public Broker installPlugin(Broker broker) { if (map == null) { throw new IllegalArgumentException("You must configure a 'map' property"); } return new AuthorizationBroker(broker, map); }
@Override public void addTopicRole(String topic, String operation, String role) { addDestinationRole(new ActiveMQTopic(topic), operation, role); }
protected boolean checkDestinationAdmin(SecurityContext securityContext, ActiveMQDestination destination) { Destination existing = this.getDestinationMap(destination).get(destination); if (existing != null) { return true; } if (!securityContext.isBrokerContext()) { Set<?> allowedACLs = null; if (!destination.isTemporary()) { allowedACLs = authorizationMap.getAdminACLs(destination); } else { allowedACLs = authorizationMap.getTempDestinationAdminACLs(); } if (allowedACLs != null && !securityContext.isInOneOf(allowedACLs)) { return false; } } return true; }
@Override public Destination addDestination(ConnectionContext context, ActiveMQDestination destination,boolean create) throws Exception { final SecurityContext securityContext = checkSecurityContext(context); if (!checkDestinationAdmin(securityContext, destination)) { throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to create: " + destination); } return super.addDestination(context, destination,create); }
@Override public void addSubscription(ConnectionContext context, Subscription sub) throws Exception { // authorize subscription final SecurityContext securityContext = broker.checkSecurityContext(context); final AuthorizationMap authorizationMap = broker.getAuthorizationMap(); // use the destination being filtered, instead of the destination from the consumerinfo in the subscription // since that could be a wildcard destination final ActiveMQDestination destination = next.getActiveMQDestination(); Set<?> allowedACLs; if (!destination.isTemporary()) { allowedACLs = authorizationMap.getReadACLs(destination); } else { allowedACLs = authorizationMap.getTempDestinationReadACLs(); } if (!securityContext.isBrokerContext() && allowedACLs != null && !securityContext.isInOneOf(allowedACLs) ) { throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to read from: " + destination); } super.addSubscription(context, sub); }
@Override public void removeQueueRole(String queue, String operation, String role) { removeDestinationRole(new ActiveMQQueue(queue), operation, role); }
@Override public void addProducer(ConnectionContext context, ProducerInfo info) throws Exception { final SecurityContext securityContext = checkSecurityContext(context); if (!securityContext.isBrokerContext() && info.getDestination() != null) { Set<?> allowedACLs = null; if (!info.getDestination().isTemporary()) { allowedACLs = authorizationMap.getWriteACLs(info.getDestination()); } else { allowedACLs = authorizationMap.getTempDestinationWriteACLs(); } if (allowedACLs != null && !securityContext.isInOneOf(allowedACLs)) { throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to write to: " + info.getDestination()); } securityContext.getAuthorizedWriteDests().put(info.getDestination(), info.getDestination()); } super.addProducer(context, info); }
@Override public void removeDestination(ConnectionContext context, ActiveMQDestination destination, long timeout) throws Exception { final SecurityContext securityContext = checkSecurityContext(context); if (!checkDestinationAdmin(securityContext, destination)) { throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to remove: " + destination); } securityContext.getAuthorizedWriteDests().remove(destination); super.removeDestination(context, destination, timeout); }
@Override public void removeTopicRole(String topic, String operation, String role) { removeDestinationRole(new ActiveMQTopic(topic), operation, role); }
@Override public void addSubscription(ConnectionContext context, Subscription sub) throws Exception { // authorize subscription final SecurityContext securityContext = broker.checkSecurityContext(context); final AuthorizationMap authorizationMap = broker.getAuthorizationMap(); // use the destination being filtered, instead of the destination from the consumerinfo in the subscription // since that could be a wildcard destination final ActiveMQDestination destination = next.getActiveMQDestination(); Set<?> allowedACLs; if (!destination.isTemporary()) { allowedACLs = authorizationMap.getReadACLs(destination); } else { allowedACLs = authorizationMap.getTempDestinationReadACLs(); } if (!securityContext.isBrokerContext() && allowedACLs != null && !securityContext.isInOneOf(allowedACLs) ) { throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to read from: " + destination); } super.addSubscription(context, sub); }
