qpid-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kp...@apache.org
Subject svn commit: r1451244 [29/45] - in /qpid/branches/asyncstore: ./ bin/ cpp/ cpp/bindings/ cpp/bindings/qmf/ cpp/bindings/qmf/python/ cpp/bindings/qmf/ruby/ cpp/bindings/qmf2/ cpp/bindings/qmf2/examples/cpp/ cpp/bindings/qmf2/python/ cpp/bindings/qmf2/rub...
Date Thu, 28 Feb 2013 16:14:57 GMT
Modified: qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/SecurityManager.java
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/SecurityManager.java?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/SecurityManager.java (original)
+++ qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/SecurityManager.java Thu Feb 28 16:14:30 2013
@@ -18,22 +18,23 @@
  */
 package org.apache.qpid.server.security;
 
-import org.apache.commons.configuration.Configuration;
-import org.apache.commons.configuration.ConfigurationException;
 import org.apache.log4j.Logger;
 
 import org.apache.qpid.framing.AMQShortString;
-import org.apache.qpid.server.configuration.plugins.ConfigurationPlugin;
-import org.apache.qpid.server.configuration.plugins.ConfigurationPluginFactory;
 import org.apache.qpid.server.exchange.Exchange;
-import org.apache.qpid.server.plugins.PluginManager;
+
+import org.apache.qpid.server.plugin.AccessControlFactory;
+import org.apache.qpid.server.plugin.QpidServiceLoader;
 import org.apache.qpid.server.queue.AMQQueue;
 import org.apache.qpid.server.security.access.ObjectProperties;
+import org.apache.qpid.server.security.access.ObjectType;
 import org.apache.qpid.server.security.access.Operation;
 
 import static org.apache.qpid.server.security.access.ObjectType.EXCHANGE;
+import static org.apache.qpid.server.security.access.ObjectType.GROUP;
 import static org.apache.qpid.server.security.access.ObjectType.METHOD;
 import static org.apache.qpid.server.security.access.ObjectType.QUEUE;
+import static org.apache.qpid.server.security.access.ObjectType.USER;
 import static org.apache.qpid.server.security.access.ObjectType.VIRTUALHOST;
 import static org.apache.qpid.server.security.access.Operation.BIND;
 import static org.apache.qpid.server.security.access.Operation.CONSUME;
@@ -45,103 +46,105 @@ import static org.apache.qpid.server.sec
 
 import javax.security.auth.Subject;
 import java.net.SocketAddress;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
-import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
 import java.util.concurrent.ConcurrentHashMap;
 
 /**
- * The security manager contains references to all loaded {@link SecurityPlugin}s and delegates security decisions to them based
+ * The security manager contains references to all loaded {@link AccessControl}s and delegates security decisions to them based
  * on virtual host name. The plugins can be external <em>OSGi</em> .jar files that export the required classes or just internal
  * objects for simpler plugins.
- * 
- * @see SecurityPlugin
+ *
+ * @see AccessControl
  */
 public class SecurityManager
 {
     private static final Logger _logger = Logger.getLogger(SecurityManager.class);
-    
+
     /** Container for the {@link java.security.Principal} that is using to this thread. */
     private static final ThreadLocal<Subject> _subject = new ThreadLocal<Subject>();
-    private static final ThreadLocal<Boolean> _accessChecksDisabled = new ThreadLocal<Boolean>()
+
+    public static final ThreadLocal<Boolean> _accessChecksDisabled = new ClearingThreadLocal(false);
+
+    private Map<String, AccessControl> _globalPlugins = new HashMap<String, AccessControl>();
+    private Map<String, AccessControl> _hostPlugins = new HashMap<String, AccessControl>();
+
+    /**
+     * A special ThreadLocal, which calls remove() on itself whenever the value is
+     * the default, to avoid leaving a default value set after its use has passed.
+     */
+    private static final class ClearingThreadLocal extends ThreadLocal<Boolean>
     {
-        protected Boolean initialValue()
+        private Boolean _defaultValue;
+
+        public ClearingThreadLocal(Boolean defaultValue)
         {
-            return false;
+            super();
+            _defaultValue = defaultValue;
         }
-    };
 
-    private PluginManager _pluginManager;
-    private Map<String, SecurityPluginFactory> _pluginFactories = new HashMap<String, SecurityPluginFactory>();
-    private Map<String, SecurityPlugin> _globalPlugins = new HashMap<String, SecurityPlugin>();
-    private Map<String, SecurityPlugin> _hostPlugins = new HashMap<String, SecurityPlugin>();
+        @Override
+        protected Boolean initialValue()
+        {
+            return _defaultValue;
+        }
 
-    public static class SecurityConfiguration extends ConfigurationPlugin
-    {
-        public static final ConfigurationPluginFactory FACTORY = new ConfigurationPluginFactory()
+        @Override
+        public void set(Boolean value)
         {
-            public ConfigurationPlugin newInstance(String path, Configuration config) throws ConfigurationException
+            if (value == _defaultValue)
             {
-                ConfigurationPlugin instance = new SecurityConfiguration();
-                instance.setConfiguration(path, config);
-                return instance;
+                super.remove();
             }
-
-            public List<String> getParentPaths()
+            else
             {
-                return Arrays.asList("security", "virtualhosts.virtualhost.security");
+                super.set(value);
             }
-        };
-
-        @Override
-        public String[] getElementsProcessed()
-        {
-            return new String[]{"security"};
         }
 
-        public void validateConfiguration() throws ConfigurationException
+        @Override
+        public Boolean get()
         {
-            if (getConfig().isEmpty())
+            Boolean value = super.get();
+            if (value == _defaultValue)
             {
-                throw new ConfigurationException("security section is incomplete, no elements found.");
+                super.remove();
             }
+            return value;
         }
     }
 
-
-    public SecurityManager(SecurityManager parent) throws ConfigurationException
+    /*
+     * Used by the VirtualHost to allow deferring to the broker level security plugins if required.
+     */
+    public SecurityManager(SecurityManager parent, String aclFile)
     {
-        _pluginManager = parent._pluginManager;
-        _pluginFactories = parent._pluginFactories;
-        
+        this(aclFile);
+
         // our global plugins are the parent's host plugins
         _globalPlugins = parent._hostPlugins;
     }
 
-    public SecurityManager(ConfigurationPlugin configuration, PluginManager manager) throws ConfigurationException
+    public SecurityManager(String aclFile)
     {
-        this(configuration, manager, null);
-    }
-
-    public SecurityManager(ConfigurationPlugin configuration, PluginManager manager, SecurityPluginFactory plugin) throws ConfigurationException
-    {
-        _pluginManager = manager;
-        if (manager == null) // No plugin manager, no plugins
+        Map<String, Object> attributes = new HashMap<String, Object>();
+        attributes.put("aclFile", aclFile);
+        for (AccessControlFactory provider : (new QpidServiceLoader<AccessControlFactory>()).instancesOf(AccessControlFactory.class))
         {
-            return;
+            AccessControl accessControl = provider.createInstance(attributes);
+            if(accessControl != null)
+            {
+                addHostPlugin(accessControl);
+            }
         }
 
-        _pluginFactories = _pluginManager.getSecurityPlugins();
-        if (plugin != null)
+        if(_logger.isDebugEnabled())
         {
-            _pluginFactories.put(plugin.getPluginName(), plugin);
+            _logger.debug("Configured " + _hostPlugins.size() + " access control plugins");
         }
-
-        configureHostPlugins(configuration);
     }
 
     public static Subject getThreadSubject()
@@ -154,41 +157,6 @@ public class SecurityManager
         _subject.set(subject);
     }
 
-    public void configureHostPlugins(ConfigurationPlugin hostConfig) throws ConfigurationException
-    {
-        _hostPlugins = configurePlugins(hostConfig);
-    }
-    
-    public void configureGlobalPlugins(ConfigurationPlugin configuration) throws ConfigurationException
-    {
-        _globalPlugins = configurePlugins(configuration);
-    }
-
-    public Map<String, SecurityPlugin> configurePlugins(ConfigurationPlugin hostConfig) throws ConfigurationException
-    {
-        Map<String, SecurityPlugin> plugins = new HashMap<String, SecurityPlugin>();
-        SecurityConfiguration securityConfig = hostConfig.getConfiguration(SecurityConfiguration.class.getName());
-
-        // If we have no security Configuration then there is nothing to configure.        
-        if (securityConfig != null)
-        {
-            for (SecurityPluginFactory<?> factory : _pluginFactories.values())
-            {
-                SecurityPlugin plugin = factory.newInstance(securityConfig);
-                if (plugin != null)
-                {
-                    plugins.put(factory.getPluginName(), plugin);
-                }
-            }
-        }
-        return plugins;
-    }
-
-    public void addHostPlugin(SecurityPlugin plugin)
-    {
-        _hostPlugins.put(plugin.getClass().getName(), plugin);
-    }
-
     public static Logger getLogger()
     {
         return _logger;
@@ -205,7 +173,7 @@ public class SecurityManager
 
     private abstract class AccessCheck
     {
-        abstract Result allowed(SecurityPlugin plugin);
+        abstract Result allowed(AccessControl plugin);
     }
 
     private boolean checkAllPlugins(AccessCheck checker)
@@ -215,16 +183,16 @@ public class SecurityManager
             return true;
         }
 
