Modified: qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ExchangeDestination.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ExchangeDestination.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ExchangeDestination.java (original)
+++ qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ExchangeDestination.java Wed Jun 29 23:23:09 2016
@@ -20,6 +20,9 @@
 */
 package org.apache.qpid.server.protocol.v1_0;
+import java.util.Collections;
+
+import org.apache.qpid.server.model.VirtualHost;
 import org.apache.qpid.server.protocol.v1_0.type.Outcome;
 import org.apache.qpid.server.protocol.v1_0.type.messaging.Accepted;
 import org.apache.qpid.server.protocol.v1_0.type.messaging.Rejected;
@@ -27,6 +30,8 @@ import org.apache.qpid.server.protocol.v
 import org.apache.qpid.server.protocol.v1_0.type.messaging.TerminusExpiryPolicy;
 import org.apache.qpid.server.message.InstanceProperties;
 import org.apache.qpid.server.model.Exchange;
+import org.apache.qpid.server.security.SecurityManager;
+import org.apache.qpid.server.security.SecurityToken;
 import org.apache.qpid.server.txn.ServerTransaction;
 public class ExchangeDestination implements ReceivingDestination, SendingDestination
@@ -96,6 +101,19 @@ public class ExchangeDestination impleme
 }
 @Override
+ public void authorizePublish(final SecurityToken securityToken, final Message_1_0 message)
+ {
+ final SecurityManager securityManager =
+ _exchange.getParent(VirtualHost.class).getBroker().getSecurityManager();
+
+ securityManager
+ .authoriseExecute(securityToken, _exchange, "publish",
+ Collections.<String,Object>singletonMap("routingKey", getRoutingAddress(message)));
+
+
+ }
+
+ @Override
 public String getRoutingAddress(final Message_1_0 message)
 {
 String routingAddress;
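Review bot: The routing key authorised in `authorizePublish` comes from its own call to `getRoutingAddress(message)`, and nothing visible in this hunk ties it to the key that `send` later routes on; if the two could ever differ, the ACL decision would cover a different key from the one actually used. Consider resolving the address once in the caller and passing it to both, or at least add a comment such as `// must be the same routing key that send() routes on`. The method also has no Javadoc saying that denial is signalled by `authoriseExecute` throwing (the exception type is not visible here), and the two blank lines before the closing brace can be dropped. The same points apply to `QueueDestination.authorizePublish` and `NodeReceivingDestination.authorizePublish`.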
Modified: qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/NodeReceivingDestination.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/NodeReceivingDestination.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/NodeReceivingDestination.java (original)
+++ qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/NodeReceivingDestination.java Wed Jun 29 23:23:09 2016
@@ -20,6 +20,11 @@
 */
 package org.apache.qpid.server.protocol.v1_0;
+import java.util.Collections;
+
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.ConfiguredObject;
+import org.apache.qpid.server.model.VirtualHost;
 import org.apache.qpid.server.protocol.v1_0.type.Outcome;
 import org.apache.qpid.server.protocol.v1_0.type.messaging.Accepted;
 import org.apache.qpid.server.protocol.v1_0.type.messaging.Rejected;
@@ -27,6 +32,8 @@ import org.apache.qpid.server.protocol.v
 import org.apache.qpid.server.protocol.v1_0.type.messaging.TerminusExpiryPolicy;
 import org.apache.qpid.server.message.InstanceProperties;
 import org.apache.qpid.server.message.MessageDestination;
+import org.apache.qpid.server.security.SecurityManager;
+import org.apache.qpid.server.security.SecurityToken;
 import org.apache.qpid.server.txn.ServerTransaction;
 public class NodeReceivingDestination implements ReceivingDestination
@@ -97,6 +104,24 @@ public class NodeReceivingDestination im
 }
 @Override
+ public void authorizePublish(final SecurityToken securityToken, final Message_1_0 message)
+ {
+ if(_destination instanceof ConfiguredObject)
+ {
+ ConfiguredObject<?> object = (ConfiguredObject)_destination;
+ final SecurityManager securityManager =
+ object.getModel().getAncestor(Broker.class, object).getSecurityManager();
+
+ securityManager
+ .authoriseExecute(securityToken, object, "publish",
+ Collections.<String, Object>singletonMap("routingKey",
+ getRoutingAddress(message)));
+ }
+
+
+ }
+
+ @Override
 public String getRoutingAddress(final Message_1_0 message)
 {
 MessageMetaData_1_0.MessageHeader_1_0 messageHeader = message.getMessageHeader();
Modified: qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/QueueDestination.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/QueueDestination.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/QueueDestination.java (original)
+++ qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/QueueDestination.java Wed Jun 29 23:23:09 2016
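Review bot: When `_destination` is not a `ConfiguredObject`, `authorizePublish` returns without performing any check, so publishing to such a destination is permitted by default; the `securityManager.authorisePublish(...)` call this commit removes from `ReceivingLink_1_0` was unconditional in the visible lines. Either deny in an `else` branch or record why no ACL check is needed, e.g. `// destinations that are not ConfiguredObjects are not subject to ACLs because …`. The cast is also to the raw type and would be cleaner as `(ConfiguredObject<?>) _destination`. The `VirtualHost` import added at the top of this file is not used by the new method and may be unnecessary.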
@@ -20,10 +20,15 @@
 */
 package org.apache.qpid.server.protocol.v1_0;
+import java.util.Collections;
+
+import org.apache.qpid.server.model.VirtualHost;
 import org.apache.qpid.server.protocol.v1_0.type.Outcome;
 import org.apache.qpid.server.protocol.v1_0.type.messaging.Accepted;
 import org.apache.qpid.server.message.MessageReference;
 import org.apache.qpid.server.model.Queue;
+import org.apache.qpid.server.security.SecurityManager;
+import org.apache.qpid.server.security.SecurityToken;
 import org.apache.qpid.server.store.MessageEnqueueRecord;
 import org.apache.qpid.server.txn.ServerTransaction;
@@ -32,11 +37,13 @@ public class QueueDestination extends Me
 private static final Accepted ACCEPTED = new Accepted();
 private static final Outcome[] OUTCOMES = new Outcome[] { ACCEPTED };
 private final String _address;
+ private final Queue<?> _queue;
 public QueueDestination(Queue<?> queue, final String address)
 {
 super(queue);
+ _queue = queue;
 _address = address;
 }
@@ -93,6 +100,20 @@ public class QueueDestination extends Me
 }
 @Override
+ public void authorizePublish(final SecurityToken securityToken, final Message_1_0 message)
+ {
+
+ final SecurityManager securityManager =
+ _queue.getParent(VirtualHost.class).getBroker().getSecurityManager();
+
+ securityManager
+ .authoriseExecute(securityToken, _queue, "publish",
+ Collections.<String,Object>singletonMap("routingKey", getRoutingAddress(message)));
+
+
+ }
+
+ @Override
 public String getAddress()
 {
 return _address;
Modified: qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ReceivingDestination.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ReceivingDestination.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ReceivingDestination.java (original)
+++ qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ReceivingDestination.java Wed Jun 29 23:23:09 2016
@@ -22,6 +22,7 @@ package org.apache.qpid.server.protocol.
 import org.apache.qpid.server.protocol.v1_0.type.Outcome;
+import org.apache.qpid.server.security.SecurityToken;
 import org.apache.qpid.server.txn.ServerTransaction;
 public interface ReceivingDestination extends Destination
@@ -36,4 +37,6 @@ public interface ReceivingDestination ex
 String getRoutingAddress(Message_1_0 message);
 String getAddress();
+
+ void authorizePublish(SecurityToken securityToken, final Message_1_0 message);
 }
Modified: qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ReceivingLink_1_0.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ReceivingLink_1_0.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ReceivingLink_1_0.java (original)
+++ qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ReceivingLink_1_0.java Wed Jun 29 23:23:09 2016
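Review bot: `authorizePublish` is added to the interface with no stated contract, and because it returns `void` an implementation that does nothing silently permits every publish. Add Javadoc saying that the method must throw when the token is not permitted to publish `message` to this destination and return normally only when access is granted, for example `/** Checks that securityToken may publish message to this destination; throws if access is denied. */`. The `final` on the second parameter has no effect in an interface declaration and is inconsistent with the first parameter.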
@@ -199,13 +199,11 @@ public class ReceivingLink_1_0 implement
 final SecurityManager securityManager = getSession().getConnection().getBroker().getSecurityManager();
 try
 {
- securityManager.authorisePublish(false,
- _destination.getRoutingAddress(message),
- _destination.getAddress(),
- _addressSpace.getName(),
- _attachment.getSession().getSubject(),
- message.getMessageHeader().getUserId(),
- _attachment.getSession().getAMQPConnection());
+ Session_1_0 session = getSession();
+
+ session.getAMQPConnection()
+ .checkAuthorizedMessagePrincipal(message.getMessageHeader().getUserId());
+ _destination.authorizePublish(session.getSecurityToken(), message);
 Outcome outcome = _destination.send(message, transaction);
Modified: qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/Session_1_0.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/Session_1_0.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/Session_1_0.java (original)
+++ qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/Session_1_0.java Wed Jun 29 23:23:09 2016
@@ -91,6 +91,7 @@ import org.apache.qpid.server.model.Sess
 import org.apache.qpid.server.protocol.AMQSessionModel;
 import org.apache.qpid.server.protocol.ConsumerListener;
 import org.apache.qpid.server.protocol.LinkRegistry;
+import org.apache.qpid.server.security.SecurityToken;
 import org.apache.qpid.server.transport.AMQPConnection;
 import org.apache.qpid.server.txn.AutoCommitTransaction;
 import org.apache.qpid.server.txn.ServerTransaction;
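Review bot: The local `securityManager` declared just above the `try` appears to be unused in the visible lines now that authorisation goes through `_destination.authorizePublish`; if nothing later in the method reads it, the declaration should be removed. A one-line comment that both checks must stay ahead of `_destination.send(...)` would also protect the ordering, e.g. `// authorise before routing: message user-id first, then the destination ACL`. The method continues outside this hunk, so a later use of `securityManager` cannot be ruled out from here.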
@@ -104,6 +105,7 @@ public class Session_1_0 implements AMQS
 private static final Logger _logger = LoggerFactory.getLogger(Session_1_0.class);
 private static final Symbol LIFETIME_POLICY = Symbol.valueOf("lifetime-policy");
 private final AccessControlContext _accessControllerContext;
+ private final SecurityToken _securityToken;
 private AutoCommitTransaction _transaction;
 private final LinkedHashMap<Integer, ServerTransaction> _openTransactions =
@@ -180,6 +182,7 @@ public class Session_1_0 implements AMQS
 _subject.getPrincipals().addAll(connection.getSubject().getPrincipals());
 _subject.getPrincipals().add(new SessionPrincipal(this));
 _accessControllerContext = org.apache.qpid.server.security.SecurityManager.getAccessControlContextFromSubject(_subject);
+ _securityToken = connection.getBroker().getSecurityManager().newToken(_subject);
 }
 public void setReceivingChannel(final short receivingChannel)
@@ -1387,6 +1390,11 @@ public class Session_1_0 implements AMQS
 return _connection.getAddressSpace();
 }
+ public SecurityToken getSecurityToken()
+ {
+ return _securityToken;
+ }
+
 private class SubjectSpecificReceivingLinkListener implements ReceivingLinkListener
 {
Modified: qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementAddressSpace.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementAddressSpace.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementAddressSpace.java (original)
+++ qpid/java/trunk/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementAddressSpace.java Wed Jun 29 23:23:09 2016
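Review bot: `_securityToken` is created once in the constructor from `_subject` and then reused for every publish check on the session, so whatever the token captures is fixed for the session's lifetime. `SecurityToken` is not visible here; if it caches authorisation decisions or a snapshot of the principals, please confirm that an ACL change made while the session is open is still honoured for that session. A field comment such as `// per-session token handed to authoriseExecute; created once from _subject` and Javadoc on `getSecurityToken()` would record the intended lifetime.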
@@ -157,8 +157,7 @@ public class ManagementAddressSpace impl
 public boolean authoriseCreateConnection(final AMQPConnection<?> connection)
 {
 SecurityManager securityManager = _broker.getSecurityManager();
- securityManager.authoriseCreateConnection(connection);
- securityManager.accessManagement();
+ securityManager.authoriseExecute(_broker, "manage", Collections.<String,Object>emptyMap());
 return true;
 }
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java Wed Jun 29 23:23:09 2016
@@ -113,7 +113,7 @@ public class HttpManagementUtil
 subject = createServletConnectionSubject(request, subject);
- assertManagementAccess(broker.getSecurityManager(), subject);
+ assertManagementAccess(broker, subject);
 saveAuthorisedSubject(request, subject);
 }
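Review bot: `authoriseCreateConnection` no longer calls `securityManager.authoriseCreateConnection(connection)`, so the `connection` argument is now unused and the only remaining check is the broker-level `"manage"` operation; please confirm the connection-level rule is still enforced elsewhere for management connections, or say in a comment why it is not needed. The operation name `"manage"` is a bare string here and again in `HttpManagementUtil.assertManagementAccess`, so a typo in either place would not be caught by the compiler; a shared constant would avoid that. The method always returns `true` and relies on `authoriseExecute` throwing on denial, which deserves a one-line Javadoc.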
@@ -130,14 +130,14 @@ public class HttpManagementUtil
 return subject;
 }
- public static void assertManagementAccess(final SecurityManager securityManager, Subject subject)
+ public static void assertManagementAccess(final Broker<?> broker, Subject subject)
 {
 Subject.doAs(subject, new PrivilegedAction<Void>()
 {
 @Override
 public Void run()
 {
- securityManager.accessManagement();
+ broker.getSecurityManager().authoriseExecute(broker,"manage",Collections.<String,Object>emptyMap());
 return null;
 }
 });
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java Wed Jun 29 23:23:09 2016
@@ -206,7 +206,7 @@ public class OAuth2InteractiveAuthentica
 private void authoriseManagement(final Subject subject)
 {
 Broker broker = (Broker) oauth2Provider.getParent(Broker.class);
- HttpManagementUtil.assertManagementAccess(broker.getSecurityManager(), subject);
+ HttpManagementUtil.assertManagementAccess(broker, subject);
 }
 };
 }
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java Wed Jun 29 23:23:09 2016
@@ -220,7 +220,7 @@ public class SaslServlet extends Abstrac
 Broker broker = getBroker();
 try
 {
- HttpManagementUtil.assertManagementAccess(broker.getSecurityManager(), original);
+ HttpManagementUtil.assertManagementAccess(broker, original);
 Subject subject = HttpManagementUtil.createServletConnectionSubject(request, original);
 HttpManagementUtil.saveAuthorisedSubject(request, subject);
Modified: qpid/java/trunk/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticatorTest.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticatorTest.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticatorTest.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticatorTest.java Wed Jun 29 23:23:09 2016
@@ -22,6 +22,7 @@ package org.apache.qpid.server.managemen
 import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.anyInt;
+import static org.mockito.Matchers.anyMap;
 import static org.mockito.Matchers.anyString;
 import static org.mockito.Matchers.eq;
 import static org.mockito.Mockito.doAnswer;
@@ -307,7 +308,7 @@ public class OAuth2InteractiveAuthentica
 }
 return null;
 }
- }).when(mockSecurityManager).accessManagement();
+ }).when(mockSecurityManager).authoriseExecute(eq(mockBroker), eq("manage"), anyMap());
 when(mockBroker.getSecurityManager()).thenReturn(mockSecurityManager);
 when(authenticationProvider.getAuthorizationEndpointURI()).thenReturn(new URI(TEST_AUTHORIZATION_ENDPOINT));
Modified: qpid/java/trunk/systests/src/test/java/org/apache/qpid/server/security/acl/ExternalACLTest.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/systests/src/test/java/org/apache/qpid/server/security/acl/ExternalACLTest.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/systests/src/test/java/org/apache/qpid/server/security/acl/ExternalACLTest.java (original)
+++ qpid/java/trunk/systests/src/test/java/org/apache/qpid/server/security/acl/ExternalACLTest.java Wed Jun 29 23:23:09 2016
@@ -76,7 +76,7 @@ public class ExternalACLTest extends Abs
 private void assertAccessDeniedException(JMSException e)
 {
- assertEquals("Unexpected exception message", "Error creating connection: Permission denied: test", e.getMessage());
+ assertEquals("Unexpected exception message", "Error creating connection: Permission denied on VirtualHost 'test' to perform 'connect' operation", e.getMessage());
 // JMSException -> linkedException -> cause = AMQException (403 or 320)
 Exception linkedException = e.getLinkedException();
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
