KickJava   Java API By Example, From Geeks To Geeks.

Java > Open Source Codes > org > apache > activemq > security > AuthorizationBroker


1 /**
2  *
3  * Licensed to the Apache Software Foundation (ASF) under one or more
4  * contributor license agreements. See the NOTICE file distributed with
5  * this work for additional information regarding copyright ownership.
6  * The ASF licenses this file to You under the Apache License, Version 2.0
7  * (the "License"); you may not use this file except in compliance with
8  * the License. You may obtain a copy of the License at
9  *
10  * http://www.apache.org/licenses/LICENSE-2.0
11  *
12  * Unless required by applicable law or agreed to in writing, software
13  * distributed under the License is distributed on an "AS IS" BASIS,
14  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15  * See the License for the specific language governing permissions and
16  * limitations under the License.
17  */
18 package org.apache.activemq.security;
19
20 import org.apache.activemq.broker.Broker;
21 import org.apache.activemq.broker.BrokerFilter;
22 import org.apache.activemq.broker.ConnectionContext;
23 import org.apache.activemq.broker.ProducerBrokerExchange;
24 import org.apache.activemq.broker.region.Destination;
25 import org.apache.activemq.broker.region.Subscription;
26 import org.apache.activemq.command.ActiveMQDestination;
27 import org.apache.activemq.command.ActiveMQQueue;
28 import org.apache.activemq.command.ActiveMQTempDestination;
29 import org.apache.activemq.command.ActiveMQTopic;
30 import org.apache.activemq.command.ConsumerInfo;
31 import org.apache.activemq.command.Message;
32 import org.apache.activemq.command.ProducerInfo;
33 import org.apache.activemq.filter.BooleanExpression;
34 import org.apache.activemq.filter.MessageEvaluationContext;
35
36 import javax.jms.JMSException JavaDoc;
37
38 import java.util.Set JavaDoc;
39
40
41 /**
42  * Verifies if a authenticated user can do an operation against the broker using an authorization map.
43  *
44  * @version $Revision: 514131 $
45  */
46 public class AuthorizationBroker extends BrokerFilter implements SecurityAdminMBean {
47     
48     private final AuthorizationMap authorizationMap;
49
50     public AuthorizationBroker(Broker next, AuthorizationMap authorizationMap) {
51         super(next);
52         this.authorizationMap = authorizationMap;
53     }
54     
55     public Destination addDestination(ConnectionContext context, ActiveMQDestination destination) throws Exception JavaDoc {
56         final SecurityContext securityContext = (SecurityContext) context.getSecurityContext();
57         if( securityContext == null )
58             throw new SecurityException JavaDoc("User is not authenticated.");
59
60
61         //if(!((ActiveMQTempDestination)destination).getConnectionId().equals(context.getConnectionId().getValue()) ) {
62 if (!securityContext.isBrokerContext()) {
63             Set JavaDoc allowedACLs = null;
64             if(!destination.isTemporary()) {
65                 allowedACLs = authorizationMap.getAdminACLs(destination);
66             } else {
67                 allowedACLs = authorizationMap.getTempDestinationAdminACLs();
68             }
69          
70             if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
71                 throw new SecurityException JavaDoc("User "+securityContext.getUserName()+" is not authorized to create: "+destination);
72
73         }
74         // }
75
76         return super.addDestination(context, destination);
77     }
78     
79     public void removeDestination(ConnectionContext context, ActiveMQDestination destination, long timeout) throws Exception JavaDoc {
80         
81         final SecurityContext securityContext = (SecurityContext) context.getSecurityContext();
82         if( securityContext == null )
83             throw new SecurityException JavaDoc("User is not authenticated.");
84
85         Set JavaDoc allowedACLs = null;
86         if(!destination.isTemporary()) {
87             allowedACLs = authorizationMap.getAdminACLs(destination);
88         } else {
89             allowedACLs = authorizationMap.getTempDestinationAdminACLs();
90         }
91         
92         if(allowedACLs!=null && !securityContext.isInOneOf(allowedACLs))
93             throw new SecurityException JavaDoc("User "+securityContext.getUserName()+" is not authorized to remove: "+destination);
94
95         super.removeDestination(context, destination, timeout);
96     }
97     
98     public Subscription addConsumer(ConnectionContext context, ConsumerInfo info) throws Exception JavaDoc {
99         
100         final SecurityContext subject = (SecurityContext) context.getSecurityContext();
101         if( subject == null )
102             throw new SecurityException JavaDoc("User is not authenticated.");
103         
104         Set JavaDoc allowedACLs = null;
105         if(!info.getDestination().isTemporary()) {
106             allowedACLs = authorizationMap.getReadACLs(info.getDestination());
107         }else {
108             allowedACLs = authorizationMap.getTempDestinationReadACLs();
109         }
110
111         if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
112             throw new SecurityException JavaDoc("User "+subject.getUserName()+" is not authorized to read from: "+info.getDestination());
113         
114         subject.getAuthorizedReadDests().put(info.getDestination(), info.getDestination());
115         
116         /*
117          * Need to think about this a little more. We could do per message security checking
118          * to implement finer grained security checking. For example a user can only see messages
119          * with price>1000 . Perhaps this should just be another additional broker filter that installs
120          * this type of feature.