-        Map<String, SecurityPlugin> remainingPlugins = _globalPlugins.isEmpty()
-                ? Collections.<String, SecurityPlugin>emptyMap()
-                : _hostPlugins.isEmpty() ? _globalPlugins : new HashMap<String, SecurityPlugin>(_globalPlugins);
-		
-		if(!_hostPlugins.isEmpty())
+        Map<String, AccessControl> remainingPlugins = _globalPlugins.isEmpty()
+                ? Collections.<String, AccessControl>emptyMap()
+                : _hostPlugins.isEmpty() ? _globalPlugins : new HashMap<String, AccessControl>(_globalPlugins);
+
+        if(!_hostPlugins.isEmpty())
         {
-            for (Entry<String, SecurityPlugin> hostEntry : _hostPlugins.entrySet())
+            for (Entry<String, AccessControl> hostEntry : _hostPlugins.entrySet())
             {
                 // Create set of global only plugins
-                SecurityPlugin globalPlugin = remainingPlugins.get(hostEntry.getKey());
+                AccessControl globalPlugin = remainingPlugins.get(hostEntry.getKey());
                 if (globalPlugin != null)
                 {
                     remainingPlugins.remove(hostEntry.getKey());
@@ -272,7 +240,7 @@ public class SecurityManager
             }
         }
 
-        for (SecurityPlugin plugin : remainingPlugins.values())
+        for (AccessControl plugin : remainingPlugins.values())
         {
             Result remaining = checker.allowed(plugin);
 			if (remaining == Result.DEFER)
@@ -284,16 +252,16 @@ public class SecurityManager
                 return false;
             }
         }
-        
+
         // getting here means either allowed or abstained from all plugins
         return true;
     }
-    
+
     public boolean authoriseBind(final Exchange exch, final AMQQueue queue, final AMQShortString routingKey)
     {
         return checkAllPlugins(new AccessCheck()
         {
-            Result allowed(SecurityPlugin plugin)
+            Result allowed(AccessControl plugin)
             {
                 return plugin.authorise(BIND, EXCHANGE, new ObjectProperties(exch, queue, routingKey));
             }
@@ -304,7 +272,7 @@ public class SecurityManager
     {
         return checkAllPlugins(new AccessCheck()
         {
-            Result allowed(SecurityPlugin plugin)
+            Result allowed(AccessControl plugin)
             {
                 ObjectProperties properties = new ObjectProperties();
                 properties.setName(methodName);
@@ -318,11 +286,22 @@ public class SecurityManager
         });
     }
 
+    public boolean accessManagement()
+    {
+        return checkAllPlugins(new AccessCheck()
+        {
+            Result allowed(AccessControl plugin)
+            {
+                return plugin.access(ObjectType.MANAGEMENT, null);
+            }
+        });
+    }
+
     public boolean accessVirtualhost(final String vhostname, final SocketAddress remoteAddress)
     {
         return checkAllPlugins(new AccessCheck()
         {
-            Result allowed(SecurityPlugin plugin)
+            Result allowed(AccessControl plugin)
             {
                 return plugin.access(VIRTUALHOST, remoteAddress);
             }
@@ -333,7 +312,7 @@ public class SecurityManager
     {
         return checkAllPlugins(new AccessCheck()
         {
-            Result allowed(SecurityPlugin plugin)
+            Result allowed(AccessControl plugin)
             {
                 return plugin.authorise(CONSUME, QUEUE, new ObjectProperties(queue));
             }
@@ -345,7 +324,7 @@ public class SecurityManager
     {
         return checkAllPlugins(new AccessCheck()
         {
-            Result allowed(SecurityPlugin plugin)
+            Result allowed(AccessControl plugin)
             {
                 return plugin.authorise(CREATE, EXCHANGE, new ObjectProperties(autoDelete, durable, exchangeName,
                         internal, nowait, passive, exchangeType));
@@ -358,7 +337,7 @@ public class SecurityManager
     {
         return checkAllPlugins(new AccessCheck()
         {
-            Result allowed(SecurityPlugin plugin)
+            Result allowed(AccessControl plugin)
             {
                 return plugin.authorise(CREATE, QUEUE, new ObjectProperties(autoDelete, durable, exclusive, nowait, passive, queueName, owner));
             }
@@ -369,7 +348,7 @@ public class SecurityManager
     {
         return checkAllPlugins(new AccessCheck()
         {
-            Result allowed(SecurityPlugin plugin)
+            Result allowed(AccessControl plugin)
             {
                 return plugin.authorise(DELETE, QUEUE, new ObjectProperties(queue));
             }
@@ -380,13 +359,34 @@ public class SecurityManager
     {
         return checkAllPlugins(new AccessCheck()
         {
-            Result allowed(SecurityPlugin plugin)
+            Result allowed(AccessControl plugin)
             {
                 return plugin.authorise(DELETE, EXCHANGE, new ObjectProperties(exchange.getName()));
             }
         });
     }
 
+    public boolean authoriseGroupOperation(final Operation operation, final String groupName)
+    {
+        return checkAllPlugins(new AccessCheck()
+        {
+            Result allowed(AccessControl plugin)
+            {
+                return plugin.authorise(operation, GROUP, new ObjectProperties(groupName));
+            }
+        });
+    }
+
+    public boolean authoriseUserOperation(final Operation operation, final String userName)
+    {
+        return checkAllPlugins(new AccessCheck()
+        {
+            Result allowed(AccessControl plugin)
+            {
+                return plugin.authorise(operation, USER, new ObjectProperties(userName));
+            }
+        });
+    }
 
     private ConcurrentHashMap<String, ConcurrentHashMap<String, PublishAccessCheck>> _immediatePublishPropsCache
             = new ConcurrentHashMap<String, ConcurrentHashMap<String, PublishAccessCheck>>();
@@ -428,7 +428,7 @@ public class SecurityManager
     {
         return checkAllPlugins(new AccessCheck()
         {
-            Result allowed(SecurityPlugin plugin)
+            Result allowed(AccessControl plugin)
             {
                 return plugin.authorise(PURGE, QUEUE, new ObjectProperties(queue));
             }
@@ -439,7 +439,7 @@ public class SecurityManager
     {
         return checkAllPlugins(new AccessCheck()
         {
-            Result allowed(SecurityPlugin plugin)
+            Result allowed(AccessControl plugin)
             {
                 return plugin.authorise(UNBIND, EXCHANGE, new ObjectProperties(exch, queue, routingKey));
             }
@@ -465,9 +465,16 @@ public class SecurityManager
             _props = props;
         }
 
-        Result allowed(SecurityPlugin plugin)
+        Result allowed(AccessControl plugin)
         {
             return plugin.authorise(PUBLISH, EXCHANGE, _props);
         }
     }
+
+
+    public void addHostPlugin(AccessControl plugin)
+    {
+        _hostPlugins.put(plugin.getClass().getName(), plugin);
+    }
+
 }

Modified: qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java (original)
+++ qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java Thu Feb 28 16:14:30 2013
@@ -18,33 +18,31 @@
  */
 package org.apache.qpid.server.security.access;
 
-import org.apache.commons.lang.StringUtils;
-
-import org.apache.qpid.framing.AMQShortString;
-import org.apache.qpid.server.exchange.Exchange;
-import org.apache.qpid.server.queue.AMQQueue;
-
 import java.util.ArrayList;
 import java.util.EnumMap;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang.builder.EqualsBuilder;
+import org.apache.qpid.framing.AMQShortString;
+import org.apache.qpid.server.exchange.Exchange;
+import org.apache.qpid.server.queue.AMQQueue;
+
 /**
  * An set of properties for an access control v2 rule {@link ObjectType}.
- * 
+ *
  * The {@link #matches(ObjectProperties)} method is intended to be used when determining precedence of rules, and
  * {@link #equals(Object)} and {@link #hashCode()} are intended for use in maps. This is due to the wildcard matching
  * described above.
  */
 public class ObjectProperties
 {
-    /** serialVersionUID */
-    private static final long serialVersionUID = -1356019341374170495L;
-    
     public static final String STAR= "*";
 
     public static final ObjectProperties EMPTY = new ObjectProperties();
-    
+
     public enum Property
     {
         ROUTING_KEY,
@@ -65,81 +63,89 @@ public class ObjectProperties
         AUTO_DELETE,
         COMPONENT,
         PACKAGE,
-        CLASS;
-        
-        public static Property parse(String text)
+        CLASS,
+        FROM_NETWORK,
+        FROM_HOSTNAME;
+
+        private static final Map<String, Property> _canonicalNameToPropertyMap = new HashMap<String, ObjectProperties.Property>();
+
+        static
         {
             for (Property property : values())
             {
-                if (property.getName().equalsIgnoreCase(text))
-                {
-                    return property;
-                }
+                _canonicalNameToPropertyMap.put(getCanonicalName(property.name()), property);
             }
-            throw new IllegalArgumentException("Not a valid property: " + text);
         }
-        
-        public String getName()
+
+        /**
+         * Properties are parsed using their canonical name (see {@link #getCanonicalName(String)})
+         * so that, for the sake of user-friendliness, the ACL file parses is insensitive to
+         * case and underscores.
+         */
+        public static Property parse(String text)
         {
-            return StringUtils.remove(name(), '_').toLowerCase();
+            String propertyName = getCanonicalName(text);
+            Property property = _canonicalNameToPropertyMap.get(propertyName);
+
+            if(property == null)
+            {
+                throw new IllegalArgumentException("Not a valid property: " + text
+                        + " because " + propertyName
+                        + " is not in " + _canonicalNameToPropertyMap.keySet());
+            }
+            else
+            {
+                return property;
+            }
+        }
+
+        private static String getCanonicalName(String name)
+        {
+            return StringUtils.remove(name, '_').toLowerCase();
         }
-		
-		public static List<String> getPropertyNames()
-		{
-			List<String> properties = new ArrayList<String>();		
-			for (Property property : values())
-			{
-				properties.add(property.getName());
-			}
-			return properties;
-		}
     }
 
     private final EnumMap<Property, String> _properties = new EnumMap<Property, String>(Property.class);
 
