QPID-4334: removed the firewall plugin and moved its functionality into the Access Control plugin.

Applied patch from Philip Harvey <phil@philharveyonline.com>.

git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1391430 13f79535-47bb-0310-9956-ffa450edef68

7 files changed, 550 insertions, 1 deletions

diff --git a/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclActionTest.java b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclActionTest.java
new file mode 100644
index 0000000000..14620cff70
--- /dev/null
+++ b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclActionTest.java
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.access.config;
+
+import static org.mockito.Mockito.*;
+
+import org.apache.qpid.server.security.access.ObjectProperties;
+import org.apache.qpid.server.security.access.ObjectType;
+import org.apache.qpid.server.security.access.Operation;
+import org.apache.qpid.server.security.access.firewall.FirewallRule;
+
+import junit.framework.TestCase;
+
+public class AclActionTest extends TestCase
+{
+    public void testEqualsAndHashCode()
+    {
+        AclRulePredicates predicates = createAclRulePredicates();
+        ObjectType objectType = ObjectType.EXCHANGE;
+        Operation operation = Operation.ACCESS;
+
+        AclAction aclAction = new AclAction(operation, objectType, predicates);
+        AclAction equalAclAction = new AclAction(operation, objectType, predicates);
+
+        assertTrue(aclAction.equals(aclAction));
+        assertTrue(aclAction.equals(equalAclAction));
+        assertTrue(equalAclAction.equals(aclAction));
+
+        assertTrue(aclAction.hashCode() == equalAclAction.hashCode());
+
+        assertFalse("Different operation should cause aclActions to be unequal",
+                aclAction.equals(new AclAction(Operation.BIND, objectType, predicates)));
+
+        assertFalse("Different operation type should cause aclActions to be unequal",
+                aclAction.equals(new AclAction(operation, ObjectType.GROUP, predicates)));
+
+        assertFalse("Different predicates should cause aclActions to be unequal",
+                aclAction.equals(new AclAction(operation, objectType, createAclRulePredicates())));
+
+    }
+
+    private AclRulePredicates createAclRulePredicates()
+    {
+        AclRulePredicates predicates = mock(AclRulePredicates.class);
+        when(predicates.getFirewallRule()).thenReturn(mock(FirewallRule.class));
+        when(predicates.getObjectProperties()).thenReturn(mock(ObjectProperties.class));
+        return predicates;
+    }
+
+}
diff --git a/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclRulePredicatesTest.java b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclRulePredicatesTest.java
new file mode 100644
index 0000000000..93b765d0fb
--- /dev/null
+++ b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclRulePredicatesTest.java
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.access.config;
+
+import static org.apache.qpid.server.security.access.ObjectProperties.Property.*;
+
+import org.apache.qpid.server.security.access.firewall.FirewallRule;
+import org.apache.qpid.server.security.access.firewall.FirewallRuleFactory;
+
+import static org.mockito.Mockito.*;
+
+import junit.framework.TestCase;
+
+public class AclRulePredicatesTest extends TestCase
+{
+    private AclRulePredicates _aclRulePredicates = new AclRulePredicates();
+    private FirewallRuleFactory _firewallRuleFactory = mock(FirewallRuleFactory.class);
+
+    @Override
+    protected void setUp() throws Exception
+    {
+        _aclRulePredicates.setFirewallRuleFactory(_firewallRuleFactory);
+
+        when(_firewallRuleFactory.createForHostname((String[]) any())).thenReturn(mock(FirewallRule.class));
+        when(_firewallRuleFactory.createForNetwork((String[]) any())).thenReturn(mock(FirewallRule.class));
+    }
+
+    public void testParse()
