Author: gtully
Date: Thu Mar 1 16:36:12 2012
New Revision: 1295661
URL: http://svn.apache.org/viewvc?rev=1295661&view=rev
Log:
https://issues.apache.org/jira/browse/AMQ-3749 - Composite destinations break
simple authorisation through role aggregation. additional tests and fix - ldap
did need some work
Modified:
activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DestinationMap.java
activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java
activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/CachedLDAPSecurityTest.java
activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/activemq-ldap.xml
Modified:
activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DestinationMap.java
URL:
http://svn.apache.org/viewvc/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DestinationMap.java?rev=1295661&r1=1295660&r2=1295661&view=diff
==============================================================================
---
activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DestinationMap.java
(original)
+++
activemq/trunk/activemq-core/src/main/java/org/apache/activemq/filter/DestinationMap.java
Thu Mar 1 16:36:12 2012
@@ -17,6 +17,7 @@
package org.apache.activemq.filter;
import java.util.HashSet;
+import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.SortedSet;
@@ -230,4 +231,23 @@ public class DestinationMap {
topicRootNode = new DestinationMapNode(null);
tempTopicRootNode = new DestinationMapNode(null);
}
+
+ public static Set union(Set existing, Set candidates) {
+ if ( candidates != null ) {
+ if (existing != null) {
+ for (Iterator<Object> iterator = existing.iterator();
iterator.hasNext();) {
+ Object toMatch = iterator.next();
+ if (!candidates.contains(toMatch)) {
+ iterator.remove();
+ }
+ }
+ } else {
+ existing = candidates;
+ }
+ } else if ( existing != null ) {
+ existing.clear();
+ }
+ return existing;
+ }
+
}
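Review bot: `union` computes an intersection, and in the `existing == null` branch it returns `candidates` itself, so a later call's `iterator.remove()` edits a set the caller may not own. On an authorization path that matters: if the set passed in comes from a shared or cached lookup (not visible in this hunk), checking a composite destination could silently drop roles from a single destination's ACL. Copying on first use, `existing = new HashSet(candidates);`, keeps the narrowing local, and the loop can then be `existing.retainAll(candidates);`. A Javadoc comment should say that the result holds only the roles present in both arguments, that `existing` is modified in place, and that a null `candidates` empties `existing`, so callers do not read the name literally.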
Modified:
activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
URL:
http://svn.apache.org/viewvc/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java?rev=1295661&r1=1295660&r2=1295661&view=diff
==============================================================================
---
activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
(original)
+++
activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/DefaultAuthorizationMap.java
Thu Mar 1 16:36:12 2012
@@ -153,23 +153,6 @@ public class DefaultAuthorizationMap ext
return findWildcardMatches(key);
}
- private Set union(Set existing, Set candidates) {
- if ( candidates != null ) {
- if (existing != null) {
- for (Iterator<Object> iterator = existing.iterator();
iterator.hasNext();) {
- Object toMatch = iterator.next();
- if (!candidates.contains(toMatch)) {
- iterator.remove();
- }
- }
- } else {
- existing = candidates;
- }
- } else if ( existing != null ) {
- existing.clear();
- }
- return existing;
- }
/**
* Sets the individual entries on the authorization map
Modified:
activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java
URL:
http://svn.apache.org/viewvc/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java?rev=1295661&r1=1295660&r2=1295661&view=diff
==============================================================================
---
activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java
(original)
+++
activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java
Thu Mar 1 16:36:12 2012
@@ -35,6 +35,7 @@ import javax.naming.directory.SearchResu
import org.apache.activemq.advisory.AdvisorySupport;
import org.apache.activemq.command.ActiveMQDestination;
+import org.apache.activemq.filter.DestinationMap;
import org.apache.activemq.jaas.GroupPrincipal;
import org.apache.activemq.jaas.LDAPLoginModule;
import org.slf4j.Logger;
@@ -362,9 +363,12 @@ public class LDAPAuthorizationMap implem
protected Set<GroupPrincipal> getCompositeACLs(ActiveMQDestination
destination, String roleBase, String roleAttribute) {
ActiveMQDestination[] dests = destination.getCompositeDestinations();
- Set<GroupPrincipal> acls = new HashSet<GroupPrincipal>();
+ Set<GroupPrincipal> acls = null;
for (ActiveMQDestination dest : dests) {
- acls.addAll(getACLs(dest, roleBase, roleAttribute));
+ acls = DestinationMap.union(acls, getACLs(dest, roleBase,
roleAttribute));
+ if (acls == null || acls.isEmpty()) {
+ break;
+ }
}
return acls;
}
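Review bot: `getCompositeACLs` can now return null where it previously always returned a set, because `acls` starts as null and stays null when `dests` is empty or when `getACLs` yields null for the first destination. Whether that is safe depends on how the callers, which are outside this hunk, read a null ACL set; if null is taken to mean "no restriction", the composite check fails open. Returning an empty set keeps the result deny-by-default, e.g. `return acls != null ? acls : new HashSet<GroupPrincipal>();`. On the first iteration `acls` is also the very object returned by `getACLs`, so later iterations narrow that object in place.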
Modified:
activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/CachedLDAPSecurityTest.java
URL:
http://svn.apache.org/viewvc/activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/CachedLDAPSecurityTest.java?rev=1295661&r1=1295660&r2=1295661&view=diff
==============================================================================
---
activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/CachedLDAPSecurityTest.java
(original)
+++
activemq/trunk/activemq-core/src/test/java/org/apache/activemq/security/CachedLDAPSecurityTest.java
Thu Mar 1 16:36:12 2012
@@ -33,6 +33,7 @@ import org.junit.runner.RunWith;
import javax.jms.*;
import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.fail;
@RunWith( FrameworkRunner.class )
@@ -77,6 +78,38 @@ public class CachedLDAPSecurityTest exte
}
@Test
+ public void testSendDenied() throws Exception {
+ ActiveMQConnectionFactory factory = new
ActiveMQConnectionFactory("tcp://localhost:61616");
+ Connection conn = factory.createQueueConnection("jdoe", "sunflower");
+ Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+ conn.start();
+ Queue queue = sess.createQueue("ADMIN.FOO");
+
+ MessageProducer producer = sess.createProducer(queue);
+ try {
+ producer.send(sess.createTextMessage("test"));
+ fail("expect auth exception");
+ } catch (JMSException expected) {
+ }
+ }
+
+ @Test
+ public void testCompositeSendDenied() throws Exception {
+ ActiveMQConnectionFactory factory = new
ActiveMQConnectionFactory("tcp://localhost:61616");
+ Connection conn = factory.createQueueConnection("jdoe", "sunflower");
+ Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+ conn.start();
+ Queue queue = sess.createQueue("TEST.FOO,ADMIN.FOO");
+
+ MessageProducer producer = sess.createProducer(queue);
+ try {
+ producer.send(sess.createTextMessage("test"));
+ fail("expect auth exception");
+ } catch (JMSException expected) {
+ }
+ }
+
+ @Test
public void testTempDestinations() throws Exception {
ActiveMQConnectionFactory factory = new
ActiveMQConnectionFactory("tcp://localhost:61616");
Connection conn = factory.createQueueConnection("jdoe", "sunflower");
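Review bot: The empty `catch (JMSException expected)` blocks in `testSendDenied` and `testCompositeSendDenied` accept any `JMSException` from `send` as proof of denial, so a failure unrelated to authorization would still pass. They should check that the failure is the security one, for instance by asserting on the exception's cause if the broker reports a `SecurityException` there (to be confirmed against the broker code). `testCompositeSendDenied` covers only `TEST.FOO,ADMIN.FOO`; adding the reversed order `ADMIN.FOO,TEST.FOO` would exercise the early `break` and the first-element handling of the role intersection. The connections are never closed, so `finally { conn.close(); }` would stop a session from outliving its test. `testTempDestinations` continues outside this hunk.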
Modified:
activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/activemq-ldap.xml
URL:
http://svn.apache.org/viewvc/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/activemq-ldap.xml?rev=1295661&r1=1295660&r2=1295661&view=diff
==============================================================================
---
activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/activemq-ldap.xml
(original)
+++
activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/activemq-ldap.xml
Thu Mar 1 16:36:12 2012
@@ -27,6 +27,10 @@
<broker useJmx="false" xmlns="http://activemq.apache.org/schema/core"
persistent="false">
+ <destinations>
+ <queue physicalName="ADMIN.FOO" />
+ </destinations>
+
<plugins>
<simpleAuthenticationPlugin>
<users>