Repository: karaf
Updated Branches:
  refs/heads/karaf-2.x afa3c6692 -> edb7b1bc4


[KARAF-3293]more fine-grained way to specify the jmx.acl.whitelist.cfg


Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/edb7b1bc
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/edb7b1bc
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/edb7b1bc

Branch: refs/heads/karaf-2.x
Commit: edb7b1bc40be6ad65d65c9e1b3c18ba2a2ca80a3
Parents: afa3c66
Author: Freeman Fang <[email protected]>
Authored: Thu Oct 16 15:39:07 2014 +0800
Committer: Freeman Fang <[email protected]>
Committed: Thu Oct 16 15:39:07 2014 +0800

----------------------------------------------------------------------
 .../karaf/management/KarafMBeanServerGuard.java | 30 +++++++++++++-------
 1 file changed, 20 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/karaf/blob/edb7b1bc/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
----------------------------------------------------------------------
diff --git 
a/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
 
b/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
index 0271a62..be323fd 100644
--- 
a/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
+++ 
b/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
@@ -23,11 +23,9 @@ import java.security.AccessControlContext;
 import java.security.AccessController;
 import java.security.Principal;
 import java.util.ArrayList;
-import java.util.Collection;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.List;
-import java.util.StringTokenizer;
 import java.util.regex.Pattern;
 
 import javax.management.Attribute;
@@ -198,7 +196,7 @@ public class KarafMBeanServerGuard implements 
InvocationHandler {
     }
 
     private boolean canInvoke(ObjectName objectName, String methodName, 
String[] signature) throws IOException {
-        if (canBypassRBAC(objectName)) {
+        if (canBypassRBAC(objectName, methodName)) {
             return true;
         }
         for (String role : getRequiredRoles(objectName, methodName, 
signature)) {
@@ -219,9 +217,9 @@ public class KarafMBeanServerGuard implements 
InvocationHandler {
         }
         if (prefix == null) {
             LOG.debug("Attribute " + attributeName + " can not be found for 
MBean " + objectName.toString());
+        } else {
+            handleInvoke(objectName, prefix + attributeName, new Object[]{}, 
new String[]{});
         }
-
-        handleInvoke(objectName, prefix + attributeName, new Object[]{}, new 
String[]{});
     }
 
     private void handleGetAttributes(MBeanServer proxy, ObjectName objectName, 
String[] attributeNames) throws JMException, IOException {
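Review bot: When `prefix` is null, the new `else` makes this method return without calling `handleInvoke`, so no role check runs for an attribute name that was not matched in the MBean's metadata. A guard should fail closed here: a dynamic MBean may answer reads for attributes it does not declare, and the only trace is a debug-level log line. Consider rejecting instead, e.g. `throw new AttributeNotFoundException(attributeName);`, or at minimum logging at warn level so skipped checks are visible to operators. The method's signature and the loop that sets `prefix` lie outside the hunk, so confirm that its throws clause admits a JMException subtype.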
@@ -252,7 +250,7 @@ public class KarafMBeanServerGuard implements 
InvocationHandler {
         }
     }
     
-    private boolean canBypassRBAC(ObjectName objectName) {
+    private boolean canBypassRBAC(ObjectName objectName, String operationName) 
{
         List<String> allBypassObjectName = new ArrayList<String>();
         try {
             Configuration[] configs = 
configAdmin.listConfigurations("(service.pid=" + JMX_ACL_WHITELIST + ")");
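Review bot: `canBypassRBAC` gains an `operationName` parameter, but nothing documents the whitelist entry format the parameter exists for. A short Javadoc would help whoever edits the whitelist configuration, e.g. `/** Returns true when the whitelist lists this MBean, either as "<name>" (every operation) or as "<name>;<operation>" (that operation only). */`. It should also say that attribute reads arrive here under the accessor name built in handleGetAttribute (`prefix + attributeName`), so per-attribute entries must be written in that form. The method body continues past this hunk.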
@@ -272,16 +270,28 @@ public class KarafMBeanServerGuard implements 
InvocationHandler {
         } 
 
         for (String pid : iterateDownPids(getNameSegments(objectName))) {
-            if (!pid.equals("jmx.acl") 
-                && 
allBypassObjectName.contains(pid.substring("jmx.acl.".length()))) {
-                return true;
+            if (!pid.equals("jmx.acl"))  {
+                for (String bypassObjectName : allBypassObjectName) {
+                    String objectNameAndMethod[] = bypassObjectName.split(";");
+                    if (objectNameAndMethod.length > 1) {
+                        //check both the ObjectName and MethodName
+                        if 
(bypassObjectName.equals(pid.substring("jmx.acl.".length()) 
+                            + ";" + operationName)) {
+                            return true;
+                        }
+                    } else {
+                        if 
(bypassObjectName.equals(pid.substring("jmx.acl.".length()))) {
+                            return true;
+                        }
+                    }
+                }
             }
         }
         return false;
     }
 
     void handleInvoke(ObjectName objectName, String operationName, Object[] 
params, String[] signature) throws IOException {
-        if (canBypassRBAC(objectName)) {
+        if (canBypassRBAC(objectName, operationName)) {
             return;
         }
         for (String role : getRequiredRoles(objectName, operationName, params, 
signature)) {
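Review bot: The per-operation match in `canBypassRBAC` compares only `operationName` and never consults the signature, so a whitelist entry `name;op` bypasses the role check for every overload of `op`. That may include overloads the whitelist author did not intend to open up. Because a match skips `getRequiredRoles` entirely in both `canInvoke` and `handleInvoke`, either document that entries are overload-wide or extend the entry format to carry the signature. Separately, `objectNameAndMethod` is used only for its length and `pid.substring("jmx.acl.".length())` is recomputed for every entry; hoisting it before the inner loop, `String name = pid.substring("jmx.acl.".length());`, would make the two comparisons easier to audit. `canBypassRBAC` starts in the previous hunk and `handleInvoke` continues past this one.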
