Subject: svn commit: r1162343 [1/2] - in /activemq/activemq-apollo/trunk: apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/ apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/ apollo-dto/ apollo-dto/src/main/java/org/apache/ac...
Date: Sat, 27 Aug 2011 13:13:57 -0000
To: commits@activemq.apache.org
From: chirino@apache.org
Message-Id: <20110827131359.53CF523889BB@eris.apache.org>

Author: chirino
Date: Sat Aug 27 13:13:56 2011
New Revision: 1162343

URL: http://svn.apache.org/viewvc?rev=1162343&view=rev
Log:
Fixes https://issues.apache.org/jira/browse/APLO-56 : Change to a terser configuration scheme for ACL definitions

Added:
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/AccessRuleDTO.java

Modified:
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Broker.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Connector.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/LocalRouter.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Queue.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Topic.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/VirtualHost.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authenticator.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/JaasAuthenticator.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
    activemq/activemq-apollo/trunk/apollo-dto/pom.xml
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerAclDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorAclDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorTypeDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueAclDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/TopicAclDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/TopicDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostAclDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostDTO.java
    activemq/activemq-apollo/trunk/apollo-dto/src/main/resources/org/apache/activemq/apollo/dto/jaxb.index
    activemq/activemq-apollo/trunk/apollo-dto/src/test/java/org/apache/activemq/apollo/dto/XmlCodecTest.java
    activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml
    activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala
    activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala
    activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml
    activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml
    activemq/activemq-apollo/trunk/apollo-web/src/main/scala/org/apache/activemq/apollo/web/resources/BrokerResource.scala
activemq/activemq-apollo/trunk/apollo-web/src/main/scala/org/apache/activemq/apollo/web/resources/Support.scala Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Broker.scala URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Broker.scala?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Broker.scala (original) +++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Broker.scala Sat Aug 27 13:13:56 2011 @@ -22,10 +22,9 @@ import org.fusesource.hawtdispatch._ import org.fusesource.hawtbuf._ import collection.JavaConversions import JavaConversions._ -import security.{AclAuthorizer, Authorizer, JaasAuthenticator, Authenticator} +import security._ import org.apache.activemq.apollo.broker.web._ import collection.mutable.{HashSet, LinkedHashMap, HashMap} -import scala.util.Random import org.apache.activemq.apollo.util._ import org.fusesource.hawtbuf.AsciiBuffer._ import CollectionsSupport._ @@ -35,8 +34,7 @@ import org.apache.activemq.apollo.dto._ import javax.management.ObjectName import org.fusesource.hawtdispatch.TaskTracker._ import java.util.concurrent.TimeUnit -import collection.mutable.ListBuffer._ - +import security.SecuredResource.BrokerKind /** *

* The BrokerFactory creates Broker objects from a URI. @@ -215,7 +213,7 @@ object Broker extends Log { * * @author Hiram Chirino */ -class Broker() extends BaseService { +class Broker() extends BaseService with SecuredResource { import Broker._ @@ -265,16 +263,9 @@ class Broker() extends BaseService { override def toString() = "broker: "+id var authenticator:Authenticator = _ - var authorizer:Authorizer = _ + var authorizer = Authorizer() - def init_dispatch_queue(dispatch_queue:DispatchQueue) = { - import OptionSupport._ - if( config.sticky_dispatching.getOrElse(true) ) { - val queues = getThreadQueues() - val queue = queues(Random.nextInt(queues.length)); - dispatch_queue.setTargetQueue(queue) - } - } + def resource_kind = SecuredResource.BrokerKind /** * Validates and then applies the configuration. @@ -296,7 +287,6 @@ class Broker() extends BaseService { init_logs log_versions check_file_limit - init_dispatch_queue(dispatch_queue) BrokerRegistry.add(this) schedule_periodic_maintenance 
@@ -374,10 +364,10 @@ class Broker() extends BaseService { if (config.authentication != null && config.authentication.enabled.getOrElse(true)) { authenticator = new JaasAuthenticator(config.authentication, security_log) - authorizer = new AclAuthorizer(config.authentication.acl_principal_kinds().toList, security_log) + authorizer=Authorizer(config.access_rules.toList, authenticator.acl_principal_kinds) } else { authenticator = null - authorizer = null + authorizer=Authorizer() } val host_config_by_id = HashMap[AsciiBuffer, VirtualHostDTO]() Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Connector.scala URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Connector.scala?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Connector.scala (original) +++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Connector.scala Sat Aug 27 13:13:56 2011 @@ -17,14 +17,14 @@ package org.apache.activemq.apollo.broker import org.fusesource.hawtdispatch._ -import org.fusesource.hawtdispatch.{Dispatch} import protocol.{ProtocolFactory, Protocol} import org.apache.activemq.apollo.transport._ import org.apache.activemq.apollo.util._ import org.apache.activemq.apollo.util.OptionSupport._ import java.net.SocketAddress -import org.apache.activemq.apollo.util.{Log, Service, ClassFinder} +import org.apache.activemq.apollo.util.{Log, ClassFinder} import org.apache.activemq.apollo.dto._ +import security.SecuredResource /** *

@@ -35,7 +35,7 @@ import org.apache.activemq.apollo.dto._ object Connector extends Log { } -trait Connector extends BaseService { +trait Connector extends BaseService with SecuredResource { def broker:Broker def id:String @@ -46,6 +46,7 @@ trait Connector extends BaseService { def update(config: ConnectorTypeDTO, on_complete:Runnable):Unit def socket_address:SocketAddress def status:ServiceStatusDTO + def resource_kind = SecuredResource.ConnectorKind } trait ConnectorFactory { @@ -149,8 +150,6 @@ class AcceptingConnector(val broker:Brok connection.protocol_handler = protocol.createProtocolHandler connection.transport = transport - broker.init_dispatch_queue(connection.dispatch_queue) - broker.connections.put(connection.id, connection) try { connection.start() Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/LocalRouter.scala URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/LocalRouter.scala?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/LocalRouter.scala (original) +++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/LocalRouter.scala Sat Aug 27 13:13:56 2011 
@@ -21,13 +21,14 @@ import org.apache.activemq.apollo.util._ import org.apache.activemq.apollo.broker.store.QueueRecord import path._ import path.PathParser.PathException -import security.SecurityContext import java.util.concurrent.TimeUnit import scala.Array import org.apache.activemq.apollo.dto._ import java.util.{Arrays, ArrayList} import collection.mutable.{LinkedHashMap, HashMap} import collection.{Iterable, JavaConversions} +import security.SecuredResource.{TopicKind, QueueKind} +import security.{SecuredResource, SecurityContext} object DestinationMetricsSupport { @@ -115,7 +116,7 @@ object RouterListenerFactory { * * @author Hiram Chirino */ -trait DomainDestination { +trait DomainDestination extends SecuredResource { def id:String def virtual_host:VirtualHost @@ -129,6 +130,7 @@ trait DomainDestination { def disconnect (producer:BindableDeliveryProducer) def update(on_completed:Runnable):Unit + } /** @@ -206,6 +208,8 @@ class LocalRouter(val virtual_host:Virtu private val ALL = new Path(List(AnyDescendantPart)) + def authorizer = virtual_host.authorizer + trait Domain[D <: DomainDestination] { // holds all the destinations in the domain by id @@ -230,9 +234,6 @@ class LocalRouter(val virtual_host:Virtu } } - def can_destroy_destination(path:Path, destination:DestinationDTO, security:SecurityContext):Option[String] - def destroy_destination(path:Path, destination:DestinationDTO, security: SecurityContext):Unit - def can_create_destination(path:Path, destination:DestinationDTO, security:SecurityContext):Option[String] def create_destination(path:Path, destination:DestinationDTO, security:SecurityContext):Result[D,String] 
@@ -249,12 +250,12 @@ class LocalRouter(val virtual_host:Virtu // binds any matching wild card subs and producers... import JavaConversions._ consumers_by_path.get( path ).foreach { x=> - if( can_bind_one(path, x.destination, x.consumer, x.security) ) { + if( authorizer.can(x.security, bind_action(x.consumer), dest) ) { dest.bind(x.destination, x.consumer) } } producers_by_path.get( path ).foreach { x=> - if( can_connect_one(path, x.destination, x.producer, x.security) ) { + if( authorizer.can(x.security, "send", dest) ) { dest.connect(x.destination, x.producer) } } @@ -265,7 +266,34 @@ class LocalRouter(val virtual_host:Virtu destination_by_id.remove(dest.id) } - def can_bind_one(path:Path, destination:DestinationDTO, consumer:DeliveryConsumer, security:SecurityContext):Boolean + def can_destroy_destination(path:Path, destination:DestinationDTO, security:SecurityContext):Option[String] = { + if( security==null ) { + return None + } + + if( destination.temp_owner != null ) { + for( connection <- security.connection_id) { + if( connection != destination.temp_owner.longValue() ) { + return Some("Not authorized to destroy the destination.") + } + } + } + + val matches = get_destination_matches(path) + matches.foldLeft(None:Option[String]) { case (rc,dest) => + rc.orElse { + if( authorizer.can(security, "destroy", dest) ) { + None + } else { + Some("Not authorized to destroy destination: %s".format(dest.id)) + } + } + } + } + def destroy_destination(path:Path, destination:DestinationDTO, security: SecurityContext):Unit + + def bind_action(consumer:DeliveryConsumer):String + def can_bind_all(path:Path, destination:DestinationDTO, consumer:DeliveryConsumer, security:SecurityContext):Option[String] = { if( security==null ) { return None 
@@ -297,7 +325,7 @@ class LocalRouter(val virtual_host:Virtu } matches.foreach { dest => - if( !can_bind_one(path, destination, consumer, security) ) { + if( !authorizer.can(security, bind_action(consumer), dest) ) { return Some("Not authorized to receive from the destination.") } } @@ -308,7 +336,7 @@ class LocalRouter(val virtual_host:Virtu def bind(path:Path, destination:DestinationDTO, consumer:DeliveryConsumer, security:SecurityContext):Unit = { var matches = get_destination_matches(path) matches.foreach { dest=> - if( can_bind_one(path, destination, consumer, security) ) { + if( authorizer.can(security, bind_action(consumer), dest) ) { dest.bind(destination, consumer) for( l <- router_listeners) { l.on_bind(dest, consumer, security) @@ -332,8 +360,6 @@ class LocalRouter(val virtual_host:Virtu } } - def can_connect_one(path:Path, destination:DestinationDTO, producer:BindableDeliveryProducer, security:SecurityContext):Boolean - def can_connect_all(path:Path, destination:DestinationDTO, producer:BindableDeliveryProducer, security:SecurityContext):Option[String] = { val wildcard = PathParser.containsWildCards(path) @@ -362,8 +388,10 @@ class LocalRouter(val virtual_host:Virtu // since this is not a wild card, we should have only matched one.. assert( matches.size == 1 ) - if( !can_connect_one(path, destination, producer, security) ) { - return Some("Not authorized to send to the destination.") + for( dest <- matches ) { + if( !authorizer.can(security, "send", dest) ) { + return Some("Not authorized to send to the destination.") + } } None 
@@ -372,7 +400,7 @@ class LocalRouter(val virtual_host:Virtu def connect(path:Path, destination:DestinationDTO, producer:BindableDeliveryProducer, security:SecurityContext):Unit = { get_destination_matches(path).foreach { dest=> - if( can_connect_one(path, destination, producer, security) ) { + if( authorizer.can(security, "send", dest) ) { dest.connect(destination, producer) for( l <- router_listeners) { l.on_connect(dest, producer, security) @@ -460,31 +488,6 @@ class LocalRouter(val virtual_host:Virtu } } - def can_destroy_destination(path:Path, destination: DestinationDTO, security: SecurityContext): Option[String] = { - if( security == null ) { - return None - } - - if( destination.temp_owner != null ) { - for( connection <- security.connection_id) { - if( connection != destination.temp_owner.longValue() ) { - return Some("Not authorized to destroy the temporary destination.") - } - } - } - - val matches = get_destination_matches(path) - matches.foldLeft(None:Option[String]) { case (rc,dest) => - rc.orElse { - if( virtual_host.authorizer!=null && security!=null && !virtual_host.authorizer.can_destroy(security, virtual_host, dest.config)) { - Some("Not authorized to destroy topic: %s".format(dest.id)) - } else { - None - } - } - } - } - def destroy_destination(path:Path, destination: DestinationDTO, security: SecurityContext): Unit = { val matches = get_destination_matches(path) matches.foreach { dest => 
@@ -517,12 +520,19 @@ class LocalRouter(val virtual_host:Virtu } def can_create_destination(path:Path, destination:DestinationDTO, security:SecurityContext):Option[String] = { + if (security==null) { + return None; + } + // We can't create a wild card destination.. only wild card subscriptions. assert( !PathParser.containsWildCards(path) ) // A new destination is being created... - val dto = topic_config(path) - if( virtual_host.authorizer!=null && security!=null && !virtual_host.authorizer.can_create(security, virtual_host, dto)) { + val resource = new SecuredResource() { + def resource_kind = TopicKind + def id = destination_parser.encode_path(path) + } + if( !authorizer.can(security, "create", resource)) { Some("Not authorized to create the destination") } else { None @@ -536,7 +546,11 @@ class LocalRouter(val virtual_host:Virtu // A new destination is being created... val dto = topic_config(path) - if( virtual_host.authorizer!=null && security!=null && !virtual_host.authorizer.can_create(security, virtual_host, dto)) { + val resource = new SecuredResource() { + def resource_kind = TopicKind + def id = destination_parser.encode_path(path) + } + if( !authorizer.can(security, "create", resource)) { return new Failure("Not authorized to create the destination") } 
@@ -549,20 +563,7 @@ class LocalRouter(val virtual_host:Virtu Success(topic) } - def can_bind_one(path:Path, destination:DestinationDTO, consumer:DeliveryConsumer, security:SecurityContext):Boolean = { - val config = topic_config(path) - val authorizer = virtual_host.authorizer - if( authorizer!=null && security!=null && !authorizer.can_receive_from(security, virtual_host, config) ) { - return false; - } - true - } - - def can_connect_one(path:Path, destination:DestinationDTO, producer:BindableDeliveryProducer, security:SecurityContext):Boolean = { - val config = topic_config(path) - val authorizer = virtual_host.authorizer - !(authorizer!=null && security!=null && !authorizer.can_send_to(security, virtual_host, config) ) - } + def bind_action(consumer:DeliveryConsumer):String = "receive" def bind_dsub(queue:Queue) = { assert_executing @@ -709,9 +710,16 @@ class LocalRouter(val virtual_host:Virtu } + def get_dsub_secured_resource(config: DurableSubscriptionDTO):SecuredResource = { + durable_subscriptions_by_id.get(config.id).getOrElse(new SecuredResource() { + def resource_kind = SecuredResource.DurableSubKind + def id = config.id + }) + } + def can_create_dsub(config:DurableSubscriptionDTO, security:SecurityContext) = { - val authorizer = virtual_host.authorizer - if( authorizer!=null && security!=null && !authorizer.can_create(security, virtual_host, config) ) { + val resource = get_dsub_secured_resource(config) + if( !authorizer.can(security, "create", resource) ) { Some("Not authorized to create the durable subscription.") } else { None 
@@ -719,8 +727,8 @@ class LocalRouter(val virtual_host:Virtu } def can_connect_dsub(config:DurableSubscriptionDTO, security:SecurityContext):Option[String] = { - val authorizer = virtual_host.authorizer - if( authorizer!=null && security!=null && !authorizer.can_send_to(security, virtual_host, config) ) { + val resource = get_dsub_secured_resource(config) + if( !authorizer.can(security, "send", resource) ) { Some("Not authorized to send to the durable subscription.") } else { None @@ -728,21 +736,10 @@ class LocalRouter(val virtual_host:Virtu } def can_bind_dsub(config:DurableSubscriptionDTO, consumer:DeliveryConsumer, security:SecurityContext):Option[String] = { - val authorizer = virtual_host.authorizer - if( authorizer!=null && security!=null ) { - if ( consumer.browser ) { - if( !authorizer.can_receive_from(security, virtual_host, config) ) { - Some("Not authorized to receive from the durable subscription.") - } else { - None - } - } else { - if( !authorizer.can_consume_from(security, virtual_host, config) ) { - Some("Not authorized to consume from the durable subscription.") - } else { - None - } - } + val resource = get_dsub_secured_resource(config) + val action = if ( consumer.browser ) "receive" else "consume" + if( !authorizer.can(security, action, resource) ) { + Some("Not authorized to "+action+" from the durable subscription.") } else { None } 
@@ -752,22 +749,6 @@ class LocalRouter(val virtual_host:Virtu val queue_domain = new QueueDomain class QueueDomain extends Domain[Queue] { - def can_create_queue(config:QueueDTO, security:SecurityContext) = { - if( virtual_host.authorizer==null || security==null) { - true - } else { - virtual_host.authorizer.can_create(security, virtual_host, config) - } - } - - def can_destroy_queue(config:QueueDTO, security:SecurityContext) = { - if( virtual_host.authorizer==null || security==null) { - true - } else { - virtual_host.authorizer.can_destroy(security, virtual_host, config) - } - } - def bind(queue:Queue) = { val path = queue.binding.destination assert( !PathParser.containsWildCards(path) ) @@ -794,19 +775,6 @@ class LocalRouter(val virtual_host:Virtu } } - def can_destroy_destination(path:Path, destination: DestinationDTO, security: SecurityContext): Option[String] = { - val matches = get_destination_matches(path) - matches.foldLeft(None:Option[String]) { case (rc,dest) => - rc.orElse { - if( can_destroy_queue(dest.config, security) ) { - None - } else { - Some("Not authorized to destroy queue: %s".format(dest.id)) - } - } - } - } - def destroy_destination(path:Path, destination: DestinationDTO, security: SecurityContext): Unit = { val matches = get_destination_matches(path) matches.foreach { queue => @@ -818,11 +786,11 @@ class LocalRouter(val virtual_host:Virtu } def can_create_destination(path: Path, destination:DestinationDTO, security: SecurityContext):Option[String] = { - val dto = new QueueDestinationDTO - dto.path.addAll(destination.path) - val binding = QueueDomainQueueBinding.create(dto) - val config = binding.config(virtual_host) - if( can_create_queue(config, security) ) { + val resource = new SecuredResource() { + def resource_kind = QueueKind + def id = destination_parser.encode_path(path) + } + if( authorizer.can(security, "create", resource)) { None } else { Some("Not authorized to create the queue") 
@@ -832,10 +800,13 @@ class LocalRouter(val virtual_host:Virtu def create_destination(path: Path, destination:DestinationDTO, security: SecurityContext) = { val dto = new QueueDestinationDTO dto.path.addAll(destination.path) - val binding = QueueDomainQueueBinding.create(dto) - val config = binding.config(virtual_host) - if( can_create_queue(config, security) ) { + + val resource = new SecuredResource() { + def resource_kind = QueueKind + def id = destination_parser.encode_path(path) + } + if( authorizer.can(security, "create", resource)) { var queue = _create_queue(binding) for( l <- router_listeners) { l.on_create(queue, security) @@ -846,29 +817,10 @@ class LocalRouter(val virtual_host:Virtu } } - - def can_bind_one(path:Path, dto:DestinationDTO, consumer:DeliveryConsumer, security: SecurityContext):Boolean = { - val binding = QueueDomainQueueBinding.create(dto) - val config = binding.config(virtual_host) - if( virtual_host.authorizer!=null && security!=null ) { - if( consumer.browser ) { - if( !virtual_host.authorizer.can_receive_from(security, virtual_host, config) ) { - return false; - } - } else { - if( !virtual_host.authorizer.can_consume_from(security, virtual_host, config) ) { - return false - } - } - } - return true; - } - - def can_connect_one(path:Path, dto:DestinationDTO, producer:BindableDeliveryProducer, security:SecurityContext):Boolean = { - val binding = QueueDomainQueueBinding.create(dto) - val config = binding.config(virtual_host) - val authorizer = virtual_host.authorizer - !( authorizer!=null && security!=null && !authorizer.can_send_to(security, virtual_host, config) ) + def bind_action(consumer:DeliveryConsumer):String = if(consumer.browser) { + "receive" + } else { + "consume" } } 
@@ -1227,11 +1179,8 @@ class LocalRouter(val virtual_host:Virtu } def _destroy_queue(queue:Queue, security:SecurityContext):Option[String] = { - - if( security!=null && queue.config.acl!=null ) { - if( !virtual_host.authorizer.can_destroy(security, virtual_host, queue.config) ) { - return Some("Not authorized to destroy") - } + if( !authorizer.can(security, "destroy", queue) ) { + return Some("Not authorized to destroy") } _destroy_queue(queue) None Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Queue.scala URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Queue.scala?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Queue.scala (original) +++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Queue.scala Sat Aug 27 13:13:56 2011 @@ -26,11 +26,12 @@ import org.apache.activemq.apollo.util._ import org.apache.activemq.apollo.util.list._ import org.fusesource.hawtdispatch.{ListEventAggregator, DispatchQueue, BaseRetained} import OptionSupport._ -import security.SecurityContext -import java.util.concurrent.atomic.{AtomicReference, AtomicLong, AtomicInteger} +import java.util.concurrent.atomic.{AtomicReference, AtomicInteger} import org.fusesource.hawtbuf.Buffer import java.lang.UnsupportedOperationException import org.apache.activemq.apollo.dto._ +import security.SecuredResource._ +import security.{SecuredResource, SecurityContext} object Queue extends Log { val subcsription_counter = new AtomicInteger(0) 
@@ -45,13 +46,19 @@ import Queue._ * * @author Hiram Chirino */ -class Queue(val router: LocalRouter, val store_id:Long, var binding:Binding, var config:QueueDTO) extends BaseRetained with BindableDeliveryProducer with DeliveryConsumer with BaseService with DomainDestination with Dispatched { +class Queue(val router: LocalRouter, val store_id:Long, var binding:Binding, var config:QueueDTO) extends BaseRetained with BindableDeliveryProducer with DeliveryConsumer with BaseService with DomainDestination with Dispatched with SecuredResource { def id = binding.id override def toString = binding.destination.toString def virtual_host = router.virtual_host + val resource_kind = binding match { + case x:DurableSubscriptionQueueBinding=> DurableSubKind + case x:QueueDomainQueueBinding=> QueueKind + case _ => OtherKind + } + var producers = ListBuffer[BindableDeliveryProducer]() var inbound_sessions = Set[DeliverySession]() var all_subscriptions = Map[DeliveryConsumer, Subscription]() @@ -60,7 +67,6 @@ class Queue(val router: LocalRouter, val def filter = binding.message_filter override val dispatch_queue: DispatchQueue = createQueue(id); - virtual_host.broker.init_dispatch_queue(dispatch_queue) def destination_dto: DestinationDTO = binding.binding_dto 
@@ -785,14 +791,14 @@ class Queue(val router: LocalRouter, val def connected() = {} - def bind(value: DeliveryConsumer, security:SecurityContext): Result[Zilch, String] = { - if( virtual_host.authorizer!=null && security!=null ) { + def bind(value: DeliveryConsumer, ctx:SecurityContext): Result[Zilch, String] = { + if( ctx!=null ) { if( value.browser ) { - if( !virtual_host.authorizer.can_receive_from(security, virtual_host, config) ) { + if( !virtual_host.authorizer.can(ctx, "receive", this) ) { return new Failure("Not authorized to browse the queue") } } else { - if( !virtual_host.authorizer.can_consume_from(security, virtual_host, config) ) { + if( !virtual_host.authorizer.can(ctx, "consume", this) ) { return new Failure("Not authorized to consume from the queue") } } Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Topic.scala URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Topic.scala?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Topic.scala (original) +++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Topic.scala Sat Aug 27 13:13:56 2011 @@ -24,8 +24,7 @@ import java.util.concurrent.TimeUnit import org.fusesource.hawtdispatch._ import collection.mutable.{HashSet, HashMap, ListBuffer} import java.lang.Long -import com.sun.jdi.connect.spi.TransportService.ListenKey - +import security.SecuredResource /** *

* A logical messaging topic @@ -33,7 +32,7 @@ import com.sun.jdi.connect.spi.Transport * * @author Hiram Chirino */ -class Topic(val router:LocalRouter, val destination_dto:TopicDestinationDTO, var config_updater: ()=>TopicDTO, val id:String, path:Path) extends DomainDestination { +class Topic(val router:LocalRouter, val destination_dto:TopicDestinationDTO, var config_updater: ()=>TopicDTO, val id:String, path:Path) extends DomainDestination with SecuredResource { var enqueue_item_counter = 0L var enqueue_size_counter = 0L @@ -43,6 +42,8 @@ class Topic(val router:LocalRouter, val var dequeue_size_counter = 0L var dequeue_ts = now + val resource_kind =SecuredResource.TopicKind + var proxy_sessions = new HashSet[TopicDeliverySession]() implicit def from_link(from:LinkDTO):(Long,Long,Long)=(from.enqueue_item_counter, from.enqueue_size_counter, from.enqueue_ts) Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/VirtualHost.scala URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/VirtualHost.scala?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/VirtualHost.scala (original) +++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/VirtualHost.scala Sat Aug 27 13:13:56 2011 
@@ -16,22 +16,16 @@ */ package org.apache.activemq.apollo.broker; -import _root_.java.util.{ArrayList, HashMap} -import _root_.java.lang.{String} +import _root_.java.lang.String import _root_.scala.collection.JavaConversions._ import org.fusesource.hawtdispatch._ -import java.util.concurrent.TimeUnit import org.apache.activemq.apollo.util._ -import path.PathFilter -import org.fusesource.hawtbuf.{Buffer, AsciiBuffer} -import collection.JavaConversions -import java.util.concurrent.atomic.AtomicLong import org.apache.activemq.apollo.util.OptionSupport._ -import org.apache.activemq.apollo.util.path.{Path, PathParser} -import security.{AclAuthorizer, JaasAuthenticator, Authenticator, Authorizer} import org.apache.activemq.apollo.dto._ -import store.{PersistentLongCounter, ZeroCopyBufferAllocator, Store, StoreFactory} +import security._ +import security.SecuredResource.VirtualHostKind +import store.{PersistentLongCounter, Store, StoreFactory} trait VirtualHostFactory { def create(broker:Broker, dto:VirtualHostDTO):VirtualHost @@ -87,7 +81,7 @@ object VirtualHost extends Log { /** * @author Hiram Chirino */ -class VirtualHost(val broker: Broker, val id:String) extends BaseService { +class VirtualHost(val broker: Broker, val id:String) extends BaseService with SecuredResource { import VirtualHost._ override val dispatch_queue:DispatchQueue = createQueue("virtual-host") // getGlobalQueue(DispatchPriority.HIGH).createQueue("virtual-host") @@ -103,14 +97,15 @@ class VirtualHost(val broker: Broker, va val session_counter = new PersistentLongCounter("session_counter") var authenticator:Authenticator = _ - var authorizer:Authorizer = _ + var authorizer = Authorizer() var audit_log:Log = _ var security_log:Log = _ var connection_log:Log = _ var console_log:Log = _ - // This gets set if client should get redirected to another address. + def resource_kind = VirtualHostKind + @volatile var client_redirect:Option[String] = None 
@@ -151,18 +146,20 @@ class VirtualHost(val broker: Broker, va if (config.authentication.enabled.getOrElse(true)) { // Virtual host has it's own settings. authenticator = new JaasAuthenticator(config.authentication, security_log) - authorizer = new AclAuthorizer(config.authentication.acl_principal_kinds().toList, security_log) } else { // Don't use security on this host. authenticator = null - authorizer = null } } else { // use the broker's settings.. authenticator = broker.authenticator - authorizer = broker.authorizer } - + if( authenticator!=null ) { + val rules = config.access_rules.toList ::: broker.config.access_rules.toList + authorizer = Authorizer(rules, authenticator.acl_principal_kinds) + } else { + authorizer = Authorizer() + } } override protected def _start(on_completed:Runnable):Unit = { Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authenticator.scala URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authenticator.scala?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authenticator.scala (original) +++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authenticator.scala Sat Aug 27 13:13:56 2011 
@@ -38,4 +38,6 @@ trait Authenticator { */ def user_name(ctx:SecurityContext):Option[String] + def acl_principal_kinds:Set[String] + } \ No newline at end of file Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala (original) +++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala Sat Aug 27 13:13:56 2011 
@@ -1,102 +1,209 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ package org.apache.activemq.apollo.broker.security -import org.apache.activemq.apollo.broker._ -import org.apache.activemq.apollo.dto.{TopicDTO, QueueDTO} + +import java.lang.Boolean +import collection.mutable.{ListBuffer, HashMap} +import org.apache.activemq.apollo.broker.LocalRouter +import org.apache.activemq.apollo.dto.{QueueDTO, AccessRuleDTO} +import org.apache.activemq.apollo.util.path.PathParser._ +import java.util.regex.Pattern +import org.apache.activemq.apollo.broker.security.Authorizer.ResourceMatcher +import java.util.concurrent.atomic.AtomicLong + +object SecuredResource { + case class SecurityRules(version:Long, rules: Seq[(String,SecurityContext)=>Option[Boolean]]) + + sealed trait ResourceKind + object BrokerKind extends ResourceKind + object VirtualHostKind extends ResourceKind + object ConnectorKind extends ResourceKind + object QueueKind extends ResourceKind + object TopicKind extends ResourceKind + object DurableSubKind extends ResourceKind + object OtherKind extends ResourceKind +} +import SecuredResource._ + +trait SecuredResource { + def resource_kind:ResourceKind + def id:String + + @volatile + var rules_cache:SecurityRules 
= _ +} /** - *

This interface allows the authorization information to come - * from other sources besides the configuration model.

+ *

+ *

* * @author Hiram Chirino */ trait Authorizer { + def can(ctx:SecurityContext, action:String, resource:SecuredResource):Boolean; +} - /** - * @returns true if the user is an admin. - */ - def can_admin(ctx:SecurityContext, broker:Broker):Boolean - - def can_monitor(ctx:SecurityContext, broker:Broker):Boolean - - def can_config(ctx:SecurityContext, broker:Broker):Boolean - - def can_admin(ctx:SecurityContext, host:VirtualHost):Boolean - - def can_monitor(ctx:SecurityContext, host:VirtualHost):Boolean - - /** - * @returns true if the user is allowed to connect to the virtual host - */ - def can_connect_to(ctx:SecurityContext, host:VirtualHost, connector:Connector):Boolean - - /** - * @returns true if the user is allowed to send to the destination - */ - def can_send_to(ctx:SecurityContext, host:VirtualHost, dest:TopicDTO):Boolean - - - def can_admin(ctx:SecurityContext, host:VirtualHost, dest:TopicDTO):Boolean - - def can_monitor(ctx:SecurityContext, host:VirtualHost, dest:TopicDTO):Boolean - - /** - * @returns true if the user is allowed to receive from the destination - */ - def can_receive_from(ctx:SecurityContext, host:VirtualHost, dest:TopicDTO):Boolean - - /** - * @returns true if the user is allowed to create the destination - */ - def can_create(ctx:SecurityContext, host:VirtualHost, dest:TopicDTO):Boolean - - /** - * @returns true if the user is allowed to destroy the destination - */ - def can_destroy(ctx:SecurityContext, host:VirtualHost, dest:TopicDTO):Boolean - - - def can_admin(ctx:SecurityContext, host:VirtualHost, dest:QueueDTO):Boolean - - def can_monitor(ctx:SecurityContext, host:VirtualHost, dest:QueueDTO):Boolean - - /** - * @returns true if the user is allowed to send to the queue - */ - def can_send_to(ctx:SecurityContext, host:VirtualHost, queue:QueueDTO):Boolean - - /** - * @returns true if the user is allowed to receive from the queue - */ - def can_receive_from(ctx:SecurityContext, host:VirtualHost, queue:QueueDTO):Boolean - - /** - * 
@returns true if the user is allowed to consume from the queue - */ - def can_consume_from(ctx:SecurityContext, host:VirtualHost, queue:QueueDTO):Boolean +object Authorizer { - /** - * @returns true if the user is allowed to create the queue - */ - def can_create(ctx:SecurityContext, host:VirtualHost, queue:QueueDTO):Boolean + val version_counter = new AtomicLong() - /** - * @returns true if the user is allowed to destroy the queue - */ - def can_destroy(ctx:SecurityContext, host:VirtualHost, queue:QueueDTO):Boolean + def apply():Authorizer = new Authorizer() { + def can(ctx: SecurityContext, action: String, resource: SecuredResource) = true + } + + def apply(config:Seq[AccessRuleDTO], default_principal_kinds:Set[String]):Authorizer = { + new RulesAuthorizer(version_counter.incrementAndGet(), config.map(ResourceMatcher(_, default_principal_kinds))) + } + + case class ResourceMatcher(rule:AccessRuleDTO, default_principal_kinds:Set[String]) { + + var resource_matchers = List[(SecuredResource)=>Boolean]() + + for(id_regex <- Option(rule.id_regex)) { + val reg_ex = Pattern.compile(id_regex) + resource_matchers ::= ((resource:SecuredResource) => { + reg_ex.matcher(resource.id).matches() + }) + } + + Option(rule.id).getOrElse("*") match { + case "*" => + case id => + if(rule.kind == "queue" || rule.kind == "topic") { + val filter = LocalRouter.destination_parser.decode_filter(id) + resource_matchers ::= ((resource:SecuredResource) => { + filter.matches(LocalRouter.destination_parser.decode_path(resource.id)) + }) + } else { + resource_matchers ::= ((resource:SecuredResource) => { + resource.id == id + }) + } + } + + Option(rule.kind).map(_.trim().toLowerCase).getOrElse("*") match { + case "*" => + case kind => + val kinds = (kind.split(",").map(_.trim()).map{ v=> + val kind:ResourceKind = v match { + case "broker"=>BrokerKind + case "virtual-host"=>VirtualHostKind + case "connector"=>ConnectorKind + case "queue"=>QueueKind + case "topic"=>TopicKind + case 
"dsub"=>DurableSubKind + case _ => OtherKind + } + kind + }).toSet + resource_matchers ::= ((resource:SecuredResource) => { + kinds.contains(resource.resource_kind) + }) + } + + def resource_matches(resource:SecuredResource):Boolean = { + // Looking for a matcher that does not match so we can + // fail the match quickly. + !resource_matchers.find(_(resource)==false).isDefined + } + + var action_matchers = List[(String, SecurityContext)=>Boolean]() + + val principal_kinds = Option(rule.principal_kind).map(_.trim().toLowerCase).getOrElse(null) match { + case null => Some(default_principal_kinds) + case "*" => None + case principal_kind => Some(principal_kind.split(",").map(_.trim()).toSet) + } + + Option(rule.principal).map(_.trim().toLowerCase).getOrElse("+") match { + case "*" => + case "+" => + // user has to have at least one of the principle kinds + action_matchers ::= ((action:String, ctx:SecurityContext) => { + principal_kinds match { + case Some(principal_kinds)=> + ctx.principles.find(p=> principal_kinds.contains(p.getClass.getName) ).isDefined + case None => + !ctx.principles.isEmpty + } + }) + + case principal => + val principals = if(rule.separator!=null) { + principal.split(Pattern.quote(rule.separator)).map(_.trim()).toSet + } else { + Set(principal) + } + action_matchers ::= ((action:String, ctx:SecurityContext) => { + principal_kinds match { + case Some(principal_kinds)=> + ctx.principles.find{ p=> + val km = principal_kinds.contains(p.getClass.getName) + val nm = principals.contains(p.getName) + km && nm + }.isDefined + case None => + ctx.principles.find(p=> principals.contains(p.getName) ).isDefined + } + }) + } + + Option(rule.action).map(_.trim().toLowerCase).getOrElse("*") match { + case "*" => + case action => + val actions = Set(action.split(",").map(_.trim()): _* ) + action_matchers ::= ((action:String, ctx:SecurityContext) => { + actions.contains(action) + }) + } + + val deny = Option(rule.deny).map(_.booleanValue()).getOrElse(false) + + def 
action_matches(action:String, ctx:SecurityContext):Option[Boolean] = { + for(matcher <- action_matchers) { + if ( !matcher(action, ctx) ) { + return None + } + } + return Some(!deny) + } + } + + case class RulesAuthorizer(version:Long, config:Seq[ResourceMatcher]) extends Authorizer { + + def can(ctx:SecurityContext, action:String, resource:SecuredResource):Boolean = { + if (ctx==null) { + return true; + } + + // we may need to rebuild the security rules cache. + var cache = resource.rules_cache + if( cache==null || cache.version != version ) { + // We cache the list of rules which match this resource so that + // future access checks don't have to process the whole list. + cache = SecurityRules(version, build_rules(resource)) + resource.rules_cache = cache + } + + // Now we process the rules that are specific to the resource. + for( rule <- cache.rules ) { + rule(action, ctx) match { + case Some(allow)=> + // First rule match controls if we allow or reject access. + return allow; + case None=> + } + } + + // If no rules matched, then reject access. 
+ return false; + } + def build_rules(resource:SecuredResource):Seq[(String,SecurityContext)=>Option[Boolean]] = { + config.flatMap{rule=> + if(rule.resource_matches(resource)) + Some(rule.action_matches _) + else + None + } + } + } +} -} \ No newline at end of file Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/JaasAuthenticator.scala URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/JaasAuthenticator.scala?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/JaasAuthenticator.scala (original) +++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/JaasAuthenticator.scala Sat Aug 27 13:13:56 2011 @@ -27,7 +27,7 @@ import javax.security.auth.callback.Unsu import org.apache.activemq.jaas._ import org.apache.activemq.apollo.broker.Broker.BLOCKABLE_THREAD_POOL import org.fusesource.hawtdispatch._ -import org.apache.activemq.apollo.dto.{PrincipalDTO, AuthenticationDTO} +import org.apache.activemq.apollo.dto.AuthenticationDTO import org.apache.activemq.apollo.util.Log import collection.JavaConversions._ 
@@ -55,6 +55,7 @@ class JaasAuthenticator(val config: Auth val jass_realm = Option(config.domain).getOrElse("apollo") val user_principal_kinds = config.user_principal_kinds() + val acl_principal_kinds = config.acl_principal_kinds().toSet /* * The 'BLOCKABLE_THREAD_POOL ! { ... }' magic makes the code block Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala (original) +++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala Sat Aug 27 13:13:56 2011 @@ -22,7 +22,6 @@ import javax.security.auth.Subject import java.security.cert.X509Certificate import org.apache.activemq.apollo.util.OptionSupport._ import org.apache.activemq.jaas.{GroupPrincipal, UserPrincipal} -import org.apache.activemq.apollo.dto.PrincipalDTO import javax.security.auth.login.LoginContext import java.net.SocketAddress 
@@ -42,94 +41,31 @@ class SecurityContext { var login_context:LoginContext = _ var connection_id:Option[Long] = None - private var _principles = Set[PrincipalDTO]() private var _subject:Subject = _ def subject = _subject + private var _principles = Set[Principal]() + def principles = _principles + def subject_= (value:Subject) { _subject = value - _principles = Set[PrincipalDTO]() + _principles = Set() if( value!=null ) { import collection.JavaConversions._ - value.getPrincipals.foreach { x=> - _principles += new PrincipalDTO(x.getName, x.getClass.getName) - } + _principles = value.getPrincipals.toSet } } - def principles = _principles - - def principles(kind:String) = { + def principles(kind:String):Set[Principal] = { kind match { case "+"=> - _principles + principles case "*"=> - _principles + principles case kind=> - _principles.filter(_.kind == kind) + principles.filter(_.getClass.getName == kind) } } - def is_allowed(acl:List[PrincipalDTO], default_kinds:List[String]):Boolean = { - - def kind_matches(kind:String):Boolean = { - kind match { - case null=> - return !_principles.map(_.kind).intersect(default_kinds.toSet).isEmpty - case "+"=> - return !_principles.isEmpty - case "*"=> - return true; - case kind=> - return _principles.map(_.kind).contains(kind) - } - } - - def principal_matches(p:PrincipalDTO):Boolean = { - p.kind match { - case null=> - default_kinds.foreach { kind=> - if( _principles.contains(new PrincipalDTO(p.allow, kind)) ) { - return true; - } - } - return false; - case "+"=> - return _principles.map(_.allow).contains(p.allow) - case "*"=> - return _principles.map(_.allow).contains(p.allow) - case kind=> - return _principles.contains(p) - } - } - - acl.foreach { p => - p.deny match { - case null => - case "*"=> - return false; - case "+"=> - return !kind_matches(p.kind) - case id => - if( principal_matches(new PrincipalDTO(id, p.kind)) ) { - return false; - } - } - p.allow match { - case null => - case "*"=> - return true; - case "+"=> - 
return kind_matches(p.kind) - case id => - if( principal_matches(new PrincipalDTO(id, p.kind)) ) { - return true - } - } - } - return false - } - - } \ No newline at end of file Modified: activemq/activemq-apollo/trunk/apollo-dto/pom.xml URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/pom.xml?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-dto/pom.xml (original) +++ activemq/activemq-apollo/trunk/apollo-dto/pom.xml Sat Aug 27 13:13:56 2011 @@ -108,7 +108,7 @@ - + Added: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/AccessRuleDTO.java URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/AccessRuleDTO.java?rev=1162343&view=auto ============================================================================== --- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/AccessRuleDTO.java (added) +++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/AccessRuleDTO.java Sat Aug 27 13:13:56 2011 
@@ -0,0 +1,124 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.apollo.dto; + +import javax.xml.bind.annotation.XmlAccessType; +import javax.xml.bind.annotation.XmlAccessorType; +import javax.xml.bind.annotation.XmlAttribute; +import javax.xml.bind.annotation.XmlRootElement; + +/** + *

+ *

+ * + * @author Hiram Chirino + */ +@XmlRootElement(name="access_rule") +@XmlAccessorType(XmlAccessType.FIELD) +public class AccessRuleDTO { + + /** + * Is this a negative rule which denies access. If not set, defaults to false. + */ + @XmlAttribute + public Boolean deny; + + /** + * The class name of the JAAS principle that this rule will mach against. If not set + * the this defaults to the default principal kinds configured on the broker or virtual host. + * If set to "*" then it matches all principal classes. + */ + @XmlAttribute(name = "principal_kind") + public String principal_kind; + + /** + * The principal which we are matching against. If set to "+" then it matches all principals + * but requires at at least one. If set to "*" the it matches all principals and even matches + * the case where there are no principals associated with the subject. + * + * Defaults to "+" if not set. + */ + @XmlAttribute + public String principal; + + /** + * If the separator is set, then the principal field will be interpreted as a list of + * principles separated by the configured value. + */ + @XmlAttribute + public String separator; + + /** + * The comma separated list of actions which match this rule. Example 'create,destroy'. You can use "*" to + * match all actions. Defaults to "*". + */ + @XmlAttribute + public String action; + + /** + * The kind of broker resource which matches this rule. You can use "*" to match all types. If not set + * it defaults to "*" + */ + @XmlAttribute + public String kind; + + /** + * The identifier of the resource which matches this rule. You can use "*" to match all resources. If not set + * it defaults to "*" + */ + @XmlAttribute + public String id; + + /** + * A regular expression used to match the id of the resource. 
+ */ + @XmlAttribute(name = "id_regex") + public String id_regex; + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (!(o instanceof AccessRuleDTO)) return false; + + AccessRuleDTO that = (AccessRuleDTO) o; + + if (action != null ? !action.equals(that.action) : that.action != null) return false; + if (deny != null ? !deny.equals(that.deny) : that.deny != null) return false; + if (id != null ? !id.equals(that.id) : that.id != null) return false; + if (id_regex != null ? !id_regex.equals(that.id_regex) : that.id_regex != null) return false; + if (kind != null ? !kind.equals(that.kind) : that.kind != null) return false; + if (principal != null ? !principal.equals(that.principal) : that.principal != null) return false; + if (principal_kind != null ? !principal_kind.equals(that.principal_kind) : that.principal_kind != null) + return false; + if (separator != null ? !separator.equals(that.separator) : that.separator != null) return false; + + return true; + } + + @Override + public int hashCode() { + int result = deny != null ? deny.hashCode() : 0; + result = 31 * result + (principal_kind != null ? principal_kind.hashCode() : 0); + result = 31 * result + (principal != null ? principal.hashCode() : 0); + result = 31 * result + (separator != null ? separator.hashCode() : 0); + result = 31 * result + (action != null ? action.hashCode() : 0); + result = 31 * result + (kind != null ? kind.hashCode() : 0); + result = 31 * result + (id != null ? id.hashCode() : 0); + result = 31 * result + (id_regex != null ? 
id_regex.hashCode() : 0); + return result; + } +} Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerDTO.java URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerDTO.java?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerDTO.java (original) +++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/BrokerDTO.java Sat Aug 27 13:13:56 2011 @@ -61,8 +61,8 @@ public class BrokerDTO { @XmlElementRef public KeyStorageDTO key_storage; - @XmlElement(name="acl") - public BrokerAclDTO acl; + @XmlElement(name="access_rule") + public List access_rules = new ArrayList(); @XmlElement(name="web_admin") public List web_admins = new ArrayList(); @@ -80,10 +80,6 @@ public class BrokerDTO { @XmlElement(name="service") public List services = new ArrayList(); - @Deprecated - @XmlAttribute(name="sticky_dispatching") - public Boolean sticky_dispatching; - /** * If set to strict, then the broker will not start up if there * are any validation errors in the configuration file. @@ -97,6 +93,7 @@ public class BrokerDTO { @XmlAnyElement(lax=true) public List other = new ArrayList(); + @Override public boolean equals(Object o) { if (this == o) return true; 
@@ -104,7 +101,8 @@ public class BrokerDTO { BrokerDTO brokerDTO = (BrokerDTO) o; - if (acl != null ? !acl.equals(brokerDTO.acl) : brokerDTO.acl != null) return false; + if (access_rules != null ? !access_rules.equals(brokerDTO.access_rules) : brokerDTO.access_rules != null) + return false; if (authentication != null ? !authentication.equals(brokerDTO.authentication) : brokerDTO.authentication != null) return false; if (client_address != null ? !client_address.equals(brokerDTO.client_address) : brokerDTO.client_address != null) @@ -117,8 +115,6 @@ public class BrokerDTO { if (notes != null ? !notes.equals(brokerDTO.notes) : brokerDTO.notes != null) return false; if (other != null ? !other.equals(brokerDTO.other) : brokerDTO.other != null) return false; if (services != null ? !services.equals(brokerDTO.services) : brokerDTO.services != null) return false; - if (sticky_dispatching != null ? !sticky_dispatching.equals(brokerDTO.sticky_dispatching) : brokerDTO.sticky_dispatching != null) - return false; if (validation != null ? !validation.equals(brokerDTO.validation) : brokerDTO.validation != null) return false; if (virtual_hosts != null ? !virtual_hosts.equals(brokerDTO.virtual_hosts) : brokerDTO.virtual_hosts != null) return false; 
@@ -134,14 +130,14 @@ public class BrokerDTO { result = 31 * result + (connectors != null ? connectors.hashCode() : 0); result = 31 * result + (client_address != null ? client_address.hashCode() : 0); result = 31 * result + (key_storage != null ? key_storage.hashCode() : 0); - result = 31 * result + (acl != null ? acl.hashCode() : 0); + result = 31 * result + (access_rules != null ? access_rules.hashCode() : 0); result = 31 * result + (web_admins != null ? web_admins.hashCode() : 0); result = 31 * result + (authentication != null ? authentication.hashCode() : 0); result = 31 * result + (log_category != null ? log_category.hashCode() : 0); result = 31 * result + (services != null ? services.hashCode() : 0); - result = 31 * result + (sticky_dispatching != null ? sticky_dispatching.hashCode() : 0); result = 31 * result + (validation != null ? validation.hashCode() : 0); result = 31 * result + (other != null ? other.hashCode() : 0); return result; } -} + +} \ No newline at end of file Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorTypeDTO.java URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorTypeDTO.java?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorTypeDTO.java (original) +++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/ConnectorTypeDTO.java Sat Aug 27 13:13:56 2011 
@@ -23,51 +23,42 @@ import java.util.ArrayList; import java.util.List; /** - * - * - * * @author Hiram Chirino */ -@XmlType (name = "connector_type") +@XmlType(name = "connector_type") @XmlAccessorType(XmlAccessType.FIELD) -@JsonTypeInfo(use=JsonTypeInfo.Id.CLASS, include=JsonTypeInfo.As.PROPERTY, property="@class") +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class") abstract public class ConnectorTypeDTO extends ServiceDTO { - @XmlElement(name="acl") - public ConnectorAclDTO acl; + @XmlAttribute(name = "connection_limit") + public Integer connection_limit; - @XmlAttribute(name="connection_limit") - public Integer connection_limit; + /** + * To hold any other non-matching XML elements + */ + @XmlAnyElement(lax = true) + public List other = new ArrayList(); -// /** -// * To hold any other non-matching XML elements -// */ -// @XmlAnyElement(lax=true) -// public List other = new ArrayList(); -// -// @Override -// public boolean equals(Object o) { -// if (this == o) return true; -// if (!(o instanceof ConnectorTypeDTO)) return false; -// if (!super.equals(o)) return false; -// -// ConnectorTypeDTO that = (ConnectorTypeDTO) o; -// -// if (acl != null ? !acl.equals(that.acl) : that.acl != null) return false; -// if (connection_limit != null ? !connection_limit.equals(that.connection_limit) : that.connection_limit != null) -// return false; -// if (other != null ? !other.equals(that.other) : that.other != null) -// return false; -// -// return true; -// } -// -// @Override -// public int hashCode() { -// int result = super.hashCode(); -// result = 31 * result + (acl != null ? acl.hashCode() : 0); -// result = 31 * result + (connection_limit != null ? connection_limit.hashCode() : 0); -// result = 31 * result + (other != null ? 
other.hashCode() : 0); -// return result; -// } + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (!(o instanceof ConnectorTypeDTO)) return false; + if (!super.equals(o)) return false; + + ConnectorTypeDTO that = (ConnectorTypeDTO) o; + + if (connection_limit != null ? !connection_limit.equals(that.connection_limit) : that.connection_limit != null) + return false; + if (other != null ? !other.equals(that.other) : that.other != null) return false; + + return true; + } + + @Override + public int hashCode() { + int result = super.hashCode(); + result = 31 * result + (connection_limit != null ? connection_limit.hashCode() : 0); + result = 31 * result + (other != null ? other.hashCode() : 0); + return result; + } } \ No newline at end of file Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java (original) +++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/PrincipalDTO.java Sat Aug 27 13:13:56 2011 
@@ -24,49 +24,39 @@ import javax.xml.bind.annotation.*; * * @author Hiram Chirino */ +@XmlRootElement(name="principal") @XmlAccessorType(XmlAccessType.FIELD) public class PrincipalDTO { @XmlAttribute - public String allow; - - @XmlAttribute - public String deny; + public String name; @XmlAttribute public String kind; - public PrincipalDTO() { } - - public PrincipalDTO(String allow) { - this.allow = allow; - } - - public PrincipalDTO(String allow, String kind) { - this.allow = allow; + public PrincipalDTO(String kind, String name) { this.kind = kind; + this.name = name; } @Override public boolean equals(Object o) { if (this == o) return true; - if (o == null || getClass() != o.getClass()) return false; + if (!(o instanceof PrincipalDTO)) return false; PrincipalDTO that = (PrincipalDTO) o; - if (allow != null ? !allow.equals(that.allow) : that.allow != null) return false; - if (deny != null ? !deny.equals(that.deny) : that.deny != null) return false; if (kind != null ? !kind.equals(that.kind) : that.kind != null) return false; + if (name != null ? !name.equals(that.name) : that.name != null) return false; return true; } @Override public int hashCode() { - int result = allow != null ? allow.hashCode() : 0; - result = 31 * result + (deny != null ? deny.hashCode() : 0); + int result = name != null ? name.hashCode() : 0; result = 31 * result + (kind != null ? 
kind.hashCode() : 0); return result; } Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueDTO.java URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueDTO.java?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueDTO.java (original) +++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/QueueDTO.java Sat Aug 27 13:13:56 2011 @@ -83,9 +83,6 @@ public class QueueDTO extends StringIdDT @XmlAttribute(name="swap_range_size") public Integer swap_range_size; - @XmlElement(name="acl") - public QueueAclDTO acl; - /** * The maximum amount of disk space the queue is allowed * to grow to. If not set then there is no limit. You can @@ -108,7 +105,6 @@ public class QueueDTO extends StringIdDT QueueDTO queueDTO = (QueueDTO) o; - if (acl != null ? !acl.equals(queueDTO.acl) : queueDTO.acl != null) return false; if (auto_delete_after != null ? !auto_delete_after.equals(queueDTO.auto_delete_after) : queueDTO.auto_delete_after != null) return false; if (consumer_buffer != null ? !consumer_buffer.equals(queueDTO.consumer_buffer) : queueDTO.consumer_buffer != null) 
@@ -135,7 +131,6 @@ public class QueueDTO extends StringIdDT result = 31 * result + (persistent != null ? persistent.hashCode() : 0); result = 31 * result + (swap != null ? swap.hashCode() : 0); result = 31 * result + (swap_range_size != null ? swap_range_size.hashCode() : 0); - result = 31 * result + (acl != null ? acl.hashCode() : 0); result = 31 * result + (other != null ? other.hashCode() : 0); return result; } Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/TopicDTO.java URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/TopicDTO.java?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/TopicDTO.java (original) +++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/TopicDTO.java Sat Aug 27 13:13:56 2011 @@ -43,9 +43,6 @@ public class TopicDTO extends StringIdDT @XmlAttribute(name="slow_consumer_policy") public String slow_consumer_policy; - @XmlElement(name="acl") - public TopicAclDTO acl; - /** * To hold any other non-matching XML elements */ @@ -60,7 +57,6 @@ public class TopicDTO extends StringIdDT TopicDTO topicDTO = (TopicDTO) o; - if (acl != null ? !acl.equals(topicDTO.acl) : topicDTO.acl != null) return false; if (auto_delete_after != null ? !auto_delete_after.equals(topicDTO.auto_delete_after) : topicDTO.auto_delete_after != null) return false; if (other != null ? !other.equals(topicDTO.other) : topicDTO.other != null) return false; 
@@ -75,7 +71,6 @@ public class TopicDTO extends StringIdDT int result = super.hashCode(); result = 31 * result + (auto_delete_after != null ? auto_delete_after.hashCode() : 0); result = 31 * result + (slow_consumer_policy != null ? slow_consumer_policy.hashCode() : 0); - result = 31 * result + (acl != null ? acl.hashCode() : 0); result = 31 * result + (other != null ? other.hashCode() : 0); return result; } Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostDTO.java URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostDTO.java?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostDTO.java (original) +++ activemq/activemq-apollo/trunk/apollo-dto/src/main/java/org/apache/activemq/apollo/dto/VirtualHostDTO.java Sat Aug 27 13:13:56 2011 @@ -50,6 +50,9 @@ public class VirtualHostDTO extends Serv @XmlAttribute(name="purge_on_startup") public Boolean purge_on_startup; + @XmlElement(name="access_rule") + public List access_rules = new ArrayList(); + /** * Holds the configuration for the destinations. */ @@ -74,9 +77,6 @@ public class VirtualHostDTO extends Serv @XmlAttribute(name="regroup_connections") public Boolean regroup_connections; - @XmlElement(name="acl") - public VirtualHostAclDTO acl; - @XmlElement(name="authentication") public AuthenticationDTO authentication; @@ -89,6 +89,7 @@ public class VirtualHostDTO extends Serv @XmlAnyElement(lax=true) public List other = new ArrayList(); + @Override public boolean equals(Object o) { if (this == o) return true; 
@@ -97,7 +98,7 @@ public class VirtualHostDTO extends Serv VirtualHostDTO that = (VirtualHostDTO) o; - if (acl != null ? !acl.equals(that.acl) : that.acl != null) return false; + if (access_rules != null ? !access_rules.equals(that.access_rules) : that.access_rules != null) return false; if (authentication != null ? !authentication.equals(that.authentication) : that.authentication != null) return false; if (auto_create_destinations != null ? !auto_create_destinations.equals(that.auto_create_destinations) : that.auto_create_destinations != null) 
@@ -124,11 +125,11 @@ public class VirtualHostDTO extends Serv result = 31 * result + (store != null ? store.hashCode() : 0); result = 31 * result + (auto_create_destinations != null ? auto_create_destinations.hashCode() : 0); result = 31 * result + (purge_on_startup != null ? purge_on_startup.hashCode() : 0); + result = 31 * result + (access_rules != null ? access_rules.hashCode() : 0); result = 31 * result + (topics != null ? topics.hashCode() : 0); result = 31 * result + (queues != null ? queues.hashCode() : 0); result = 31 * result + (dsubs != null ? dsubs.hashCode() : 0); result = 31 * result + (regroup_connections != null ? regroup_connections.hashCode() : 0); - result = 31 * result + (acl != null ? acl.hashCode() : 0); result = 31 * result + (authentication != null ? authentication.hashCode() : 0); result = 31 * result + (log_category != null ? log_category.hashCode() : 0); result = 31 * result + (other != null ? other.hashCode() : 0); Modified: activemq/activemq-apollo/trunk/apollo-dto/src/main/resources/org/apache/activemq/apollo/dto/jaxb.index URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/main/resources/org/apache/activemq/apollo/dto/jaxb.index?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-dto/src/main/resources/org/apache/activemq/apollo/dto/jaxb.index (original) +++ activemq/activemq-apollo/trunk/apollo-dto/src/main/resources/org/apache/activemq/apollo/dto/jaxb.index Sat Aug 27 13:13:56 2011 
@@ -14,38 +14,54 @@ # See the License for the specific language governing permissions and # limitations under the License. # ------------------------------------------------------------------------ +AcceptingConnectorDTO +AccessRuleDTO +AddUserHeaderDTO +AggregateConnectionMetricsDTO +AggregateDestMetricsDTO +AuthenticationDTO BrokerDTO BrokerStatusDTO ConnectionStatusDTO -AcceptingConnectorDTO ConnectorStatusDTO -TopicStatusDTO +ConnectorTypeDTO +CustomServiceDTO +DataPageDTO +DestMetricsDTO +DestinationDTO +DurableSubscriptionDTO +DurableSubscriptionDestinationDTO EntryStatusDTO IntMetricDTO +JvmMetricsDTO +KeyStorageDTO +LinkDTO +LogCategoryDTO LongIdDTO LongIdLabeledDTO LongIdListDTO +MemoryMetricsDTO +NullStoreDTO +PrincipalDTO +ProtocolDTO +QueueConsumerLinkDTO +QueueDTO +QueueDestinationDTO QueueStatusDTO ServiceDTO ServiceStatusDTO +SimpleStoreStatusDTO StoreDTO StoreStatusDTO StringIdDTO StringIdLabeledDTO StringIdListDTO +StringListDTO TimeMetricDTO -VirtualHostDTO -VirtualHostStatusDTO -KeyStorageDTO -SimpleStoreStatusDTO -NullStoreDTO -QueueDTO TopicDTO -LinkDTO -QueueConsumerLinkDTO +TopicDestinationDTO +TopicStatusDTO ValueDTO -StringListDTO -DataPageDTO -AggregateDestMetricsDTO -DestMetricsDTO -AggregateConnectionMetricsDTO \ No newline at end of file +VirtualHostDTO +VirtualHostStatusDTO +WebAdminDTO \ No newline at end of file Modified: activemq/activemq-apollo/trunk/apollo-dto/src/test/java/org/apache/activemq/apollo/dto/XmlCodecTest.java URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/test/java/org/apache/activemq/apollo/dto/XmlCodecTest.java?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-dto/src/test/java/org/apache/activemq/apollo/dto/XmlCodecTest.java (original) +++ activemq/activemq-apollo/trunk/apollo-dto/src/test/java/org/apache/activemq/apollo/dto/XmlCodecTest.java Sat Aug 27 13:13:56 2011 
@@ -42,7 +42,6 @@ public class XmlCodecTest { assertEquals(1, dto.other.size()); VirtualHostDTO host = dto.virtual_hosts.get(0); - assertNotNull(host.acl); assertEquals("vh-local", host.id); assertEquals("localhost", host.host_names.get(0)); assertEquals("example.com", host.host_names.get(1)); @@ -51,11 +50,6 @@ public class XmlCodecTest { assertEquals("topic1", host.topics.get(0).id); assertEquals("durable_subscription1", host.dsubs.get(0).id); - assertNotNull(dto.acl); - assertTrue(dto.acl.admins.contains(new PrincipalDTO("hiram"))); - assertTrue(dto.acl.admins.contains(new PrincipalDTO("james"))); - assertTrue(dto.acl.admins.contains(new PrincipalDTO("admins", "org.apache.activemq.jaas.GroupPrincipal"))); - AcceptingConnectorDTO connector = (AcceptingConnectorDTO)dto.connectors.get(0); assertNotNull(connector); Modified: activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml (original) +++ activemq/activemq-apollo/trunk/apollo-dto/src/test/resources/org/apache/activemq/apollo/dto/XmlCodecTest.xml Sat Aug 27 13:13:56 2011 
@@ -17,11 +17,9 @@ --> - - - - - + + + Modified: activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala (original) +++ activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala Sat Aug 27 13:13:56 2011 @@ -437,7 +437,7 @@ class OpenwireProtocolHandler extends Pr if( !host.authenticator.authenticate(security_context) ) { async_die("Authentication failed.", info) noop - } else if( !host.authorizer.can_connect_to(security_context, host, connection.connector) ) { + } else if( !host.authorizer.can(security_context, "connect", connection.connector) ) { async_die("Connect not authorized.", info) noop } else { Modified: activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala (original) +++ activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala Sat Aug 27 13:13:56 2011 
@@ -834,7 +834,7 @@ class StompProtocolHandler extends Proto } async_die(msg) noop // to make the cps compiler plugin happy. - } else if( !host.authorizer.can_connect_to(security_context, host, connection.connector) ) { + } else if( !host.authorizer.can(security_context, "connect", connection.connector) ) { var msg = if( security_context.user==null ) { "Connect not authorized." @@ -964,9 +964,9 @@ class StompProtocolHandler extends Proto if( !matches.isEmpty ) { h.separator match { case null=> - rc ::= (encode_header(h.name.trim), encode_header(matches.head.allow)) + rc ::= (encode_header(h.name.trim), encode_header(matches.head.getName)) case separator => - rc ::= (encode_header(h.name.trim), encode_header(matches.map(_.allow).mkString(separator))) + rc ::= (encode_header(h.name.trim), encode_header(matches.map(_.getName).mkString(separator))) } } } Modified: activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml (original) +++ activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml Sat Aug 27 13:13:56 2011 
@@ -22,39 +22,21 @@ localhost - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + Modified: activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml?rev=1162343&r1=1162342&r2=1162343&view=diff ============================================================================== --- activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml (original) +++ activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml Sat Aug 27 13:13:56 2011 @@ -23,9 +23,7 @@ localhost - - - +
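Review bot: In the PrincipalDTO hunk the no-arg constructor `public PrincipalDTO() { }` is deleted and only `public PrincipalDTO(String kind, String name)` remains, yet the class now carries `@XmlRootElement(name="principal")` with field access; JAXB needs a public or protected no-arg constructor to unmarshal it, so either restore `public PrincipalDTO() { }` or confirm one survives outside the shown lines. The switch from `getClass() != o.getClass()` to `!(o instanceof PrincipalDTO)` in equals() also makes equality non-symmetric for any subclass that adds fields; if no subclasses are intended, keep the getClass() comparison.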
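Review bot: Removing the `acl` field from QueueDTO and TopicDTO without a migration check means an existing configuration that still carries `<acl>` inside a queue or topic element is no longer rejected: both DTOs collect unmatched elements into `other` (the TopicDTO hunk's "To hold any other non-matching XML elements" comment, and `@XmlAnyElement(lax=true)` in VirtualHostDTO), so the stale per-destination rule is swallowed silently and the destination comes up governed only by the virtual-host access rules, which may be wider than the operator expected. Suggest logging a warning or failing startup when `other` contains an `acl` element, and calling out the move to `<access_rule>` in the release notes.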
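Review bot: In the VirtualHostDTO hunk `access_rules` is initialised to `new ArrayList()`, so the `access_rules != null ? ... : that.access_rules != null` guard in equals() and the null check in hashCode() only matter if a caller assigns null; either drop them or document that an empty list is the default. More importantly, the javadoc on the new field should state what an empty rule list means for authorization (deny everything or allow everything), since that default is the effective security posture of every virtual host that has no `<access_rule>` elements.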
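Review bot: jaxb.index still ends with `\ No newline at end of file` after the rewrite; add the trailing newline so the next addition to the list does not show up as a change to the `WebAdminDTO` line. Listing the classes alphabetically and adding `AccessRuleDTO` and `PrincipalDTO` is otherwise what the new `@XmlRootElement` types need to be picked up by the JAXB context.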
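Review bot: The XmlCodecTest hunks delete `assertNotNull(host.acl)`, `assertNotNull(dto.acl)` and the three `dto.acl.admins.contains(...)` checks without adding any assertion on the replacement, so the new `access_rule` parsing path has no test coverage. Add assertions on `host.access_rules` (the size and the fields of at least one rule) against the updated XmlCodecTest.xml, so a regression in ACL configuration parsing is caught here rather than as an unexpected authorization outcome at broker startup.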
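Review bot: In both the OpenwireProtocolHandler and StompProtocolHandler hunks the typed call `can_connect_to(security_context, host, connection.connector)` becomes `can(security_context, "connect", connection.connector)`, which turns the action into a free-form string; a misspelt action at a future call site compiles cleanly and is only noticed at runtime, and the outcome then depends on how the authorizer treats an action no rule mentions. Suggest defining the action names as constants on the Authorizer and having `can` reject unknown actions explicitly rather than falling through to a default.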
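Review bot: In the second StompProtocolHandler hunk `matches.head.allow` becomes `matches.head.getName` (and `matches.map(_.allow)` becomes `matches.map(_.getName)`), which suggests the matched entries are now principal objects rather than PrincipalDTOs. Since the principal name is copied straight into a STOMP header through `encode_header`, confirm that `encode_header` escapes newlines and colons so a principal name containing either cannot break the header framing, and add a short comment on the hunk noting where the principal names originate.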