Author: jstrachan
Date: Wed Feb 15 04:38:40 2006
New Revision: 377995
URL: http://svn.apache.org/viewcvs?rev=377995&view=rev
Log:
refactor of the authorization plugin to make it easier to create alternative
data structures for capturing the different ACLs, such as a single tree-based
authorization map
Added:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DefaultDestinationMapEntry.java
(with props)
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
(with props)
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationEntry.java
(with props)
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
(with props)
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationPlugin.java
(with props)
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
(with props)
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
(with props)
Removed:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationBroker.java
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationPlugin.java
Modified:
incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/SimpleSecurityBrokerSystemTest.java
incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml
Added:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DefaultDestinationMapEntry.java
URL:
http://svn.apache.org/viewcvs/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DefaultDestinationMapEntry.java?rev=377995&view=auto
==============================================================================
---
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DefaultDestinationMapEntry.java
(added)
+++
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DefaultDestinationMapEntry.java
Wed Feb 15 04:38:40 2006
@@ -0,0 +1,37 @@
+/**
+ *
+ * Copyright 2005-2006 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.filter;
+
+/**
+ * A default entry in a DestinationMap which holds a single value.
+ *
+ * @org.apache.xbean.XBean element="destinationEntry"
+ *
+ * @version $Revision$
+ */
+public class DefaultDestinationMapEntry extends DestinationMapEntry {
+ private Object value;
+
+ public Object getValue() {
+ return value;
+ }
+
+ public void setValue(Object value) {
+ this.value = value;
+ }
+
+}
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DefaultDestinationMapEntry.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DefaultDestinationMapEntry.java
------------------------------------------------------------------------------
svn:keywords = Date Author Id Revision HeadURL
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DefaultDestinationMapEntry.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
URL:
http://svn.apache.org/viewcvs/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java?rev=377995&view=auto
==============================================================================
---
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
(added)
+++
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
Wed Feb 15 04:38:40 2006
@@ -0,0 +1,201 @@
+/**
+ *
+ * Copyright 2005-2006 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.activemq.broker.Broker;
+import org.apache.activemq.broker.BrokerFilter;
+import org.apache.activemq.broker.ConnectionContext;
+import org.apache.activemq.broker.region.Destination;
+import org.apache.activemq.command.ActiveMQDestination;
+import org.apache.activemq.command.ActiveMQQueue;
+import org.apache.activemq.command.ActiveMQTempDestination;
+import org.apache.activemq.command.ActiveMQTopic;
+import org.apache.activemq.command.ConsumerInfo;
+import org.apache.activemq.command.Message;
+import org.apache.activemq.command.ProducerInfo;
+import org.apache.activemq.filter.BooleanExpression;
+import org.apache.activemq.filter.MessageEvaluationContext;
+
+import javax.jms.JMSException;
+
+import java.util.Set;
+
+
+/**
+ * Verifies if a authenticated user can do an operation against the broker
using an authorization map.
+ *
+ * @version $Revision$
+ */
+public class AuthorizationBroker extends BrokerFilter implements
SecurityAdminMBean {
+
+ private final AuthorizationMap authorizationMap;
+ private boolean filterReads = true;
+
+ public AuthorizationBroker(Broker next, AuthorizationMap authorizationMap)
{
+ super(next);
+ this.authorizationMap = authorizationMap;
+ }
+
+ public Destination addDestination(ConnectionContext context,
ActiveMQDestination destination) throws Throwable {
+ final SecurityContext securityContext = (SecurityContext)
context.getSecurityContext();
+ if( securityContext == null )
+ throw new SecurityException("User is not authenticated.");
+
+ // You don't need to be an admin to create temp destinations.
+ if( !destination.isTemporary()
+ ||
!((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue())
) {
+
+ Set allowedACLs = authorizationMap.getAdminACLs(destination);
+ if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
+ throw new SecurityException("User
"+securityContext.getUserName()+" is not authorized to create: "+destination);
+ }
+
+ return super.addDestination(context, destination);
+ }
+
+ public void removeDestination(ConnectionContext context,
ActiveMQDestination destination, long timeout) throws Throwable {
+
+ final SecurityContext securityContext = (SecurityContext)
context.getSecurityContext();
+ if( securityContext == null )
+ throw new SecurityException("User is not authenticated.");
+
+ // You don't need to be an admin to remove temp destinations.
+ if( !destination.isTemporary()
+ ||
!((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue())
) {
+
+ Set allowedACLs = authorizationMap.getAdminACLs(destination);
+ if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
+ throw new SecurityException("User
"+securityContext.getUserName()+" is not authorized to remove: "+destination);
+ }
+
+ super.removeDestination(context, destination, timeout);
+ }
+
+ public void addConsumer(ConnectionContext context, ConsumerInfo info)
throws Throwable {
+
+ final SecurityContext subject = (SecurityContext)
context.getSecurityContext();
+ if( subject == null )
+ throw new SecurityException("User is not authenticated.");
+
+ Set allowedACLs = authorizationMap.getReadACLs(info.getDestination());
+ if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
+ throw new SecurityException("User "+subject.getUserName()+" is not
authorized to read from: "+info.getDestination());
+ subject.getAuthorizedReadDests().put(info.getDestination(),
info.getDestination());
+
+ // Should we install a additional predicate on the consumer?
+ // This adds a little more overhead, but is more secure.
+ if( filterReads ) {
+
+ info.setAdditionalPredicate(new BooleanExpression() {
+ public boolean matches(MessageEvaluationContext message)
throws JMSException {
+ if(
!subject.getAuthorizedReadDests().contains(message.getDestination()) ) {
+ Set allowedACLs =
authorizationMap.getReadACLs(message.getDestination());
+ if(allowedACLs!=null &&
!subject.isInOneOf(allowedACLs))
+ return false;
+
subject.getAuthorizedReadDests().put(message.getDestination(),
message.getDestination());
+ }
+ return true;
+ }
+ public Object evaluate(MessageEvaluationContext message)
throws JMSException {
+ return matches(message) ? Boolean.TRUE : Boolean.FALSE;
+ }
+ });
+
+ }
+
+ super.addConsumer(context, info);
+ }
+
+ public void addProducer(ConnectionContext context, ProducerInfo info)
throws Throwable {
+
+ SecurityContext subject = (SecurityContext)
context.getSecurityContext();
+ if( subject == null )
+ throw new SecurityException("User is not authenticated.");
+
+ if( info.getDestination()!=null ) {
+ Set allowedACLs =
authorizationMap.getWriteACLs(info.getDestination());
+ if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
+ throw new SecurityException("User "+subject.getUserName()+" is
not authorized to write to: "+info.getDestination());
+ subject.getAuthorizedWriteDests().put(info.getDestination(),
info.getDestination());
+ }
+
+ super.addProducer(context, info);
+ }
+
+ public void send(ConnectionContext context, Message messageSend) throws
Throwable {
+ SecurityContext subject = (SecurityContext)
context.getSecurityContext();
+ if( subject == null )
+ throw new SecurityException("User is not authenticated.");
+
+ if(
!subject.getAuthorizedWriteDests().contains(messageSend.getDestination()) ) {
+ Set allowedACLs =
authorizationMap.getWriteACLs(messageSend.getDestination());
+ if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
+ throw new SecurityException("User "+subject.getUserName()+" is
not authorized to write to: "+messageSend.getDestination());
+
subject.getAuthorizedWriteDests().put(messageSend.getDestination(),
messageSend.getDestination());
+ }
+
+ super.send(context, messageSend);
+ }
+
+ // SecurityAdminMBean interface
+ //
-------------------------------------------------------------------------
+
+ public void addQueueRole(String queue, String operation, String role) {
+ addDestinationRole(new ActiveMQQueue(queue), operation, role);
+ }
+
+ public void addTopicRole(String topic, String operation, String role) {
+ addDestinationRole(new ActiveMQTopic(topic), operation, role);
+ }
+
+ public void removeQueueRole(String queue, String operation, String role) {
+ removeDestinationRole(new ActiveMQQueue(queue), operation, role);
+ }
+
+ public void removeTopicRole(String topic, String operation, String role) {
+ removeDestinationRole(new ActiveMQTopic(topic), operation, role);
+ }
+
+ public void addDestinationRole(javax.jms.Destination destination, String
operation, String role) {
+ }
+
+ public void removeDestinationRole(javax.jms.Destination destination,
String operation, String role) {
+ }
+
+
+ public void addRole(String role) {
+ }
+
+ public void addUserRole(String user, String role) {
+ }
+
+ public void removeRole(String role) {
+ }
+
+ public void removeUserRole(String user, String role) {
+ }
+
+ // Properties
+ //
-------------------------------------------------------------------------
+ public boolean isFilterReads() {
+ return filterReads;
+ }
+
+ public void setFilterReads(boolean filterReads) {
+ this.filterReads = filterReads;
+ }
+}
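Review bot: The ACL checks in addDestination, removeDestination, addConsumer, addProducer and send treat a null result from the authorization map as "no restriction" (`allowedACLs!=null && !securityContext.isInOneOf(allowedACLs)`), so a destination with no configured entry is open to any authenticated user; if that is not the intent, fail closed with `if (allowedACLs == null || !securityContext.isInOneOf(allowedACLs))` and apply the same change in the other four methods. DefaultAuthorizationMap in this commit always returns a (possibly empty) HashSet, but SimpleAuthorizationMap passes through whatever DestinationMap.get returns, so the null case looks reachable. Separately, addDestinationRole, removeDestinationRole, addRole, addUserRole, removeRole and removeUserRole have empty bodies, so a caller of the SecurityAdminMBean operations gets a silent no-op; either throw `UnsupportedOperationException` or add a comment stating that the map behind this broker is read-only. The getAuthorizedReadDests/getAuthorizedWriteDests caches are populated on first success and never cleared, so an ACL change is not re-evaluated for an existing connection — worth a comment next to the filterReads predicate.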
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
------------------------------------------------------------------------------
svn:keywords = Date Author Id Revision HeadURL
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationBroker.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationEntry.java
URL:
http://svn.apache.org/viewcvs/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationEntry.java?rev=377995&view=auto
==============================================================================
---
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationEntry.java
(added)
+++
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationEntry.java
Wed Feb 15 04:38:40 2006
@@ -0,0 +1,63 @@
+/**
+ *
+ * Copyright 2005-2006 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.activemq.filter.DestinationMapEntry;
+
+import java.util.Collections;
+import java.util.Set;
+
+/**
+ * Represents an entry in a [EMAIL PROTECTED] DefaultAuthorizationMap} for
assigning
+ * different operations (read, write, admin) of user roles to a specific
+ * destination or a hierarchical wildcard area of destinations.
+ *
+ * @org.apache.xbean.XBean
+ *
+ * @version $Revision$
+ */
+public class AuthorizationEntry extends DestinationMapEntry {
+
+ private Set readACLs = Collections.EMPTY_SET;
+ private Set writeACLs = Collections.EMPTY_SET;
+ private Set adminACLs = Collections.EMPTY_SET;
+
+ public Set getAdminACLs() {
+ return adminACLs;
+ }
+
+ public void setAdminACLs(Set adminACLs) {
+ this.adminACLs = adminACLs;
+ }
+
+ public Set getReadACLs() {
+ return readACLs;
+ }
+
+ public void setReadACLs(Set readACLs) {
+ this.readACLs = readACLs;
+ }
+
+ public Set getWriteACLs() {
+ return writeACLs;
+ }
+
+ public void setWriteACLs(Set writeACLs) {
+ this.writeACLs = writeACLs;
+ }
+
+}
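Review bot: setAdminACLs, setReadACLs and setWriteACLs accept null, and DefaultAuthorizationMap.getAdminACLs in this same commit calls `answer.addAll(entry.getAdminACLs())` with no null check, so a null ACL set configured on an entry becomes a NullPointerException at authorization time rather than a configuration error. Normalising in each setter, `this.adminACLs = adminACLs == null ? Collections.EMPTY_SET : adminACLs;` (likewise for read and write), keeps the existing empty-set default as the single "nothing allowed" representation. The class Javadoc could also state what an element of these raw sets is expected to be, since SecurityContext.isInOneOf compares against them and the file does not say.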
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationEntry.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationEntry.java
------------------------------------------------------------------------------
svn:keywords = Date Author Id Revision HeadURL
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationEntry.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
URL:
http://svn.apache.org/viewcvs/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java?rev=377995&view=auto
==============================================================================
---
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
(added)
+++
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
Wed Feb 15 04:38:40 2006
@@ -0,0 +1,44 @@
+/**
+ *
+ * Copyright 2005-2006 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.activemq.command.ActiveMQDestination;
+
+import java.util.Set;
+
+/**
+ *
+ * @version $Revision$
+ */
+public interface AuthorizationMap {
+
+ /**
+ * Returns the set of all ACLs capable of administering the given
destination
+ */
+ Set getAdminACLs(ActiveMQDestination destination);
+
+ /**
+ * Returns the set of all ACLs capable of reading (consuming from) the
given destination
+ */
+ Set getReadACLs(ActiveMQDestination destination);
+
+ /**
+ * Returns the set of all ACLs capable of writing to the given destination
+ */
+ Set getWriteACLs(ActiveMQDestination destination);
+
+}
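Review bot: The class-level Javadoc is empty and none of the three methods say whether null may be returned or what it means, yet AuthorizationBroker in this commit skips the check entirely when the result is null, which makes that a security-relevant part of the contract. Suggested method Javadoc for getAdminACLs (mirrored for read and write): `Returns the set of all ACLs capable of administering the given destination; an empty set denies everyone, and implementations should return an empty set rather than null because callers may treat null as unrestricted.` — adjust the last clause to whatever is decided for the null case. A one-line class summary such as `Looks up the ACLs (read, write, admin) that apply to a destination.` would fill the blank summary at the top.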
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
------------------------------------------------------------------------------
svn:keywords = Date Author Id Revision HeadURL
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationMap.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationPlugin.java
URL:
http://svn.apache.org/viewcvs/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationPlugin.java?rev=377995&view=auto
==============================================================================
---
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationPlugin.java
(added)
+++
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationPlugin.java
Wed Feb 15 04:38:40 2006
@@ -0,0 +1,56 @@
+/**
+ *
+ * Copyright 2005-2006 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.activemq.broker.Broker;
+import org.apache.activemq.broker.BrokerPlugin;
+
+/**
+ * An authorization plugin where each operation on a destination is checked
+ * against an authorizationMap
+ *
+ * @org.apache.xbean.XBean
+ *
+ * @version $Revision$
+ */
+public class AuthorizationPlugin implements BrokerPlugin {
+
+ private AuthorizationMap authorizationMap;
+
+ public AuthorizationPlugin() {
+ }
+
+ public AuthorizationPlugin(AuthorizationMap authorizationMap) {
+ this.authorizationMap = authorizationMap;
+ }
+
+ public Broker installPlugin(Broker broker) {
+ if (authorizationMap == null) {
+ throw new IllegalArgumentException("You must configure an
'authorizationMap'");
+ }
+ return new AuthorizationBroker(broker, authorizationMap);
+ }
+
+ public AuthorizationMap getAuthorizationMap() {
+ return authorizationMap;
+ }
+
+ public void setAuthorizationMap(AuthorizationMap authorizationMap) {
+ this.authorizationMap = authorizationMap;
+ }
+
+}
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationPlugin.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationPlugin.java
------------------------------------------------------------------------------
svn:keywords = Date Author Id Revision HeadURL
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/AuthorizationPlugin.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
URL:
http://svn.apache.org/viewcvs/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java?rev=377995&view=auto
==============================================================================
---
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
(added)
+++
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
Wed Feb 15 04:38:40 2006
@@ -0,0 +1,115 @@
+/**
+ *
+ * Copyright 2005-2006 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.activemq.command.ActiveMQDestination;
+import org.apache.activemq.filter.DestinationMap;
+
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * Represents a destination based configuration of policies so that individual
+ * destinations or wildcard hierarchies of destinations can be configured using
+ * different policies. Each entry in the map represents the authorization ACLs
for each operation.
+ *
+ * @org.apache.xbean.XBean element="authorizationMap"
+ *
+ * @version $Revision$
+ */
+public class DefaultAuthorizationMap extends DestinationMap implements
AuthorizationMap {
+
+ private AuthorizationEntry defaultEntry;
+
+ public DefaultAuthorizationMap() {
+ }
+
+ public DefaultAuthorizationMap(List authorizationEntries) {
+ setAuthorizationEntries(authorizationEntries);
+ }
+
+
+ public Set getAdminACLs(ActiveMQDestination destination) {
+ Set answer = new HashSet();
+ Set entries = get(destination);
+ entries.add(defaultEntry);
+
+ // now lets go through each entry adding individual
+ for (Iterator iter = entries.iterator(); iter.hasNext();) {
+ AuthorizationEntry entry = (AuthorizationEntry) iter.next();
+ answer.addAll(entry.getAdminACLs());
+ }
+ return answer;
+ }
+
+ public Set getReadACLs(ActiveMQDestination destination) {
+ Set answer = new HashSet();
+ Set entries = get(destination);
+ entries.add(defaultEntry);
+
+ // now lets go through each entry adding individual
+ for (Iterator iter = entries.iterator(); iter.hasNext();) {
+ AuthorizationEntry entry = (AuthorizationEntry) iter.next();
+ answer.addAll(entry.getReadACLs());
+ }
+ return answer;
+ }
+
+ public Set getWriteACLs(ActiveMQDestination destination) {
+ Set answer = new HashSet();
+ Set entries = get(destination);
+ entries.add(defaultEntry);
+
+ // now lets go through each entry adding individual
+ for (Iterator iter = entries.iterator(); iter.hasNext();) {
+ AuthorizationEntry entry = (AuthorizationEntry) iter.next();
+ answer.addAll(entry.getWriteACLs());
+ }
+ return answer;
+ }
+
+ public AuthorizationEntry getEntryFor(ActiveMQDestination destination) {
+ AuthorizationEntry answer = (AuthorizationEntry)
chooseValue(destination);
+ if (answer == null) {
+ answer = getDefaultEntry();
+ }
+ return answer;
+ }
+
+ /**
+ * Sets the individual entries on the authorization map
+ *
+ * @org.apache.xbean.ElementType
class="org.apache.activemq.security.AuthorizationEntry"
+ */
+ public void setAuthorizationEntries(List entries) {
+ super.setEntries(entries);
+ }
+
+ public AuthorizationEntry getDefaultEntry() {
+ return defaultEntry;
+ }
+
+ public void setDefaultEntry(AuthorizationEntry defaultEntry) {
+ this.defaultEntry = defaultEntry;
+ }
+
+ protected Class getEntryClass() {
+ return AuthorizationEntry.class;
+ }
+}
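Review bot: getAdminACLs, getReadACLs and getWriteACLs call `entries.add(defaultEntry)` unconditionally, so when no defaultEntry is configured a null is added and the loop's `entry.getAdminACLs()` throws NullPointerException on every lookup; guard with `if (defaultEntry != null) entries.add(defaultEntry);` in all three methods. The three bodies are identical apart from the getter they call, so a short comment noting that they must stay in step, or a private helper, would reduce the chance of one being fixed without the others. Whether `get(destination)` returns a fresh set or a view of the map's own state is not visible here; if it is a view, adding defaultEntry mutates the DestinationMap on each lookup, which is worth confirming against DestinationMap.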
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
------------------------------------------------------------------------------
svn:keywords = Date Author Id Revision HeadURL
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
URL:
http://svn.apache.org/viewcvs/incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java?rev=377995&view=auto
==============================================================================
---
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
(added)
+++
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
Wed Feb 15 04:38:40 2006
@@ -0,0 +1,83 @@
+/**
+ *
+ * Copyright 2005-2006 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.activemq.command.ActiveMQDestination;
+import org.apache.activemq.filter.DestinationMap;
+
+import java.util.Set;
+
+/**
+ * An AuthorizationMap which is configured with individual DestinationMaps for
+ * each operation.
+ *
+ * @org.apache.xbean.XBean
+ *
+ * @version $Revision$
+ */
+public class SimpleAuthorizationMap implements AuthorizationMap {
+
+ private DestinationMap writeACLs;
+ private DestinationMap readACLs;
+ private DestinationMap adminACLs;
+
+ public SimpleAuthorizationMap() {
+ }
+
+ public SimpleAuthorizationMap(DestinationMap writeACLs, DestinationMap
readACLs, DestinationMap adminACLs) {
+ this.writeACLs = writeACLs;
+ this.readACLs = readACLs;
+ this.adminACLs = adminACLs;
+ }
+
+ public Set getAdminACLs(ActiveMQDestination destination) {
+ return adminACLs.get(destination);
+ }
+
+ public Set getReadACLs(ActiveMQDestination destination) {
+ return readACLs.get(destination);
+ }
+
+ public Set getWriteACLs(ActiveMQDestination destination) {
+ return writeACLs.get(destination);
+ }
+
+ public DestinationMap getAdminACLs() {
+ return adminACLs;
+ }
+
+ public void setAdminACLs(DestinationMap adminACLs) {
+ this.adminACLs = adminACLs;
+ }
+
+ public DestinationMap getReadACLs() {
+ return readACLs;
+ }
+
+ public void setReadACLs(DestinationMap readACLs) {
+ this.readACLs = readACLs;
+ }
+
+ public DestinationMap getWriteACLs() {
+ return writeACLs;
+ }
+
+ public void setWriteACLs(DestinationMap writeACLs) {
+ this.writeACLs = writeACLs;
+ }
+
+}
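Review bot: getAdminACLs, getReadACLs and getWriteACLs dereference adminACLs, readACLs and writeACLs without a null check, so an instance built with the no-arg constructor whose setters were not all called fails with NullPointerException on the first authorization lookup instead of a clear configuration error. Either report it explicitly, e.g. `if (adminACLs == null) throw new IllegalStateException("adminACLs has not been configured");` in each lookup, or state in the class Javadoc that all three DestinationMaps are mandatory. A Javadoc line on the three-argument constructor giving the parameter order (write, read, admin) would also help, since the order differs from the getter order below it.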
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
------------------------------------------------------------------------------
svn:keywords = Date Author Id Revision HeadURL
Propchange:
incubator/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/SimpleAuthorizationMap.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Modified:
incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/SimpleSecurityBrokerSystemTest.java
URL:
http://svn.apache.org/viewcvs/incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/SimpleSecurityBrokerSystemTest.java?rev=377995&r1=377994&r2=377995&view=diff
==============================================================================
---
incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/SimpleSecurityBrokerSystemTest.java
(original)
+++
incubator/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/SimpleSecurityBrokerSystemTest.java
Wed Feb 15 04:38:40 2006
@@ -34,7 +34,7 @@
/**
* Tests that the broker allows/fails access to destinations based on the
* security policy installed on the broker.
- *
+ *
* @version $Revision$
*/
public class SimpleSecurityBrokerSystemTest extends SecurityTestSupport {
@@ -46,50 +46,43 @@
public BrokerPlugin authorizationPlugin;
public BrokerPlugin authenticationPlugin;
+ public AuthorizationMap createAuthorizationMap() {
+ DestinationMap readAccess = new DestinationMap();
+ readAccess.put(new ActiveMQQueue(">"), admins);
+ readAccess.put(new ActiveMQQueue("USERS.>"), users);
+ readAccess.put(new ActiveMQQueue("GUEST.>"), guests);
+ readAccess.put(new ActiveMQTopic(">"), admins);
+ readAccess.put(new ActiveMQTopic("USERS.>"), users);
+ readAccess.put(new ActiveMQTopic("GUEST.>"), guests);
+
+ DestinationMap writeAccess = new DestinationMap();
+ writeAccess.put(new ActiveMQQueue(">"), admins);
+ writeAccess.put(new ActiveMQQueue("USERS.>"), users);
+ writeAccess.put(new ActiveMQQueue("GUEST.>"), users);
+ writeAccess.put(new ActiveMQQueue("GUEST.>"), guests);
+ writeAccess.put(new ActiveMQTopic(">"), admins);
+ writeAccess.put(new ActiveMQTopic("USERS.>"), users);
+ writeAccess.put(new ActiveMQTopic("GUEST.>"), users);
+ writeAccess.put(new ActiveMQTopic("GUEST.>"), guests);
+
+ readAccess.put(new ActiveMQTopic("ActiveMQ.Advisory.>"), guests);
+ readAccess.put(new ActiveMQTopic("ActiveMQ.Advisory.>"), users);
+ writeAccess.put(new ActiveMQTopic("ActiveMQ.Advisory.>"), guests);
+ writeAccess.put(new ActiveMQTopic("ActiveMQ.Advisory.>"), users);
+
+ DestinationMap adminAccess = new DestinationMap();
+ adminAccess.put(new ActiveMQTopic(">"), admins);
+ adminAccess.put(new ActiveMQTopic(">"), users);
+ adminAccess.put(new ActiveMQTopic(">"), guests);
+ adminAccess.put(new ActiveMQQueue(">"), admins);
+ adminAccess.put(new ActiveMQQueue(">"), users);
+ adminAccess.put(new ActiveMQQueue(">"), guests);
- class SimpleAuthorizationFactory implements BrokerPlugin {
- public Broker installPlugin(Broker broker) {
-
- DestinationMap readAccess = new DestinationMap();
- readAccess.put(new ActiveMQQueue(">"), admins);
- readAccess.put(new ActiveMQQueue("USERS.>"), users);
- readAccess.put(new ActiveMQQueue("GUEST.>"), guests);
- readAccess.put(new ActiveMQTopic(">"), admins);
- readAccess.put(new ActiveMQTopic("USERS.>"), users);
- readAccess.put(new ActiveMQTopic("GUEST.>"), guests);
-
- DestinationMap writeAccess = new DestinationMap();
- writeAccess.put(new ActiveMQQueue(">"), admins);
- writeAccess.put(new ActiveMQQueue("USERS.>"), users);
- writeAccess.put(new ActiveMQQueue("GUEST.>"), users);
- writeAccess.put(new ActiveMQQueue("GUEST.>"), guests);
- writeAccess.put(new ActiveMQTopic(">"), admins);
- writeAccess.put(new ActiveMQTopic("USERS.>"), users);
- writeAccess.put(new ActiveMQTopic("GUEST.>"), users);
- writeAccess.put(new ActiveMQTopic("GUEST.>"), guests);
-
- readAccess.put(new ActiveMQTopic("ActiveMQ.Advisory.>"), guests);
- readAccess.put(new ActiveMQTopic("ActiveMQ.Advisory.>"), users);
- writeAccess.put(new ActiveMQTopic("ActiveMQ.Advisory.>"), guests);
- writeAccess.put(new ActiveMQTopic("ActiveMQ.Advisory.>"), users);
-
- DestinationMap adminAccess = new DestinationMap();
- adminAccess.put(new ActiveMQTopic(">"), admins);
- adminAccess.put(new ActiveMQTopic(">"), users);
- adminAccess.put(new ActiveMQTopic(">"), guests);
- adminAccess.put(new ActiveMQQueue(">"), admins);
- adminAccess.put(new ActiveMQQueue(">"), users);
- adminAccess.put(new ActiveMQQueue(">"), guests);
-
- return new SimpleAuthorizationBroker(broker, writeAccess,
readAccess, adminAccess);
- }
- public String toString() {
- return "SimpleAuthorizationBroker";
- }
+ return new SimpleAuthorizationMap(writeAccess, readAccess,
adminAccess);
}
class SimpleAuthenticationFactory implements BrokerPlugin {
- public Broker installPlugin(Broker broker) {
+ public Broker installPlugin(Broker broker) {
HashMap u = new HashMap();
u.put("system", "manager");
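Review bot: The adminAccess map in createAuthorizationMap() grants admin rights on every queue and topic (`>`) to guests and users as well as admins, so under this fixture a guest may create or destroy any destination, including ones under USERS.> that it can neither read nor write. If that is deliberate so tests can auto-create destinations, a comment would stop it being copied into real configs, e.g. `// every group gets admin on ">" so destinations auto-create; admin denial is NOT exercised by these tests`; otherwise scope users/guests to their own prefixes as the read/write maps do. The call `new SimpleAuthorizationMap(writeAccess, readAccess, adminAccess)` passes three same-typed DestinationMap arguments positionally, so swapping read and write would compile silently; the constructor's parameter order is not visible in this hunk, so it is worth checking against SimpleAuthorizationMap. The enclosing SimpleAuthenticationFactory.installPlugin continues past the end of the hunk.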
@@ -97,12 +90,13 @@
u.put("guest", "password");
HashMap groups = new HashMap();
- groups.put("system", new HashSet(Arrays.asList(new
Object[]{admins, users})));
- groups.put("user", new HashSet(Arrays.asList(new
Object[]{users})));
- groups.put("guest", new HashSet(Arrays.asList(new
Object[]{guests})));
+ groups.put("system", new HashSet(Arrays.asList(new Object[] {
admins, users })));
+ groups.put("user", new HashSet(Arrays.asList(new Object[] { users
})));
+ groups.put("guest", new HashSet(Arrays.asList(new Object[] {
guests })));
return new SimpleAuthenticationBroker(broker, u, groups);
}
+
public String toString() {
return "SimpleAuthenticationBroker";
}
@@ -110,14 +104,14 @@
static {
String path = System.getProperty("java.security.auth.login.config");
- if( path == null ) {
+ if (path == null) {
URL resource =
SimpleSecurityBrokerSystemTest.class.getClassLoader().getResource("login.config");
- if( resource!=null ) {
+ if (resource != null) {
path = resource.getFile();
System.setProperty("java.security.auth.login.config", path);
}
}
- System.out.println("Path to login config: "+path);
+ System.out.println("Path to login config: " + path);
}
public static Test suite() {
@@ -129,96 +123,71 @@
}
public void initCombos() {
- addCombinationValues("authorizationPlugin", new Object[] {
- new SimpleAuthorizationFactory(),
- });
- addCombinationValues("authenticationPlugin", new Object[] {
- new SimpleAuthenticationFactory(),
- new JassAuthenticationPlugin(),
- });
+ addCombinationValues("authorizationPlugin", new Object[] { new
AuthorizationPlugin(createAuthorizationMap()), });
+ addCombinationValues("authenticationPlugin", new Object[] { new
SimpleAuthenticationFactory(), new JassAuthenticationPlugin(), });
}
protected BrokerService createBroker() throws Exception {
BrokerService broker = new BrokerService();
- broker.setPlugins(new BrokerPlugin[] {authorizationPlugin,
authenticationPlugin});
+ broker.setPlugins(new BrokerPlugin[] { authorizationPlugin,
authenticationPlugin });
broker.setPersistent(false);
return broker;
}
public void initCombosForTestUserReceiveFails() {
- addCombinationValues("userName", new Object[] {"user"});
- addCombinationValues("password", new Object[] {"password"});
- addCombinationValues("destination", new Object[] {
- new ActiveMQQueue("TEST"),
- new ActiveMQTopic("TEST"),
- new ActiveMQQueue("GUEST.BAR"),
- new ActiveMQTopic("GUEST.BAR"),
- });
+ addCombinationValues("userName", new Object[] { "user" });
+ addCombinationValues("password", new Object[] { "password" });
+ addCombinationValues("destination", new Object[] { new
ActiveMQQueue("TEST"), new ActiveMQTopic("TEST"), new
ActiveMQQueue("GUEST.BAR"),
+ new ActiveMQTopic("GUEST.BAR"), });
}
+
public void initCombosForTestInvalidAuthentication() {
- addCombinationValues("userName", new Object[] {"user"});
- addCombinationValues("password", new Object[] {"password"});
+ addCombinationValues("userName", new Object[] { "user" });
+ addCombinationValues("password", new Object[] { "password" });
}
+
public void initCombosForTestUserReceiveSucceeds() {
- addCombinationValues("userName", new Object[] {"user"});
- addCombinationValues("password", new Object[] {"password"});
- addCombinationValues("destination", new Object[] {
- new ActiveMQQueue("USERS.FOO"),
- new ActiveMQTopic("USERS.FOO"),
- });
+ addCombinationValues("userName", new Object[] { "user" });
+ addCombinationValues("password", new Object[] { "password" });
+ addCombinationValues("destination", new Object[] { new
ActiveMQQueue("USERS.FOO"), new ActiveMQTopic("USERS.FOO"), });
}
+
public void initCombosForTestGuestReceiveSucceeds() {
- addCombinationValues("userName", new Object[] {"guest"});
- addCombinationValues("password", new Object[] {"password"});
- addCombinationValues("destination", new Object[] {
- new ActiveMQQueue("GUEST.BAR"),
- new ActiveMQTopic("GUEST.BAR"),
- });
+ addCombinationValues("userName", new Object[] { "guest" });
+ addCombinationValues("password", new Object[] { "password" });
+ addCombinationValues("destination", new Object[] { new
ActiveMQQueue("GUEST.BAR"), new ActiveMQTopic("GUEST.BAR"), });
}
+
public void initCombosForTestGuestReceiveFails() {
- addCombinationValues("userName", new Object[] {"guest"});
- addCombinationValues("password", new Object[] {"password"});
- addCombinationValues("destination", new Object[] {
- new ActiveMQQueue("TEST"),
- new ActiveMQTopic("TEST"),
- new ActiveMQQueue("USERS.FOO"),
- new ActiveMQTopic("USERS.FOO"),
- });
+ addCombinationValues("userName", new Object[] { "guest" });
+ addCombinationValues("password", new Object[] { "password" });
+ addCombinationValues("destination", new Object[] { new
ActiveMQQueue("TEST"), new ActiveMQTopic("TEST"), new
ActiveMQQueue("USERS.FOO"),
+ new ActiveMQTopic("USERS.FOO"), });
}
+
public void initCombosForTestUserSendSucceeds() {
- addCombinationValues("userName", new Object[] {"user"});
- addCombinationValues("password", new Object[] {"password"});
- addCombinationValues("destination", new Object[] {
- new ActiveMQQueue("USERS.FOO"),
- new ActiveMQQueue("GUEST.BAR"),
- new ActiveMQTopic("USERS.FOO"),
- new ActiveMQTopic("GUEST.BAR"),
- });
+ addCombinationValues("userName", new Object[] { "user" });
+ addCombinationValues("password", new Object[] { "password" });
+ addCombinationValues("destination", new Object[] { new
ActiveMQQueue("USERS.FOO"), new ActiveMQQueue("GUEST.BAR"), new
ActiveMQTopic("USERS.FOO"),
+ new ActiveMQTopic("GUEST.BAR"), });
}
+
public void initCombosForTestUserSendFails() {
- addCombinationValues("userName", new Object[] {"user"});
- addCombinationValues("password", new Object[] {"password"});
- addCombinationValues("destination", new Object[] {
- new ActiveMQQueue("TEST"),
- new ActiveMQTopic("TEST"),
- });
+ addCombinationValues("userName", new Object[] { "user" });
+ addCombinationValues("password", new Object[] { "password" });
+ addCombinationValues("destination", new Object[] { new
ActiveMQQueue("TEST"), new ActiveMQTopic("TEST"), });
}
+
public void initCombosForTestGuestSendFails() {
- addCombinationValues("userName", new Object[] {"guest"});
- addCombinationValues("password", new Object[] {"password"});
- addCombinationValues("destination", new Object[] {
- new ActiveMQQueue("TEST"),
- new ActiveMQTopic("TEST"),
- new ActiveMQQueue("USERS.FOO"),
- new ActiveMQTopic("USERS.FOO"),
- });
+ addCombinationValues("userName", new Object[] { "guest" });
+ addCombinationValues("password", new Object[] { "password" });
+ addCombinationValues("destination", new Object[] { new
ActiveMQQueue("TEST"), new ActiveMQTopic("TEST"), new
ActiveMQQueue("USERS.FOO"),
+ new ActiveMQTopic("USERS.FOO"), });
}
+
public void initCombosForTestGuestSendSucceeds() {
- addCombinationValues("userName", new Object[] {"guest"});
- addCombinationValues("password", new Object[] {"password"});
- addCombinationValues("destination", new Object[] {
- new ActiveMQQueue("GUEST.BAR"),
- new ActiveMQTopic("GUEST.BAR"),
- });
+ addCombinationValues("userName", new Object[] { "guest" });
+ addCombinationValues("password", new Object[] { "password" });
+ addCombinationValues("destination", new Object[] { new
ActiveMQQueue("GUEST.BAR"), new ActiveMQTopic("GUEST.BAR"), });
}
}
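Review bot: initCombosForTestInvalidAuthentication sets `userName = "user"` and `password = "password"`, the same credentials the *Succeeds combos use, so unless testInvalidAuthentication in SecurityTestSupport (not visible here) substitutes a wrong password itself, the negative case authenticates a valid user; if the test does read these fields, change the combo to something that cannot match, e.g. `addCombinationValues("password", new Object[] { "wrong-password" });`. Separately, none of the combos exercise the admin ACL that the refactor now carries through AuthorizationMap, so a read/write-for-admin mix-up in the new plumbing would not be caught; a combo asserting that a guest cannot create a USERS.* destination would cover it, but that first needs the fixture's admin grants narrowed.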
Modified:
incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml
URL:
http://svn.apache.org/viewcvs/incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml?rev=377995&r1=377994&r2=377995&view=diff
==============================================================================
---
incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml
(original)
+++
incubator/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml
Wed Feb 15 04:38:40 2006
@@ -24,6 +24,14 @@
<plugins>
<!-- use JAAS to authenticate using the login.config file on the
classpath to configure JAAS -->
<jassAuthenticationPlugin configuration="activemq-domain"/>
+
+ <!-- lets configure a simple authorization mechanism -->
+ <authorizationPlugin>
+ <authorizationEntries>
+ <authorizationEntry topic=">" read="" write="" admin=""/>
+ <authorizationEntry queue=">" read="" write="" admin=""/>
+ </authorizationEntries>
+ </authorizationPlugin>
</plugins>
</broker>
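Review bot: Both authorizationEntry elements set `read`, `write` and `admin` to an empty string on `>`; how AuthorizationEntry parses an empty list (no groups, i.e. deny everyone, versus one group literally named "") is not visible here, and either reading means the JAAS-authenticated users in this broker are refused every send, receive and advisory subscription. If a deny-all baseline is the intent, say so in place of the generic comment, e.g. `<!-- deny-all baseline: no group is listed, so every read/write/admin on any destination is refused -->`; if it is meant as a template, fill in the group names from login.config. A test that asserts the resulting behaviour for an authenticated user would also pin down the empty-attribute semantics before others copy this file.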