-	public static List<String> getAllPropertyNames()
+    public static List<String> getAllPropertyNames()
     {
-		List<String> properties = new ArrayList<String>();		
-		for (Property property : Property.values())
-		{
-			properties.add(StringUtils.remove(property.name(), '_').toLowerCase());
-		}
-		return properties;
-	}
-		
+        List<String> properties = new ArrayList<String>();
+        for (Property property : Property.values())
+        {
+            properties.add(StringUtils.remove(property.name(), '_').toLowerCase());
+        }
+        return properties;
+    }
+
     public ObjectProperties()
     {
-        super();
     }
-    
+
+    public ObjectProperties(Property property, String value)
+    {
+        _properties.put(property, value);
+    }
+
     public ObjectProperties(ObjectProperties copy)
     {
-        super();
-        
         _properties.putAll(copy._properties);
     }
-    
+
     public ObjectProperties(String name)
     {
-        super();
-        
         setName(name);
     }
 
-    
+
     public ObjectProperties(AMQShortString name)
     {
-        super();
-        
         setName(name);
     }
-    
+
     public ObjectProperties(AMQQueue queue)
     {
-        super();
-		
         setName(queue.getName());
-        
+
         put(Property.AUTO_DELETE, queue.isAutoDelete());
         put(Property.TEMPORARY, queue.isAutoDelete());
         put(Property.DURABLE, queue.isDurable());
@@ -157,45 +163,45 @@ public class ObjectProperties
             put(Property.OWNER, queue.getAuthorizationHolder().getAuthorizedPrincipal().getName());
         }
     }
-    
+
     public ObjectProperties(Exchange exch, AMQQueue queue, AMQShortString routingKey)
     {
         this(queue);
-        
-        setName(exch.getName());		
-        
+
+        setName(exch.getName());
+
 		put(Property.QUEUE_NAME, queue.getName());
         put(Property.ROUTING_KEY, routingKey);
     }
-    
+
     public ObjectProperties(Exchange exch, AMQShortString routingKey)
     {
         this(exch.getName(), routingKey.asString());
     }
-    
+
     public ObjectProperties(String exchangeName, String routingKey, Boolean immediate)
     {
         this(exchangeName, routingKey);
-        
+
         put(Property.IMMEDIATE, immediate);
     }
-    
+
     public ObjectProperties(String exchangeName, String routingKey)
     {
         super();
-        
+
         setName(exchangeName);
-                
+
         put(Property.ROUTING_KEY, routingKey);
     }
-    
+
     public ObjectProperties(Boolean autoDelete, Boolean durable, AMQShortString exchangeName,
             Boolean internal, Boolean nowait, Boolean passive, AMQShortString exchangeType)
     {
         super();
-		
+
         setName(exchangeName);
-        
+
         put(Property.AUTO_DELETE, autoDelete);
         put(Property.TEMPORARY, autoDelete);
         put(Property.DURABLE, durable);
@@ -204,14 +210,14 @@ public class ObjectProperties
         put(Property.PASSIVE, passive);
         put(Property.TYPE, exchangeType);
     }
-    
+
     public ObjectProperties(Boolean autoDelete, Boolean durable, Boolean exclusive, Boolean nowait, Boolean passive,
             AMQShortString queueName, String owner)
     {
         super();
-        
+
         setName(queueName);
-		
+
         put(Property.AUTO_DELETE, autoDelete);
         put(Property.TEMPORARY, autoDelete);
         put(Property.DURABLE, durable);
@@ -220,7 +226,7 @@ public class ObjectProperties
         put(Property.PASSIVE, passive);
         put(Property.OWNER, owner);
     }
-    
+
     public ObjectProperties(Boolean exclusive, Boolean noAck, Boolean noLocal, Boolean nowait, AMQQueue queue)
     {
         this(queue);
@@ -230,17 +236,7 @@ public class ObjectProperties
         put(Property.EXCLUSIVE, exclusive);
         put(Property.NO_WAIT, nowait);
     }
-	
-	public List<String> getPropertyNames()
-    {
-		List<String> properties = new ArrayList<String>();		
-		for (Property property : _properties.keySet())
-		{
-			properties.add(property.getName());
-		}
-		return properties;
-	}
-    
+
     public Boolean isSet(Property key)
     {
         return _properties.containsKey(key) && Boolean.valueOf(_properties.get(key));
@@ -255,17 +251,17 @@ public class ObjectProperties
     {
         return _properties.get(Property.NAME);
     }
-    
+
     public void setName(String name)
     {
         _properties.put(Property.NAME, name);
     }
-    
+
     public void setName(AMQShortString name)
     {
         put(Property.NAME, name);
     }
-    
+
     public String put(Property key, AMQShortString value)
     {
         return put(key, value == null ? "" : value.asString());
@@ -275,7 +271,7 @@ public class ObjectProperties
     {
         return _properties.put(key, value == null ? "" : value.trim());
     }
-    
+
     public void put(Property key, Boolean value)
     {
         if (value != null)
@@ -283,66 +279,64 @@ public class ObjectProperties
             _properties.put(key, Boolean.toString(value));
         }
     }
-    
+
     public boolean matches(ObjectProperties properties)
     {
         if (properties._properties.keySet().isEmpty())
         {
             return true;
         }
-        
+
         if (!_properties.keySet().containsAll(properties._properties.keySet()))
         {
             return false;
         }
-        
+
         for (Map.Entry<Property,String> entry : properties._properties.entrySet())
         {
             Property key = entry.getKey();
             String ruleValue = entry.getValue();
-            
+
             String thisValue = _properties.get(key);
 
-            if (!valueMatches(thisValue, ruleValue)) 
+            if (!valueMatches(thisValue, ruleValue))
             {
                 return false;
             }
         }
-        
+
         return true;
     }
-    
+
     private boolean valueMatches(String thisValue, String ruleValue)
     {
         return (StringUtils.isEmpty(ruleValue)
                 || StringUtils.equals(thisValue, ruleValue))
                 || ruleValue.equals(STAR)
-                || (ruleValue.endsWith(STAR) 
+                || (ruleValue.endsWith(STAR)
                         && thisValue != null
                         && thisValue.length() >= ruleValue.length() - 1
                         && thisValue.startsWith(ruleValue.substring(0, ruleValue.length() - 1)));
     }
 
     @Override
-    public boolean equals(Object o)
+    public boolean equals(Object obj)
     {
-        if (this == o)
+        if (obj == null)
         {
-            return true;
+            return false;
         }
-        if (o == null || getClass() != o.getClass())
+        if (obj == this)
         {
-            return false;
+            return true;
         }
-
-        ObjectProperties that = (ObjectProperties) o;
-
-        if (_properties != null ? !_properties.equals(that._properties) : that._properties != null)
+        if (obj.getClass() != getClass())
         {
             return false;
         }
-
-        return true;
+        ObjectProperties rhs = (ObjectProperties) obj;
+        return new EqualsBuilder()
+            .append(_properties, rhs._properties).isEquals();
     }
 
     @Override

Modified: qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectType.java
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectType.java?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectType.java (original)
+++ qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectType.java Thu Feb 28 16:14:30 2013
@@ -41,12 +41,15 @@ public enum ObjectType
 {
     ALL(Operation.ALL),
     VIRTUALHOST(Operation.ALL, ACCESS),
+    MANAGEMENT(Operation.ALL, ACCESS),
     QUEUE(Operation.ALL, CREATE, DELETE, PURGE, CONSUME),
     EXCHANGE(Operation.ALL, ACCESS, CREATE, DELETE, BIND, UNBIND, PUBLISH),
     LINK, // Not allowed in the Java broker
     ROUTE, // Not allowed in the Java broker
-    METHOD(Operation.ALL, ACCESS, UPDATE);
-    
+    METHOD(Operation.ALL, ACCESS, UPDATE),
+    USER(Operation.ALL, CREATE, DELETE, UPDATE),
+    GROUP(Operation.ALL, CREATE, DELETE, UPDATE);
+
     private EnumSet<Operation> _actions;
     
     private ObjectType()

Modified: qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/AuthenticationResult.java
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/AuthenticationResult.java?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/AuthenticationResult.java (original)
+++ qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/AuthenticationResult.java Thu Feb 28 16:14:30 2013
@@ -7,9 +7,9 @@
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
- * 
+ *
  *   http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
@@ -20,15 +20,20 @@
  */
 package org.apache.qpid.server.security.auth;
 