+    {
+        String name = "name";
+        String className = "class";
+
+        _aclRulePredicates.parse(NAME.name(), name);
+        _aclRulePredicates.parse(CLASS.name(), className);
+
+        assertEquals(name, _aclRulePredicates.getObjectProperties().get(NAME));
+        assertEquals(className, _aclRulePredicates.getObjectProperties().get(CLASS));
+    }
+
+    public void testParseHostnameFirewallRule()
+    {
+        String hostname = "hostname1,hostname2";
+        _aclRulePredicates.parse(FROM_HOSTNAME.name(), hostname);
+
+        verify(_firewallRuleFactory).createForHostname(new String[] {"hostname1", "hostname2"});
+    }
+
+    public void testParseNetworkFirewallRule()
+    {
+        _aclRulePredicates.setFirewallRuleFactory(_firewallRuleFactory);
+
+        String networks = "network1,network2";
+        _aclRulePredicates.parse(FROM_NETWORK.name(), networks);
+
+        verify(_firewallRuleFactory).createForNetwork(new String[] {"network1", "network2"});
+    }
+
+    public void testParseThrowsExceptionIfBothHostnameAndNetworkSpecified()
+    {
+        _aclRulePredicates.parse(FROM_NETWORK.name(), "network1,network2");
+        try
+        {
+            _aclRulePredicates.parse(FROM_HOSTNAME.name(), "hostname1,hostname2");
+            fail("Exception not thrown");
+        }
+        catch(IllegalStateException e)
+        {
+            // pass
+        }
+    }
+}
diff --git a/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/ClientActionTest.java b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/ClientActionTest.java
new file mode 100644
index 0000000000..ae5d3fda74
--- /dev/null
+++ b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/ClientActionTest.java
@@ -0,0 +1,79 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.access.config;
+
+import static org.mockito.Mockito.*;
+
+import java.net.InetAddress;
+
+import org.apache.qpid.server.security.access.firewall.FirewallRule;
+
+import junit.framework.TestCase;
+
+public class ClientActionTest extends TestCase
+{
+    private Action _action = mock(Action.class);
+    private AclAction _ruleAction = mock(AclAction.class);
+    private InetAddress _addressOfClient = mock(InetAddress.class);
+
+    private ClientAction _clientAction = new ClientAction(_action);
+
+    public void testMatches_returnsTrueWhenActionsMatchAndNoFirewallRule()
+    {
+        when(_action.matches(any(Action.class))).thenReturn(true);
+        when(_ruleAction.getFirewallRule()).thenReturn(null);
+
+        assertTrue(_clientAction.matches(_ruleAction, _addressOfClient));
+    }
+
+    public void testMatches_returnsFalseWhenActionsDontMatch()
+    {
+        FirewallRule firewallRule = mock(FirewallRule.class);
+        when(firewallRule.matches(_addressOfClient)).thenReturn(true);
+
+        when(_action.matches(any(Action.class))).thenReturn(false);
+        when(_ruleAction.getFirewallRule()).thenReturn(firewallRule);
+
+        assertFalse(_clientAction.matches(_ruleAction, _addressOfClient));
+    }
+
+    public void testMatches_returnsTrueWhenActionsAndFirewallRuleMatch()
+    {
+        FirewallRule firewallRule = mock(FirewallRule.class);
+        when(firewallRule.matches(_addressOfClient)).thenReturn(true);
+
+        when(_action.matches(any(Action.class))).thenReturn(true);
+        when(_ruleAction.getFirewallRule()).thenReturn(firewallRule);
+
+        assertTrue(_clientAction.matches(_ruleAction, _addressOfClient));
+    }
+
+    public void testMatches_ignoresFirewallRuleIfClientAddressIsNull()
+    {
+        FirewallRule firewallRule = mock(FirewallRule.class);
+
+        when(_action.matches(any(Action.class))).thenReturn(true);
+        when(_ruleAction.getFirewallRule()).thenReturn(firewallRule);
+
+        assertTrue(_clientAction.matches(_ruleAction, null));
+
+        verifyZeroInteractions(firewallRule);
+    }
+
+}
