activemq-commits mailing list archives

From gtu...@apache.org
Subject svn commit: r1295661 - in /activemq/trunk/activemq-core/src: main/java/org/apache/activemq/filter/ main/java/org/apache/activemq/security/ test/java/org/apache/activemq/security/ test/resources/org/apache/activemq/security/
Date Thu, 01 Mar 2012 16:36:12 GMT
Author: gtully
Date: Thu Mar  1 16:36:12 2012
New Revision: 1295661

URL: http://svn.apache.org/viewvc?rev=1295661&view=rev
Log:
https://issues.apache.org/jira/browse/AMQ-3749 - Composite destinations break simple authorisation
through role aggregation. additional tests and fix - ldap did need some work

Modified:
    activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DestinationMap.java
    activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
    activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java
    activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/CachedLDAPSecurityTest.java
    activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/activemq-ldap.xml

Modified: activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DestinationMap.java
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DestinationMap.java?rev=1295661&r1=1295660&r2=1295661&view=diff
==============================================================================
--- activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DestinationMap.java
(original)
+++ activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DestinationMap.java
Thu Mar  1 16:36:12 2012
@@ -17,6 +17,7 @@
 package org.apache.activemq.filter;
 
 import java.util.HashSet;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Set;
 import java.util.SortedSet;
@@ -230,4 +231,23 @@ public class DestinationMap {
         topicRootNode = new DestinationMapNode(null);
         tempTopicRootNode = new DestinationMapNode(null);
     }
+
+    public static Set union(Set existing, Set candidates) {
+        if ( candidates != null ) {
+            if (existing != null) {
+                for (Iterator<Object> iterator = existing.iterator(); iterator.hasNext();)
{
+                    Object toMatch = iterator.next();
+                    if (!candidates.contains(toMatch)) {
+                        iterator.remove();
+                    }
+                }
+            } else {
+                existing = candidates;
+            }
+        } else if ( existing != null ) {
+            existing.clear();
+        }
+        return existing;
+    }
+
 }
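Review bot: `union` is misnamed and undocumented for a helper that authorization code now shares: the loop removes every element of `existing` that is absent from `candidates`, so the result is an intersection, and it is produced by mutating `existing` in place. In the `else` branch the method returns `candidates` itself, so a later call that passes the result back as `existing` removes entries from the caller's original set; `existing = new HashSet(candidates);` would avoid that aliasing. A Javadoc should state that the result is the intersection, that `existing` is modified, and that a null `candidates` empties `existing` while a null `existing` means "no constraint yet". Declaring it as `public static <T> Set<T> union(Set<T> existing, Set<T> candidates)` would also remove the raw types and the `Iterator<Object>` over a raw set.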

Modified: activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java?rev=1295661&r1=1295660&r2=1295661&view=diff
==============================================================================
--- activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
(original)
+++ activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
Thu Mar  1 16:36:12 2012
@@ -153,23 +153,6 @@ public class DefaultAuthorizationMap ext
         return findWildcardMatches(key);
     }
 
-    private Set union(Set existing, Set candidates) {
-        if ( candidates != null ) {
-            if (existing != null) {
-                for (Iterator<Object> iterator = existing.iterator(); iterator.hasNext();)
{
-                    Object toMatch = iterator.next();
-                    if (!candidates.contains(toMatch)) {
-                        iterator.remove();
-                    }
-                }
-            } else {
-                existing = candidates;
-            }
-        } else if ( existing != null ) {
-            existing.clear();
-        }
-        return existing;
-    }
 
     /**
      * Sets the individual entries on the authorization map

Modified: activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java?rev=1295661&r1=1295660&r2=1295661&view=diff
==============================================================================
--- activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java
(original)
+++ activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java
Thu Mar  1 16:36:12 2012
@@ -35,6 +35,7 @@ import javax.naming.directory.SearchResu
 
 import org.apache.activemq.advisory.AdvisorySupport;
 import org.apache.activemq.command.ActiveMQDestination;
+import org.apache.activemq.filter.DestinationMap;
 import org.apache.activemq.jaas.GroupPrincipal;
 import org.apache.activemq.jaas.LDAPLoginModule;
 import org.slf4j.Logger;
@@ -362,9 +363,12 @@ public class LDAPAuthorizationMap implem
 
     protected Set<GroupPrincipal> getCompositeACLs(ActiveMQDestination destination,
String roleBase, String roleAttribute) {
         ActiveMQDestination[] dests = destination.getCompositeDestinations();
-        Set<GroupPrincipal> acls = new HashSet<GroupPrincipal>();
+        Set<GroupPrincipal> acls = null;
         for (ActiveMQDestination dest : dests) {
-            acls.addAll(getACLs(dest, roleBase, roleAttribute));
+            acls = DestinationMap.union(acls, getACLs(dest, roleBase, roleAttribute));
+            if (acls == null || acls.isEmpty()) {
+                break;
+            }
         }
         return acls;
     }
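Review bot: `getCompositeACLs` can now return null, which the removed code never did: `acls` starts as null and stays null if `dests` is empty or if the first `getACLs` call returns null, and the `break` treats null and empty alike. The callers are not in this hunk, so confirm that none of them reads a null ACL set as "no restriction"; if one does, a composite send would be allowed rather than denied. Ending with `return acls != null ? acls : new HashSet<GroupPrincipal>();` keeps the result non-null and deny-by-default. Separately, the first `DestinationMap.union(null, ...)` call returns the set from `getACLs` itself, so later iterations remove entries from that set in place; that is only safe if `getACLs` builds a fresh set on every call, which is not visible here.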

Modified: activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/CachedLDAPSecurityTest.java
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/CachedLDAPSecurityTest.java?rev=1295661&r1=1295660&r2=1295661&view=diff
==============================================================================
--- activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/CachedLDAPSecurityTest.java
(original)
+++ activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/CachedLDAPSecurityTest.java
Thu Mar  1 16:36:12 2012
@@ -33,6 +33,7 @@ import org.junit.runner.RunWith;
 import javax.jms.*;
 
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.fail;
 
 
 @RunWith( FrameworkRunner.class )
@@ -77,6 +78,38 @@ public class CachedLDAPSecurityTest exte
     }
 
     @Test
+    public void testSendDenied() throws Exception {
+        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
+        Connection conn = factory.createQueueConnection("jdoe", "sunflower");
+        Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+        conn.start();
+        Queue queue = sess.createQueue("ADMIN.FOO");
+
+        MessageProducer producer = sess.createProducer(queue);
+        try {
+            producer.send(sess.createTextMessage("test"));
+            fail("expect auth exception");
+        } catch (JMSException expected) {
+        }
+    }
+
+    @Test
+    public void testCompositeSendDenied() throws Exception {
+        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
+        Connection conn = factory.createQueueConnection("jdoe", "sunflower");
+        Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+        conn.start();
+        Queue queue = sess.createQueue("TEST.FOO,ADMIN.FOO");
+
+        MessageProducer producer = sess.createProducer(queue);
+        try {
+            producer.send(sess.createTextMessage("test"));
+            fail("expect auth exception");
+        } catch (JMSException expected) {
+        }
+    }
+
+    @Test
     public void testTempDestinations() throws Exception {
         ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
         Connection conn = factory.createQueueConnection("jdoe", "sunflower");
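Review bot: `testSendDenied` and `testCompositeSendDenied` pass on any `JMSException` thrown by `producer.send`, so they do not pin that the failure is an authorization denial; the empty `catch (JMSException expected)` would accept an unrelated broker error just as well. Asserting on the exception's type or cause inside the catch (for example that `expected.getCause()` is a `SecurityException`, if that is how the broker reports the denial) would tie the tests to the fix. Neither test closes `conn`, so a `finally { conn.close(); }` is needed to stop connections leaking between tests against the shared broker on port 61616. A companion test that sends to a composite of two permitted destinations would guard against the intersection logic denying too much. `testTempDestinations` at the end of the hunk continues outside it.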

Modified: activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/activemq-ldap.xml
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/activemq-ldap.xml?rev=1295661&r1=1295660&r2=1295661&view=diff
==============================================================================
--- activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/activemq-ldap.xml
(original)
+++ activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/activemq-ldap.xml
Thu Mar  1 16:36:12 2012
@@ -27,6 +27,10 @@
 
   <broker useJmx="false"  xmlns="http://activemq.apache.org/schema/core" persistent="false">
 
+      <destinations>
+         <queue physicalName="ADMIN.FOO" />
+      </destinations>
+
       <plugins>
 		<simpleAuthenticationPlugin>
 			<users>


