227,11 +1179,8 @@ class LocalRouter(val virtual_host:Virtu
   }
 
   def _destroy_queue(queue:Queue, security:SecurityContext):Option[String] = {
-
-    if( security!=null && queue.config.acl!=null ) {
-      if( !virtual_host.authorizer.can_destroy(security, virtual_host, queue.config) ) {
-        return Some("Not authorized to destroy")
-      }
+    if( !authorizer.can(security, "destroy", queue) ) {
+      return Some("Not authorized to destroy")
     }
     _destroy_queue(queue)
     None
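Review bot: `_destroy_queue` now enforces authorization whenever `authorizer.can` says no, dropping both the `security!=null` and `queue.config.acl!=null` conditions; the first is a behaviour change for internal callers that passed a null context (the old guard implies some did), and whether it is safe again hinges on `Authorizer.can` handling null, which this diff does not show. The denial message is also the only one in this file that omits the resource identity; the domain-level check uses `"Not authorized to destroy destination: %s".format(dest.id)`, so for consistent security logging consider `return Some("Not authorized to destroy queue: %s".format(queue.id))`. The method's closing brace is outside this hunk.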

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Queue.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Queue.scala?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Queue.scala (original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Queue.scala Sat Aug 27 13:13:56 2011
@@ -26,11 +26,12 @@ import org.apache.activemq.apollo.util._
 import org.apache.activemq.apollo.util.list._
 import org.fusesource.hawtdispatch.{ListEventAggregator, DispatchQueue, BaseRetained}
 import OptionSupport._
-import security.SecurityContext
-import java.util.concurrent.atomic.{AtomicReference, AtomicLong, AtomicInteger}
+import java.util.concurrent.atomic.{AtomicReference, AtomicInteger}
 import org.fusesource.hawtbuf.Buffer
 import java.lang.UnsupportedOperationException
 import org.apache.activemq.apollo.dto._
+import security.SecuredResource._
+import security.{SecuredResource, SecurityContext}
 
 object Queue extends Log {
   val subcsription_counter = new AtomicInteger(0)
@@ -45,13 +46,19 @@ import Queue._
  *
  * @author <a href="http://hiramchirino.com">Hiram Chirino</a>
  */
-class Queue(val router: LocalRouter, val store_id:Long, var binding:Binding, var config:QueueDTO) extends BaseRetained with BindableDeliveryProducer with DeliveryConsumer with BaseService with DomainDestination with Dispatched {
+class Queue(val router: LocalRouter, val store_id:Long, var binding:Binding, var config:QueueDTO) extends BaseRetained with BindableDeliveryProducer with DeliveryConsumer with BaseService with DomainDestination with Dispatched with SecuredResource {
   def id = binding.id
 
   override def toString = binding.destination.toString
 
   def virtual_host = router.virtual_host
 
+  val resource_kind = binding match {
+    case x:DurableSubscriptionQueueBinding=> DurableSubKind
+    case x:QueueDomainQueueBinding=> QueueKind
+    case _ => OtherKind
+  }
+
   var producers = ListBuffer[BindableDeliveryProducer]()
   var inbound_sessions = Set[DeliverySession]()
   var all_subscriptions = Map[DeliveryConsumer, Subscription]()
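Review bot: `resource_kind` is a `val` evaluated once from `binding`, but `binding` is declared `var` in the constructor, so if it is ever reassigned the queue keeps the old kind and access rules for the new kind are evaluated against the wrong resource class. Unless reassignment is known never to happen, `def resource_kind = binding match { ... }` keeps the two in step at negligible cost; if it is known, a comment such as `// binding's kind is fixed for the queue's lifetime` would document the invariant. The `case _ => OtherKind` fallback is reasonable, though it is worth confirming that an `OtherKind` resource is denied rather than allowed by default in `Authorizer`, which is not visible here.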
@@ -60,7 +67,6 @@ class Queue(val router: LocalRouter, val
   def filter = binding.message_filter
 
   override val dispatch_queue: DispatchQueue = createQueue(id);
-  virtual_host.broker.init_dispatch_queue(dispatch_queue)
 
   def destination_dto: DestinationDTO = binding.binding_dto
 
@@ -785,14 +791,14 @@ class Queue(val router: LocalRouter, val
 
   def connected() = {}
 
-  def bind(value: DeliveryConsumer, security:SecurityContext): Result[Zilch, String] = {
-    if(  virtual_host.authorizer!=null && security!=null ) {
+  def bind(value: DeliveryConsumer, ctx:SecurityContext): Result[Zilch, String] = {
+    if( ctx!=null ) {
       if( value.browser ) {
-        if( !virtual_host.authorizer.can_receive_from(security, virtual_host, config) ) {
+        if( !virtual_host.authorizer.can(ctx, "receive", this) ) {
           return new Failure("Not authorized to browse the queue")
         }
       } else {
-        if( !virtual_host.authorizer.can_consume_from(security, virtual_host, config) ) {
+        if( !virtual_host.authorizer.can(ctx, "consume", this) ) {
           return new Failure("Not authorized to consume from the queue")
         }
       }

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Topic.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Topic.scala?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Topic.scala (original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Topic.scala Sat Aug 27 13:13:56 2011
@@ -24,8 +24,7 @@ import java.util.concurrent.TimeUnit
 import org.fusesource.hawtdispatch._
 import collection.mutable.{HashSet, HashMap, ListBuffer}
 import java.lang.Long
-import com.sun.jdi.connect.spi.TransportService.ListenKey
-
+import security.SecuredResource
 /**
  * <p>
  * A logical messaging topic
@@ -33,7 +32,7 @@ import com.sun.jdi.connect.spi.Transport
  *
  * @author <a href="http://hiramchirino.com">Hiram Chirino</a>
  */
-class Topic(val router:LocalRouter, val destination_dto:TopicDestinationDTO, var config_updater: ()=>TopicDTO, val id:String, path:Path) extends DomainDestination {
+class Topic(val router:LocalRouter, val destination_dto:TopicDestinationDTO, var config_updater: ()=>TopicDTO, val id:String, path:Path) extends DomainDestination with SecuredResource {
 
   var enqueue_item_counter = 0L
   var enqueue_size_counter = 0L
@@ -43,6 +42,8 @@ class Topic(val router:LocalRouter, val 
   var dequeue_size_counter = 0L
   var dequeue_ts = now
 
+  val resource_kind =SecuredResource.TopicKind
+
   var proxy_sessions = new HashSet[TopicDeliverySession]()
 
   implicit def from_link(from:LinkDTO):(Long,Long,Long)=(from.enqueue_item_counter, from.enqueue_size_counter, from.enqueue_ts)
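Review bot: `val resource_kind =SecuredResource.TopicKind` is missing the space after `=` and declares the member as a `val`, whereas `VirtualHost` in this same commit satisfies the trait with `def resource_kind = VirtualHostKind`. Either form fulfils `SecuredResource`, but the two implementations should agree; `val resource_kind = SecuredResource.TopicKind` (with the space) is the cheaper one for a constant and reads consistently with the `val` fields around it.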

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/VirtualHost.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/VirtualHost.scala?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/VirtualHost.scala (original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/VirtualHost.scala Sat Aug 27 13:13:56 2011
@@ -16,22 +16,16 @@
  */
 package org.apache.activemq.apollo.broker;
 
-import _root_.java.util.{ArrayList, HashMap}
-import _root_.java.lang.{String}
+import _root_.java.lang.String
 import _root_.scala.collection.JavaConversions._
 import org.fusesource.hawtdispatch._
 
-import java.util.concurrent.TimeUnit
 import org.apache.activemq.apollo.util._
-import path.PathFilter
-import org.fusesource.hawtbuf.{Buffer, AsciiBuffer}
-import collection.JavaConversions
-import java.util.concurrent.atomic.AtomicLong
 import org.apache.activemq.apollo.util.OptionSupport._
-import org.apache.activemq.apollo.util.path.{Path, PathParser}
-import security.{AclAuthorizer, JaasAuthenticator, Authenticator, Authorizer}
 import org.apache.activemq.apollo.dto._
-import store.{PersistentLongCounter, ZeroCopyBufferAllocator, Store, StoreFactory}
+import security._
+import security.SecuredResource.VirtualHostKind
+import store.{PersistentLongCounter, Store, StoreFactory}
 
 trait VirtualHostFactory {
   def create(broker:Broker, dto:VirtualHostDTO):VirtualHost
@@ -87,7 +81,7 @@ object VirtualHost extends Log {
 /**
  * @author <a href="http://hiramchirino.com">Hiram Chirino</a>
  */
-class VirtualHost(val broker: Broker, val id:String) extends BaseService {
+class VirtualHost(val broker: Broker, val id:String) extends BaseService with SecuredResource {
   import VirtualHost._
   
   override val dispatch_queue:DispatchQueue = createQueue("virtual-host") // getGlobalQueue(DispatchPriority.HIGH).createQueue("virtual-host")
@@ -103,14 +97,15 @@ class VirtualHost(val broker: Broker, va
   val session_counter = new PersistentLongCounter("session_counter")
 
   var authenticator:Authenticator = _
-  var authorizer:Authorizer = _
+  var authorizer = Authorizer()
 
   var audit_log:Log = _
   var security_log:Log  = _
   var connection_log:Log = _
   var console_log:Log = _
 
-  // This gets set if client should get redirected to another address.
+  def resource_kind = VirtualHostKind
+
   @volatile
   var client_redirect:Option[String] = None
 
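Review bot: The comment `// This gets set if client should get redirected to another address.` was removed from above `client_redirect`, but the field itself remains; the new `def resource_kind` simply landed between the comment and the field, so the comment should be restored directly above the `@volatile` line. Also worth documenting is that the field initialiser `var authorizer = Authorizer()` is the permit-all authorizer (its `can` always returns `true`), so any `can(...)` check that runs before the configuration update installs the configured rules would succeed; I cannot tell from this hunk whether such a window exists, so a comment such as `// permit-all until the configuration update installs the configured rules` would state the intent either way.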
@@ -151,18 +146,20 @@ class VirtualHost(val broker: Broker, va
       if (config.authentication.enabled.getOrElse(true)) {
         // Virtual host has it's own settings.
         authenticator = new JaasAuthenticator(config.authentication, security_log)
-        authorizer = new AclAuthorizer(config.authentication.acl_principal_kinds().toList, security_log)
       } else {
         // Don't use security on this host.
         authenticator = null
-        authorizer = null
       }
     } else {
       // use the broker's settings..
       authenticator = broker.authenticator
-      authorizer = broker.authorizer
     }
-
+    if( authenticator!=null ) {
+      val rules = config.access_rules.toList ::: broker.config.access_rules.toList
+      authorizer = Authorizer(rules, authenticator.acl_principal_kinds)
+    } else {
+      authorizer = Authorizer()
+    }
   }
 
   override protected def _start(on_completed:Runnable):Unit = {
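Review bot: When a virtual host has `authentication.enabled` set to false the authenticator becomes null and `authorizer = Authorizer()` is installed, which permits every action, so any `access_rule` entries configured on that host or on the broker are silently discarded. A warning at that point would make the misconfiguration visible, e.g. `if( !config.access_rules.isEmpty || !broker.config.access_rules.isEmpty ) warn("access rules for virtual host %s are ignored because authentication is disabled", id)` using whatever the `Log` trait on the companion provides. Separately, `config.access_rules.toList ::: broker.config.access_rules.toList` places host rules before broker rules, and `RulesAuthorizer.can` is first-match-wins, so a permissive host-level rule overrides a broker-level `deny`; that precedence deserves a one-line comment on the `val rules = ...` line so operators do not assume broker rules take priority. The enclosing method starts outside this hunk.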

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authenticator.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authenticator.scala?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authenticator.scala (original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authenticator.scala Sat Aug 27 13:13:56 2011
@@ -38,4 +38,6 @@ trait Authenticator {
    */
   def user_name(ctx:SecurityContext):Option[String]
 
+  def acl_principal_kinds:Set[String]
+
 }
\ No newline at end of file
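Review bot: The new abstract member `def acl_principal_kinds:Set[String]` has no scaladoc, unlike `user_name` just above it. It is consumed by `VirtualHost` as the `default_principal_kinds` argument to `Authorizer(...)`, where it is used whenever a rule sets no `principal_kind`, so a comment such as `/** JAAS principal class names that access rules match against when a rule does not set principal_kind. */` would tell implementors what the set is for.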

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala (original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala Sat Aug 27 13:13:56 2011
@@ -1,102 +1,209 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.apache.activemq.apollo.broker.security
-import org.apache.activemq.apollo.broker._
-import org.apache.activemq.apollo.dto.{TopicDTO, QueueDTO}
+
+import java.lang.Boolean
+import collection.mutable.{ListBuffer, HashMap}
+import org.apache.activemq.apollo.broker.LocalRouter
+import org.apache.activemq.apollo.dto.{QueueDTO, AccessRuleDTO}
+import org.apache.activemq.apollo.util.path.PathParser._
+import java.util.regex.Pattern
+import org.apache.activemq.apollo.broker.security.Authorizer.ResourceMatcher
+import java.util.concurrent.atomic.AtomicLong
+
+object SecuredResource {
+  case class SecurityRules(version:Long, rules: Seq[(String,SecurityContext)=>Option[Boolean]])
+
+  sealed trait ResourceKind
+  object BrokerKind extends ResourceKind
+  object VirtualHostKind extends ResourceKind
+  object ConnectorKind extends ResourceKind
+  object QueueKind extends ResourceKind
+  object TopicKind extends ResourceKind
+  object DurableSubKind extends ResourceKind
+  object OtherKind extends ResourceKind
+}
+import SecuredResource._
+
+trait SecuredResource {
+  def resource_kind:ResourceKind
+  def id:String
+
+  @volatile
+  var rules_cache:SecurityRules = _
+}
 
 /**
- * <p>This interface allows the authorization information to come
-  * from other sources besides the configuration model.</p>
+ * <p>
+ * </p>
  *
  * @author <a href="http://hiramchirino.com">Hiram Chirino</a>
  */
 trait Authorizer {
+  def can(ctx:SecurityContext, action:String, resource:SecuredResource):Boolean;
+}
 
-  /**
-   * @returns true if the user is an admin.
-   */
-  def can_admin(ctx:SecurityContext, broker:Broker):Boolean
-
-  def can_monitor(ctx:SecurityContext, broker:Broker):Boolean
-
-  def can_config(ctx:SecurityContext, broker:Broker):Boolean
-
-  def can_admin(ctx:SecurityContext, host:VirtualHost):Boolean
-
-  def can_monitor(ctx:SecurityContext, host:VirtualHost):Boolean
-
-  /**
-   * @returns true if the user is allowed to connect to the virtual host
-   */
-  def can_connect_to(ctx:SecurityContext, host:VirtualHost, connector:Connector):Boolean
-
-  /**
-   * @returns true if the user is allowed to send to the destination
-   */
-  def can_send_to(ctx:SecurityContext, host:VirtualHost, dest:TopicDTO):Boolean
-
-
-  def can_admin(ctx:SecurityContext, host:VirtualHost, dest:TopicDTO):Boolean
-
-  def can_monitor(ctx:SecurityContext, host:VirtualHost, dest:TopicDTO):Boolean
-
-  /**
-   * @returns true if the user is allowed to receive from the destination
-   */
-  def can_receive_from(ctx:SecurityContext, host:VirtualHost, dest:TopicDTO):Boolean
-
-  /**
-   * @returns true if the user is allowed to create the destination
-   */
-  def can_create(ctx:SecurityContext, host:VirtualHost, dest:TopicDTO):Boolean
-
-  /**
-   * @returns true if the user is allowed to destroy the destination
-   */
-  def can_destroy(ctx:SecurityContext, host:VirtualHost, dest:TopicDTO):Boolean
-
-
-  def can_admin(ctx:SecurityContext, host:VirtualHost, dest:QueueDTO):Boolean
-
-  def can_monitor(ctx:SecurityContext, host:VirtualHost, dest:QueueDTO):Boolean
-
-  /**
-   * @returns true if the user is allowed to send to the queue
-   */
-  def can_send_to(ctx:SecurityContext, host:VirtualHost, queue:QueueDTO):Boolean
-
-  /**
-   * @returns true if the user is allowed to receive from the queue
-   */
-  def can_receive_from(ctx:SecurityContext, host:VirtualHost, queue:QueueDTO):Boolean
-
-  /**
-   * @returns true if the user is allowed to consume from the queue
-   */
-  def can_consume_from(ctx:SecurityContext, host:VirtualHost, queue:QueueDTO):Boolean
+object Authorizer {
 
-  /**
-   * @returns true if the user is allowed to create the queue
-   */
-  def can_create(ctx:SecurityContext, host:VirtualHost, queue:QueueDTO):Boolean
+  val version_counter = new AtomicLong()
 
-  /**
-   * @returns true if the user is allowed to destroy the queue
-   */
-  def can_destroy(ctx:SecurityContext, host:VirtualHost, queue:QueueDTO):Boolean
+  def apply():Authorizer = new Authorizer() {
+    def can(ctx: SecurityContext, action: String, resource: SecuredResource) = true
+  }
+
+  def apply(config:Seq[AccessRuleDTO], default_principal_kinds:Set[String]):Authorizer = {
+    new RulesAuthorizer(version_counter.incrementAndGet(), config.map(ResourceMatcher(_, default_principal_kinds)))
+  }
+
+  case class ResourceMatcher(rule:AccessRuleDTO, default_principal_kinds:Set[String]) {
+
+    var resource_matchers = List[(SecuredResource)=>Boolean]()
+
+    for(id_regex <- Option(rule.id_regex)) {
+      val reg_ex = Pattern.compile(id_regex)
+      resource_matchers ::= ((resource:SecuredResource) => {
+        reg_ex.matcher(resource.id).matches()
+      })
+    }
+
+    Option(rule.id).getOrElse("*") match {
+      case "*" =>
+      case id =>
+        if(rule.kind == "queue" || rule.kind == "topic") {
+          val filter = LocalRouter.destination_parser.decode_filter(id)
+          resource_matchers ::= ((resource:SecuredResource) => {
+            filter.matches(LocalRouter.destination_parser.decode_path(resource.id))
+          })
+        } else {
+          resource_matchers ::= ((resource:SecuredResource) => {
+            resource.id == id
+          })
+        }
+    }
+
+    Option(rule.kind).map(_.trim().toLowerCase).getOrElse("*") match {
+      case "*" =>
+      case kind =>
+        val kinds = (kind.split(",").map(_.trim()).map{ v=>
+          val kind:ResourceKind = v match {
+            case "broker"=>BrokerKind
+            case "virtual-host"=>VirtualHostKind
+            case "connector"=>ConnectorKind
+            case "queue"=>QueueKind
+            case "topic"=>TopicKind
+            case "dsub"=>DurableSubKind
+            case _ => OtherKind
+          }
+          kind
+        }).toSet
+        resource_matchers ::= ((resource:SecuredResource) => {
+          kinds.contains(resource.resource_kind)
+        })
+    }
+
+    def resource_matches(resource:SecuredResource):Boolean = {
+      // Looking for a matcher that does not match so we can
+      // fail the match quickly.
+      !resource_matchers.find(_(resource)==false).isDefined
+    }
+
+    var action_matchers = List[(String, SecurityContext)=>Boolean]()
+
+    val principal_kinds = Option(rule.principal_kind).map(_.trim().toLowerCase).getOrElse(null) match {
+      case null => Some(default_principal_kinds)
+      case "*" => None
+      case principal_kind => Some(principal_kind.split(",").map(_.trim()).toSet)
+    }
+
+    Option(rule.principal).map(_.trim().toLowerCase).getOrElse("+") match {
+      case "*" =>
+      case "+" =>
+        // user has to have at least one of the principle kinds
+        action_matchers ::= ((action:String, ctx:SecurityContext) => {
+          principal_kinds match {
+            case Some(principal_kinds)=>
+              ctx.principles.find(p=> principal_kinds.contains(p.getClass.getName) ).isDefined
+            case None =>
+              !ctx.principles.isEmpty
+          }
+        })
+
+      case principal =>
+        val principals = if(rule.separator!=null) {
+          principal.split(Pattern.quote(rule.separator)).map(_.trim()).toSet
+        } else {
+          Set(principal)
+        }
+        action_matchers ::= ((action:String, ctx:SecurityContext) => {
+          principal_kinds match {
+            case Some(principal_kinds)=>
+              ctx.principles.find{ p=>
+                val km = principal_kinds.contains(p.getClass.getName)
+                val nm = principals.contains(p.getName)
+                km && nm
+              }.isDefined
+            case None =>
+              ctx.principles.find(p=> principals.contains(p.getName) ).isDefined
+          }
+        })
+    }
+
+    Option(rule.action).map(_.trim().toLowerCase).getOrElse("*") match {
+      case "*" =>
+      case action =>
+        val actions = Set(action.split(",").map(_.trim()): _* )
+        action_matchers ::= ((action:String, ctx:SecurityContext) => {
+          actions.contains(action)
+        })
+    }
+
+    val deny = Option(rule.deny).map(_.booleanValue()).getOrElse(false)
+
+    def action_matches(action:String, ctx:SecurityContext):Option[Boolean] = {
+      for(matcher <- action_matchers) {
+        if ( !matcher(action, ctx) ) {
+          return None
+        }
+      }
+      return Some(!deny)
+    }
+  }
+
+  case class RulesAuthorizer(version:Long, config:Seq[ResourceMatcher]) extends Authorizer {
+
+    def can(ctx:SecurityContext, action:String, resource:SecuredResource):Boolean = {
+      if (ctx==null) {
+        return true;
+      }
+
+      // we may need to rebuild the security rules cache.
+      var cache = resource.rules_cache
+      if( cache==null || cache.version != version ) {
+        // We cache the list of rules which match this resource so that
+        // future access checks don't have to process the whole list.
+        cache = SecurityRules(version, build_rules(resource))
+        resource.rules_cache = cache
+      }
+
+      // Now we process the rules that are specific to the resource.
+      for( rule <- cache.rules ) {
+        rule(action, ctx) match {
+          case Some(allow)=>
+            // First rule match controls if we allow or reject access.
+            return allow;
+          case None=>
+        }
+      }
+
+      // If no rules matched, then reject access.
+      return false;
+    }
+    def build_rules(resource:SecuredResource):Seq[(String,SecurityContext)=>Option[Boolean]] = {
+      config.flatMap{rule=>
+        if(rule.resource_matches(resource))
+          Some(rule.action_matches _)
+        else
+          None
+      }
+    }
+  }
+}
 
-}
\ No newline at end of file
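Review bot: The principal value is lowercased in `Option(rule.principal).map(_.trim().toLowerCase)` but the matchers below compare it exactly against `p.getName` via `principals.contains(p.getName)`, so a rule written for a mixed-case JAAS principal such as `Admin` can never match; for an allow rule that fails closed, but a `deny="true"` rule is silently ineffective. Since the `"*"` and `"+"` sentinels are unaffected by case, the fix is to stop lowercasing the name: `Option(rule.principal).map(_.trim()).getOrElse("+") match {` (or lowercase both sides if case-insensitive matching is intended). Separately, `RulesAuthorizer.can` returns `true` when `ctx == null`, which bypasses every deny rule; if that is deliberate for internal callers a comment saying so is needed, otherwise it should fall through to the default-deny path at the end of the method. The ASF license header was also dropped from this file in the rewrite and should be restored.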

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/JaasAuthenticator.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/JaasAuthenticator.scala?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/JaasAuthenticator.scala (original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/JaasAuthenticator.scala Sat Aug 27 13:13:56 2011
@@ -27,7 +27,7 @@ import javax.security.auth.callback.Unsu
 import org.apache.activemq.jaas._
 import org.apache.activemq.apollo.broker.Broker.BLOCKABLE_THREAD_POOL
 import org.fusesource.hawtdispatch._
-import org.apache.activemq.apollo.dto.{PrincipalDTO, AuthenticationDTO}
+import org.apache.activemq.apollo.dto.AuthenticationDTO
 import org.apache.activemq.apollo.util.Log
 import collection.JavaConversions._
 
@@ -55,6 +55,7 @@ class JaasAuthenticator(val config: Auth
 
   val jass_realm = Option(config.domain).getOrElse("apollo")
   val user_principal_kinds = config.user_principal_kinds()
+  val acl_principal_kinds = config.acl_principal_kinds().toSet
 
   /*
    * The 'BLOCKABLE_THREAD_POOL ! { ... }' magic makes the code block

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala (original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala Sat Aug 27 13:13:56 2011
@@ -22,7 +22,6 @@ import javax.security.auth.Subject
 import java.security.cert.X509Certificate
 import org.apache.activemq.apollo.util.OptionSupport._
 import org.apache.activemq.jaas.{GroupPrincipal, UserPrincipal}
-import org.apache.activemq.apollo.dto.PrincipalDTO
 import javax.security.auth.login.LoginContext
 import java.net.SocketAddress
 
@@ -42,94 +41,31 @@ class SecurityContext {
   var login_context:LoginContext = _
   var connection_id:Option[Long] = None
 
-  private var _principles = Set[PrincipalDTO]()
   private var _subject:Subject = _
 
   def subject = _subject
 
+  private var _principles = Set[Principal]()
+  def principles = _principles
+
   def subject_= (value:Subject) {
     _subject = value
-    _principles = Set[PrincipalDTO]()
+    _principles = Set()
     if( value!=null ) {
       import collection.JavaConversions._
-      value.getPrincipals.foreach { x=>
-        _principles += new PrincipalDTO(x.getName, x.getClass.getName)
-      }
+      _principles = value.getPrincipals.toSet
     }
   }
 
-  def principles = _principles
-
-  def principles(kind:String) = {
+  def principles(kind:String):Set[Principal] = {
     kind match {
       case "+"=>
-        _principles
+        principles
       case "*"=>
-        _principles
+        principles
       case kind=>
-        _principles.filter(_.kind == kind)
+        principles.filter(_.getClass.getName == kind)
     }
   }
 
-  def is_allowed(acl:List[PrincipalDTO], default_kinds:List[String]):Boolean = {
-
-    def kind_matches(kind:String):Boolean = {
-      kind match {
-        case null=>
-          return !_principles.map(_.kind).intersect(default_kinds.toSet).isEmpty
-        case "+"=>
-          return !_principles.isEmpty
-        case "*"=>
-          return true;
-        case kind=>
-          return _principles.map(_.kind).contains(kind)
-      }
-    }
-
-    def principal_matches(p:PrincipalDTO):Boolean = {
-      p.kind match {
-        case null=>
-          default_kinds.foreach { kind=>
-            if( _principles.contains(new PrincipalDTO(p.allow, kind)) ) {
-              return true;
-            }
-          }
-          return false;
-        case "+"=>
-          return _principles.map(_.allow).contains(p.allow)
-        case "*"=>
-          return _principles.map(_.allow).contains(p.allow)
-        case kind=>
-          return _principles.contains(p)
-      }
-    }
-
-    acl.foreach { p =>
-      p.deny match {
-        case null =>
-        case "*"=>
-          return false;
-        case "+"=>
-          return !kind_matches(p.kind)
-        case id =>
-          if( principal_matches(new PrincipalDTO(id, p.kind)) ) {
-            return false;
-          }
-      }
-      p.allow match {
-        case null =>
-        case "*"=>
-          return true;
-        case "+"=>
-          return kind_matches(p.kind)
-        case id =>
-          if( principal_matches(new PrincipalDTO(id, p.kind)) ) {
-            return true
-          }
-      }
-    }
-    return false
-  }
-
-
 }
\ No newline at end of file
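Review bot: `principles(kind)` returns the full principal set for both `"+"` and `"*"`, so the two sentinels are indistinguishable here, while the `"+"` versus `"*"` distinction (at least one principal required or not) is now implemented in `Authorizer.ResourceMatcher`; a comment on the method such as `// "+" and "*" both return every principal; the "at least one principal" semantics of "+" are enforced by the Authorizer` would prevent callers from relying on this helper for that check. The new `Set[Principal]` signature needs `java.security.Principal` in scope, and the import hunk above does not show it being added, so confirm it is imported elsewhere in the file. Also, `_principles = value.getPrincipals.toSet` takes a snapshot of the subject's principals at assignment time; a note that later changes to the `Subject` are not reflected here would help, if that is the intended behaviour.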

Modified: activemq/activemq-apollo/trunk/apollo-dto/pom.xml
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/pom.xml?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-dto/pom.xml (original)
+++ activemq/activemq-apollo/trunk/apollo-dto/pom.xml Sat Aug 27 13:13:56 2011
@@ -108,7 +108,7 @@
                   <classpath refid="maven.compile.classpath" />
                 </taskdef>
                 <mkdir dir="${project.build.directory}/schema/org/apache/activemq/apollo/dto" />
-                <schemagen srcdir="${basedir}/.." destdir="${project.build.directory}/schema/org/apache/activemq/apollo/dto">
+                <schemagen srcdir="${basedir}/.." destdir="${project.build.directory}/schema/org/apache/activemq/apollo/dto" includeantruntime="false">
                   <schema namespace="http://activemq.apache.org/schema/activemq/apollo" file="apollo.xsd" />
                   <classpath refid="maven.compile.classpath" />
                   <include name="**/package-info.java" />

Added: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/AccessRuleDTO.java
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/AccessRuleDTO.java?rev=1162343&view=auto
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/AccessRuleDTO.java (added)
+++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/AccessRuleDTO.java Sat Aug 27 13:13:56 2011
@@ -0,0 +1,124 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.apollo.dto;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlRootElement;
+
+/**
+ * <p>
+ * </p>
+ *
+ * @author <a href="http://hiramchirino.com">Hiram Chirino</a>
+ */
+@XmlRootElement(name="access_rule")
+@XmlAccessorType(XmlAccessType.FIELD)
+public class AccessRuleDTO {
+
+    /**
+     * Is this a negative rule which denies access.  If not set, defaults to false.
+     */
+    @XmlAttribute
+    public Boolean deny;
+
+    /**
+     * The class name of the JAAS principle that this rule will mach against.  If not set
+     * the this defaults to the default principal kinds configured on the broker or virtual host.
+     * If set to "*" then it matches all principal classes.
+     */
+    @XmlAttribute(name = "principal_kind")
+    public String principal_kind;
+
+    /**
+     * The principal which we are matching against.  If set to "+" then it matches all principals
+     * but requires at at least one.  If set to "*" the it matches all principals and even matches
+     * the case where there are no principals associated with the subject.
+     *
+     * Defaults to "+" if not set.
+     */
+    @XmlAttribute
+    public String principal;
+
+    /**
+     * If the separator is set, then the principal field will be interpreted as a list of
+     * principles separated by the configured value.
+     */
+    @XmlAttribute
+    public String separator;
+
+    /**
+     * The comma separated list of actions which match this rule.  Example 'create,destroy'.  You can use "*" to
+     * match all actions.  Defaults to "*".
+     */
+    @XmlAttribute
+    public String action;
+
+    /**
+     * The kind of broker resource which matches this rule.  You can use "*" to match all types.  If not set
+     * it defaults to "*"
+     */
+    @XmlAttribute
+    public String kind;
+
+    /**
+     * The identifier of the resource which matches this rule.  You can use "*" to match all resources.  If not set
+     * it defaults to "*"
+     */
+    @XmlAttribute
+    public String id;
+
+    /**
+     * A regular expression used to match the id of the resource.
+     */
+    @XmlAttribute(name = "id_regex")
+    public String id_regex;
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (!(o instanceof AccessRuleDTO)) return false;
+
+        AccessRuleDTO that = (AccessRuleDTO) o;
+
+        if (action != null ? !action.equals(that.action) : that.action != null) return false;
+        if (deny != null ? !deny.equals(that.deny) : that.deny != null) return false;
+        if (id != null ? !id.equals(that.id) : that.id != null) return false;
+        if (id_regex != null ? !id_regex.equals(that.id_regex) : that.id_regex != null) return false;
+        if (kind != null ? !kind.equals(that.kind) : that.kind != null) return false;
+        if (principal != null ? !principal.equals(that.principal) : that.principal != null) return false;
+        if (principal_kind != null ? !principal_kind.equals(that.principal_kind) : that.principal_kind != null)
+            return false;
+        if (separator != null ? !separator.equals(that.separator) : that.separator != null) return false;
+
+        return true;
+    }
+
+    @Override
+    public int hashCode() {
+        int result = deny != null ? deny.hashCode() : 0;
+        result = 31 * result + (principal_kind != null ? principal_kind.hashCode() : 0);
+        result = 31 * result + (principal != null ? principal.hashCode() : 0);
+        result = 31 * result + (separator != null ? separator.hashCode() : 0);
+        result = 31 * result + (action != null ? action.hashCode() : 0);
+        result = 31 * result + (kind != null ? kind.hashCode() : 0);
+        result = 31 * result + (id != null ? id.hashCode() : 0);
+        result = 31 * result + (id_regex != null ? id_regex.hashCode() : 0);
+        return result;
+    }
+}
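Review bot: The class Javadoc is empty and several field comments carry typos (`principle` → `principal`, `mach` → `match`, `the this defaults` → `this defaults`, `at at least` → `at least`, `the it matches` → `it matches`). Because this DTO is the operator-facing definition of the broker's authorization policy, the class comment should also state the evaluation semantics the authorizer applies to these rules: rules are checked in configuration order, the first rule whose principal, action, kind and id all match decides the outcome (allow unless `deny="true"`), and a subject matching no rule is denied. The `id` comment should add that for `kind="queue"` or `kind="topic"` the value is a destination wildcard filter whereas for other kinds it is an exact string match, and the `id_regex` comment that the expression must match the entire id rather than a substring.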

Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerDTO.java
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerDTO.java?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerDTO.java (original)
+++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerDTO.java Sat Aug 27 13:13:56 2011
@@ -61,8 +61,8 @@ public class BrokerDTO {
     @XmlElementRef
     public KeyStorageDTO key_storage;
 
-    @XmlElement(name="acl")
-    public BrokerAclDTO acl;
+    @XmlElement(name="access_rule")
+    public List<AccessRuleDTO> access_rules = new ArrayList<AccessRuleDTO>();
 
     @XmlElement(name="web_admin")
     public List<WebAdminDTO> web_admins = new ArrayList<WebAdminDTO>();
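Review bot: Replacing the `acl` element with `access_rule` means an existing configuration that still carries `<acl>` is no longer mapped onto any field; with `@XmlAnyElement(lax=true) other` declared further down, it will likely be collected there unnoticed and the broker starts with no access rules at all, which is a silent loss of authorization. Unless the `validation` setting already rejects unknown elements at startup, consider keeping `acl` as a `@Deprecated` field whose presence fails startup or logs a prominent warning pointing to `access_rule`. A short Javadoc on `access_rules` stating that rules are evaluated in order with the first match deciding, and that a subject matching no rule is denied, would also help operators writing this list.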
@@ -80,10 +80,6 @@ public class BrokerDTO {
     @XmlElement(name="service")
     public List<CustomServiceDTO> services = new ArrayList<CustomServiceDTO>();
 
-    @Deprecated
-    @XmlAttribute(name="sticky_dispatching")
-    public Boolean sticky_dispatching;
-
     /**
      * If set to strict, then the broker will not start up if there
      * are any validation errors in the configuration file.
@@ -97,6 +93,7 @@ public class BrokerDTO {
     @XmlAnyElement(lax=true)
     public List<Object> other = new ArrayList<Object>();
 
+
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;
@@ -104,7 +101,8 @@ public class BrokerDTO {
 
         BrokerDTO brokerDTO = (BrokerDTO) o;
 
-        if (acl != null ? !acl.equals(brokerDTO.acl) : brokerDTO.acl != null) return false;
+        if (access_rules != null ? !access_rules.equals(brokerDTO.access_rules) : brokerDTO.access_rules != null)
+            return false;
         if (authentication != null ? !authentication.equals(brokerDTO.authentication) : brokerDTO.authentication != null)
             return false;
         if (client_address != null ? !client_address.equals(brokerDTO.client_address) : brokerDTO.client_address != null)
@@ -117,8 +115,6 @@ public class BrokerDTO {
         if (notes != null ? !notes.equals(brokerDTO.notes) : brokerDTO.notes != null) return false;
         if (other != null ? !other.equals(brokerDTO.other) : brokerDTO.other != null) return false;
         if (services != null ? !services.equals(brokerDTO.services) : brokerDTO.services != null) return false;
-        if (sticky_dispatching != null ? !sticky_dispatching.equals(brokerDTO.sticky_dispatching) : brokerDTO.sticky_dispatching != null)
-            return false;
         if (validation != null ? !validation.equals(brokerDTO.validation) : brokerDTO.validation != null) return false;
         if (virtual_hosts != null ? !virtual_hosts.equals(brokerDTO.virtual_hosts) : brokerDTO.virtual_hosts != null)
             return false;
@@ -134,14 +130,14 @@ public class BrokerDTO {
         result = 31 * result + (connectors != null ? connectors.hashCode() : 0);
         result = 31 * result + (client_address != null ? client_address.hashCode() : 0);
         result = 31 * result + (key_storage != null ? key_storage.hashCode() : 0);
-        result = 31 * result + (acl != null ? acl.hashCode() : 0);
+        result = 31 * result + (access_rules != null ? access_rules.hashCode() : 0);
         result = 31 * result + (web_admins != null ? web_admins.hashCode() : 0);
         result = 31 * result + (authentication != null ? authentication.hashCode() : 0);
         result = 31 * result + (log_category != null ? log_category.hashCode() : 0);
         result = 31 * result + (services != null ? services.hashCode() : 0);
-        result = 31 * result + (sticky_dispatching != null ? sticky_dispatching.hashCode() : 0);
         result = 31 * result + (validation != null ? validation.hashCode() : 0);
         result = 31 * result + (other != null ? other.hashCode() : 0);
         return result;
     }
-}
+
+}
\ No newline at end of file

Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorTypeDTO.java
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorTypeDTO.java?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorTypeDTO.java (original)
+++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorTypeDTO.java Sat Aug 27 13:13:56 2011
@@ -23,51 +23,42 @@ import java.util.ArrayList;
 import java.util.List;
 
 /**
- *
- * 
- *
  * @author <a href="http://hiramchirino.com">Hiram Chirino</a>
  */
-@XmlType (name = "connector_type")
+@XmlType(name = "connector_type")
 @XmlAccessorType(XmlAccessType.FIELD)
-@JsonTypeInfo(use=JsonTypeInfo.Id.CLASS, include=JsonTypeInfo.As.PROPERTY, property="@class")
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class")
 abstract public class ConnectorTypeDTO extends ServiceDTO {
 
-  @XmlElement(name="acl")
-  public ConnectorAclDTO acl;
+    @XmlAttribute(name = "connection_limit")
+    public Integer connection_limit;
 
-  @XmlAttribute(name="connection_limit")
-  public Integer connection_limit;
+    /**
+     * To hold any other non-matching XML elements
+     */
+    @XmlAnyElement(lax = true)
+    public List<Object> other = new ArrayList<Object>();
 
-//  /**
-//   * To hold any other non-matching XML elements
-//   */
-//  @XmlAnyElement(lax=true)
-//  public List<Object> other = new ArrayList<Object>();
-//
-//  @Override
-//  public boolean equals(Object o) {
-//    if (this == o) return true;
-//    if (!(o instanceof ConnectorTypeDTO)) return false;
-//    if (!super.equals(o)) return false;
-//
-//    ConnectorTypeDTO that = (ConnectorTypeDTO) o;
-//
-//    if (acl != null ? !acl.equals(that.acl) : that.acl != null) return false;
-//    if (connection_limit != null ? !connection_limit.equals(that.connection_limit) : that.connection_limit != null)
-//      return false;
-//    if (other != null ? !other.equals(that.other) : that.other != null)
-//      return false;
-//
-//    return true;
-//  }
-//
-//  @Override
-//  public int hashCode() {
-//    int result = super.hashCode();
-//    result = 31 * result + (acl != null ? acl.hashCode() : 0);
-//    result = 31 * result + (connection_limit != null ? connection_limit.hashCode() : 0);
-//    result = 31 * result + (other != null ? other.hashCode() : 0);
-//    return result;
-//  }
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (!(o instanceof ConnectorTypeDTO)) return false;
+        if (!super.equals(o)) return false;
+
+        ConnectorTypeDTO that = (ConnectorTypeDTO) o;
+
+        if (connection_limit != null ? !connection_limit.equals(that.connection_limit) : that.connection_limit != null)
+            return false;
+        if (other != null ? !other.equals(that.other) : that.other != null) return false;
+
+        return true;
+    }
+
+    @Override
+    public int hashCode() {
+        int result = super.hashCode();
+        result = 31 * result + (connection_limit != null ? connection_limit.hashCode() : 0);
+        result = 31 * result + (other != null ? other.hashCode() : 0);
+        return result;
+    }
 }
\ No newline at end of file
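Review bot: With the `acl` field gone, a connector configuration that still carries an `<acl>` element is no longer an error: `@XmlAnyElement(lax = true)` collects it into `other` and the restriction it used to express is silently dropped. The same applies to the `acl` fields removed from QueueDTO, TopicDTO and VirtualHostDTO in this commit, and the fixture XmlCodecTest.xml still contains `<acl/>` under `<virtual_host>`. Unless the broker's strict validation mode already rejects unknown elements, it would be safer for this release to refuse to start, or at least warn, when `other` contains an `acl` element. `connection_limit` also lacks the Javadoc the neighbouring field has, e.g. `/** Maximum number of concurrent connections this connector accepts; confirm whether unset means unlimited. */`.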

Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java (original)
+++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java Sat Aug 27 13:13:56 2011
@@ -24,49 +24,39 @@ import javax.xml.bind.annotation.*;
  *
  * @author <a href="http://hiramchirino.com">Hiram Chirino</a>
  */
+@XmlRootElement(name="principal")
 @XmlAccessorType(XmlAccessType.FIELD)
 public class PrincipalDTO {
 
     @XmlAttribute
-    public String allow;
-
-    @XmlAttribute
-    public String deny;
+    public String name;
 
     @XmlAttribute
     public String kind;
 
-
     public PrincipalDTO() {
     }
-
-    public PrincipalDTO(String allow) {
-        this.allow = allow;
-    }
-
-    public PrincipalDTO(String allow, String kind) {
-        this.allow = allow;
+    public PrincipalDTO(String kind, String name) {
         this.kind = kind;
+        this.name = name;
     }
 
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;
-        if (o == null || getClass() != o.getClass()) return false;
+        if (!(o instanceof PrincipalDTO)) return false;
 
         PrincipalDTO that = (PrincipalDTO) o;
 
-        if (allow != null ? !allow.equals(that.allow) : that.allow != null) return false;
-        if (deny != null ? !deny.equals(that.deny) : that.deny != null) return false;
         if (kind != null ? !kind.equals(that.kind) : that.kind != null) return false;
+        if (name != null ? !name.equals(that.name) : that.name != null) return false;
 
         return true;
     }
 
     @Override
     public int hashCode() {
-        int result = allow != null ? allow.hashCode() : 0;
-        result = 31 * result + (deny != null ? deny.hashCode() : 0);
+        int result = name != null ? name.hashCode() : 0;
         result = 31 * result + (kind != null ? kind.hashCode() : 0);
         return result;
     }
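Review bot: The two-argument constructor now takes `(kind, name)` where the removed one took `(allow, kind)`; both parameters are `String`, so a caller that was not updated still compiles with the two values swapped, and every call site needs checking rather than trusting the compiler. A Javadoc on the constructor would make the order explicit, e.g. `@param kind fully qualified class name of the principal (e.g. a JAAS GroupPrincipal)` and `@param name the principal's name`. Switching `equals` from `getClass()` to `instanceof` also makes it asymmetric should a subclass ever add fields.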

Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueDTO.java
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueDTO.java?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueDTO.java (original)
+++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueDTO.java Sat Aug 27 13:13:56 2011
@@ -83,9 +83,6 @@ public class QueueDTO extends StringIdDT
     @XmlAttribute(name="swap_range_size")
     public Integer swap_range_size;
 
-    @XmlElement(name="acl")
-    public QueueAclDTO acl;
-
     /**
      * The maximum amount of disk space the queue is allowed
      * to grow to.  If not set then there is no limit.  You can
@@ -108,7 +105,6 @@ public class QueueDTO extends StringIdDT
 
         QueueDTO queueDTO = (QueueDTO) o;
 
-        if (acl != null ? !acl.equals(queueDTO.acl) : queueDTO.acl != null) return false;
         if (auto_delete_after != null ? !auto_delete_after.equals(queueDTO.auto_delete_after) : queueDTO.auto_delete_after != null)
             return false;
         if (consumer_buffer != null ? !consumer_buffer.equals(queueDTO.consumer_buffer) : queueDTO.consumer_buffer != null)
@@ -135,7 +131,6 @@ public class QueueDTO extends StringIdDT
         result = 31 * result + (persistent != null ? persistent.hashCode() : 0);
         result = 31 * result + (swap != null ? swap.hashCode() : 0);
         result = 31 * result + (swap_range_size != null ? swap_range_size.hashCode() : 0);
-        result = 31 * result + (acl != null ? acl.hashCode() : 0);
         result = 31 * result + (other != null ? other.hashCode() : 0);
         return result;
     }

Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/TopicDTO.java
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/TopicDTO.java?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/TopicDTO.java (original)
+++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/TopicDTO.java Sat Aug 27 13:13:56 2011
@@ -43,9 +43,6 @@ public class TopicDTO extends StringIdDT
     @XmlAttribute(name="slow_consumer_policy")
     public String slow_consumer_policy;
 
-    @XmlElement(name="acl")
-    public TopicAclDTO acl;
-
     /**
      * To hold any other non-matching XML elements
      */
@@ -60,7 +57,6 @@ public class TopicDTO extends StringIdDT
 
         TopicDTO topicDTO = (TopicDTO) o;
 
-        if (acl != null ? !acl.equals(topicDTO.acl) : topicDTO.acl != null) return false;
         if (auto_delete_after != null ? !auto_delete_after.equals(topicDTO.auto_delete_after) : topicDTO.auto_delete_after != null)
             return false;
         if (other != null ? !other.equals(topicDTO.other) : topicDTO.other != null) return false;
@@ -75,7 +71,6 @@ public class TopicDTO extends StringIdDT
         int result = super.hashCode();
         result = 31 * result + (auto_delete_after != null ? auto_delete_after.hashCode() : 0);
         result = 31 * result + (slow_consumer_policy != null ? slow_consumer_policy.hashCode() : 0);
-        result = 31 * result + (acl != null ? acl.hashCode() : 0);
         result = 31 * result + (other != null ? other.hashCode() : 0);
         return result;
     }

Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostDTO.java
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostDTO.java?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostDTO.java (original)
+++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostDTO.java Sat Aug 27 13:13:56 2011
@@ -50,6 +50,9 @@ public class VirtualHostDTO extends Serv
     @XmlAttribute(name="purge_on_startup")
     public Boolean purge_on_startup;
 
+    @XmlElement(name="access_rule")
+    public List<AccessRuleDTO> access_rules = new ArrayList<AccessRuleDTO>();
+
     /**
      * Holds the configuration for the destinations.
      */
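Review bot: The new `access_rules` field has no Javadoc, unlike the neighbouring fields, and the mismatch between the element name `access_rule` and the field name `access_rules` is worth stating. Suggest `/** Access rules for this virtual host; each <access_rule> element grants a principal one or more actions, optionally limited to a destination kind. Document whether an empty list means deny-all or allow-all. */` — the default for the empty case is not visible in this diff and is the part a security reviewer will ask about.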
@@ -74,9 +77,6 @@ public class VirtualHostDTO extends Serv
     @XmlAttribute(name="regroup_connections")
     public Boolean regroup_connections;
 
-    @XmlElement(name="acl")
-    public VirtualHostAclDTO acl;
-
     @XmlElement(name="authentication")
     public AuthenticationDTO authentication;
 
@@ -89,6 +89,7 @@ public class VirtualHostDTO extends Serv
     @XmlAnyElement(lax=true)
     public List<Object> other = new ArrayList<Object>();
 
+
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;
@@ -97,7 +98,7 @@ public class VirtualHostDTO extends Serv
 
         VirtualHostDTO that = (VirtualHostDTO) o;
 
-        if (acl != null ? !acl.equals(that.acl) : that.acl != null) return false;
+        if (access_rules != null ? !access_rules.equals(that.access_rules) : that.access_rules != null) return false;
         if (authentication != null ? !authentication.equals(that.authentication) : that.authentication != null)
             return false;
         if (auto_create_destinations != null ? !auto_create_destinations.equals(that.auto_create_destinations) : that.auto_create_destinations != null)
@@ -124,11 +125,11 @@ public class VirtualHostDTO extends Serv
         result = 31 * result + (store != null ? store.hashCode() : 0);
         result = 31 * result + (auto_create_destinations != null ? auto_create_destinations.hashCode() : 0);
         result = 31 * result + (purge_on_startup != null ? purge_on_startup.hashCode() : 0);
+        result = 31 * result + (access_rules != null ? access_rules.hashCode() : 0);
         result = 31 * result + (topics != null ? topics.hashCode() : 0);
         result = 31 * result + (queues != null ? queues.hashCode() : 0);
         result = 31 * result + (dsubs != null ? dsubs.hashCode() : 0);
         result = 31 * result + (regroup_connections != null ? regroup_connections.hashCode() : 0);
-        result = 31 * result + (acl != null ? acl.hashCode() : 0);
         result = 31 * result + (authentication != null ? authentication.hashCode() : 0);
         result = 31 * result + (log_category != null ? log_category.hashCode() : 0);
         result = 31 * result + (other != null ? other.hashCode() : 0);

Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/resources/org/apache/activemq/apollo/dto/jaxb.index
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/resources/org/apache/activemq/apollo/dto/jaxb.index?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-dto/src/main/resources/org/apache/activemq/apollo/dto/jaxb.index (original)
+++ activemq/activemq-apollo/trunk/apollo-dto/src/main/resources/org/apache/activemq/apollo/dto/jaxb.index Sat Aug 27 13:13:56 2011
@@ -14,38 +14,54 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # ------------------------------------------------------------------------
+AcceptingConnectorDTO
+AccessRuleDTO
+AddUserHeaderDTO
+AggregateConnectionMetricsDTO
+AggregateDestMetricsDTO
+AuthenticationDTO
 BrokerDTO
 BrokerStatusDTO
 ConnectionStatusDTO
-AcceptingConnectorDTO
 ConnectorStatusDTO
-TopicStatusDTO
+ConnectorTypeDTO
+CustomServiceDTO
+DataPageDTO
+DestMetricsDTO
+DestinationDTO
+DurableSubscriptionDTO
+DurableSubscriptionDestinationDTO
 EntryStatusDTO
 IntMetricDTO
+JvmMetricsDTO
+KeyStorageDTO
+LinkDTO
+LogCategoryDTO
 LongIdDTO
 LongIdLabeledDTO
 LongIdListDTO
+MemoryMetricsDTO
+NullStoreDTO
+PrincipalDTO
+ProtocolDTO
+QueueConsumerLinkDTO
+QueueDTO
+QueueDestinationDTO
 QueueStatusDTO
 ServiceDTO
 ServiceStatusDTO
+SimpleStoreStatusDTO
 StoreDTO
 StoreStatusDTO
 StringIdDTO
 StringIdLabeledDTO
 StringIdListDTO
+StringListDTO
 TimeMetricDTO
-VirtualHostDTO
-VirtualHostStatusDTO
-KeyStorageDTO
-SimpleStoreStatusDTO
-NullStoreDTO
-QueueDTO
 TopicDTO
-LinkDTO
-QueueConsumerLinkDTO
+TopicDestinationDTO
+TopicStatusDTO
 ValueDTO
-StringListDTO
-DataPageDTO
-AggregateDestMetricsDTO
-DestMetricsDTO
-AggregateConnectionMetricsDTO
\ No newline at end of file
+VirtualHostDTO
+VirtualHostStatusDTO
+WebAdminDTO
\ No newline at end of file

Modified: activemq/activemq-apollo/trunk/apollo-dto/src/test/java/org/apache/activemq/apollo/dto/XmlCodecTest.java
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/test/java/org/apache/activemq/apollo/dto/XmlCodecTest.java?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-dto/src/test/java/org/apache/activemq/apollo/dto/XmlCodecTest.java (original)
+++ activemq/activemq-apollo/trunk/apollo-dto/src/test/java/org/apache/activemq/apollo/dto/XmlCodecTest.java Sat Aug 27 13:13:56 2011
@@ -42,7 +42,6 @@ public class XmlCodecTest {
         assertEquals(1, dto.other.size());
 
         VirtualHostDTO host = dto.virtual_hosts.get(0);
-        assertNotNull(host.acl);
         assertEquals("vh-local", host.id);
         assertEquals("localhost", host.host_names.get(0));
         assertEquals("example.com", host.host_names.get(1));
@@ -51,11 +50,6 @@ public class XmlCodecTest {
         assertEquals("topic1", host.topics.get(0).id);
         assertEquals("durable_subscription1", host.dsubs.get(0).id);
 
-        assertNotNull(dto.acl);
-        assertTrue(dto.acl.admins.contains(new PrincipalDTO("hiram")));
-        assertTrue(dto.acl.admins.contains(new PrincipalDTO("james")));
-        assertTrue(dto.acl.admins.contains(new PrincipalDTO("admins", "org.apache.activemq.jaas.GroupPrincipal")));
-
         AcceptingConnectorDTO connector = (AcceptingConnectorDTO)dto.connectors.get(0);
         assertNotNull(connector);
 
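Review bot: The assertions on `dto.acl` are removed but nothing replaces them, so the three `<access_rule>` elements the updated fixture now places under `<broker>` are parsed without any check and the commit's new parsing path is untested here. At minimum assert the count, `assertEquals(3, dto.access_rules.size());`, and ideally the attributes of one rule (the field names of AccessRuleDTO are not visible in this diff). The enclosing test method starts and ends outside the hunk.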

Modified: activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml (original)
+++ activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml Sat Aug 27 13:13:56 2011
@@ -17,11 +17,9 @@
 -->
 <broker xmlns="http://activemq.apache.org/schema/activemq/apollo">
 
-  <acl>
-    <admin allow="hiram"/>
-    <admin allow="james"/>
-    <admin allow="admins" kind="org.apache.activemq.jaas.GroupPrincipal"/>
-  </acl>
+  <access_rule principal="hiram" action="admin"/>
+  <access_rule principal="james" action="admin"/>
+  <access_rule principal="admins" action="admin"/>
 
   <virtual_host id="vh-local">
     <acl/>
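Review bot: The group rule loses its principal type: the removed `<admin allow="admins" kind="org.apache.activemq.jaas.GroupPrincipal"/>` named a GroupPrincipal, whereas the new `<access_rule principal="admins" action="admin"/>` does not say what kind of principal `admins` is. Unless AccessRuleDTO matches any principal type by default, this either fails to match the group or matches a user named `admins` instead, so the fixture should use whichever attribute AccessRuleDTO provides for the principal's type. The `<acl/>` left under `<virtual_host>` on the last context line no longer corresponds to any field and should be dropped from the fixture.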

Modified: activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala (original)
+++ activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala Sat Aug 27 13:13:56 2011
@@ -437,7 +437,7 @@ class OpenwireProtocolHandler extends Pr
           if( !host.authenticator.authenticate(security_context) ) {
             async_die("Authentication failed.", info)
             noop
-          } else if( !host.authorizer.can_connect_to(security_context, host, connection.connector) ) {
+          } else if( !host.authorizer.can(security_context, "connect", connection.connector) ) {
             async_die("Connect not authorized.", info)
             noop
           } else {
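Review bot: The action is now the bare string literal `"connect"`, so a misspelling at any call site compiles and silently changes which rule is consulted; the same literal appears in the StompProtocolHandler hunk at line 834. Defining the action names once, e.g. a constant on the authorizer such as `val CONNECT = "connect"`, and using it at both call sites would keep the rule strings and the checks in step. A test that an unknown action string is denied rather than ignored would close the remaining gap.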

Modified: activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala (original)
+++ activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala Sat Aug 27 13:13:56 2011
@@ -834,7 +834,7 @@ class StompProtocolHandler extends Proto
             }
             async_die(msg)
             noop // to make the cps compiler plugin happy.
-          } else if( !host.authorizer.can_connect_to(security_context, host, connection.connector) ) {
+          } else if( !host.authorizer.can(security_context, "connect", connection.connector) ) {
 
             var msg = if( security_context.user==null ) {
               "Connect not authorized."
@@ -964,9 +964,9 @@ class StompProtocolHandler extends Proto
           if( !matches.isEmpty ) {
             h.separator match {
               case null=>
-                rc ::= (encode_header(h.name.trim), encode_header(matches.head.allow))
+                rc ::= (encode_header(h.name.trim), encode_header(matches.head.getName))
               case separator =>
-                rc ::= (encode_header(h.name.trim), encode_header(matches.map(_.allow).mkString(separator)))
+                rc ::= (encode_header(h.name.trim), encode_header(matches.map(_.getName).mkString(separator)))
             }
           }
         }

Modified: activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml (original)
+++ activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml Sat Aug 27 13:13:56 2011
@@ -22,39 +22,21 @@
   <virtual_host id="default" purge_on_startup="true">
     <host_name>localhost</host_name>
 
-    <acl>
-      <connect allow="connect_group"/>
-    </acl>
-
-    <!-- queue security -->
-    <queue name="**" kind="ptp">
-      <acl>
-        <create  allow="can_send_create_queue"/>
-        <send    allow="can_send_create_queue"/>
-        <send    allow="can_send_queue"/>
-        <receive allow="can_receive_queue"/>
-        <consume allow="can_consume_queue"/>
-      </acl>
-    </queue>
-
-    <!-- topic security -->
-    <destination name="**">
-      <acl>
-        <create  allow="can_send_create_topic"/>
-        <send    allow="can_send_create_topic"/>
-        <send    allow="can_send_topic"/>
-        <receive allow="can_recieve_topic"/>
-      </acl>
-    </destination>
-
-    <!-- durable sub security -->
-    <queue name="**" kind="ds">
-      <acl>
-        <create  allow="can_consume_create_ds"/>
-        <consume allow="can_consume_create_ds"/>
-        <consume allow="can_consume_ds"/>
-      </acl>
-    </queue>
+    <access_rule principal="connect_group" action="connect"/>
+
+    <access_rule principal="can_send_create_queue" kind="queue" action="send,create"/>
+    <access_rule principal="can_send_queue"        kind="queue" action="send"/>
+    <access_rule principal="can_receive_queue"     kind="queue" action="receive"/>
+    <access_rule principal="can_consume_queue"     kind="queue" action="consume"/>
+
+    <access_rule principal="can_send_create_topic" kind="topic" action="send,create"/>
+    <access_rule principal="can_send_topic"        kind="topic" action="send"/>
+    <access_rule principal="can_recieve_topic"     kind="topic" action="receive"/>
+
+    <access_rule principal="can_consume_create_ds" kind="dsub" action="consume,create"/>
+    <access_rule principal="can_consume_ds"        kind="dsub" action="consume"/>
+    <access_rule principal="can_recieve_topic"     kind="dsub" action="receive"/>
+
   </virtual_host>
 
   <connector id="tcp" protocol="stomp" bind="tcp://0.0.0.0:0">
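Review bot: The last `dsub` rule, `<access_rule principal="can_recieve_topic" kind="dsub" action="receive"/>`, has no counterpart in the removed configuration — the old `kind="ds"` queue granted only create and consume — so it is a new permission rather than a translation of the old ACL, and if unintended it widens what the secure-broker tests accept. The misspelled principal `can_recieve_topic` is carried over from the old file and now appears on two lines; it is presumably referenced from the login configuration and test code, so a rename would need to be coordinated. Also worth confirming that a rule without a destination name (the old blocks were scoped to `name="**"`) really means every destination of that kind.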

Modified: activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml?rev=1162343&r1=1162342&r2=1162343&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml (original)
+++ activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml Sat Aug 27 13:13:56 2011
@@ -23,9 +23,7 @@
   <virtual_host id="default" purge_on_startup="true">
     <host_name>localhost</host_name>
 
-    <acl>
-      <connect allow="connect_group"/>
-    </acl>
+    <access_rule principal="connect_group" action="connect"/>
 
   </virtual_host>
 