@Override public void send(ProducerBrokerExchange producerExchange, Message messageSend) throws Exception { final SecurityContext securityContext = checkSecurityContext(producerExchange.getConnectionContext()); if (!securityContext.isBrokerContext() && !securityContext.getAuthorizedWriteDests().containsValue(messageSend.getDestination())) { Set<?> allowedACLs = null; if (!messageSend.getDestination().isTemporary()) { allowedACLs = authorizationMap.getWriteACLs(messageSend.getDestination()); } else { allowedACLs = authorizationMap.getTempDestinationWriteACLs(); } if (allowedACLs != null && !securityContext.isInOneOf(allowedACLs)) { throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to write to: " + messageSend.getDestination()); } securityContext.getAuthorizedWriteDests().put(messageSend.getDestination(), messageSend.getDestination()); } super.send(producerExchange, messageSend); }
@Override public void addDestinationInfo(ConnectionContext context, DestinationInfo info) throws Exception { final SecurityContext securityContext = checkSecurityContext(context); if (!checkDestinationAdmin(securityContext, info.getDestination())) { throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to create: " + info.getDestination()); } super.addDestinationInfo(context, info); }
@Override public void addQueueRole(String queue, String operation, String role) { addDestinationRole(new ActiveMQQueue(queue), operation, role); }
@Override public void removeQueueRole(String queue, String operation, String role) { removeDestinationRole(new ActiveMQQueue(queue), operation, role); }
@Override public void addSubscription(ConnectionContext context, Subscription sub) throws Exception { // authorize subscription final SecurityContext securityContext = broker.checkSecurityContext(context); final AuthorizationMap authorizationMap = broker.getAuthorizationMap(); // use the destination being filtered, instead of the destination from the consumerinfo in the subscription // since that could be a wildcard destination final ActiveMQDestination destination = next.getActiveMQDestination(); Set<?> allowedACLs; if (!destination.isTemporary()) { allowedACLs = authorizationMap.getReadACLs(destination); } else { allowedACLs = authorizationMap.getTempDestinationReadACLs(); } if (!securityContext.isBrokerContext() && allowedACLs != null && !securityContext.isInOneOf(allowedACLs) ) { throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to read from: " + destination); } super.addSubscription(context, sub); }
@Override public Subscription addConsumer(ConnectionContext context, ConsumerInfo info) throws Exception { final SecurityContext securityContext = checkSecurityContext(context);
public Broker installPlugin(Broker broker) { if (map == null) { throw new IllegalArgumentException("You must configure a 'map' property"); } return new AuthorizationBroker(broker, map); }
protected boolean checkDestinationAdmin(SecurityContext securityContext, ActiveMQDestination destination) { Destination existing = this.getDestinationMap(destination).get(destination); if (existing != null) { return true; } if (!securityContext.isBrokerContext()) { Set<?> allowedACLs = null; if (!destination.isTemporary()) { allowedACLs = authorizationMap.getAdminACLs(destination); } else { allowedACLs = authorizationMap.getTempDestinationAdminACLs(); } if (allowedACLs != null && !securityContext.isInOneOf(allowedACLs)) { return false; } } return true; }
@Override public void removeDestinationInfo(ConnectionContext context, DestinationInfo info) throws Exception { final SecurityContext securityContext = checkSecurityContext(context); if (!checkDestinationAdmin(securityContext, info.getDestination())) { throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to remove: " + info.getDestination()); } securityContext.getAuthorizedWriteDests().remove(info.getDestination()); super.removeDestinationInfo(context, info); }
@Override public void addQueueRole(String queue, String operation, String role) { addDestinationRole(new ActiveMQQueue(queue), operation, role); }