(artemis) branch main updated: ARTEMIS-5909 respect wildcard delimiter when converting jmx object name to mops security settings match address

Tue, 03 Mar 2026 14:02:12 -0800 

This is an automated email from the ASF dual-hosted git repository.

tabish pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/artemis.git


The following commit(s) were added to refs/heads/main by this push:
     new 47f4adbdf8 ARTEMIS-5909 respect wildcard delimiter when converting jmx 
object name to mops security settings match address
47f4adbdf8 is described below

commit 47f4adbdf808091d2360f9288ef7b83668948ae4
Author: Gary Tully <[email protected]>
AuthorDate: Tue Feb 24 16:35:35 2026 +0000

    ARTEMIS-5909 respect wildcard delimiter when converting jmx object name to 
mops security settings match address
---
 .../management/ArtemisRbacInvocationHandler.java   | 14 ++++----
 .../ArtemisRbacMBeanServerBuilderTest.java         | 41 ++++++++++++++++++++++
 .../isolated/security/JmxSecurityTest.java         | 15 ++++++++
 3 files changed, 64 insertions(+), 6 deletions(-)

diff --git 
a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/ArtemisRbacInvocationHandler.java
 
b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/ArtemisRbacInvocationHandler.java
index 4715f83f30..9453d90e5b 100644
--- 
a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/ArtemisRbacInvocationHandler.java
+++ 
b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/ArtemisRbacInvocationHandler.java
@@ -54,6 +54,7 @@ public class ArtemisRbacInvocationHandler implements 
GuardInvocationHandler {
    Pattern viewPermissionMatcher;
    SimpleString rbacPrefix;
    SimpleString mBeanServerRbacAddressPrefix;
+   char addressDelimiter;
 
    ArtemisRbacInvocationHandler(MBeanServer mbeanServer) {
       delegate = mbeanServer;
@@ -157,7 +158,8 @@ public class ArtemisRbacInvocationHandler implements 
GuardInvocationHandler {
 
             viewPermissionMatcher = 
Pattern.compile(activeMQServer.getConfiguration().getViewPermissionMethodMatchPattern());
             rbacPrefix = 
SimpleString.of(activeMQServer.getConfiguration().getManagementRbacPrefix());
-            mBeanServerRbacAddressPrefix = rbacPrefix.concat(".mbeanserver.");
+            addressDelimiter = 
activeMQServer.getConfiguration().getWildcardConfiguration().getDelimiter();
+            mBeanServerRbacAddressPrefix = 
rbacPrefix.concat(addressDelimiter).concat("mbeanserver").concat(addressDelimiter);
 
             serverControl.getServer().registerActivateCallback(new 
ActivateCallback() {
                @Override
@@ -306,21 +308,21 @@ public class ArtemisRbacInvocationHandler implements 
GuardInvocationHandler {
          }
       } else {
          // non artemis broker domain, prefix with domain
-         rbacAddress = rbacAddress.concat('.').concat(objectName.getDomain());
+         rbacAddress = 
rbacAddress.concat(addressDelimiter).concat(objectName.getDomain());
          type = removeQuotes(objectName.getKeyProperty("type"));
       }
 
       if (type != null) {
-         rbacAddress = rbacAddress.concat('.').concat(type);
+         rbacAddress = rbacAddress.concat(addressDelimiter).concat(type);
       }
       if (component != null) {
-         rbacAddress = rbacAddress.concat('.').concat(component);
+         rbacAddress = rbacAddress.concat(addressDelimiter).concat(component);
       }
       if (name != null) {
-         rbacAddress = rbacAddress.concat('.').concat(name);
+         rbacAddress = rbacAddress.concat(addressDelimiter).concat(name);
       }
       if (methodName != null) {
-         rbacAddress = rbacAddress.concat('.').concat(methodName);
+         rbacAddress = rbacAddress.concat(addressDelimiter).concat(methodName);
       }
 
       return rbacAddress;
diff --git 
a/artemis-server/src/test/java/org/apache/activemq/artemis/core/server/management/ArtemisRbacMBeanServerBuilderTest.java
 
b/artemis-server/src/test/java/org/apache/activemq/artemis/core/server/management/ArtemisRbacMBeanServerBuilderTest.java
index b591d9e9cc..f29feba88c 100644
--- 
a/artemis-server/src/test/java/org/apache/activemq/artemis/core/server/management/ArtemisRbacMBeanServerBuilderTest.java
+++ 
b/artemis-server/src/test/java/org/apache/activemq/artemis/core/server/management/ArtemisRbacMBeanServerBuilderTest.java
@@ -50,6 +50,7 @@ import org.apache.activemq.artemis.api.core.RoutingType;
 import org.apache.activemq.artemis.api.core.SimpleString;
 import org.apache.activemq.artemis.api.core.management.ActiveMQServerControl;
 import org.apache.activemq.artemis.api.core.management.ObjectNameBuilder;
+import org.apache.activemq.artemis.core.config.WildcardConfiguration;
 import org.apache.activemq.artemis.core.security.CheckType;
 import org.apache.activemq.artemis.core.security.Role;
 import org.apache.activemq.artemis.core.server.ActiveMQServer;
@@ -81,6 +82,7 @@ public class ArtemisRbacMBeanServerBuilderTest extends 
ServerTestBase {
       ArtemisRbacInvocationHandler handler = (ArtemisRbacInvocationHandler) 
Proxy.getInvocationHandler(proxy);
       handler.brokerDomain = "a.b";
       handler.rbacPrefix = SimpleString.of("jmx");
+      handler.addressDelimiter = 
WildcardConfiguration.DEFAULT_WILDCARD_CONFIGURATION.getDelimiter();
 