-import javax.security.auth.Subject;
+import java.security.Principal;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.apache.qpid.server.security.auth.manager.AuthenticationManager;
 
 /**
- * Encapsulates the result of an attempt to authenticate.
+ * Encapsulates the result of an attempt to authenticate using an {@link AuthenticationManager}.
  * <p>
  * The authentication status describes the overall outcome.
  * <p>
  * <ol>
- *  <li>If authentication status is SUCCESS, the subject will be populated.
+ *  <li>If authentication status is SUCCESS, at least one {@link Principal} will be populated.
  *  </li>
  *  <li>If authentication status is CONTINUE, the authentication has failed because the user
  *      supplied incorrect credentials (etc).  If the authentication requires it, the next challenge
@@ -40,6 +45,8 @@ import javax.security.auth.Subject;
  *  </li>
  * </ol>
  *
+ * The main principal provided to the constructor is wrapped in an {@link AuthenticatedPrincipal}
+ * to make it easier for the rest of the application to identify it among the set of other principals.
  */
 public class AuthenticationResult
 {
@@ -56,37 +63,59 @@ public class AuthenticationResult
     private final AuthenticationStatus _status;
     private final byte[] _challenge;
     private final Exception _cause;
-    private final Subject _subject;
+    private final Set<Principal> _principals = new HashSet<Principal>();
+    private final Principal _mainPrincipal;
 
     public AuthenticationResult(final AuthenticationStatus status)
     {
         this(null, status, null);
     }
 
+    public AuthenticationResult(Principal mainPrincipal)
+    {
+        this(mainPrincipal, Collections.<Principal>emptySet());
+    }
+
+    public AuthenticationResult(Principal mainPrincipal, Set<Principal> otherPrincipals)
+    {
+        AuthenticatedPrincipal specialQpidAuthenticatedPrincipal = new AuthenticatedPrincipal(mainPrincipal);
+        _principals.addAll(otherPrincipals);
+        _principals.remove(mainPrincipal);
+        _principals.add(specialQpidAuthenticatedPrincipal);
+        _mainPrincipal = mainPrincipal;
+
+        _status = AuthenticationStatus.SUCCESS;
+        _challenge = null;
+        _cause = null;
+    }
+
     public AuthenticationResult(final byte[] challenge, final AuthenticationStatus status)
     {
-        this(challenge, status, null);
+        _challenge = challenge;
+        _status = status;
+        _cause = null;
+        _mainPrincipal = null;
     }
 
     public AuthenticationResult(final AuthenticationStatus error, final Exception cause)
     {
-        this(null, error, cause);
+        _status = error;
+        _challenge = null;
+        _cause = cause;
+        _mainPrincipal = null;
     }
 
     public AuthenticationResult(final byte[] challenge, final AuthenticationStatus status, final Exception cause)
     {
-        this._status = status;
-        this._challenge = challenge;
-        this._cause = cause;
-        this._subject = null;
-    }
-
-    public AuthenticationResult(final Subject subject)
-    {
-        this._status = AuthenticationStatus.SUCCESS;
-        this._challenge = null;
-        this._cause = null;
-        this._subject = subject;
+        if(status == AuthenticationStatus.SUCCESS)
+        {
+            throw new IllegalArgumentException("Successful authentication requires at least one principal");
+        }
+
+        _status = status;
+        _challenge = challenge;
+        _cause = cause;
+        _mainPrincipal = null;
     }
 
     public Exception getCause()
@@ -104,9 +133,13 @@ public class AuthenticationResult
         return _challenge;
     }
 
-    public Subject getSubject()
+    public Set<Principal> getPrincipals()
     {
-        return _subject;
+        return _principals;
     }
 
+    public Principal getMainPrincipal()
+    {
+        return _mainPrincipal;
+    }
 }

Modified: qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/AbstractPasswordFilePrincipalDatabase.java
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/AbstractPasswordFilePrincipalDatabase.java?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/AbstractPasswordFilePrincipalDatabase.java (original)
+++ qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/AbstractPasswordFilePrincipalDatabase.java Thu Feb 28 16:14:30 2013
@@ -21,9 +21,9 @@
 package org.apache.qpid.server.security.auth.database;
 
 import org.apache.log4j.Logger;
+import org.apache.qpid.server.security.auth.UsernamePrincipal;
 import org.apache.qpid.server.security.auth.sasl.AuthenticationProviderInitialiser;
 import org.apache.qpid.server.security.auth.sasl.UsernamePasswordInitialiser;
-import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
 
 import javax.security.auth.callback.PasswordCallback;
 import javax.security.auth.login.AccountNotFoundException;

Modified: qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PrincipalDatabase.java
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PrincipalDatabase.java?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PrincipalDatabase.java (original)
+++ qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PrincipalDatabase.java Thu Feb 28 16:14:30 2013
@@ -32,6 +32,8 @@ import java.util.Map;
 /** Represents a "user database" which is really a way of storing principals (i.e. usernames) and passwords. */
 public interface PrincipalDatabase
 {
+    void setPasswordFile(String passwordFile) throws IOException;
+
     /**
      * Set the password for a given principal in the specified callback. This is used for certain SASL providers. The
      * user database implementation should look up the password in any way it chooses and set it in the callback by

Modified: qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManager.java?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManager.java (original)
+++ qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManager.java Thu Feb 28 16:14:30 2013
@@ -21,31 +21,25 @@
 package org.apache.qpid.server.security.auth.manager;
 
 import java.security.Principal;
-import java.util.Arrays;
-import java.util.List;
+
 import javax.security.auth.Subject;
-import javax.security.auth.callback.CallbackHandler;
 import javax.security.sasl.SaslException;
 import javax.security.sasl.SaslServer;
-import org.apache.commons.configuration.Configuration;
-import org.apache.commons.configuration.ConfigurationException;
-import org.apache.log4j.Logger;
-import org.apache.qpid.server.configuration.plugins.ConfigurationPlugin;
-import org.apache.qpid.server.configuration.plugins.ConfigurationPluginFactory;
+
 import org.apache.qpid.server.security.auth.AuthenticationResult;
-import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
+import org.apache.qpid.server.security.auth.UsernamePrincipal;
 import org.apache.qpid.server.security.auth.sasl.anonymous.AnonymousInitialiser;
 import org.apache.qpid.server.security.auth.sasl.anonymous.AnonymousSaslServer;
 
 public class AnonymousAuthenticationManager implements AuthenticationManager
 {
-    private static final Logger _logger = Logger.getLogger(AnonymousAuthenticationManager.class);
-
     private static final AnonymousInitialiser SASL_INITIALISER = new AnonymousInitialiser();
 
     private static final String ANONYMOUS = SASL_INITIALISER.getMechanismName();
 
-    private static final Principal ANONYMOUS_PRINCIPAL = new UsernamePrincipal("ANONYMOUS");
+    public static final String ANONYMOUS_USERNAME = "ANONYMOUS";
+
+    public static final Principal ANONYMOUS_PRINCIPAL = new UsernamePrincipal(ANONYMOUS_USERNAME);
 
     public static final Subject ANONYMOUS_SUBJECT = new Subject();
     static
@@ -53,76 +47,11 @@ public class AnonymousAuthenticationMana
         ANONYMOUS_SUBJECT.getPrincipals().add(ANONYMOUS_PRINCIPAL);
     }
 
-    private static final AuthenticationResult ANONYMOUS_AUTHENTICATION = new AuthenticationResult(ANONYMOUS_SUBJECT);
-
-
-    private static CallbackHandler _callbackHandler = SASL_INITIALISER.getCallbackHandler();
+    private static final AuthenticationResult ANONYMOUS_AUTHENTICATION = new AuthenticationResult(ANONYMOUS_PRINCIPAL);
 
     static final AnonymousAuthenticationManager INSTANCE = new AnonymousAuthenticationManager();
 
-    public static class AnonymousAuthenticationManagerConfiguration extends ConfigurationPlugin
-    {
-
-        public static final ConfigurationPluginFactory FACTORY =
-                new ConfigurationPluginFactory()
-                {
-                    public List<String> getParentPaths()
-                    {
-                        return Arrays.asList("security.anonymous-auth-manager");
-                    }
-
-                    public ConfigurationPlugin newInstance(final String path, final Configuration config) throws ConfigurationException
-                    {
-                        final ConfigurationPlugin instance = new AnonymousAuthenticationManagerConfiguration();
-
-                        instance.setConfiguration(path, config);
-                        return instance;
-                    }
-                };
-
-        public String[] getElementsProcessed()
-        {
-            return new String[0];
-        }
-
-        public void validateConfiguration() throws ConfigurationException
-        {
-        }
-
-        }
-
-
-    public static final AuthenticationManagerPluginFactory<AnonymousAuthenticationManager> FACTORY = new AuthenticationManagerPluginFactory<AnonymousAuthenticationManager>()
-    {
-        public AnonymousAuthenticationManager newInstance(final ConfigurationPlugin config) throws ConfigurationException
-        {
-            AnonymousAuthenticationManagerConfiguration configuration =
-                    config == null
-                            ? null
-                            : (AnonymousAuthenticationManagerConfiguration) config.getConfiguration(AnonymousAuthenticationManagerConfiguration.class.getName());
-
-            // If there is no configuration for this plugin then don't load it.
-            if (configuration == null)
-            {
-                _logger.info("No authentication-manager configuration found for AnonymousAuthenticationManager");
-                return null;
-            }
-            return INSTANCE;
-        }
-
-        public Class<AnonymousAuthenticationManager> getPluginClass()
-        {
-            return AnonymousAuthenticationManager.class;
-        }
-
-        public String getPluginName()
-        {
-            return AnonymousAuthenticationManager.class.getName();
-        }
-    };
-
-
-    private AnonymousAuthenticationManager()
+    AnonymousAuthenticationManager()
     {
     }
 
