[
https://issues.apache.org/jira/browse/QPID-5567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13915866#comment-13915866
]
Robbie Gemmell commented on QPID-5567:
--------------------------------------
For https://svn.apache.org/r1569934
===================================
- We are creating the Subject differently for 0-8/9/9-1 sessions than for 0-10
and 1.0.
{noformat}
_subject = new Subject(false,
session.getAuthorizedSubject().getPrincipals(),
session.getAuthorizedSubject().getPublicCredentials(),
session.getAuthorizedSubject().getPrivateCredentials());
_subject.getPrincipals().add(new SessionPrincipal(this));
vs
_subject.getPrincipals().addAll(connection.getSubject().getPrincipals());
_subject.getPrincipals().add(new SessionPrincipal(this));
{noformat}
- Missed the comment when you did the actual TODO :)
{noformat}
+++
b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
@@ -119,37 +120,22 @@ public class HttpManagementUtil
public static void assertManagementAccess(final SecurityManager
securityManager, Subject subject, LogActor actor)
{
// TODO: We should eliminate SecurityManager.setThreadSubject in
favour of Subject.doAs
- SecurityManager.setThreadSubject(subject); // Required for
accessManagement check
CurrentActor.set(actor);
try
{
- try
+ Subject.doAs(subject, new PrivilegedAction<Void>()
{noformat}
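Review bot: The TODO comment at the top of assertManagementAccess ("We should eliminate SecurityManager.setThreadSubject in favour of Subject.doAs") is kept as unchanged context while the setThreadSubject call is removed and Subject.doAs is introduced, so it now describes work that is already done and should be dropped. CurrentActor.set(actor) is still a thread-local set before the try block, and the visible lines do not show where it is cleared, so it is worth confirming that this happens in a finally.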
For https://svn.apache.org/r1570411
====================================
- Todo what? Avoid the cast?
{noformat}
@@ -316,12 +319,15 @@ public class SecurityManager implements
ConfigurationChangeListener
}
}))
{
- throw new AccessControlException("Permission denied: " +
vhostname);
+ throw new AccessControlException("Permission denied: " +
connection.getVirtualHostName());
}
}
- public void authoriseConsume(final AMQQueue queue)
+ public void authoriseCreateConsumer(final Consumer consumer)
{
+ // TODO
+ final AMQQueue queue = (AMQQueue) consumer.getMessageSource();
+
if(!checkAllPlugins(new AccessCheck()
{
Result allowed(AccessControl plugin)
{noformat}
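Review bot: In authoriseCreateConsumer the bare "// TODO" does not say what is outstanding, and the line below it casts consumer.getMessageSource() to AMQQueue without a check. A consumer whose message source is not an AMQQueue would fail with a ClassCastException in the middle of an authorisation check instead of producing a clear allow or deny. Either spell out the TODO, or guard the cast with an instanceof test and deny otherwise.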
> [Java Broker] Remove SecurityManager "CurrentSubject" thread local, and
> always use the subject from the current AccessControlContext
> ------------------------------------------------------------------------------------------------------------------------------------
>
> Key: QPID-5567
> URL: https://issues.apache.org/jira/browse/QPID-5567
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Rob Godfrey
> Assignee: Robbie Gemmell
> Fix For: 0.27
>
>
> Rather than invent our own security context, we should use the one Java
> provides.
> Moreover since we perform security checks based on the Connection and Session
> of the user, we should add these as "Principals" of the current subject.
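The approach in the issue description, as an added example that is not part of the original message or of the Qpid code base: the authorisation check reads the Subject from the current AccessControlContext instead of a thread local, and the session travels with it as a Principal. The class names `SubjectContextDemo`, `NamedPrincipal` and `DemoSessionPrincipal` and the sample values are assumptions made for illustration.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

// Added illustration; class names are hypothetical, not Qpid's.
// Uses Subject.doAs as on the page; newer JDKs deprecate it in favour of
// Subject.callAs / Subject.current.
public class SubjectContextDemo {
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    // Stand-in for a session principal: marks which session the work runs for.
    static final class DemoSessionPrincipal implements Principal {
        private final String id;
        DemoSessionPrincipal(String id) { this.id = id; }
        @Override public String getName() { return "session:" + id; }
    }

    // The check receives no Subject and reads no thread local: it asks the
    // JDK for the Subject bound to the current AccessControlContext.
    static String authorise(String operation) {
        Subject current = Subject.getSubject(AccessController.getContext());
        if (current == null) {
            return "DENY " + operation + " (no subject in context)";
        }
        for (DemoSessionPrincipal s : current.getPrincipals(DemoSessionPrincipal.class)) {
            return "ALLOW " + operation + " for " + s.getName();
        }
        return "DENY " + operation + " (no session principal)";
    }

    public static void main(String[] args) {
        Subject connectionSubject = new Subject(); // constructed sample
        connectionSubject.getPrincipals().add(new NamedPrincipal("user:guest"));

        // Per-session subject: copy the connection's principals, add the session.
        Subject sessionSubject = new Subject();
        sessionSubject.getPrincipals().addAll(connectionSubject.getPrincipals());
        sessionSubject.getPrincipals().add(new DemoSessionPrincipal("1"));

        PrivilegedAction<String> work = () -> authorise("consume");
        System.out.println(Subject.doAs(sessionSubject, work));    // session subject in context
        System.out.println(Subject.doAs(connectionSubject, work)); // no session principal
        System.out.println(authorise("consume"));                  // outside doAs: no subject
    }
}
```

The third call shows the scoping that a hand-rolled thread local lacks: once doAs returns, the Subject is no longer in context, with nothing to reset.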