       try {
          handler.addressFrom(null);
@@ -165,6 +167,7 @@ public class ArtemisRbacMBeanServerBuilderTest extends 
ServerTestBase {
          (ArtemisRbacInvocationHandler) Proxy.getInvocationHandler(proxy);
       handler.brokerDomain = 
ActiveMQDefaultConfiguration.getDefaultJmxDomain();
       handler.rbacPrefix = 
SimpleString.of(ActiveMQDefaultConfiguration.getManagementRbacPrefix());
+      handler.addressDelimiter = 
WildcardConfiguration.DEFAULT_WILDCARD_CONFIGURATION.getDelimiter();
 
       for (Method m : ObjectNameBuilder.class.getDeclaredMethods()) {
          if (Modifier.isPublic(m.getModifiers()) && ObjectName.class == 
m.getReturnType()) {
@@ -578,6 +581,44 @@ public class ArtemisRbacMBeanServerBuilderTest extends 
ServerTestBase {
       assertInstanceOf(Set.class, result);
    }
 
+   @Test
+   public void testQueryWithCustomDelimeter() throws Exception {
+
+      MBeanServer proxy = underTest.newMBeanServer("d", mbeanServer, 
mBeanServerDelegate);
+
+      final ActiveMQServer server = createServer(false);
+      server.setMBeanServer(proxy);
+      
server.getConfiguration().setJMXManagementEnabled(true).setSecurityEnabled(true).getWildcardConfiguration().setDelimiter('&');
+
+      Set<Role> roles = new HashSet<>();
+      roles.add(new Role("viewers", false, false, false, false, false, false, 
false, false, false, false, true, false));
+      
server.getConfiguration().putSecurityRoles("mops&mbeanserver&queryNames", 
roles);
+
+      server.start();
+
+      Hashtable<String, String> attrs = new Hashtable<>();
+      attrs.put("broker", "bb");
+      attrs.put("type", "security");
+      attrs.put("area", "jmx");
+      attrs.put("name", "*");
+
+      final ObjectName queryName = new ObjectName("*", attrs);
+
+      Subject viewSubject = new Subject();
+      viewSubject.getPrincipals().add(new UserPrincipal("v"));
+      viewSubject.getPrincipals().add(new RolePrincipal("viewers"));
+
+      Object result = SecurityManagerShim.callAs(viewSubject, 
(Callable<Object>) () -> {
+         try {
+            return proxy.queryNames(queryName, null);
+         } catch (Exception e1) {
+            return e1;
+         }
+      });
+      assertNotNull(result);
+      assertInstanceOf(Set.class, result);
+   }
+
    @Test
    public void testQueryAllFiltered() throws Exception {
 
diff --git 
a/tests/integration-tests-isolated/src/test/java/org/apache/activemq/artemis/tests/integration/isolated/security/JmxSecurityTest.java
 
b/tests/integration-tests-isolated/src/test/java/org/apache/activemq/artemis/tests/integration/isolated/security/JmxSecurityTest.java
index 303029acef..68634bd40b 100644
--- 
a/tests/integration-tests-isolated/src/test/java/org/apache/activemq/artemis/tests/integration/isolated/security/JmxSecurityTest.java
+++ 
b/tests/integration-tests-isolated/src/test/java/org/apache/activemq/artemis/tests/integration/isolated/security/JmxSecurityTest.java
@@ -274,6 +274,21 @@ public class JmxSecurityTest {
       fr.getConfigurations();
    }
 
+   @Test
+   public void testJxmAuthFlightRecorderWithCustomWildcardDelimiter() throws 
Exception {
+
+      server.getConfiguration().getWildcardConfiguration().setDelimiter('-');
+      Set<Role> roles = new HashSet<>();
+      roles.add(new Role("programmers", false, false, false, false, true, 
false, false, false, false, false, true, false));
+      server.getConfiguration().putSecurityRoles("jmx-jdk.management.jfr-#", 
roles);
+
+      server.start();
+
+      ObjectName runtimeName = new ObjectName("jdk.management.jfr", "type", 
"FlightRecorder");
+      FlightRecorderMXBean fr = 
JMX.newMXBeanProxy(ManagementFactory.getPlatformMBeanServer(), runtimeName, 
FlightRecorderMXBean.class, false);
+      fr.getConfigurations();
+   }
+
    @Test
    public void testQueueAuthorization() throws Exception {
       final SimpleString ADDRESS = SimpleString.of("address");


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to