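/**
 * Processes results from a directory query in the context of a given destination type and permission type. This
 * implementation should not be invoked concurrently.
 * <p>
 * A result whose DN cannot be turned into an authorization entry is logged and skipped, so one malformed entry
 * does not abort the refresh but also leaves no policy for that entry. An error raised while applying an ACL is
 * propagated to the caller. The enumeration is closed when processing ends, whether or not it was fully consumed.
 *
 * @param map
 *            the authorization map the entries are resolved against
 * @param results
 *            the results to process; closed by this method before it returns
 * @param destinationType
 *            the type of the destination for which the directory results apply
 * @param permissionType
 *            the type of the permission for which the directory results apply
 *
 * @throws Exception
 *             if there is an error processing the results
 */
protected void processQueryResults(DefaultAuthorizationMap map, NamingEnumeration<SearchResult> results,
        DestinationType destinationType, PermissionType permissionType) throws Exception {
    try {
        while (results.hasMore()) {
            SearchResult result = results.next();
            AuthorizationEntry entry;
            try {
                entry = getEntry(map, new LdapName(result.getNameInNamespace()), destinationType);
            } catch (Exception e) {
                // Skip only this entry; the remaining results are still applied.
                LOG.error("Policy not applied! Error parsing authorization policy entry under {}",
                        result.getNameInNamespace(), e);
                continue;
            }
            applyACL(entry, result, permissionType);
        }
    } finally {
        // Release the directory resources backing the enumeration even when hasMore()/applyACL() threw.
        try {
            results.close();
        } catch (NamingException e) {
            // Best effort: the results have already been read; a close failure is not a policy error.
            LOG.debug("Error closing directory search results", e);
        }
    }
}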
/**
 * Handler for removed policy entries in the directory.
 * <p>
 * The entry named by the event's old binding is resolved against the current authorization map and passed to
 * {@code applyAcl} with an empty member set (presumably clearing the ACL for {@code permissionType} — verify
 * against {@code applyAcl}). A DN that cannot be parsed, or any other failure, is logged and the policy is
 * left unchanged.
 *
 * @param namingEvent
 *            the removed entry event that occurred
 * @param destinationType
 *            the type of the destination to which the event applies
 * @param permissionType
 *            the permission type to which the event applies
 */
public void objectRemoved(NamingEvent namingEvent, DestinationType destinationType, PermissionType permissionType) {
    Binding removed = namingEvent.getOldBinding();
    LOG.debug("Removing object: {}", removed);
    try {
        DefaultAuthorizationMap currentMap = this.map.get();
        LdapName removedName = new LdapName(removed.getName());
        AuthorizationEntry entry = getEntry(currentMap, removedName, destinationType);
        applyAcl(entry, permissionType, new HashSet<Object>());
    } catch (InvalidNameException e) {
        LOG.error("Policy not applied! Error parsing DN for object removal for removal of {}",
                removed.getName(), e);
    } catch (Exception e) {
        LOG.error("Policy not applied! Error processing object removal for removal of {}",
                removed.getName(), e);
    }
}
/**
 * Provides synchronized and defensive access to the read ACLs for temp destinations as the super implementation
 * returns live copies of the ACLs and {@link AuthorizationEntry} is not setup for concurrent access.
 *
 * @return the current map's temp-destination read ACLs, passed through {@code transcribeSet} so the live set
 *         held by the map is not handed to the caller
 */
@Override
public Set<Object> getTempDestinationReadACLs() {
    checkForUpdates();
    Set<Object> liveAcls = this.map.get().getTempDestinationReadACLs();
    return transcribeSet(liveAcls);
}
/**
 * Refreshes the cached authorization map from the directory when a refresh is due.
 * <p>
 * The refresh condition is re-evaluated here (not only by the caller) so that stacked update requests do not
 * all re-query. If the directory cannot be reached the method returns without touching the cache, so the
 * previously loaded policy — possibly stale — stays in effect until the next successful update.
 */
@Override
public void run() {
    // Check again in case of stacked update request.
    if (context == null || (!refreshDisabled && (refreshInterval != -1
            && System.currentTimeMillis() >= lastUpdated + refreshInterval))) {
        if (!isContextAlive()) {
            try {
                context = createContext();
            } catch (NamingException ne) {
                // LDAP is down, use already cached values
                return;
            }
        }
        LOG.debug("Updating authorization map!");
        try {
            query();
        } catch (Exception e) {
            // A failed query is logged, not rethrown: whatever query() managed to apply remains in place.
            LOG.error("Error updating authorization map. Partial policy may be applied until the next successful update.", e);
        }
    }
}
});
DirContext currentContext = open(); entries.clear(); for (PermissionType permissionType : PermissionType.values()) { try { processQueryResults(newMap, currentContext.search(queueSearchBase, getFilterForPermissionType(permissionType), constraints), DestinationType.QUEUE, permissionType); } catch (Exception e) { LOG.error("Policy not applied!. Error processing policy under '{}' with filter '{}'", new Object[]{ queueSearchBase, getFilterForPermissionType(permissionType) }, e); processQueryResults(newMap, currentContext.search(topicSearchBase, getFilterForPermissionType(permissionType), constraints), DestinationType.TOPIC, permissionType); } catch (Exception e) { LOG.error("Policy not applied!. Error processing policy under '{}' with filter '{}'", new Object[]{ topicSearchBase, getFilterForPermissionType(permissionType) }, e); processQueryResults(newMap, currentContext.search(tempSearchBase, getFilterForPermissionType(permissionType), constraints), DestinationType.TEMP, permissionType); } catch (Exception e) { LOG.error("Policy not applied!. Error processing policy under '{}' with filter '{}'", new Object[]{ tempSearchBase, getFilterForPermissionType(permissionType) }, e); this.map.set(newMap); updated();
ActiveMQDestination oldDest = formatDestination(oldName, destinationType); ActiveMQDestination newDest = formatDestination(newName, destinationType); objectRemoved(namingEvent, destinationType, permissionType); NamingEnumeration<SearchResult> results = context.search(newName, getFilterForPermissionType(newPermissionType), controls); objectAdded(namingEvent, destinationType, newPermissionType); matchedToType = true; break;
if (isContextAlive()) { return context; context = createContext(); if (refreshInterval == -1 && !refreshDisabled) { eventContext = ((EventDirContext) context.lookup("")); eventContext.addNamingListener(queueSearchBase, getFilterForPermissionType(permissionType), constraints, this.new CachedLDAPAuthorizationMapNamespaceChangeListener(DestinationType.QUEUE, permissionType)); eventContext.addNamingListener(topicSearchBase, getFilterForPermissionType(permissionType), constraints, this.new CachedLDAPAuthorizationMapNamespaceChangeListener(DestinationType.TOPIC, permissionType)); eventContext.addNamingListener(tempSearchBase, getFilterForPermissionType(permissionType), constraints, this.new CachedLDAPAuthorizationMapNamespaceChangeListener(DestinationType.TEMP, permissionType));
if (dn.size() == (getPrefixLengthForDestinationType(destinationType) + 2)) { destination = formatDestination(dn.getRdn(dn.size() - 2), destinationType); } else if (dn.size() == (getPrefixLengthForDestinationType(destinationType) + 1)) { destination = formatDestination(dn.getRdn(dn.size() - 1), destinationType); } else { throw new IllegalArgumentException("Malformed DN for representing a permission or destination entry.");
/**
 * Provides synchronized access to the write ACLs for the destinations as {@link AuthorizationEntry} is not setup
 * for concurrent access.
 *
 * @param destination
 *            the destination whose write ACLs are requested
 * @return whatever the current map returns for {@code destination}; no copy is made here (unlike
 *         {@code getTempDestinationReadACLs}), so this relies on the delegate not returning a live set —
 *         verify against {@code DefaultAuthorizationMap#getWriteACLs}
 */
@Override
public Set<Object> getWriteACLs(ActiveMQDestination destination) {
    checkForUpdates();
    return this.map.get().getWriteACLs(destination);
}
dest = new ActiveMQQueue(formatDestinationName(destinationName)); break; case TOPIC: dest = new ActiveMQTopic(formatDestinationName(destinationName)); break; default:
applyAcl(entry, permissionType, members); } catch (Exception e) { LOG.error("Policy not applied! Error adding principals to ACL under {}", result.getNameInNamespace(), e);
/**
 * Tears down this map by delegating to the superclass.
 * <p>
 * NOTE(review): the {@code context} and {@code eventContext} fields populated elsewhere in this class are not
 * closed here; confirm whether {@code super.destroy()} releases them or an explicit close is needed.
 *
 * @throws Exception
 *             if the superclass teardown fails
 */
@Override
public void destroy() throws Exception {
    super.destroy();
}
/**
 * Post-construction hook; delegates entirely to the superclass.
 *
 * @throws Exception
 *             if the superclass initialisation fails
 */
@Override
public void afterPropertiesSet() throws Exception {
    super.afterPropertiesSet();
}
DirContext currentContext = open(); entries.clear(); for (PermissionType permissionType : PermissionType.values()) { try { processQueryResults(newMap, currentContext.search(queueSearchBase, getFilterForPermissionType(permissionType), constraints), DestinationType.QUEUE, permissionType); } catch (Exception e) { LOG.error("Policy not applied!. Error processing policy under '{}' with filter '{}'", new Object[]{ queueSearchBase, getFilterForPermissionType(permissionType) }, e); processQueryResults(newMap, currentContext.search(topicSearchBase, getFilterForPermissionType(permissionType), constraints), DestinationType.TOPIC, permissionType); } catch (Exception e) { LOG.error("Policy not applied!. Error processing policy under '{}' with filter '{}'", new Object[]{ topicSearchBase, getFilterForPermissionType(permissionType) }, e); processQueryResults(newMap, currentContext.search(tempSearchBase, getFilterForPermissionType(permissionType), constraints), DestinationType.TEMP, permissionType); } catch (Exception e) { LOG.error("Policy not applied!. Error processing policy under '{}' with filter '{}'", new Object[]{ tempSearchBase, getFilterForPermissionType(permissionType) }, e); this.map.set(newMap); updated();
ActiveMQDestination oldDest = formatDestination(oldName, destinationType); ActiveMQDestination newDest = formatDestination(newName, destinationType); objectRemoved(namingEvent, destinationType, permissionType); NamingEnumeration<SearchResult> results = context.search(newName, getFilterForPermissionType(newPermissionType), controls); objectAdded(namingEvent, destinationType, newPermissionType); matchedToType = true; break;
/**
 * Refreshes the cached authorization map from the directory when a refresh is due.
 * <p>
 * The refresh condition is re-evaluated here (not only by the caller) so that stacked update requests do not
 * all re-query. If the directory cannot be reached the method returns without touching the cache, so the
 * previously loaded policy — possibly stale — stays in effect until the next successful update.
 */
@Override
public void run() {
    // Check again in case of stacked update request.
    if (context == null || (!refreshDisabled && (refreshInterval != -1
            && System.currentTimeMillis() >= lastUpdated + refreshInterval))) {
        if (!isContextAlive()) {
            try {
                context = createContext();
            } catch (NamingException ne) {
                // LDAP is down, use already cached values
                return;
            }
        }
        LOG.debug("Updating authorization map!");
        try {
            query();
        } catch (Exception e) {
            // A failed query is logged, not rethrown: whatever query() managed to apply remains in place.
            LOG.error("Error updating authorization map. Partial policy may be applied until the next successful update.", e);
        }
    }
}
});
if (isContextAlive()) { return context; context = createContext(); if (refreshInterval == -1 && !refreshDisabled) { eventContext = ((EventDirContext) context.lookup("")); eventContext.addNamingListener(queueSearchBase, getFilterForPermissionType(permissionType), constraints, this.new CachedLDAPAuthorizationMapNamespaceChangeListener(DestinationType.QUEUE, permissionType)); eventContext.addNamingListener(topicSearchBase, getFilterForPermissionType(permissionType), constraints, this.new CachedLDAPAuthorizationMapNamespaceChangeListener(DestinationType.TOPIC, permissionType)); eventContext.addNamingListener(tempSearchBase, getFilterForPermissionType(permissionType), constraints, this.new CachedLDAPAuthorizationMapNamespaceChangeListener(DestinationType.TEMP, permissionType));
case TEMP: if (dn.size() != getPrefixLengthForDestinationType(destinationType) + 1) { case TOPIC: if (dn.size() != getPrefixLengthForDestinationType(destinationType) + 2) { throw new IllegalArgumentException("Malformed policy structure for a queue or topic destination " + "policy entry. The destination pattern and permission group entries should be " + "nested below the queue or topic policy base DN."); ActiveMQDestination dest = formatDestination(dn, destinationType);
/**
 * Provides synchronized access to the read ACLs for the destinations as {@link AuthorizationEntry} is not setup for
 * concurrent access.
 *
 * @param destination
 *            the destination whose read ACLs are requested
 * @return whatever the current map returns for {@code destination}; no copy is made here (unlike
 *         {@code getTempDestinationReadACLs}), so this relies on the delegate not returning a live set —
 *         verify against {@code DefaultAuthorizationMap#getReadACLs}
 */
@Override
public Set<Object> getReadACLs(ActiveMQDestination destination) {
    checkForUpdates();
    return this.map.get().getReadACLs(destination);
}
dest = new ActiveMQQueue(formatDestinationName(destinationName)); break; case TOPIC: dest = new ActiveMQTopic(formatDestinationName(destinationName)); break; default: