| author | Martin Ritchie <ritchiem@apache.org> | 2007-04-06 08:21:01 +0000 |
|---|---|---|
| committer | Martin Ritchie <ritchiem@apache.org> | 2007-04-06 08:21:01 +0000 |
| commit | 44b15052309ed169a16fa1aedbe05b07d4705b5d (patch) | |
| tree | 5b50de146e3c5a0ed7e7ffd16c56b539995ca053 /java | |
| parent | 7890dfb7d5192c5f752c5daaa4eb7b23d426135b (diff) | |
| download | qpid-python-44b15052309ed169a16fa1aedbe05b07d4705b5d.tar.gz | |
QPID-416 Update to Access control to allow simple read/write permissions per Virtual host.
access - updated file to have examples of access control.
AccessManager - Deprecated old isAuthorised method
Implemented new isAuthorized method on all AccessManagers
git-svn-id: https://svn.apache.org/repos/asf/incubator/qpid/branches/M2@526091 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'java')
8 files changed, 81 insertions, 21 deletions
diff --git a/java/broker/etc/access b/java/broker/etc/access
index 273c9ced41..cb1b871f77 100644
--- a/java/broker/etc/access
+++ b/java/broker/etc/access
@@ -1 +1 @@
-guest:test
+guest:localhost(w),test(rw)
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManager.java b/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManager.java index a97a56da55..d70a6dc8f4 100644 --- a/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManager.java +++ b/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManager.java @@ -20,9 +20,13 @@ */ package org.apache.qpid.server.security.access; +import java.security.Principal; + public interface AccessManager { - //AccessResult isAuthorized(Accessable accessObject, Principal username, AccessRights rights); + AccessResult isAuthorized(Accessable accessObject, Principal username, AccessRights.Rights rights); + + @Deprecated AccessResult isAuthorized(Accessable accessObject, String username); String getName(); diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManagerImpl.java b/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManagerImpl.java index 3620a0dcdc..1ccb13cf62 100644 --- a/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManagerImpl.java +++ b/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManagerImpl.java @@ -23,13 +23,13 @@ package org.apache.qpid.server.security.access; import org.apache.commons.configuration.Configuration; import org.apache.commons.configuration.ConfigurationException; import org.apache.qpid.server.registry.ApplicationRegistry; +import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal; import org.apache.qpid.configuration.PropertyUtils; -import org.apache.qpid.configuration.PropertyException; import org.apache.log4j.Logger; import java.util.List; import java.lang.reflect.Method; -import java.lang.reflect.InvocationTargetException; +import java.security.Principal; public class AccessManagerImpl implements AccessManager { 
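Review bot: The new `isAuthorized(Accessable, Principal, AccessRights.Rights)` added to the AccessManager interface has no Javadoc, and the `@Deprecated` placed on the String overload has no `@deprecated` tag naming its replacement, so implementors are given no contract for what `rights` must cover. A minimal Javadoc on the deprecated overload would be `/** @deprecated use {@link #isAuthorized(Accessable, Principal, AccessRights.Rights)}; this form cannot express which operation is being authorised. */`, and the new method should state that REFUSED is the expected result whenever the right is not explicitly granted. Note also that `AccessRights` (and `VirtualHostAccess`, used in FileAccessManager) are referenced throughout this commit but are not among the 8 files in the diffstat; if they are not already present on the branch the commit will not compile.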
@@ -121,9 +121,13 @@ public class AccessManagerImpl implements AccessManager } } - public AccessResult isAuthorized(Accessable accessObject, String username) { + return isAuthorized(accessObject, new UsernamePrincipal(username), AccessRights.Rights.READ); + } + + public AccessResult isAuthorized(Accessable accessObject, Principal user, AccessRights.Rights rights) + { if (_accessManager == null) { if (ApplicationRegistry.getInstance().getAccessManager() == this) @@ -133,17 +137,16 @@ public class AccessManagerImpl implements AccessManager } else { - return ApplicationRegistry.getInstance().getAccessManager().isAuthorized(accessObject, username); + return ApplicationRegistry.getInstance().getAccessManager().isAuthorized(accessObject, user, rights); } } else { - return _accessManager.isAuthorized(accessObject, username); + return _accessManager.isAuthorized(accessObject, user, rights); } } - public String getName - () + public String getName() { return "AccessManagerImpl"; } diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/AllowAll.java b/java/broker/src/main/java/org/apache/qpid/server/security/access/AllowAll.java index b2e4094edd..1ddca3a64e 100644 --- a/java/broker/src/main/java/org/apache/qpid/server/security/access/AllowAll.java +++ b/java/broker/src/main/java/org/apache/qpid/server/security/access/AllowAll.java @@ -20,9 +20,16 @@ */ package org.apache.qpid.server.security.access; +import java.security.Principal; + public class AllowAll implements AccessManager { + public AccessResult isAuthorized(Accessable accessObject, Principal username, AccessRights.Rights rights) + { + return new AccessResult(this, AccessResult.AccessStatus.GRANTED); + } + public AccessResult isAuthorized(Accessable accessObject, String username) { return new AccessResult(this, AccessResult.AccessStatus.GRANTED); 
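Review bot: The retained `isAuthorized(Accessable, String)` in the AccessManagerImpl hunk at -121 now hard-codes `AccessRights.Rights.READ`, so every caller still on the deprecated overload is checked for read permission regardless of the operation it guards; a legacy caller protecting a write path would be granted for a user who holds only read access in the new access file. The same READ default is repeated in FileAccessManager, PrincipalDatabaseAccessManager and PlainPasswordVhostFilePrincipalDatabase. The assumption should at least be visible where it is made, e.g. `// Legacy callers cannot name the operation; check the weakest right (READ) until they are migrated.`, and the remaining callers of the String overload should be listed (commit message or Javadoc) so they can be moved to the new signature before the per-vhost permissions are relied on.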
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/DenyAll.java b/java/broker/src/main/java/org/apache/qpid/server/security/access/DenyAll.java index 0e62d2657f..bf40eeba4e 100644 --- a/java/broker/src/main/java/org/apache/qpid/server/security/access/DenyAll.java +++ b/java/broker/src/main/java/org/apache/qpid/server/security/access/DenyAll.java @@ -20,8 +20,15 @@ */ package org.apache.qpid.server.security.access; +import java.security.Principal; + public class DenyAll implements AccessManager { + public AccessResult isAuthorized(Accessable accessObject, Principal username, AccessRights.Rights rights) + { + return new AccessResult(this, AccessResult.AccessStatus.REFUSED); + } + public AccessResult isAuthorized(Accessable accessObject, String username) { return new AccessResult(this, AccessResult.AccessStatus.REFUSED); diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/FileAccessManager.java b/java/broker/src/main/java/org/apache/qpid/server/security/access/FileAccessManager.java index 3bf2397350..291bc714ed 100644 --- a/java/broker/src/main/java/org/apache/qpid/server/security/access/FileAccessManager.java +++ b/java/broker/src/main/java/org/apache/qpid/server/security/access/FileAccessManager.java @@ -21,6 +21,7 @@ package org.apache.qpid.server.security.access; import org.apache.qpid.server.virtualhost.VirtualHost; +import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal; import org.apache.log4j.Logger; import java.io.IOException; @@ -29,6 +30,7 @@ import java.io.FileReader; import java.io.FileNotFoundException; import java.io.File; import java.util.regex.Pattern; +import java.security.Principal; /** * Represents a user database where the account information is stored in a simple flat file. 
@@ -71,9 +73,17 @@ public class FileAccessManager implements AccessManager * * @return a list of virtualhosts */ - private String[] lookupVirtualHost(String user) + private VirtualHostAccess[] lookupVirtualHost(String user) { - return lookup(user, VIRTUALHOST_INDEX); + String[] results = lookup(user, VIRTUALHOST_INDEX); + VirtualHostAccess vhosts[] = new VirtualHostAccess[results.length]; + + for (int index = 0; index < results.length; index++) + { + vhosts[index] = new VirtualHostAccess(results[index]); + } + + return vhosts; } @@ -117,20 +127,31 @@ public class FileAccessManager implements AccessManager return null; } - public AccessResult isAuthorized(Accessable accessObject, String username) { + return isAuthorized(accessObject, new UsernamePrincipal(username), AccessRights.Rights.READ); + } + + public AccessResult isAuthorized(Accessable accessObject, Principal user, AccessRights.Rights rights) + { if (accessObject instanceof VirtualHost) { - String[] hosts = lookupVirtualHost(username); + VirtualHostAccess[] hosts = lookupVirtualHost(user.getName()); if (hosts != null) { - for (String host : hosts) + for (VirtualHostAccess host : hosts) { - if (accessObject.getAccessableName().equals(host)) + if (accessObject.getAccessableName().equals(host.getVirtualHost())) { - return new AccessResult(this, AccessResult.AccessStatus.GRANTED); + if (host.getAccessRights().allows(rights)) + { + return new AccessResult(this, AccessResult.AccessStatus.GRANTED); + } + else + { + return new AccessResult(this, AccessResult.AccessStatus.REFUSED); + } } } } diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalDatabaseAccessManager.java b/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalDatabaseAccessManager.java index 02b3dba17d..6ccadb2e7d 100644 --- a/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalDatabaseAccessManager.java 
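Review bot: `lookupVirtualHost` in the FileAccessManager hunk at -71 dereferences `results.length` with no null check, yet the caller in the -117 hunk still guards `if (hosts != null)`, which indicates `lookup` can return null for a user with no entry; that case now escapes the authorization check as a NullPointerException instead of ending in REFUSED. Add `if (results == null) { return null; }` before the array is sized (or return an empty array and drop the caller's null check). Separately, `new VirtualHostAccess(results[index])` presumably parses the `name(rights)` token from the access file; its behaviour on a malformed token is not visible here and should be confirmed to refuse rather than grant. The body of `isAuthorized` continues past the end of the hunk.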
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalDatabaseAccessManager.java @@ -22,8 +22,11 @@ package org.apache.qpid.server.security.access; import org.apache.qpid.server.registry.ApplicationRegistry; import org.apache.qpid.server.security.auth.database.PrincipalDatabase; +import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal; import org.apache.log4j.Logger; +import java.security.Principal; + public class PrincipalDatabaseAccessManager implements AccessManager { private static final Logger _logger = Logger.getLogger(PrincipalDatabaseAccessManager.class); @@ -58,15 +61,21 @@ public class PrincipalDatabaseAccessManager implements AccessManager } } + public AccessResult isAuthorized(Accessable accessObject, String username) { + return isAuthorized(accessObject, new UsernamePrincipal(username), AccessRights.Rights.READ); + } + + public AccessResult isAuthorized(Accessable accessObject, Principal username, AccessRights.Rights rights) + { AccessResult result; if (_database == null) { if (_default != null) { - result = _default.isAuthorized(accessObject, username); + result = _default.isAuthorized(accessObject, username, rights); } else { @@ -78,11 +87,11 @@ public class PrincipalDatabaseAccessManager implements AccessManager if (!(_database instanceof AccessManager)) { _logger.warn("Specified PrincipalDatabase is not an AccessManager so using default AccessManager"); - result = _default.isAuthorized(accessObject, username); + result = _default.isAuthorized(accessObject, username, rights); } else { - result = ((AccessManager) _database).isAuthorized(accessObject, username); + result = ((AccessManager) _database).isAuthorized(accessObject, username, rights); } } 
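Review bot: In the PrincipalDatabaseAccessManager hunk at -78 the warn branch calls `_default.isAuthorized(accessObject, username, rights)` without a null check, while the `_database == null` branch in the -58 hunk guards `_default != null` first; if `_default` can be unset when a non-AccessManager database is configured, the check ends in a NullPointerException rather than a REFUSED result. The asymmetry predates this commit, but the line is being rewritten here, so mirroring the other branch's guard costs nothing. Also, the String overload added at -58 does not carry the `@Deprecated` the interface now places on it; adding `@Deprecated` and `@Override` to the implementations lets the compiler flag remaining callers. The enclosing method ends outside the hunk.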
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordVhostFilePrincipalDatabase.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordVhostFilePrincipalDatabase.java index af81b70296..598f8f8b4c 100644 --- a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordVhostFilePrincipalDatabase.java +++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordVhostFilePrincipalDatabase.java @@ -23,12 +23,15 @@ package org.apache.qpid.server.security.auth.database; import org.apache.qpid.server.security.access.AccessManager; import org.apache.qpid.server.security.access.AccessResult; import org.apache.qpid.server.security.access.Accessable; +import org.apache.qpid.server.security.access.AccessRights; +import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal; import org.apache.qpid.server.virtualhost.VirtualHost; import org.apache.log4j.Logger; import java.io.IOException; import java.io.BufferedReader; import java.io.FileReader; +import java.security.Principal; /** * Represents a user database where the account information is stored in a simple flat file. @@ -91,9 +94,15 @@ public class PlainPasswordVhostFilePrincipalDatabase extends PlainPasswordFilePr public AccessResult isAuthorized(Accessable accessObject, String username) { + return isAuthorized(accessObject, new UsernamePrincipal(username), AccessRights.Rights.READ); + } + + public AccessResult isAuthorized(Accessable accessObject, Principal user, AccessRights.Rights rights) + { + if (accessObject instanceof VirtualHost) { - String[] hosts = lookupVirtualHost(username); + String[] hosts = lookupVirtualHost(user.getName()); if (hosts != null) { @@ -114,5 +123,5 @@ public class PlainPasswordVhostFilePrincipalDatabase extends PlainPasswordFilePr { return "PlainPasswordVhostFile"; } - + } |
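Review bot: The new `isAuthorized(Accessable, Principal, AccessRights.Rights)` in PlainPasswordVhostFilePrincipalDatabase never reads `rights` within the hunk: `lookupVirtualHost(user.getName())` still returns a plain `String[]` of host names, unlike the `VirtualHostAccess[]` FileAccessManager now uses. If the remainder of the method (outside the hunk) still grants on a bare host-name match as FileAccessManager did before this change, this manager accepts the rights argument but does not enforce it, so a read-only grant would satisfy a write check. Either route the match through `VirtualHostAccess`/`allows(rights)` as FileAccessManager does, or state the limitation on the method: `// NOTE: this database stores host names only; the requested right is not enforced here.`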