diff --git a/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleTest.java b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleTest.java
new file mode 100644
index 0000000000..2ae7759679
--- /dev/null
+++ b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleTest.java
@@ -0,0 +1,53 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.access.config;
+
+import static org.mockito.Mockito.*;
+
+import org.apache.qpid.server.security.access.Permission;
+
+import junit.framework.TestCase;
+
+public class RuleTest extends TestCase
+{
+    public void testEqualsAndHashCode()
+    {
+        AclAction aclAction = mock(AclAction.class);
+        String identity = "identity";
+        Permission allow = Permission.ALLOW;
+
+        Rule rule = new Rule(identity, aclAction, allow);
+        Rule equalRule = new Rule(identity, aclAction, allow);
+
+        assertTrue(rule.equals(rule));
+        assertTrue(rule.equals(equalRule));
+        assertTrue(equalRule.equals(rule));
+
+        assertTrue(rule.hashCode() == equalRule.hashCode());
+
+        assertFalse("Different identity should cause rules to be unequal",
+                rule.equals(new Rule("identity2", aclAction, allow)));
+
+        assertFalse("Different action should cause rules to be unequal",
+                rule.equals(new Rule(identity, mock(AclAction.class), allow)));
+
+        assertFalse("Different permission should cause rules to be unequal",
+                rule.equals(new Rule(identity, aclAction, Permission.DENY)));
+    }
+}
diff --git a/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRuleTest.java b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRuleTest.java
new file mode 100644
index 0000000000..be82cb294a
--- /dev/null
+++ b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRuleTest.java
@@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.access.firewall;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.net.InetAddress;
+
+import org.apache.qpid.server.security.access.firewall.HostnameFirewallRule;
+
+import junit.framework.TestCase;
+
+public class HostnameFirewallRuleTest extends TestCase
+{
+    private InetAddress _addressNotInRule;
+
+    private HostnameFirewallRule _HostnameFirewallRule;
+
+    @Override
+    protected void setUp() throws Exception
+    {
+        _addressNotInRule = InetAddress.getByName("127.0.0.1");
+    }
+
+    public void testSingleHostname() throws Exception
+    {
+        String hostnameInRule = "hostnameInRule";
+        InetAddress addressWithMatchingHostname = mock(InetAddress.class);
+        when(addressWithMatchingHostname.getCanonicalHostName()).thenReturn(hostnameInRule);
+
+        _HostnameFirewallRule = new HostnameFirewallRule(hostnameInRule);
+
+        assertFalse(_HostnameFirewallRule.matches(_addressNotInRule));
+        assertTrue(_HostnameFirewallRule.matches(addressWithMatchingHostname));
+    }
+
+    public void testSingleHostnameWilcard() throws Exception
+    {
+        String hostnameInRule = ".*FOO.*";
+        InetAddress addressWithMatchingHostname = mock(InetAddress.class);
+        when(addressWithMatchingHostname.getCanonicalHostName()).thenReturn("xxFOOxx");
+
+        _HostnameFirewallRule = new HostnameFirewallRule(hostnameInRule);
+
+        assertFalse(_HostnameFirewallRule.matches(_addressNotInRule));
+        assertTrue(_HostnameFirewallRule.matches(addressWithMatchingHostname));
+    }
+
+    public void testMultipleHostnames() throws Exception
+    {
+        String[] hostnamesInRule = new String[] {"hostnameInRule1", "hostnameInRule2"};
+
+        _HostnameFirewallRule = new HostnameFirewallRule(hostnamesInRule);
+
+        assertFalse(_HostnameFirewallRule.matches(_addressNotInRule));
+        for (String hostnameInRule : hostnamesInRule)
+        {
+            InetAddress addressWithMatchingHostname = mock(InetAddress.class);
+            when(addressWithMatchingHostname.getCanonicalHostName()).thenReturn(hostnameInRule);