@@ -184,9 +113,4 @@ public class AnonymousAuthenticationMana
     public void close()
     {
     }
-
-    @Override
-    public void configure(ConfigurationPlugin config) throws ConfigurationException
-    {
-    }
 }

Modified: qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/AuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/AuthenticationManager.java?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/AuthenticationManager.java (original)
+++ qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/AuthenticationManager.java Thu Feb 28 16:14:30 2013
@@ -24,22 +24,22 @@ import java.security.Principal;
 import javax.security.sasl.SaslException;
 import javax.security.sasl.SaslServer;
 import org.apache.qpid.common.Closeable;
-import org.apache.qpid.server.plugins.Plugin;
 import org.apache.qpid.server.security.auth.AuthenticationResult;
 
 /**
  * Implementations of the AuthenticationManager are responsible for determining
  * the authenticity of a user's credentials.
- *
- * If the authentication is successful, the manager is responsible for producing a populated
- * {@link javax.security.auth.Subject} containing the user's identity and zero or more principals representing
- * groups to which the user belongs.
+ * <p>
+ * If the authentication is successful, the manager is responsible for producing an
+ * {@link AuthenticationResult} containing the user's main {@link Principal} and zero or
+ * more other implementation-specific principals.
+ * </p>
  * <p>
  * The {@link #initialise()} method is responsible for registering SASL mechanisms required by
  * the manager.  The {@link #close()} method must reverse this registration.
- *
+ * </p>
  */
-public interface AuthenticationManager extends Closeable, Plugin
+public interface AuthenticationManager extends Closeable
 {
     /** The name for the required SASL Server mechanisms */
     public static final String PROVIDER_NAME= "AMQSASLProvider-Server";
@@ -88,5 +88,4 @@ public interface AuthenticationManager e
      * @return authentication result
      */
     AuthenticationResult authenticate(String username, String password);
-
 }

Modified: qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationManager.java?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationManager.java (original)
+++ qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationManager.java Thu Feb 28 16:14:30 2013
@@ -19,90 +19,19 @@
 package org.apache.qpid.server.security.auth.manager;
 
 import java.security.Principal;
-import java.util.Arrays;
-import java.util.List;
-import javax.security.auth.Subject;
+
 import javax.security.sasl.SaslException;
 import javax.security.sasl.SaslServer;
-import org.apache.commons.configuration.Configuration;
-import org.apache.commons.configuration.ConfigurationException;
-import org.apache.log4j.Logger;
-import org.apache.qpid.server.configuration.plugins.ConfigurationPlugin;
-import org.apache.qpid.server.configuration.plugins.ConfigurationPluginFactory;
+
 import org.apache.qpid.server.security.auth.AuthenticationResult;
+import org.apache.qpid.server.security.auth.UsernamePrincipal;
 import org.apache.qpid.server.security.auth.sasl.external.ExternalSaslServer;
 
 public class ExternalAuthenticationManager implements AuthenticationManager
 {
-    private static final Logger _logger = Logger.getLogger(ExternalAuthenticationManager.class);
-
     private static final String EXTERNAL = "EXTERNAL";
 
-    static final ExternalAuthenticationManager INSTANCE = new ExternalAuthenticationManager();
-
-    public static class ExternalAuthenticationManagerConfiguration extends ConfigurationPlugin
-    {
-
-        public static final ConfigurationPluginFactory FACTORY =
-                new ConfigurationPluginFactory()
-                {
-                    public List<String> getParentPaths()
-                    {
-                        return Arrays.asList("security.external-auth-manager");
-                    }
-
-                    public ConfigurationPlugin newInstance(final String path, final Configuration config) throws ConfigurationException
-                    {
-                        final ConfigurationPlugin instance = new ExternalAuthenticationManagerConfiguration();
-
-                        instance.setConfiguration(path, config);
-                        return instance;
-                    }
-                };
-
-        public String[] getElementsProcessed()
-        {
-            return new String[0];
-        }
-
-        public void validateConfiguration() throws ConfigurationException
-        {
-        }
-
-        }
-
-
-    public static final AuthenticationManagerPluginFactory<ExternalAuthenticationManager> FACTORY = new AuthenticationManagerPluginFactory<ExternalAuthenticationManager>()
-    {
-        public ExternalAuthenticationManager newInstance(final ConfigurationPlugin config) throws ConfigurationException
-        {
-            ExternalAuthenticationManagerConfiguration configuration =
-                    config == null
-                            ? null
-                            : (ExternalAuthenticationManagerConfiguration) config.getConfiguration(ExternalAuthenticationManagerConfiguration.class.getName());
-
-            // If there is no configuration for this plugin then don't load it.
-            if (configuration == null)
-            {
-                _logger.info("No authentication-manager configuration found for ExternalAuthenticationManager");
-                return null;
-            }
-            return INSTANCE;
-        }
-
-        public Class<ExternalAuthenticationManager> getPluginClass()
-        {
-            return ExternalAuthenticationManager.class;
-        }
-
-        public String getPluginName()
-        {
-            return ExternalAuthenticationManager.class.getName();
-        }
-    };
-
-
-    private ExternalAuthenticationManager()
+    ExternalAuthenticationManager()
     {
     }
 
@@ -137,15 +66,13 @@ public class ExternalAuthenticationManag
         // Process response from the client
         try
         {
-            byte[] challenge = server.evaluateResponse(response != null ? response : new byte[0]);
+            server.evaluateResponse(response != null ? response : new byte[0]);
 
             Principal principal = ((ExternalSaslServer)server).getAuthenticatedPrincipal();
 
             if(principal != null)
             {
-                final Subject subject = new Subject();
-                subject.getPrincipals().add(principal);
-                return new AuthenticationResult(subject);
+                return new AuthenticationResult(principal);
             }
             else
             {
@@ -162,16 +89,11 @@ public class ExternalAuthenticationManag
     @Override
     public AuthenticationResult authenticate(String username, String password)
     {
-        return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR);
+        return new AuthenticationResult(new UsernamePrincipal(username));
     }
 
     @Override
     public void close()
     {
     }
-
-    @Override
-    public void configure(ConfigurationPlugin config) throws ConfigurationException
-    {
-    }
 }

Modified: qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java (original)
+++ qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java Thu Feb 28 16:14:30 2013
@@ -20,10 +20,7 @@ package org.apache.qpid.server.security.
 
 import java.io.IOException;
 import java.security.Principal;
-import java.util.Arrays;
 import java.util.HashMap;
-import java.util.List;
-import javax.security.auth.Subject;
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.UnsupportedCallbackException;
@@ -31,86 +28,15 @@ import javax.security.sasl.AuthorizeCall
 import javax.security.sasl.Sasl;
 import javax.security.sasl.SaslException;
 import javax.security.sasl.SaslServer;
-import org.apache.commons.configuration.Configuration;
-import org.apache.commons.configuration.ConfigurationException;
-import org.apache.log4j.Logger;
-import org.apache.qpid.server.configuration.plugins.ConfigurationPlugin;
-import org.apache.qpid.server.configuration.plugins.ConfigurationPluginFactory;
 import org.apache.qpid.server.security.auth.AuthenticationResult;
-import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
+import org.apache.qpid.server.security.auth.UsernamePrincipal;
 
 public class KerberosAuthenticationManager implements AuthenticationManager
 {
-    private static final Logger _logger = Logger.getLogger(KerberosAuthenticationManager.class);
-
     private static final String GSSAPI_MECHANISM = "GSSAPI";
     private final CallbackHandler _callbackHandler = new GssApiCallbackHandler();
 
