Diffstat (limited to 'qpid/java')
| -rw-r--r-- | qpid/java/broker/etc/broker_example.acl | 25 | ||||
| -rw-r--r-- | qpid/java/broker/src/main/java/org/apache/qpid/server/management/MBeanInvocationHandlerImpl.java | 7 |
2 files changed, 25 insertions, 7 deletions
diff --git a/qpid/java/broker/etc/broker_example.acl b/qpid/java/broker/etc/broker_example.acl
index 93955bb7f9..aae4ee3162 100644
--- a/qpid/java/broker/etc/broker_example.acl
+++ b/qpid/java/broker/etc/broker_example.acl
@@ -24,15 +24,32 @@
 #Define a 'messaging-users' group with users 'client' and 'server' in it
 GROUP messaging-users client server
+
 ### MANAGEMENT ####
-#Allow 'guest' to perform read operations on the Serverinformation mbean and view logger levels
-ACL ALLOW-LOG guest ACCESS METHOD component="ServerInformation"
-ACL ALLOW-LOG guest ACCESS METHOD component="LoggingManagement" name="viewEffectiveRuntimeLoggerLevels"
+# Allow everyone to perform read operations on the ServerInformation mbean
+# This is used for items such as querying the management API and broker release versions.
+ACL ALLOW-LOG ALL ACCESS METHOD component="ServerInformation"
-#Allow 'admin' all management operations
+# Allow 'admin' all management operations
 ACL ALLOW-LOG admin ALL METHOD
+# Deny access to Shutdown, UserManagement, ConfigurationManagement and LoggingManagement for all other users
+# You could grant specific users access to these beans by adding ALLOW-LOG rules above for them
+ACL DENY-LOG ALL ACCESS METHOD component="Shutdown"
+ACL DENY-LOG ALL ACCESS METHOD component="UserManagement"
+ACL DENY-LOG ALL ACCESS METHOD component="ConfigurationManagement"
+ACL DENY-LOG ALL ACCESS METHOD component="LoggingManagement"
+
+# Allow 'guest' to view logger levels, and use getter methods on LoggingManagement
+# These are examples of redundant rules! The DENY-LOG rule above will be invoked
+# first and will deny the access to all methods of LoggingManagement for guest
+ACL ALLOW-LOG guest ACCESS METHOD component="LoggingManagement" name="viewEffectiveRuntimeLoggerLevels"
+ACL ALLOW-LOG guest ACCESS METHOD component="LoggingManagement" name="get*"
+
+# Allow everyone to perform all read operations on the mbeans not listened in the DENY-LOG rules above
+ACL ALLOW-LOG ALL ACCESS METHOD
+
 ### MESSAGING ###
 #Example permissions for request-response based messaging.
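Review bot: The closing `ACL ALLOW-LOG ALL ACCESS METHOD` rule makes this example allow-by-default for management reads: every MBean that is not named in the four DENY-LOG lines, including any component added in a later release, becomes readable by all users of a broker whose operator copied this file. A deny-list is easy to leave incomplete, so I would rather list the components that are meant to be world-readable (as is already done for `component="ServerInformation"`) and drop the catch-all, assuming an unmatched request then falls through to a deny. The two `guest` rules are shipped as deliberately dead rules; since examples get copied, it would be safer to keep them commented out with a note that they must sit above the DENY-LOG block to take effect. The comment above the catch-all also has a typo: `# Allow everyone to perform all read operations on the mbeans not listed in the DENY-LOG rules above`.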
diff --git a/qpid/java/broker/src/main/java/org/apache/qpid/server/management/MBeanInvocationHandlerImpl.java b/qpid/java/broker/src/main/java/org/apache/qpid/server/management/MBeanInvocationHandlerImpl.java
index 2aeef1c2a4..651372db16 100644
--- a/qpid/java/broker/src/main/java/org/apache/qpid/server/management/MBeanInvocationHandlerImpl.java
+++ b/qpid/java/broker/src/main/java/org/apache/qpid/server/management/MBeanInvocationHandlerImpl.java
@@ -87,8 +87,8 @@ public class MBeanInvocationHandlerImpl implements InvocationHandler, Notificati
 return true;
 }
- // Allow querying available object names
- if (methodName.equals("queryNames"))
+ // Allow querying available object names and mbeans
+ if (methodName.equals("queryNames") || methodName.equals("queryMBeans"))
 {
 return true;
 }
@@ -108,7 +108,7 @@ public class MBeanInvocationHandlerImpl implements InvocationHandler, Notificati
 public Object invoke(Object proxy, Method method, Object[] args) throws Throwable
 {
- final String methodName = getMethodName(method, args);
+ String methodName = method.getName();
 if (methodName.equals("getMBeanServer"))
 {
@@ -173,6 +173,7 @@ public class MBeanInvocationHandlerImpl implements InvocationHandler, Notificati
 security = _appRegistry.getVirtualHostRegistry().getVirtualHost(vhost).getSecurityManager();
 }
+ methodName = getMethodName(method, args);
 if (isAccessMethod(methodName) || impact == MBeanOperationInfo.INFO)
 {
 // Check for read-only method invocation permission |
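Review bot: The new `queryMBeans` branch in the first hunk returns true like `queryNames` before it, apparently ahead of any ACL lookup, and the comment does not say why that is safe. Both JMX calls accept a `QueryExp` argument that the MBean server evaluates against attribute values, so a user who is denied ACCESS on a component may still learn something about its attributes from which names match. I would record that in the comment, for example `// Allowed without an ACL check: returns names and class names only; the QueryExp argument is still evaluated against attributes`, and consider sending calls with a non-null query through the normal permission check. The enclosing method starts outside the hunk, so I cannot see whether `args` is available at that point.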
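Review bot: After the second and third hunks `methodName` holds two different things inside `invoke`: first the proxy method's own name, then, from `methodName = getMethodName(method, args);` onward, whatever `getMethodName` derives from the arguments. Dropping `final` to allow this makes it easy for a later edit to use the wrong value in an authorization decision. I would keep `final String methodName = method.getName();` at the top and introduce a second constant for the permission check, `final String mbeanMethod = getMethodName(method, args);`, passing that to `isAccessMethod(...)`. The code between the two hunks and after the check is outside the diff, so any later use of the resolved name would need the same rename.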