+
+            assertTrue(_HostnameFirewallRule.matches(addressWithMatchingHostname));
+        }
+    }
+
+    public void testEqualsAndHashCode()
+    {
+        String hostname1 = "hostname1";
+        String hostname2 = "hostname2";
+
+        HostnameFirewallRule rule = new HostnameFirewallRule(hostname1, hostname2);
+        HostnameFirewallRule equalRule = new HostnameFirewallRule(hostname1, hostname2);
+
+        assertTrue(rule.equals(rule));
+        assertTrue(rule.equals(equalRule));
+        assertTrue(equalRule.equals(rule));
+
+        assertTrue(rule.hashCode() == equalRule.hashCode());
+
+        assertFalse("Different hostnames should cause rules to be unequal",
+                rule.equals(new HostnameFirewallRule(hostname1, "different-hostname")));
+    }
+}
diff --git a/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/NetworkFirewallRuleTest.java b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/NetworkFirewallRuleTest.java
new file mode 100644
index 0000000000..e521039db2
--- /dev/null
+++ b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/NetworkFirewallRuleTest.java
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.access.firewall;
+
+import java.net.InetAddress;
+
+import org.apache.qpid.server.security.access.firewall.NetworkFirewallRule;
+
+import junit.framework.TestCase;
+
+public class NetworkFirewallRuleTest extends TestCase
+{
+    private static final String LOCALHOST_IP = "127.0.0.1";
+    private static final String OTHER_IP_1 = "192.168.23.1";
+    private static final String OTHER_IP_2 = "192.168.23.2";
+
+    private InetAddress _addressNotInRule;
+
+    private NetworkFirewallRule _networkFirewallRule;
+
+    @Override
+    protected void setUp() throws Exception
+    {
+        _addressNotInRule = InetAddress.getByName(LOCALHOST_IP);
+    }
+
+    public void testIpRule() throws Exception
+    {
+        String ipAddressInRule = OTHER_IP_1;
+
+        _networkFirewallRule = new NetworkFirewallRule(ipAddressInRule);
+
+        assertFalse(_networkFirewallRule.matches(_addressNotInRule));
+        assertTrue(_networkFirewallRule.matches(InetAddress.getByName(ipAddressInRule)));
+    }
+
+    public void testNetMask() throws Exception
+    {
+        String ipAddressInRule = "192.168.23.0/24";
+        _networkFirewallRule = new NetworkFirewallRule(ipAddressInRule);
+
+        assertFalse(_networkFirewallRule.matches(InetAddress.getByName("192.168.24.1")));
+        assertTrue(_networkFirewallRule.matches(InetAddress.getByName("192.168.23.0")));
+        assertTrue(_networkFirewallRule.matches(InetAddress.getByName("192.168.23.255")));
+    }
+
+    public void testWildcard() throws Exception
+    {
+        // Test xxx.xxx.*
+
+        assertFalse(new NetworkFirewallRule("192.168.*")
+             .matches(InetAddress.getByName("192.169.1.0")));
+
+        assertTrue(new NetworkFirewallRule("192.168.*")
+            .matches(InetAddress.getByName("192.168.1.0")));
+
+        assertTrue(new NetworkFirewallRule("192.168.*")
+            .matches(InetAddress.getByName("192.168.255.255")));
+
+        // Test xxx.xxx.xxx.*
+
+        assertFalse(new NetworkFirewallRule("192.168.1.*")
+             .matches(InetAddress.getByName("192.169.2.0")));
+
+        assertTrue(new NetworkFirewallRule("192.168.1.*")
+            .matches(InetAddress.getByName("192.168.1.0")));
+
+        assertTrue(new NetworkFirewallRule("192.168.1.*")
+            .matches(InetAddress.getByName("192.168.1.255")));
+    }
+
+    public void testMultipleNetworks() throws Exception
+    {
+        String[] ipAddressesInRule = new String[] {OTHER_IP_1, OTHER_IP_2};
+
+        _networkFirewallRule = new NetworkFirewallRule(ipAddressesInRule);
+
+        assertFalse(_networkFirewallRule.matches(_addressNotInRule));
+        for (String ipAddressInRule : ipAddressesInRule)