121          *
122          * If we did want to do that, then we would install a predicate. We should be careful since
123          * there may be an existing predicate already assigned and the consumer info may be sent to a remote
124          * broker, so it also needs to support being marshaled.
125          *
126             info.setAdditionalPredicate(new BooleanExpression() {
127                 public boolean matches(MessageEvaluationContext message) throws JMSException {
128                     if( !subject.getAuthorizedReadDests().contains(message.getDestination()) ) {
129                         Set allowedACLs = authorizationMap.getReadACLs(message.getDestination());
130                         if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
131                             return false;
132                         subject.getAuthorizedReadDests().put(message.getDestination(), message.getDestination());
133                     }
134                     return true;
135                 }
136                 public Object evaluate(MessageEvaluationContext message) throws JMSException {
137                     return matches(message) ? Boolean.TRUE : Boolean.FALSE;
138                 }
139             });
140         */
141         
142         return super.addConsumer(context, info);
143     }
144     
145     public void addProducer(ConnectionContext context, ProducerInfo info) throws Exception JavaDoc {
146         
147         SecurityContext subject = (SecurityContext) context.getSecurityContext();
148         if( subject == null )
149             throw new SecurityException JavaDoc("User is not authenticated.");
150         
151         if( info.getDestination()!=null ) {
152             
153             Set JavaDoc allowedACLs = null;
154             if(!info.getDestination().isTemporary()) {
155                 allowedACLs = authorizationMap.getWriteACLs(info.getDestination());
156             }else {
157                 allowedACLs = authorizationMap.getTempDestinationWriteACLs();
158             }
159             if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
160                 throw new SecurityException JavaDoc("User "+subject.getUserName()+" is not authorized to write to: "+info.getDestination());
161             
162             
163             subject.getAuthorizedWriteDests().put(info.getDestination(), info.getDestination());
164         }
165         
166         super.addProducer(context, info);
167     }
168         
169     public void send(ProducerBrokerExchange producerExchange, Message messageSend) throws Exception JavaDoc {
170         SecurityContext subject = (SecurityContext) producerExchange.getConnectionContext().getSecurityContext();
171         if( subject == null )
172             throw new SecurityException JavaDoc("User is not authenticated.");
173
174         if( !subject.getAuthorizedWriteDests().contains(messageSend.getDestination()) ) {
175             
176             Set JavaDoc allowedACLs = null;
177             if(!messageSend.getDestination().isTemporary()) {
178                 allowedACLs = authorizationMap.getWriteACLs(messageSend.getDestination());
179             }else {
180                 allowedACLs = authorizationMap.getTempDestinationWriteACLs();
181             }
182             
183             if(allowedACLs!=null && !subject.isInOneOf(allowedACLs))
184                 throw new SecurityException JavaDoc("User "+subject.getUserName()+" is not authorized to write to: "+messageSend.getDestination());
185             
186             subject.getAuthorizedWriteDests().put(messageSend.getDestination(), messageSend.getDestination());
187         }
188
189         super.send(producerExchange, messageSend);
190     }
191     
192     // SecurityAdminMBean interface
193 // -------------------------------------------------------------------------
194
195     public void addQueueRole(String JavaDoc queue, String JavaDoc operation, String JavaDoc role) {
196         addDestinationRole(new ActiveMQQueue(queue), operation, role);
197     }
198
199     public void addTopicRole(String JavaDoc topic, String JavaDoc operation, String JavaDoc role) {
200         addDestinationRole(new ActiveMQTopic(topic), operation, role);
201     }
202
203     public void removeQueueRole(String JavaDoc queue, String JavaDoc operation, String JavaDoc role) {
204         removeDestinationRole(new ActiveMQQueue(queue), operation, role);
205     }
206
207     public void removeTopicRole(String JavaDoc topic, String JavaDoc operation, String JavaDoc role) {
208         removeDestinationRole(new ActiveMQTopic(topic), operation, role);
209     }
210     
211     public void addDestinationRole(javax.jms.Destination JavaDoc destination, String JavaDoc operation, String JavaDoc role) {
212     }
213     
214     public void removeDestinationRole(javax.jms.Destination JavaDoc destination, String JavaDoc operation, String JavaDoc role) {
215     }
216
217
218     public void addRole(String JavaDoc role) {
219     }
220
221     public void addUserRole(String JavaDoc user, String JavaDoc role) {
222     }
223
224     public void removeRole(String JavaDoc role) {
225     }
226
227     public void removeUserRole(String JavaDoc user, String JavaDoc role) {
228     }
229
230 }
231
Popular Tags