-    public static class KerberosAuthenticationManagerConfiguration extends ConfigurationPlugin
-    {
-
-        public static final ConfigurationPluginFactory FACTORY =
-                new ConfigurationPluginFactory()
-                {
-                    public List<String> getParentPaths()
-                    {
-                        return Arrays.asList("security.kerberos-auth-manager");
-                    }
-
-                    public ConfigurationPlugin newInstance(final String path, final Configuration config) throws ConfigurationException
-                    {
-                        final ConfigurationPlugin instance = new KerberosAuthenticationManagerConfiguration();
-
-                        instance.setConfiguration(path, config);
-                        return instance;
-                    }
-                };
-
-        public String[] getElementsProcessed()
-        {
-            return new String[0];
-        }
-
-        public void validateConfiguration() throws ConfigurationException
-        {
-        }
-
-    }
-
-
-    public static final AuthenticationManagerPluginFactory<KerberosAuthenticationManager> FACTORY = new AuthenticationManagerPluginFactory<KerberosAuthenticationManager>()
-    {
-        public KerberosAuthenticationManager newInstance(final ConfigurationPlugin config) throws ConfigurationException
-        {
-            KerberosAuthenticationManagerConfiguration configuration =
-                    config == null
-                            ? null
-                            : (KerberosAuthenticationManagerConfiguration) config.getConfiguration(KerberosAuthenticationManagerConfiguration.class.getName());
-
-            // If there is no configuration for this plugin then don't load it.
-            if (configuration == null)
-            {
-                _logger.info("No authentication-manager configuration found for KerberosAuthenticationManager");
-                return null;
-            }
-            KerberosAuthenticationManager kerberosAuthenticationManager = new KerberosAuthenticationManager();
-            kerberosAuthenticationManager.configure(configuration);
-            return kerberosAuthenticationManager;
-        }
-
-        public Class<KerberosAuthenticationManager> getPluginClass()
-        {
-            return KerberosAuthenticationManager.class;
-        }
-
-        public String getPluginName()
-        {
-            return KerberosAuthenticationManager.class.getName();
-        }
-    };
-
-
-    private KerberosAuthenticationManager()
+    KerberosAuthenticationManager()
     {
     }
 
@@ -158,10 +84,7 @@ public class KerberosAuthenticationManag
 
             if (server.isComplete())
             {
-                final Subject subject = new Subject();
-                _logger.debug("Authenticated as " + server.getAuthorizationID());
-                subject.getPrincipals().add(new UsernamePrincipal(server.getAuthorizationID()));
-                return new AuthenticationResult(subject);
+                return new AuthenticationResult(new UsernamePrincipal(server.getAuthorizationID()));
             }
             else
             {
@@ -186,11 +109,6 @@ public class KerberosAuthenticationManag
     {
     }
 
-    @Override
-    public void configure(ConfigurationPlugin config) throws ConfigurationException
-    {
-    }
-
     private static class GssApiCallbackHandler implements CallbackHandler
     {
 

Modified: qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java (original)
+++ qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java Thu Feb 28 16:14:30 2013
@@ -21,38 +21,25 @@
 package org.apache.qpid.server.security.auth.manager;
 
 import java.security.Principal;
-import org.apache.commons.configuration.Configuration;
-import org.apache.commons.configuration.ConfigurationException;
 import org.apache.log4j.Logger;
 
-import org.apache.qpid.configuration.PropertyException;
-import org.apache.qpid.configuration.PropertyUtils;
-import org.apache.qpid.server.configuration.plugins.ConfigurationPlugin;
-import org.apache.qpid.server.configuration.plugins.ConfigurationPluginFactory;
 import org.apache.qpid.server.security.auth.AuthenticationResult;
 import org.apache.qpid.server.security.auth.AuthenticationResult.AuthenticationStatus;
 import org.apache.qpid.server.security.auth.database.PrincipalDatabase;
 import org.apache.qpid.server.security.auth.sasl.AuthenticationProviderInitialiser;
 import org.apache.qpid.server.security.auth.sasl.JCAProvider;
-import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
+import org.apache.qpid.server.security.auth.UsernamePrincipal;
 
-import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.login.AccountNotFoundException;
 import javax.security.sasl.Sasl;
 import javax.security.sasl.SaslException;
 import javax.security.sasl.SaslServer;
 import javax.security.sasl.SaslServerFactory;
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
+
 import java.security.Security;
-import java.util.Arrays;
-import java.util.Collections;
 import java.util.HashMap;
-import java.util.Iterator;
-import java.util.List;
 import java.util.Map;
-import java.util.Map.Entry;
 import java.util.TreeMap;
 
 
@@ -60,27 +47,10 @@ import java.util.TreeMap;
  * Concrete implementation of the AuthenticationManager that determines if supplied
  * user credentials match those appearing in a PrincipalDatabase.   The implementation
  * of the PrincipalDatabase is determined from the configuration.
- *
- * This implementation also registers the JMX UserManagemement MBean.
- *
- * This plugin expects configuration such as:
- *
- * <pre>
- * &lt;pd-auth-manager&gt;
- *   &lt;principal-database&gt;
- *      &lt;class&gt;org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase&lt;/class&gt;
- *      &lt;attributes&gt;
- *         &lt;attribute&gt;
- *              &lt;name>passwordFile&lt;/name&gt;
- *              &lt;value>${conf}/passwd&lt;/value&gt;
- *          &lt;/attribute&gt;
- *      &lt;/attributes&gt;
- *   &lt;/principal-database&gt;
- * &lt;/pd-auth-manager&gt;
- * </pre>
  */
 public class PrincipalDatabaseAuthenticationManager implements AuthenticationManager
 {
+
     private static final Logger _logger = Logger.getLogger(PrincipalDatabaseAuthenticationManager.class);
 
     /** The list of mechanisms, in the order in which they are configured (i.e. preferred order) */
@@ -95,95 +65,11 @@ public class PrincipalDatabaseAuthentica
      */
     private final Map<String, Map<String, ?>> _serverCreationProperties = new HashMap<String, Map<String, ?>>();
 
-    private PrincipalDatabase _principalDatabase = null;
-
-    public static final AuthenticationManagerPluginFactory<PrincipalDatabaseAuthenticationManager> FACTORY = new AuthenticationManagerPluginFactory<PrincipalDatabaseAuthenticationManager>()
-    {
-        public PrincipalDatabaseAuthenticationManager newInstance(final ConfigurationPlugin config) throws ConfigurationException
-        {
-            final PrincipalDatabaseAuthenticationManagerConfiguration configuration =
-                    config == null
-                            ? null
-                            : (PrincipalDatabaseAuthenticationManagerConfiguration) config.getConfiguration(PrincipalDatabaseAuthenticationManagerConfiguration.class.getName());
-
-            // If there is no configuration for this plugin then don't load it.
-            if (configuration == null)
-            {
-                _logger.info("No authentication-manager configuration found for PrincipalDatabaseAuthenticationManager");
-                return null;
-            }
-
-            final PrincipalDatabaseAuthenticationManager pdam = new PrincipalDatabaseAuthenticationManager();
-            pdam.configure(configuration);
-            pdam.initialise();
-            return pdam;
-        }
-
-        public Class<PrincipalDatabaseAuthenticationManager> getPluginClass()
-        {
-            return PrincipalDatabaseAuthenticationManager.class;
-        }
-
-        public String getPluginName()
-        {
-            return PrincipalDatabaseAuthenticationManager.class.getName();
-        }
-    };
-
-    public static class PrincipalDatabaseAuthenticationManagerConfiguration extends ConfigurationPlugin {
-
-        public static final ConfigurationPluginFactory FACTORY = new ConfigurationPluginFactory()
-        {
-            public List<String> getParentPaths()
-            {
-                return Arrays.asList("security.pd-auth-manager");
-            }
-
-            public ConfigurationPlugin newInstance(final String path, final Configuration config) throws ConfigurationException
-            {
-                final ConfigurationPlugin instance = new PrincipalDatabaseAuthenticationManagerConfiguration();
-
-                instance.setConfiguration(path, config);
-                return instance;
-            }
-        };
-
-        public String[] getElementsProcessed()
-        {
-            return new String[] {"principal-database.class",
-                                 "principal-database.attributes.attribute.name",
-                                 "principal-database.attributes.attribute.value"};
-        }
-
-        public void validateConfiguration() throws ConfigurationException
-        {
-        }
-
-        public String getPrincipalDatabaseClass()
-        {
-            return getConfig().getString("principal-database.class");
-        }
-
-        public Map<String,String> getPdClassAttributeMap() throws ConfigurationException
-        {
-            final List<String> argumentNames = (List) getConfig().getList("principal-database.attributes.attribute.name");
-            final List<String> argumentValues = (List) getConfig().getList("principal-database.attributes.attribute.value");
-            final Map<String,String> attributes = new HashMap<String,String>(argumentNames.size());
-
-            for (int i = 0; i < argumentNames.size(); i++)
-            {
-                final String argName = argumentNames.get(i);
-                final String argValue = argumentValues.get(i);
+    private final PrincipalDatabase _principalDatabase;
 
-                attributes.put(argName, argValue);
-            }
-
-            return Collections.unmodifiableMap(attributes);
-        }
-    }
-
-    protected PrincipalDatabaseAuthenticationManager()
+    public PrincipalDatabaseAuthenticationManager(PrincipalDatabase pd)
     {
+        _principalDatabase = pd;
     }
 
     public void initialise()
@@ -246,21 +132,6 @@ public class PrincipalDatabaseAuthentica
         _logger.info("Initialised " + mechanism + " SASL provider successfully");
     }
 