+        {
+            assertTrue(_networkFirewallRule.matches(InetAddress.getByName(ipAddressInRule)));
+        }
+    }
+
+    public void testEqualsAndHashCode()
+    {
+        NetworkFirewallRule rule = new NetworkFirewallRule(LOCALHOST_IP, OTHER_IP_1);
+        NetworkFirewallRule equalRule = new NetworkFirewallRule(LOCALHOST_IP, OTHER_IP_1);
+
+        assertTrue(rule.equals(rule));
+        assertTrue(rule.equals(equalRule));
+        assertTrue(equalRule.equals(rule));
+
+        assertTrue(rule.hashCode() == equalRule.hashCode());
+
+        assertFalse("Different networks should cause rules to be unequal",
+                rule.equals(new NetworkFirewallRule(LOCALHOST_IP, OTHER_IP_2)));
+    }
+}
diff --git a/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/AccessControlTest.java b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/AccessControlTest.java
index 2385bcc3dd..a65c442bcf 100644
--- a/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/AccessControlTest.java
+++ b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/AccessControlTest.java
@@ -20,6 +20,13 @@
  */
 package org.apache.qpid.server.security.access.plugins;
 
+import static org.mockito.Mockito.*;
+
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+
+import javax.security.auth.Subject;
+
 import junit.framework.TestCase;
 
 import org.apache.commons.configuration.ConfigurationException;
@@ -194,6 +201,49 @@ public class AccessControlTest extends TestCase
         assertEquals(Result.DEFER, result);
     }
 
+    public void testAccess() throws Exception
+    {
+        Subject subject = TestPrincipalUtils.createTestSubject("user1");
+        SecurityManager.setThreadSubject(subject);
+
+        RuleSet mockRuleSet = mock(RuleSet.class);
+        ConfigurationPlugin accessControlConfiguration = createConfiguration(mockRuleSet);
+
+        InetAddress inetAddress = InetAddress.getLocalHost();
+        InetSocketAddress inetSocketAddress = new InetSocketAddress(inetAddress, 1);
+
+        AccessControl accessControl = AccessControl.FACTORY.newInstance(accessControlConfiguration);
+
+        accessControl.access(ObjectType.VIRTUALHOST, inetSocketAddress);
+
+        verify(mockRuleSet).check(subject, Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY, inetAddress);
+    }
+
+    public void testAccessIsDeniedIfRuleThrowsException() throws Exception
+    {
+        Subject subject = TestPrincipalUtils.createTestSubject("user1");
+        SecurityManager.setThreadSubject(subject);
+
+        InetAddress inetAddress = InetAddress.getLocalHost();
+        InetSocketAddress inetSocketAddress = new InetSocketAddress(inetAddress, 1);
+
+        RuleSet mockRuleSet = mock(RuleSet.class);
+        when(mockRuleSet.check(
+                subject,
+                Operation.ACCESS,
+                ObjectType.VIRTUALHOST,
+                ObjectProperties.EMPTY,
+                inetAddress)).thenThrow(new RuntimeException());
+
+        ConfigurationPlugin accessControlConfiguration = createConfiguration(mockRuleSet);
+
+        AccessControl accessControl = AccessControl.FACTORY.newInstance(accessControlConfiguration);
+        Result result = accessControl.access(ObjectType.VIRTUALHOST, inetSocketAddress);
+
+        assertEquals(Result.DENIED, result);
+    }
+
+
     /**
      * Tests that a grant access method rule allows any access operation to be performed on a specified component
      */
@@ -332,7 +382,7 @@ public class AccessControlTest extends TestCase
         final ConfigurationPlugin cp = new ConfigurationPlugin()
         {
             @SuppressWarnings("unchecked")
-            public AccessControlConfiguration  getConfiguration(final String plugin)
+            public AccessControlConfiguration getConfiguration(final String plugin)
             {
                 return new AccessControlConfiguration()
                 {