authorMartin Ritchie <ritchiem@apache.org>2009-04-13 14:02:47 +0000
committerMartin Ritchie <ritchiem@apache.org>2009-04-13 14:02:47 +0000
commitcbafa89d9bca60334e44a4a850374175dc4a843d (patch)
treefafb09804353d946b28174fa711e52e646574e3e
parent10e1d7b5aede1ee1ae0057c21b5b801a94ee693c (diff)
downloadqpid-python-cbafa89d9bca60334e44a4a850374175dc4a843d.tar.gz
QPID-1736: Timeout DNS lookups if they take more than 30 seconds.
merged from trunk r754934 git-svn-id: https://svn.apache.org/repos/asf/qpid/branches/0.5-fix@764472 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java63
1 files changed, 60 insertions, 3 deletions
diff --git a/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java b/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java
index 39397966f0..85026121ab 100644
--- a/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java
+++ b/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java
@@ -25,6 +25,7 @@ import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.Iterator;
import java.util.List;
+import java.util.concurrent.atomic.AtomicBoolean;
import java.util.regex.Pattern;
import org.apache.commons.configuration.CompositeConfiguration;
@@ -42,6 +43,8 @@ import org.apache.qpid.util.NetMatcher;
public class FirewallPlugin extends AbstractACLPlugin
{
+ public class FirewallPluginException extends Exception {}
+
public static final ACLPluginFactory FACTORY = new ACLPluginFactory()
{
public boolean supportsTag(String name)
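Review bot: `FirewallPluginException` on the first added line is a non-static inner class, so every instance carries a hidden reference to the enclosing `FirewallPlugin`; as an `Exception` it is also `Serializable`, which drags that reference along and leaves the class without a `serialVersionUID`. Declare it `public static class FirewallPluginException extends Exception` and give it a message constructor so the throw site can record which address failed to resolve, e.g. `public FirewallPluginException(String message) { super(message); }`. A one-line class Javadoc saying that it signals a hostname lookup that did not complete within the timeout would also help, since the name alone does not convey that meaning.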
@@ -60,6 +63,7 @@ public class FirewallPlugin extends AbstractACLPlugin
public class FirewallRule
{
+ private static final long DNS_TIMEOUT = 30000;
private AuthzResult _access;
private NetMatcher _network;
private Pattern[] _hostnamePatterns;
@@ -97,11 +101,15 @@ public class FirewallPlugin extends AbstractACLPlugin
return networkStrings;
}
- public boolean match(InetAddress remote)
+ public boolean match(InetAddress remote) throws FirewallPluginException
{
if (_hostnamePatterns != null)
{
- String hostname = remote.getCanonicalHostName();
+ String hostname = getHostname(remote);
+ if (hostname == null)
+ {
+ throw new FirewallPluginException();
+ }
for (Pattern pattern : _hostnamePatterns)
{
if (pattern.matcher(hostname).matches())
@@ -117,6 +125,48 @@ public class FirewallPlugin extends AbstractACLPlugin
}
}
+ /**
+ * @param remote the InetAddress to look up
+ * @return the hostname, null if not found or takes longer than 30s to find
+ */
+ private String getHostname(final InetAddress remote)
+ {
+ final String[] hostname = new String[]{null};
+ final AtomicBoolean done = new AtomicBoolean(false);
+ // Spawn thread
+ Thread thread = new Thread(new Runnable()
+ {
+ public void run()
+ {
+ hostname[0] = remote.getCanonicalHostName();
+ done.getAndSet(true);
+ synchronized (done)
+ {
+ done.notifyAll();
+ }
+ }
+ });
+
+ thread.run();
+ long endTime = System.currentTimeMillis() + DNS_TIMEOUT;
+
+ while (System.currentTimeMillis() < endTime && !done.get())
+ {
+ try
+ {
+ synchronized (done)
+ {
+ done.wait(endTime - System.currentTimeMillis());
+ }
+ }
+ catch (InterruptedException e)
+ {
+ // Check the time and if necessary sleep for a bit longer
+ }
+ }
+ return hostname[0];
+ }
+
public AuthzResult getAccess()
{
return _access;
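Review bot: `thread.run()` (the line after the anonymous Runnable) executes the lookup on the calling thread instead of starting a new one, so `getCanonicalHostName()` still blocks the connection-handling path for as long as the resolver takes and the 30-second bound below it is never exercised; it should be `thread.start()`. Once the lookup really runs concurrently, `done.getAndSet(true)` outside the `synchronized (done)` block races with the waiter: the caller can read `done` as false, the worker can set it and `notifyAll()` before the caller reaches `wait`, and the caller then sleeps out the remaining timeout on a lookup that has already finished, so the flag should be set under the lock. The `done.wait(endTime - System.currentTimeMillis())` argument can reach zero (an unbounded wait) or go negative (`IllegalArgumentException`) between the loop condition and the call, so compute the remaining time once and only wait while it is positive. Marking the lookup thread daemon keeps a resolver that never returns from holding up JVM shutdown, and the interrupt flag should be restored after the loop rather than dropped in the empty `catch`. `getHostname` lies entirely within the hunk.
```java
private String getHostname(final InetAddress remote)
{
    // … unchanged: hostname[] and done declarations …
    Thread thread = new Thread(new Runnable()
    {
        public void run()
        {
            String result = remote.getCanonicalHostName();
            synchronized (done)
            {
                hostname[0] = result;
                done.set(true);      // set under the lock so a waiter cannot miss the notify
                done.notifyAll();
            }
        }
    }, "DNS lookup " + remote.getHostAddress());
    thread.setDaemon(true);          // a resolver that never returns must not keep the JVM alive
    thread.start();                  // start(), not run(): the lookup must leave the calling thread
    long endTime = System.currentTimeMillis() + DNS_TIMEOUT;
    boolean interrupted = false;

    synchronized (done)
    {
        long remaining = endTime - System.currentTimeMillis();
        while (!done.get() && remaining > 0)
        {
            try
            {
                done.wait(remaining);    // always > 0 here, so never an unbounded wait
            }
            catch (InterruptedException e)
            {
                interrupted = true;      // keep waiting out the timeout; re-assert below
            }
            remaining = endTime - System.currentTimeMillis();
        }
        if (interrupted)
        {
            Thread.currentThread().interrupt();
        }
        return hostname[0];              // null when the lookup did not finish in time
    }
}
```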
@@ -146,7 +196,14 @@ public class FirewallPlugin extends AbstractACLPlugin
boolean match = false;
for (FirewallRule rule : _rules)
{
- match = rule.match(addr);
+ try
+ {
+ match = rule.match(addr);
+ }
+ catch (FirewallPluginException e)
+ {
+ return AuthzResult.DENIED;
+ }
if (match)
{
return rule.getAccess();
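Review bot: The added `catch (FirewallPluginException e)` returns `AuthzResult.DENIED` without recording why, so a connection refused because the reverse lookup timed out is indistinguishable in the logs from one refused by a rule, and an operator cannot tell a resolver outage from a policy decision. Failing closed is the right choice here; add a log line before the return, e.g. `LOGGER.warn("Denying " + addr + ": hostname lookup failed or timed out", e);`, substituting whichever logger field `FirewallPlugin` already declares (none is visible in this hunk). The enclosing method starts before the hunk.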