-    /**
-     * @see org.apache.qpid.server.plugins.Plugin#configure(org.apache.qpid.server.configuration.plugins.ConfigurationPlugin)
-     */
-    public void configure(final ConfigurationPlugin config) throws ConfigurationException
-    {
-        final PrincipalDatabaseAuthenticationManagerConfiguration pdamConfig = (PrincipalDatabaseAuthenticationManagerConfiguration) config;
-        final String pdClazz = pdamConfig.getPrincipalDatabaseClass();
-
-        _logger.info("PrincipalDatabase concrete implementation : " + pdClazz);
-
-        _principalDatabase = createPrincipalDatabaseImpl(pdClazz);
-
-        configPrincipalDatabase(_principalDatabase, pdamConfig);
-    }
-
     public String getMechanisms()
     {
         return _mechanisms;
@@ -268,8 +139,11 @@ public class PrincipalDatabaseAuthentica
 
     public SaslServer createSaslServer(String mechanism, String localFQDN, Principal externalPrincipal) throws SaslException
     {
-        return Sasl.createSaslServer(mechanism, "AMQP", localFQDN, _serverCreationProperties.get(mechanism),
-                                     _callbackHandlerMap.get(mechanism));
+        Map<String, ?> properties = _serverCreationProperties.get(mechanism);
+        CallbackHandler callbackHandler = _callbackHandlerMap.get(mechanism);
+
+        return Sasl.createSaslServer(mechanism, "AMQP", localFQDN, properties,
+                                     callbackHandler);
     }
 
     /**
@@ -284,9 +158,8 @@ public class PrincipalDatabaseAuthentica
 
             if (server.isComplete())
             {
-                final Subject subject = new Subject();
-                subject.getPrincipals().add(new UsernamePrincipal(server.getAuthorizationID()));
-                return new AuthenticationResult(subject);
+                final String userId = server.getAuthorizationID();
+                return new AuthenticationResult(new UsernamePrincipal(userId));
             }
             else
             {
@@ -308,9 +181,7 @@ public class PrincipalDatabaseAuthentica
         {
             if (_principalDatabase.verifyPassword(username, password.toCharArray()))
             {
-                final Subject subject = new Subject();
-                subject.getPrincipals().add(new UsernamePrincipal(username));
-                return new AuthenticationResult(subject);
+                return new AuthenticationResult(new UsernamePrincipal(username));
             }
             else
             {
@@ -329,100 +200,8 @@ public class PrincipalDatabaseAuthentica
         Security.removeProvider(PROVIDER_NAME);
     }
 
-    private PrincipalDatabase createPrincipalDatabaseImpl(final String pdClazz) throws ConfigurationException
-    {
-        try
-        {
-            return (PrincipalDatabase) Class.forName(pdClazz).newInstance();
-        }
-        catch (InstantiationException ie)
-        {
-            throw new ConfigurationException("Cannot instantiate " + pdClazz, ie);
-        }
-        catch (IllegalAccessException iae)
-        {
-            throw new ConfigurationException("Cannot access " + pdClazz, iae);
-        }
-        catch (ClassNotFoundException cnfe)
-        {
-            throw new ConfigurationException("Cannot load " + pdClazz + " implementation", cnfe);
-        }
-        catch (ClassCastException cce)
-        {
-            throw new ConfigurationException("Expecting a " + PrincipalDatabase.class + " implementation", cce);
-        }
-    }
-
-    private void configPrincipalDatabase(final PrincipalDatabase principalDatabase, final PrincipalDatabaseAuthenticationManagerConfiguration config)
-            throws ConfigurationException
-    {
-
-        final Map<String,String> attributes = config.getPdClassAttributeMap();
-
-        for (Iterator<Entry<String, String>> iterator = attributes.entrySet().iterator(); iterator.hasNext();)
-        {
-            final Entry<String, String> nameValuePair = iterator.next();
-            final String methodName = generateSetterName(nameValuePair.getKey());
-            final Method method;
-            try
-            {
-                method = principalDatabase.getClass().getMethod(methodName, String.class);
-            }
-            catch (Exception e)
-            {
-                throw new ConfigurationException("No method " + methodName + " found in class "
-                        + principalDatabase.getClass()
-                        + " hence unable to configure principal database. The method must be public and "
-                        + "have a single String argument with a void return type", e);
-            }
-            try
-            {
-                method.invoke(principalDatabase, PropertyUtils.replaceProperties(nameValuePair.getValue()));
-            }
-            catch (IllegalArgumentException e)
-            {
-                throw new ConfigurationException(e.getMessage(), e);
-            }
-            catch (PropertyException e)
-            {
-                throw new ConfigurationException(e.getMessage(), e);
-            }
-            catch (IllegalAccessException e)
-            {
-                throw new ConfigurationException(e.getMessage(), e);
-            }
-            catch (InvocationTargetException e)
-            {
-                // QPID-1347..  InvocationTargetException wraps the checked exception thrown from the reflective
-                // method call.  Pull out the underlying message and cause to make these more apparent to the user.
-                throw new ConfigurationException(e.getCause().getMessage(), e.getCause());
-            }
-        }
-    }
-
     public PrincipalDatabase getPrincipalDatabase()
     {
         return _principalDatabase;
     }
-
-    private String generateSetterName(String argName) throws ConfigurationException
-    {
-        if ((argName == null) || (argName.length() == 0))
-        {
-            throw new ConfigurationException("Argument names must have length >= 1 character");
-        }
-
-        if (Character.isLowerCase(argName.charAt(0)))
-        {
-            argName = Character.toUpperCase(argName.charAt(0)) + argName.substring(1);
-        }
-
-        final String methodName = "set" + argName;
-        return methodName;
-    }
-
-    protected void setPrincipalDatabase(final PrincipalDatabase principalDatabase)
-    {
-        _principalDatabase = principalDatabase;
-    }
 }

Modified: qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java (original)
+++ qpid/branches/asyncstore/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java Thu Feb 28 16:14:30 2013
@@ -21,10 +21,10 @@ package org.apache.qpid.server.security.
 
 import java.io.IOException;
 import java.security.Principal;
-import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Hashtable;
-import java.util.List;
+
+import javax.naming.AuthenticationException;
 import javax.naming.Context;
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
@@ -32,7 +32,6 @@ import javax.naming.directory.DirContext
 import javax.naming.directory.InitialDirContext;
 import javax.naming.directory.SearchControls;
 import javax.naming.directory.SearchResult;
-import javax.security.auth.Subject;
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.NameCallback;
@@ -41,13 +40,10 @@ import javax.security.sasl.AuthorizeCall
 import javax.security.sasl.Sasl;
 import javax.security.sasl.SaslException;
 import javax.security.sasl.SaslServer;
-import org.apache.commons.configuration.Configuration;
-import org.apache.commons.configuration.ConfigurationException;
 import org.apache.log4j.Logger;
-import org.apache.qpid.server.configuration.plugins.ConfigurationPlugin;
-import org.apache.qpid.server.configuration.plugins.ConfigurationPluginFactory;
 import org.apache.qpid.server.security.auth.AuthenticationResult;
-import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
+import org.apache.qpid.server.security.auth.AuthenticationResult.AuthenticationStatus;
+import org.apache.qpid.server.security.auth.UsernamePrincipal;
 import org.apache.qpid.server.security.auth.sasl.plain.PlainPasswordCallback;
 
 public class SimpleLDAPAuthenticationManager implements AuthenticationManager
@@ -55,123 +51,25 @@ public class SimpleLDAPAuthenticationMan
     private static final Logger _logger = Logger.getLogger(SimpleLDAPAuthenticationManager.class);
 
