author | Charles E. Rolke <chug@apache.org> | 2013-04-18 19:00:00 +0000 |
---|---|---|
committer | Charles E. Rolke <chug@apache.org> | 2013-04-18 19:00:00 +0000 |
commit | 731766b7a6b4d88c1a4d49bd3a4c655f24914db4 (patch) | |
tree | 0a34fae6f29116c2f957948cf86c693e00898838 /qpid/cpp/src/qpid/broker/ConnectionHandler.cpp | |
parent | eabc78640f9523be08732058581d726ef5f0e358 (diff) | |
QPID-4631: Lock down link creation using ACLqpid-4631
This commit makes link creation contingent on having an ACL file and then having an ACL rule approve the request. There is no longer a requirement for an explicit CREATE LINK rule; either 'allow all all' or 'deny all all' is sufficient.
git-svn-id: https://svn.apache.org/repos/asf/qpid/branches/qpid-4631@1469525 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/cpp/src/qpid/broker/ConnectionHandler.cpp')
-rw-r--r-- | qpid/cpp/src/qpid/broker/ConnectionHandler.cpp | 15 |
1 files changed, 4 insertions, 11 deletions
diff --git a/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp b/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
index 39a8664aab..13ff4cc15f 100644
--- a/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
+++ b/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
@@ -202,24 +202,17 @@ void ConnectionHandler::Handler::startOk(const ConnectionStartOkBody& body)
 AclModule* acl = connection.getBroker().getAcl();
 FieldTable properties;
 if (acl) {
- if (acl->isCreatelinkAcl()) {
- if (!acl->authorise(connection.getUserId(),acl::ACT_CREATE,acl::OBJ_LINK,"")){
- proxy.close(framing::connection::CLOSE_CODE_CONNECTION_FORCED,
- QPID_MSG("ACL denied " << connection.getUserId()
- << " creating a federation link"));
- return;
- }
- } else {
+ if (!acl->authorise(connection.getUserId(),acl::ACT_CREATE,acl::OBJ_LINK,"")){
 proxy.close(framing::connection::CLOSE_CODE_CONNECTION_FORCED,
 QPID_MSG("ACL denied " << connection.getUserId()
- << ". Federation links require explicit CREATE LINK ACL rules"));
+ << " creating a federation link"));
 return;
 }
 } else {
 proxy.close(framing::connection::CLOSE_CODE_CONNECTION_FORCED,
 QPID_MSG("ACL denied " << connection.getUserId()
- << ". Federation links require ACL module and explicit CREATE LINK ACL rules"));
- return;
+ << ". Federation links require ACL module and explicit authorization"));
+ return;
 }
 QPID_LOG(info, "Connection is a federation link");
 }
|
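Review bot: Both refusal paths close the connection but, as far as this hunk shows, write no broker-side log entry; only the success path has `QPID_LOG(info, "Connection is a federation link")`. The outer `else` branch (no ACL module loaded) cannot rely on the ACL module to record the denial, so a line such as `QPID_LOG(warning, "Federation link refused for " << connection.getUserId() << ": no ACL module loaded");` before `proxy.close` would give operators something to audit and alert on. The close text in that branch still begins with "ACL denied" although no ACL was consulted, and "explicit authorization" no longer matches the behaviour, since the commit description says a blanket `allow all all` rule is now sufficient. Because `isCreatelinkAcl()` is gone, it is worth a comment above the `authorise` call stating that any rule set that allows `ACT_CREATE` on `OBJ_LINK`, including a catch-all allow, now permits federation links. `startOk` begins and continues outside this hunk, so logging elsewhere in the function cannot be ruled out.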