QPID-4631: Lock down link creation using ACLqpid-4631

This commit makes link creation contingent on having an ACL file and then having an ACL rule approve the request. There is no longer a requirement for an explicit CREATE LINK rule; either 'allow all all' or 'deny all all' is sufficient. git-svn-id: https://svn.apache.org/repos/asf/qpid/branches/qpid-4631@1469525 13f79535-47bb-0310-9956-ffa450edef68
author: Charles E. Rolke <chug@apache.org> 2013-04-18 19:00:00 +0000
committer: Charles E. Rolke <chug@apache.org> 2013-04-18 19:00:00 +0000
commit: 731766b7a6b4d88c1a4d49bd3a4c655f24914db4 (patch)
tree: 0a34fae6f29116c2f957948cf86c693e00898838 /qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
parent: eabc78640f9523be08732058581d726ef5f0e358 (diff)
download: qpid-python-qpid-4631.tar.gz
1 files changed, 4 insertions, 11 deletions
diff --git a/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp b/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
index 39a8664aab..13ff4cc15f 100644
--- a/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
+++ b/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
@@ -202,24 +202,17 @@ void ConnectionHandler::Handler::startOk(const ConnectionStartOkBody& body)
         AclModule* acl =  connection.getBroker().getAcl();
         FieldTable properties;
         if (acl) {
-            if (acl->isCreatelinkAcl()) {
-                if (!acl->authorise(connection.getUserId(),acl::ACT_CREATE,acl::OBJ_LINK,"")){
-                    proxy.close(framing::connection::CLOSE_CODE_CONNECTION_FORCED,
-                                QPID_MSG("ACL denied " << connection.getUserId()
-                                         << " creating a federation link"));
-                    return;
-                }
-            } else {
+            if (!acl->authorise(connection.getUserId(),acl::ACT_CREATE,acl::OBJ_LINK,"")){
                 proxy.close(framing::connection::CLOSE_CODE_CONNECTION_FORCED,
                             QPID_MSG("ACL denied " << connection.getUserId()
-                                << ". Federation links require explicit CREATE LINK ACL rules"));
+                                        << " creating a federation link"));
                 return;
             }
         } else {
             proxy.close(framing::connection::CLOSE_CODE_CONNECTION_FORCED,
                         QPID_MSG("ACL denied " << connection.getUserId()
-                            << ". Federation links require ACL module and explicit CREATE LINK ACL rules"));
-                        return;
+                            << ". Federation links require ACL module and explicit authorization"));
+            return;
         }
         QPID_LOG(info, "Connection is a federation link");
     }
author	Charles E. Rolke <chug@apache.org>	2013-04-18 19:00:00 +0000
committer	Charles E. Rolke <chug@apache.org>	2013-04-18 19:00:00 +0000
commit	731766b7a6b4d88c1a4d49bd3a4c655f24914db4 (patch)
tree	0a34fae6f29116c2f957948cf86c693e00898838 /qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
parent	eabc78640f9523be08732058581d726ef5f0e358 (diff)
download	qpid-python-qpid-4631.tar.gz