     private static final String PLAIN_MECHANISM = "PLAIN";
-    private static final String DEFAULT_LDAP_CONTEXT_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";
-    private String _providerSearchURL;
-    private String _searchContext;
-    private String _searchFilter;
-    private String _providerAuthURL;
-    private String _ldapContextFactory;
-
-    public static class SimpleLDAPAuthenticationManagerConfiguration extends ConfigurationPlugin
-    {
-
-        public static final ConfigurationPluginFactory FACTORY =
-                new ConfigurationPluginFactory()
-                {
-                    public List<String> getParentPaths()
-                    {
-                        return Arrays.asList("security.simple-ldap-auth-manager");
-                    }
-
-                    public ConfigurationPlugin newInstance(final String path, final Configuration config) throws ConfigurationException
-                    {
-                        final ConfigurationPlugin instance = new SimpleLDAPAuthenticationManagerConfiguration();
-
-                        instance.setConfiguration(path, config);
-                        return instance;
-                    }
-                };
-
-        private static final String PROVIDER_URL = "provider-url";
-        private static final String PROVIDER_SEARCH_URL = "provider-search-url";
-        private static final String PROVIDER_AUTH_URL = "provider-auth-url";
-        private static final String SEARCH_CONTEXT = "search-context";
-        private static final String SEARCH_FILTER = "search-filter";
-        private static final String LDAP_CONTEXT_FACTORY = "ldap-context-factory";
-
-        public String[] getElementsProcessed()
-        {
-            return new String[] {PROVIDER_URL, PROVIDER_SEARCH_URL, PROVIDER_AUTH_URL, SEARCH_CONTEXT, SEARCH_FILTER,
-                                 LDAP_CONTEXT_FACTORY};
-        }
-
-        public void validateConfiguration() throws ConfigurationException
-        {
-        }
-
-        public String getLDAPContextFactory()
-        {
-            return getConfig().getString(LDAP_CONTEXT_FACTORY, DEFAULT_LDAP_CONTEXT_FACTORY);
-        }
-
-
-        public String getProviderURL()
-        {
-            return getConfig().getString(PROVIDER_URL);
-        }
-
-        public String getProviderSearchURL()
-        {
-            return getConfig().getString(PROVIDER_SEARCH_URL, getProviderURL());
-        }
-
-        public String getSearchContext()
-        {
-            return getConfig().getString(SEARCH_CONTEXT);
-        }
-
-        public String getSearchFilter()
-        {
-            return getConfig().getString(SEARCH_FILTER);
-        }
-
-        public String getProviderAuthURL()
-        {
-            return getConfig().getString(PROVIDER_AUTH_URL, getProviderURL());
-        }
-    }
-
-
-    public static final AuthenticationManagerPluginFactory<SimpleLDAPAuthenticationManager> FACTORY = new AuthenticationManagerPluginFactory<SimpleLDAPAuthenticationManager>()
-    {
-        public SimpleLDAPAuthenticationManager newInstance(final ConfigurationPlugin config) throws ConfigurationException
-        {
-            SimpleLDAPAuthenticationManagerConfiguration configuration =
-                    config == null
-                            ? null
-                            : (SimpleLDAPAuthenticationManagerConfiguration) config.getConfiguration(SimpleLDAPAuthenticationManagerConfiguration.class.getName());
-
-            // If there is no configuration for this plugin then don't load it.
-            if (configuration == null)
-            {
-                _logger.info("No authentication-manager configuration found for SimpleLDAPAuthenticationManager");
-                return null;
-            }
-            SimpleLDAPAuthenticationManager simpleLDAPAuthenticationManager = new SimpleLDAPAuthenticationManager();
-            simpleLDAPAuthenticationManager.configure(configuration);
-            return simpleLDAPAuthenticationManager;
-        }
-
-        public Class<SimpleLDAPAuthenticationManager> getPluginClass()
-        {
-            return SimpleLDAPAuthenticationManager.class;
-        }
-
-        public String getPluginName()
-        {
-            return SimpleLDAPAuthenticationManager.class.getName();
-        }
-    };
-
-
-    private SimpleLDAPAuthenticationManager()
-    {
+    private final String _providerSearchURL;
+    private final String _providerAuthURL;
+    private final String _searchContext;
+    private final String _searchFilter;
+    private final String _ldapContextFactory;
+
+    SimpleLDAPAuthenticationManager(String providerSearchUrl, String providerAuthUrl, String searchContext, String searchFilter, String ldapContextFactory)
+    {
+        _providerSearchURL = providerSearchUrl;
+        _providerAuthURL = providerAuthUrl;
+        _searchContext = searchContext;
+        _searchFilter = searchFilter;
+        _ldapContextFactory = ldapContextFactory;
     }
 
     @Override
     public void initialise()
     {
-
+        validateInitialDirContext();
     }
 
     @Override
@@ -205,10 +103,10 @@ public class SimpleLDAPAuthenticationMan
 
             if (server.isComplete())
             {
-                final Subject subject = new Subject();
-                _logger.debug("Authenticated as " + server.getAuthorizationID());
-                subject.getPrincipals().add(new UsernamePrincipal(server.getAuthorizationID()));
-                return new AuthenticationResult(subject);
+                String authorizationID = server.getAuthorizationID();
+                _logger.debug("Authenticated as " + authorizationID);
+
+                return new AuthenticationResult(new UsernamePrincipal(authorizationID));
             }
             else
             {
@@ -224,34 +122,74 @@ public class SimpleLDAPAuthenticationMan
     @Override
     public AuthenticationResult authenticate(String username, String password)
     {
-
         try
         {
-            return doLDAPNameAuthentication(getNameFromId(username), password);
+            AuthenticationResult result = doLDAPNameAuthentication(getNameFromId(username), password);
+            if(result.getStatus() == AuthenticationStatus.SUCCESS)
+            {
+                //Return a result based on the supplied username rather than the search name
+                return new AuthenticationResult(new UsernamePrincipal(username));
+            }
+            else
+            {
+                return result;
+            }
         }
         catch (NamingException e)
         {
-
             return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
-
         }
     }
 
-    private AuthenticationResult doLDAPNameAuthentication(String username, String password) throws NamingException
+    private AuthenticationResult doLDAPNameAuthentication(String name, String password)
     {
+        if(name == null)
+        {
+            //The search didn't return anything, class as not-authenticated before it NPEs below
+            return new AuthenticationResult(AuthenticationStatus.CONTINUE);
+        }
+
         Hashtable<Object,Object> env = new Hashtable<Object,Object>();
         env.put(Context.INITIAL_CONTEXT_FACTORY, _ldapContextFactory);
         env.put(Context.PROVIDER_URL, _providerAuthURL);
 
         env.put(Context.SECURITY_AUTHENTICATION, "simple");
 
-        env.put(Context.SECURITY_PRINCIPAL, username);
+        env.put(Context.SECURITY_PRINCIPAL, name);
         env.put(Context.SECURITY_CREDENTIALS, password);
-        DirContext ctx = new InitialDirContext(env);
-        ctx.close();
-        final Subject subject = new Subject();
-        subject.getPrincipals().add(new UsernamePrincipal(username));
-        return new AuthenticationResult(subject);
+
+        DirContext ctx = null;
+        try
+        {
+            ctx = new InitialDirContext(env);
+
+            //Authentication succeeded
+            return new AuthenticationResult(new UsernamePrincipal(name));
+        }
+        catch(AuthenticationException ae)
+        {
+            //Authentication failed
+            return new AuthenticationResult(AuthenticationStatus.CONTINUE);
+        }
+        catch (NamingException e)
+        {
+            //Some other failure
+            return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
+        }
+        finally
+        {
+            if(ctx != null)
+            {
+                try
+                {
+                    ctx.close();
+                }
+                catch (Exception e)
+                {
+                    _logger.warn("Exception closing InitialDirContext", e);
+                }
+            }
+        }
     }
 
     @Override
@@ -259,17 +197,8 @@ public class SimpleLDAPAuthenticationMan
     {
     }
 
-    @Override
-    public void configure(ConfigurationPlugin config) throws ConfigurationException
+    private void validateInitialDirContext()
     {
-        SimpleLDAPAuthenticationManagerConfiguration ldapConfig = (SimpleLDAPAuthenticationManagerConfiguration) config;
-
-        _ldapContextFactory = ldapConfig.getLDAPContextFactory();
-        _providerSearchURL = ldapConfig.getProviderSearchURL();
-        _providerAuthURL = ldapConfig.getProviderAuthURL();
-        _searchContext = ldapConfig.getSearchContext();
-        _searchFilter = ldapConfig.getSearchFilter();
-
         Hashtable<String,Object> env = new Hashtable<String, Object>();
         env.put(Context.INITIAL_CONTEXT_FACTORY, _ldapContextFactory);
         env.put(Context.PROVIDER_URL, _providerSearchURL);
@@ -277,11 +206,11 @@ public class SimpleLDAPAuthenticationMan
 
         try
         {
-            new InitialDirContext(env);
+            new InitialDirContext(env).close();
         }
         catch (NamingException e)
         {
-            throw new ConfigurationException("Unable to establish anonymous connection to the ldap server at " + _providerSearchURL, e);
+            throw new RuntimeException("Unable to establish anonymous connection to the ldap server at " + _providerSearchURL, e);
         }
     }
 
@@ -305,19 +234,11 @@ public class SimpleLDAPAuthenticationMan
                     }
                     catch (NamingException e)
                     {
-                        _logger.info("SASL Authentication Error", e);
+                        _logger.warn("SASL Authentication Exception", e);
                     }
                     if(password != null)
                     {
-                        try
-                        {
-                            authenticated = doLDAPNameAuthentication(name, password);
-
-                        }
-                        catch (NamingException e)
-                        {
-                            authenticated = new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
-                        }
+                        authenticated = doLDAPNameAuthentication(name, password);
                     }
                 }
                 else if (callback instanceof PlainPasswordCallback)
@@ -325,17 +246,10 @@ public class SimpleLDAPAuthenticationMan
                     password = ((PlainPasswordCallback)callback).getPlainPassword();
                     if(name != null)
                     {
-                        try
+                        authenticated = doLDAPNameAuthentication(name, password);
+                        if(authenticated.getStatus()== AuthenticationResult.AuthenticationStatus.SUCCESS)
                         {
-                            authenticated = doLDAPNameAuthentication(name, password);
-                            if(authenticated.getStatus()== AuthenticationResult.AuthenticationStatus.SUCCESS)
-                            {
-                                ((PlainPasswordCallback)callback).setAuthenticated(true);
-                            }
-                        }
-                        catch (NamingException e)
-                        {
-                            authenticated = new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
+                            ((PlainPasswordCallback)callback).setAuthenticated(true);
                         }
                     }
                 }
@@ -357,7 +271,6 @@ public class SimpleLDAPAuthenticationMan
         env.put(Context.INITIAL_CONTEXT_FACTORY, _ldapContextFactory);
         env.put(Context.PROVIDER_URL, _providerSearchURL);
 
-
         env.put(Context.SECURITY_AUTHENTICATION, "none");
         DirContext ctx = null;
 
@@ -382,7 +295,14 @@ public class SimpleLDAPAuthenticationMan
         }
         finally
         {
-            ctx.close();
+            try
+            {
+                ctx.close();
+            }
+            catch (Exception e)
+            {
+                _logger.warn("Exception closing InitialDirContext", e);
+            }
         }
 
     }



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org


Mime
View raw message