Author: chirino
Date: Sat Jan 1 17:25:45 2011
New Revision: 1054262
URL: http://svn.apache.org/viewvc?rev=1054262&view=rev
Log:
Extracted the group-principals logic into its own JAAS module. This simplifies
supporting the new certificate module. Handle wildcards in the kind attribute
of the acl rule.
Added:
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala
- copied, changed from r1054040,
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileLoginModule.scala
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileUserLoginModule.scala
- copied, changed from r1054040,
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileLoginModule.scala
Removed:
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileLoginModule.scala
Modified:
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/groups.properties
activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/login.config
activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml
activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/login.config
activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/users.properties
activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md
Added:
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala?rev=1054262&view=auto
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala
(added)
+++
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala
Sat Jan 1 17:25:45 2011
@@ -0,0 +1,91 @@
+package org.apache.activemq.apollo.broker.security
+
+import java.io.IOException
+import java.security.Principal
+import javax.security.auth.Subject
+import javax.security.auth.callback.CallbackHandler
+import javax.security.auth.callback.UnsupportedCallbackException
+import javax.security.auth.login.FailedLoginException
+import javax.security.auth.login.LoginException
+import java.security.cert.X509Certificate
+import java.util.HashSet
+
+
+import java.{util => ju}
+import org.apache.activemq.apollo.util.Log
+import org.apache.activemq.jaas.CertificateCallback
+
+/**
+ * <p>
+ * </p>
+ *
+ * @author <a href="http://hiramchirino.com">Hiram Chirino</a>
+ */
+object CertificateLoginModule extends Log
+
+/**
+ * <p>
+ * </p>
+ *
+ * @author <a href="http://hiramchirino.com">Hiram Chirino</a>
+ */
+class CertificateLoginModule {
+
+ import CertificateLoginModule._
+
+ var callback_handler: CallbackHandler = _
+ var subject: Subject = _
+
+ var certificates: Array[X509Certificate] = _
+ var principals = new HashSet[Principal]()
+
+ /**
+ * Overriding to allow for proper initialization. Standard JAAS.
+ */
+ def initialize(subject: Subject, callback_handler: CallbackHandler,
shared_state: ju.Map[String, _], options: ju.Map[String, _]): Unit = {
+ this.subject = subject
+ this.callback_handler = callback_handler
+ }
+
+ def login: Boolean = {
+ val cert_callback = new CertificateCallback()
+ try {
+ callback_handler.handle(Array(cert_callback))
+ } catch {
+ case ioe: IOException =>
+ throw new LoginException(ioe.getMessage())
+ case uce: UnsupportedCallbackException =>
+ throw new LoginException(uce.getMessage() + " Unable to obtain client
certificates.")
+ }
+
+ certificates = cert_callback.getCertificates()
+ if (certificates == null || certificates.isEmpty) {
+ throw new FailedLoginException("No associated certificates")
+ }
+ return true
+ }
+
+ def commit: Boolean = {
+ for (cert <- certificates) {
+ principals.add(cert.getSubjectX500Principal)
+ }
+ subject.getPrincipals().addAll(principals)
+ certificates = null;
+ debug("commit")
+ return true
+ }
+
+ def abort: Boolean = {
+ certificates = null;
+ debug("abort")
+ return true
+ }
+
+ def logout: Boolean = {
+ subject.getPrincipals().removeAll(principals)
+ principals.clear
+ debug("logout")
+ return true
+ }
+
+}
\ No newline at end of file
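Review bot: `commit` dereferences `certificates` unconditionally (`for (cert <- certificates)`), but under the JAAS contract commit is also invoked on a module whose own `login` threw, and on that path `certificates` is still null; guard it with `if (certificates == null) return false` at the top of `commit`, and likewise `FileUserLoginModule.commit` (its commit hunk below) calls `new UserPrincipal(user)` even when `user` was never set because the password login failed, which, if `UserPrincipal` rejects a null name, turns a cert-only login under the new cli login.config into a failure. The class also does not `extends LoginModule`, unlike `FileGroupLoginModule` and `FileUserLoginModule`; older LoginContext implementations locate the methods reflectively so it may still run, but the interface should be declared so the compiler checks the signatures. Note too that every certificate the callback returns contributes its subject DN as a principal; if that array is the full chain rather than the leaf only, issuer DNs become identities that group rules can match, so a comment should state which it is. The empty `<p></p>` Scaladoc blocks should say what the module does, e.g. `Adds the subject X500Principal of each client certificate presented by the connection to the Subject.`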
Copied:
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala
(from r1054040,
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileLoginModule.scala)
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala?p2=activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala&p1=activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileLoginModule.scala&r1=1054040&r2=1054262&rev=1054262&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileLoginModule.scala
(original)
+++
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala
Sat Jan 1 17:25:45 2011
@@ -1,3 +1,5 @@
+package org.apache.activemq.apollo.broker.security
+
/**
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
@@ -14,20 +16,13 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package org.apache.activemq.apollo.broker.security
-
import java.io.File
import java.io.FileInputStream
import java.io.IOException
import java.security.Principal
import java.util.Properties
import javax.security.auth.Subject
-import javax.security.auth.callback.Callback
import javax.security.auth.callback.CallbackHandler
-import javax.security.auth.callback.NameCallback
-import javax.security.auth.callback.PasswordCallback
-import javax.security.auth.callback.UnsupportedCallbackException
-import javax.security.auth.login.FailedLoginException
import javax.security.auth.login.LoginException
import javax.security.auth.spi.LoginModule
@@ -36,106 +31,79 @@ import org.apache.activemq.jaas.UserPrin
import java.{util => ju}
import org.apache.activemq.apollo.util.{FileSupport, Log}
import FileSupport._
+import java.util.regex.Pattern
-object FileLoginModule extends Log {
+object FileGroupLoginModule extends Log {
val LOGIN_CONFIG = "java.security.auth.login.config"
- val USERS_FILE = "users_file"
- val GROUPS_FILE = "groups_file"
+ val FILE_OPTION = "file"
+ val MATCH_OPTION = "match"
+ val SEPARATOR_OPTION = "separator"
}
/**
* <p>
+ * This login module adds additional GroupPrincipals to the
+ * subject based on existing principle already associated with the principal
+ * and a groups file.
* </p>
*
* @author <a href="http://hiramchirino.com">Hiram Chirino</a>
*/
-class FileLoginModule extends LoginModule {
+class FileGroupLoginModule extends LoginModule {
- import FileLoginModule._
+ import FileGroupLoginModule._
+ private var separator: String = _
+ private var match_kind: String = _
private var subject: Subject = _
- private var callback_handler: CallbackHandler = _
-
- private var user_file: File = _
- private var group_file: File = _
+ private var file: File = _
- private val users = new Properties()
private val groups = new Properties()
-
- private var user: String = _
private val principals = new ju.HashSet[Principal]()
def initialize(subject: Subject, callback_handler: CallbackHandler,
shared_state: ju.Map[String, _], options: ju.Map[String, _]): Unit = {
-
this.subject = subject
- this.callback_handler = callback_handler
-
val base_dir = if (System.getProperty(LOGIN_CONFIG) != null) {
new File(System.getProperty(LOGIN_CONFIG)).getParentFile()
} else {
new File(".")
}
- user_file = new File(base_dir,
options.get(USERS_FILE).asInstanceOf[String])
- group_file = new File(base_dir,
options.get(GROUPS_FILE).asInstanceOf[String])
+ match_kind = Option(options.get(MATCH_OPTION)).
+ map(_.asInstanceOf[String]).
+ getOrElse(classOf[UserPrincipal].getName)
+
+ separator = Option(options.get(SEPARATOR_OPTION)).
+ map(_.asInstanceOf[String]).
+ getOrElse("|")
- debug("Initialized user_file=%s group_file=%s", user_file, group_file)
+ file = new File(base_dir, options.get(FILE_OPTION).asInstanceOf[String])
+ debug("Initialized file=%s, match=%s", file, match_kind)
}
def login: Boolean = {
try {
- users.clear()
- using( new FileInputStream(user_file) ) { in=>
- users.load(in)
- }
- EncryptionSupport.decrypt(users)
- } catch {
- case ioe: IOException => throw new LoginException("Unable to load user
properties file " + user_file)
- }
-
- try {
groups.clear
- using( new FileInputStream(group_file) ) { in=>
+ using( new FileInputStream(file) ) { in=>
groups.load(in)
}
} catch {
- case ioe: IOException => throw new LoginException("Unable to load group
properties file " + group_file)
- }
-
- val callbacks = new Array[Callback](2)
- callbacks(0) = new NameCallback("Username: ")
- callbacks(1) = new PasswordCallback("Password: ", false)
- try {
- callback_handler.handle(callbacks)
- } catch {
- case ioe: IOException =>
- throw new LoginException(ioe.getMessage())
- case uce: UnsupportedCallbackException =>
- throw new LoginException(uce.getMessage() + " not available to obtain
information from user")
- }
-
- user = callbacks(0).asInstanceOf[NameCallback].getName()
- var tmpPassword = callbacks(1).asInstanceOf[PasswordCallback].getPassword()
- if (tmpPassword == null) {
- tmpPassword = new Array[Char](0)
- }
- val password = users.getProperty(user)
-
- if (password == null || !password.equals(new String(tmpPassword))) {
- throw new FailedLoginException("Invalid user id or password")
+ case ioe: IOException => throw new LoginException("Unable to load group
properties file " + file)
}
- debug("login %s", user)
- true
+ false
}
def commit: Boolean = {
- principals.add(new UserPrincipal(user))
+
+ import collection.JavaConversions._
+ val principles = subject.getPrincipals.filter(_.getClass.getName ==
match_kind).map(_.getName)
+
val en = groups.keys()
while (en.hasMoreElements()) {
val group_name = en.nextElement().asInstanceOf[String]
- val users = groups.getProperty(group_name).split(",").map(_.trim)
+ val users =
groups.getProperty(group_name).split(Pattern.quote(separator)).map(_.trim)
users.foreach { x =>
- if (user == x) {
+ if ( principles.contains(x) ) {
principals.add(new GroupPrincipal(group_name))
}
}
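Review bot: Membership is decided by string equality between `getName` of each principal of `match_kind` and the entries in the groups file, so for `X500Principal` a group entry only matches if it is written exactly in the RFC 2253 form that `getName` produces (no spaces after commas, attribute order as in the certificate); this should be documented in the Scaladoc, e.g. `Group members are matched against Principal.getName; for X500Principal that is the RFC 2253 string form.` `options.get(FILE_OPTION).asInstanceOf[String]` is null when the `file` option is omitted, so `new File(base_dir, null)` throws a bare NullPointerException in `initialize` instead of a LoginException naming the option; the same applies to `FileUserLoginModule.initialize`. `login` returning `false` after successfully loading the file is deliberate JAAS "ignore me" semantics but reads like a failure; a comment such as `// false: this module never authenticates on its own, it only adds GroupPrincipals in commit` would help. The Scaladoc also says "existing principle already associated with the principal", which should read "existing principals already associated with the subject".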
@@ -143,13 +111,11 @@ class FileLoginModule extends LoginModul
subject.getPrincipals().addAll(principals)
- user = null
debug("commit")
return true
}
def abort: Boolean = {
- user = null
debug("abort")
return true
}
@@ -157,10 +123,9 @@ class FileLoginModule extends LoginModul
def logout: Boolean = {
subject.getPrincipals().removeAll(principals)
principals.clear
- user = null
debug("logout")
return true
}
-}
+}
\ No newline at end of file
Copied:
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileUserLoginModule.scala
(from r1054040,
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileLoginModule.scala)
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileUserLoginModule.scala?p2=activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileUserLoginModule.scala&p1=activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileLoginModule.scala&r1=1054040&r2=1054262&rev=1054262&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileLoginModule.scala
(original)
+++
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileUserLoginModule.scala
Sat Jan 1 17:25:45 2011
@@ -31,37 +31,33 @@ import javax.security.auth.login.FailedL
import javax.security.auth.login.LoginException
import javax.security.auth.spi.LoginModule
-import org.apache.activemq.jaas.GroupPrincipal
import org.apache.activemq.jaas.UserPrincipal
import java.{util => ju}
import org.apache.activemq.apollo.util.{FileSupport, Log}
import FileSupport._
-object FileLoginModule extends Log {
+object FileUserLoginModule extends Log {
val LOGIN_CONFIG = "java.security.auth.login.config"
- val USERS_FILE = "users_file"
- val GROUPS_FILE = "groups_file"
+ val FILE_OPTION = "file"
}
/**
* <p>
+ * Uses a userid=password property file to control who can
+ * login.
* </p>
*
* @author <a href="http://hiramchirino.com">Hiram Chirino</a>
*/
-class FileLoginModule extends LoginModule {
+class FileUserLoginModule extends LoginModule {
- import FileLoginModule._
+ import FileUserLoginModule._
private var subject: Subject = _
private var callback_handler: CallbackHandler = _
- private var user_file: File = _
- private var group_file: File = _
-
+ private var file: File = _
private val users = new Properties()
- private val groups = new Properties()
-
private var user: String = _
private val principals = new ju.HashSet[Principal]()
@@ -76,30 +72,20 @@ class FileLoginModule extends LoginModul
new File(".")
}
- user_file = new File(base_dir,
options.get(USERS_FILE).asInstanceOf[String])
- group_file = new File(base_dir,
options.get(GROUPS_FILE).asInstanceOf[String])
+ file = new File(base_dir, options.get(FILE_OPTION).asInstanceOf[String])
- debug("Initialized user_file=%s group_file=%s", user_file, group_file)
+ debug("Initialized file=%s", file)
}
def login: Boolean = {
try {
users.clear()
- using( new FileInputStream(user_file) ) { in=>
+ using( new FileInputStream(file) ) { in=>
users.load(in)
}
EncryptionSupport.decrypt(users)
} catch {
- case ioe: IOException => throw new LoginException("Unable to load user
properties file " + user_file)
- }
-
- try {
- groups.clear
- using( new FileInputStream(group_file) ) { in=>
- groups.load(in)
- }
- } catch {
- case ioe: IOException => throw new LoginException("Unable to load group
properties file " + group_file)
+ case ioe: IOException => throw new LoginException("Unable to load user
properties file " + file)
}
val callbacks = new Array[Callback](2)
@@ -130,17 +116,6 @@ class FileLoginModule extends LoginModul
def commit: Boolean = {
principals.add(new UserPrincipal(user))
- val en = groups.keys()
- while (en.hasMoreElements()) {
- val group_name = en.nextElement().asInstanceOf[String]
- val users = groups.getProperty(group_name).split(",").map(_.trim)
- users.foreach { x =>
- if (user == x) {
- principals.add(new GroupPrincipal(group_name))
- }
- }
- }
-
subject.getPrincipals().addAll(principals)
user = null
Modified:
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala?rev=1054262&r1=1054261&r2=1054262&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
(original)
+++
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
Sat Jan 1 17:25:45 2011
@@ -58,16 +58,30 @@ class SecurityContext {
def is_allowed(acl:List[PrincipalDTO], default_kinds:List[String]):Boolean =
{
- def matches(p:PrincipalDTO):Boolean = {
- if( p.kind==null ) {
- default_kinds.foreach { kind=>
- if( principles.contains(new PrincipalDTO(p.allow, kind)) ) {
- return true;
+ def kind_matches(kind:String):Boolean = {
+ kind match {
+ case null=>
+ return !principles.map(_.kind).intersect(default_kinds.toSet).isEmpty
+ case "*"=>
+ return true;
+ case kind=>
+ return principles.map(_.kind).contains(kind)
+ }
+ }
+
+ def principal_matches(p:PrincipalDTO):Boolean = {
+ p.kind match {
+ case null=>
+ default_kinds.foreach { kind=>
+ if( principles.contains(new PrincipalDTO(p.allow, kind)) ) {
+ return true;
+ }
}
- }
- return false;
- } else {
- return principles.contains(p)
+ return false;
+ case "*"=>
+ return principles.map(_.allow).contains(p.allow)
+ case kind=>
+ return principles.contains(p)
}
}
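Review bot: `kind_matches(null)` changes what a kind-less `*` rule means: it now matches only a subject holding at least one principal whose kind is in `default_kinds`, so a subject whose only principals are of another kind (e.g. the `X500Principal` the new certificate module adds, if that kind is not a default) no longer matches `allow="*"`; that is presumably intended, given the manual now tells users to write `kind="*"`, but it deserves a comment here and a sentence in the manual. The `return true` inside the `default_kinds.foreach` lambda is a non-local return; `default_kinds.exists(kind => principles.contains(new PrincipalDTO(p.allow, kind)))` says the same thing directly. The `case kind =>` binding at the end of `principal_matches` is unused and shadows the outer name; `case _ =>` is clearer.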
@@ -75,18 +89,18 @@ class SecurityContext {
p.deny match {
case null =>
case "*"=>
- return false;
+ return !kind_matches(p.kind)
case id =>
- if( matches(new PrincipalDTO(id, p.kind)) ) {
+ if( principal_matches(new PrincipalDTO(id, p.kind)) ) {
return false;
}
}
p.allow match {
case null =>
case "*"=>
- return true;
+ return kind_matches(p.kind)
case id =>
- if( matches(new PrincipalDTO(id, p.kind)) ) {
+ if( principal_matches(new PrincipalDTO(id, p.kind)) ) {
return true
}
}
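Review bot: A `*` rule whose kind does not match the subject now decides the outcome instead of being skipped: `case "*" => return !kind_matches(p.kind)` in the deny branch grants access to any subject lacking a principal of that kind, bypassing every later rule, and `return kind_matches(p.kind)` in the allow branch denies such a subject before later allow rules are consulted. With the previous code `*` always matched, so an unconditional return was correct; with a kind restriction both branches should fall through when the kind does not match: `case "*" => if (kind_matches(p.kind)) return false` in the deny match and `case "*" => if (kind_matches(p.kind)) return true` in the allow match. The enclosing rule loop and `is_allowed` continue outside the hunk.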
Modified:
activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/groups.properties
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/groups.properties?rev=1054262&r1=1054261&r2=1054262&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/groups.properties
(original)
+++
activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/groups.properties
Sat Jan 1 17:25:45 2011
@@ -19,6 +19,6 @@
# Allows you to place multiple users in a group.
# Example:
#
-# power_users=admin,chirino
+# power_users=admin|chirino
#
admins=admin
\ No newline at end of file
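Review bot: The example switches the member separator from `,` to `|` without saying that the separator changed or that it is configurable; an existing groups file still using commas will load without error and silently map nobody, because the new `FileGroupLoginModule` splits on `|` by default. Add a line to the header comment, e.g. `# Group members are separated by "|" (the login module's separator option changes this).`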
Modified:
activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/login.config
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/login.config?rev=1054262&r1=1054261&r2=1054262&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/login.config
(original)
+++
activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/login.config
Sat Jan 1 17:25:45 2011
@@ -17,17 +17,33 @@
apollo {
//
- // Sets up simple file based security
+ // Allow ssl certificate based authentication. Only certificates that
+ // are trusted by the keystore will get added.
//
- org.apache.activemq.apollo.broker.security.FileLoginModule required
- users_file="users.properties"
- groups_file="groups.properties"
- ;
+ // adds: javax.security.auth.x500.X500Principal
+ //
+ org.apache.activemq.apollo.broker.security.CertificateLoginModule optional;
+ //
+ // Allow user/password authentication checked against the user.properties
file.
+ //
+ // adds: org.apache.activemq.jaas.UserPrincipal
+ //
+ org.apache.activemq.apollo.broker.security.FileUserLoginModule optional
+ file="users.properties";
//
- // You could use any JAAS based login module too.
+ // Maps the cert and password logins to groups using the groups.properties
file.
//
- // com.sun.security.auth.module.UnixLoginModule optional;
+ // adds: org.apache.activemq.jaas.GroupPrincipal
+ //
+ org.apache.activemq.apollo.broker.security.FileGroupLoginModule optional
+ match="org.apache.activemq.jaas.UserPrincipal"
+ file="groups.properties";
+
+ org.apache.activemq.apollo.broker.security.FileGroupLoginModule optional
+ match="javax.security.auth.x500.X500Principal"
+ file="groups.properties";
+
};
\ No newline at end of file
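Review bot: The comment `Only certificates that are trusted by the keystore will get added` describes a check that `CertificateLoginModule` as added in this revision does not perform: it adds the subject DN of every certificate the callback returns without consulting any keystore. If untrusted client certificates are rejected earlier by the SSL connector, say so, e.g. `// Trust is enforced by the connector's SSL trust store; this module only maps the presented certificate's subject DN to an X500Principal.`; otherwise the comment overstates the guarantee. It is also worth noting next to the `FileGroupLoginModule` entries that group membership is matched on the principal's `getName`, which for `X500Principal` is the RFC 2253 DN string.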
Modified:
activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml?rev=1054262&r1=1054261&r2=1054262&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml
(original)
+++
activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-ssl-secure.xml
Sat Jan 1 17:25:45 2011
@@ -22,6 +22,11 @@
<virtual_host id="default" purge_on_startup="true">
<host_name>localhost</host_name>
+
+ <acl>
+ <connect allow="connect_group"/>
+ </acl>
+
</virtual_host>
<key_storage file="${basedir}/src/test/resources/apollo.ks"
password="password" key_password="password"/>
Modified:
activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/login.config
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/login.config?rev=1054262&r1=1054261&r2=1054262&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/login.config
(original)
+++ activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/login.config
Sat Jan 1 17:25:45 2011
@@ -16,28 +16,24 @@
// ---------------------------------------------------------------------------
StompSecurityTest {
+ org.apache.activemq.apollo.broker.security.FileUserLoginModule optional
+ file="users.properties";
+
//
// For testing purposes, we do a funny thing where we set the user
// file to also be used as the groups file. This only works for the
// test since user==password==group for our tests.
//
- org.apache.activemq.apollo.broker.security.FileLoginModule required
- users_file="users.properties"
- groups_file="users.properties"
- ;
+ org.apache.activemq.apollo.broker.security.FileGroupLoginModule optional
+ file="users.properties";
};
StompSslSecurityTest {
+ org.apache.activemq.apollo.broker.security.CertificateLoginModule optional;
- //
- // For testing purposes, we do a funny thing where we set the user
- // file to also be used as the groups file. This only works for the
- // test since user==password==group for our tests.
- //
- org.apache.activemq.jaas.TextFileCertificateLoginModule required
- org.apache.activemq.jaas.textfiledn.user="users.properties"
- org.apache.activemq.jaas.textfiledn.group="users.properties"
- ;
+ org.apache.activemq.apollo.broker.security.FileGroupLoginModule optional
+ match="javax.security.auth.x500.X500Principal"
+ file="users.properties";
};
\ No newline at end of file
Modified:
activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/users.properties
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/users.properties?rev=1054262&r1=1054261&r2=1054262&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/users.properties
(original)
+++
activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/users.properties
Sat Jan 1 17:25:45 2011
@@ -2,22 +2,20 @@
## Licensed to the Apache Software Foundation (ASF) under one or more
## contributor license agreements. See the NOTICE file distributed with
## this work for additional information regarding copyright ownership.
-## The ASF licenses this file to You under the Apache License, Version 2.0
+## The ASF licenses this file to You under the Apache License| Version 2.0
## (the "License"); you may not use this file except in compliance with
## the License. You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
-## Unless required by applicable law or agreed to in writing, software
-## distributed under the License is distributed on an "AS IS" BASIS,
-## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## Unless required by applicable law or agreed to in writing| software
+## distributed under the License is distributed on an "AS IS" BASIS|
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND| either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
## ---------------------------------------------------------------------------
-connect_group=can_only_connect,can_send_create_queue,can_send_queue,can_receive_queue,can_consume_queue,can_send_create_topic,can_send_topic,can_recieve_topic,can_consume_create_ds,can_consume_ds
-
-ssl_user=CN=ssl_user
+connect_group=CN=ssl_user|can_only_connect|can_send_create_queue|can_send_queue|can_receive_queue|can_consume_queue|can_send_create_topic|can_send_topic|can_recieve_topic|can_consume_create_ds|can_consume_ds
can_not_connect=can_not_connect
can_only_connect=can_only_connect
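Review bot: The comma-to-pipe replacement also rewrote the ASF license header (`Apache License| Version 2.0`, `in writing| software`, `BASIS|`, `KIND| either`), which should be restored to the original wording; only the `connect_group` value needed the new separator. Folding `ssl_user=CN=ssl_user` into `connect_group` means the certificate subject `CN=ssl_user` is now matched as a group member by its RFC 2253 name, so it must stay in exactly that form.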
Modified:
activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala?rev=1054262&r1=1054261&r2=1054262&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
(original)
+++
activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
Sat Jan 1 17:25:45 2011
@@ -1044,11 +1044,6 @@ class StompSslSecurityTest extends Stomp
override val broker_config_uri: String =
"xml:classpath:apollo-stomp-ssl-secure.xml"
- client.key_storeage = new KeyStorage
- client.key_storeage.config.file =
basedir/"src"/"test"/"resources"/"client.ks"
- client.key_storeage.config.password = "password"
- client.key_storeage.config.key_password = "password"
-
override protected def beforeAll = {
// System.setProperty("javax.net.debug", "all")
try {
@@ -1060,7 +1055,15 @@ class StompSslSecurityTest extends Stomp
super.beforeAll
}
- test("Connect with no id password") {
+ def use_client_cert = {
+ client.key_storeage = new KeyStorage
+ client.key_storeage.config.file =
basedir/"src"/"test"/"resources"/"client.ks"
+ client.key_storeage.config.password = "password"
+ client.key_storeage.config.key_password = "password"
+ }
+
+ test("Connect with cert and no id password") {
+ use_client_cert
connect("1.1", client)
}
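Review bot: `use_client_cert` mutates `client` and has an inferred result type, so it should be declared as a side-effecting method with parentheses and an explicit `Unit`: `def use_client_cert(): Unit = {` and called as `use_client_cert()`. The enclosing `StompSslSecurityTest` class continues outside the hunk.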
Modified:
activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md?rev=1054262&r1=1054261&r2=1054262&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md
(original)
+++
activemq/activemq-apollo/trunk/apollo-website/src/documentation/user-manual.md
Sat Jan 1 17:25:45 2011
@@ -494,7 +494,7 @@ If a configuration resource does not hav
it, then the resource allows anyone to access all it's actions. The `acl`
is made up of a list of authorization rule entries. Each entry defines
that action the rule applies to and if the rule is allowing or denying
-access to a user principal. The special `*` value matches all users.
+access to a user principal.
Users can have many principals of many different kinds associated with
them. The rules will only match up against principals of type
@@ -509,10 +509,13 @@ definition. Example:
{pygmentize:: xml}
<acl>
<send deny="chirino" kind="org.apache.activemq.jaas.UserPrincipal"/>
- <send allow="*"/>
+ <send allow="*" kind="*"/>
</acl>
{pygmentize}
+The special `*` value acts like a wild card and can be used in the `deny`,
+`allow`, and `kind` attributes.
+
The order in which rule entries are defined are significant when the user
matches multiple entries. The first entry the user matches determines if he
will have access to the action. For example, lets say a user is groups