diff options
author | Robert Godfrey <rgodfrey@apache.org> | 2014-02-20 15:46:29 +0000 |
---|---|---|
committer | Robert Godfrey <rgodfrey@apache.org> | 2014-02-20 15:46:29 +0000 |
commit | 608a0bb1b83fd2920dbc19dc2be399b27c62c1ba (patch) | |
tree | 72ce7b1d63c8d358aaa82d321b62caf56bccd298 /qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java | |
parent | e9f5602cdf5b100a348a2f95c620805ffab803b9 (diff) | |
download | qpid-python-608a0bb1b83fd2920dbc19dc2be399b27c62c1ba.tar.gz |
QPID-5567 : Further changes to SecurityMangager
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1570239 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java')
-rwxr-xr-x | qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java | 86 |
1 files changed, 27 insertions, 59 deletions
diff --git a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java index e5911d268b..85be4c6a3d 100755 --- a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java +++ b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java @@ -36,6 +36,8 @@ import org.apache.qpid.server.security.access.ObjectType; import org.apache.qpid.server.security.access.Operation; import org.apache.qpid.server.security.access.OperationLoggingDetails; +import javax.security.auth.Subject; + import static org.apache.qpid.server.security.access.ObjectType.BROKER; import static org.apache.qpid.server.security.access.ObjectType.EXCHANGE; import static org.apache.qpid.server.security.access.ObjectType.GROUP; @@ -54,8 +56,9 @@ import static org.apache.qpid.server.security.access.Operation.PURGE; import static org.apache.qpid.server.security.access.Operation.UNBIND; import static org.apache.qpid.server.security.access.Operation.UPDATE; -import java.net.SocketAddress; import java.security.AccessControlException; +import java.security.AccessController; +import java.security.Principal; import java.util.Collection; import java.util.Collections; import java.util.HashMap; @@ -67,7 +70,11 @@ public class SecurityManager implements ConfigurationChangeListener { private static final Logger _logger = Logger.getLogger(SecurityManager.class); - public static final ThreadLocal<Boolean> _accessChecksDisabled = new ClearingThreadLocal(false); + public static final Subject SYSTEM = new Subject(true, + Collections.singleton(new SystemPrincipal()), + Collections.emptySet(), + Collections.emptySet()); + private ConcurrentHashMap<String, AccessControl> _globalPlugins = new ConcurrentHashMap<String, AccessControl>(); private ConcurrentHashMap<String, AccessControl> _hostPlugins = new ConcurrentHashMap<String, AccessControl>(); @@ -76,51 +83,6 @@ public class SecurityManager implements ConfigurationChangeListener private Broker _broker; - /** - * A special ThreadLocal, which calls remove() on itself whenever the value is - * the default, to avoid leaving a default value set after its use has passed. - */ - private static final class ClearingThreadLocal extends ThreadLocal<Boolean> - { - private Boolean _defaultValue; - - public ClearingThreadLocal(Boolean defaultValue) - { - super(); - _defaultValue = defaultValue; - } - - @Override - protected Boolean initialValue() - { - return _defaultValue; - } - - @Override - public void set(Boolean value) - { - if (value == _defaultValue) - { - super.remove(); - } - else - { - super.set(value); - } - } - - @Override - public Boolean get() - { - Boolean value = super.get(); - if (value == _defaultValue) - { - super.remove(); - } - return value; - } - } - /* * Used by the Broker. */ @@ -190,6 +152,19 @@ public class SecurityManager implements ConfigurationChangeListener return _logger; } + private static final class SystemPrincipal implements Principal + { + private SystemPrincipal() + { + } + + @Override + public String getName() + { + return "SYSTEM"; + } + } + private abstract class AccessCheck { abstract Result allowed(AccessControl plugin); @@ -197,7 +172,9 @@ public class SecurityManager implements ConfigurationChangeListener private boolean checkAllPlugins(AccessCheck checker) { - if(_accessChecksDisabled.get()) + // If we are running as SYSTEM then no ACL checking + final Subject subject = Subject.getSubject(AccessController.getContext()); + if(subject != null && !subject.getPrincipals(SystemPrincipal.class).isEmpty()) { return true; } @@ -321,7 +298,7 @@ public class SecurityManager implements ConfigurationChangeListener { Result allowed(AccessControl plugin) { - return plugin.access(ObjectType.MANAGEMENT); + return plugin.authorise(Operation.ACCESS, ObjectType.MANAGEMENT, ObjectProperties.EMPTY); } })) { @@ -335,7 +312,7 @@ public class SecurityManager implements ConfigurationChangeListener { Result allowed(AccessControl plugin) { - return plugin.access(VIRTUALHOST); + return plugin.authorise(Operation.ACCESS, VIRTUALHOST, ObjectProperties.EMPTY); } })) { @@ -548,15 +525,6 @@ public class SecurityManager implements ConfigurationChangeListener } } - public static boolean setAccessChecksDisabled(final boolean status) - { - //remember current value - boolean current = _accessChecksDisabled.get(); - - _accessChecksDisabled.set(status); - - return current; - } private class PublishAccessCheck extends AccessCheck { |