summaryrefslogtreecommitdiff
path: root/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AuthenticationProviderAdapter.java
diff options
context:
space:
mode:
Diffstat (limited to 'java/broker/src/main/java/org/apache/qpid/server/model/adapter/AuthenticationProviderAdapter.java')
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/model/adapter/AuthenticationProviderAdapter.java199
1 files changed, 125 insertions, 74 deletions
diff --git a/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AuthenticationProviderAdapter.java b/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AuthenticationProviderAdapter.java
index 8c2bc98ba7..ac4b0255d5 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AuthenticationProviderAdapter.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AuthenticationProviderAdapter.java
@@ -29,38 +29,50 @@ import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import java.util.UUID;
+
import javax.security.auth.login.AccountNotFoundException;
import org.apache.log4j.Logger;
-import org.apache.qpid.server.model.*;
-import org.apache.qpid.server.registry.ApplicationRegistry;
+import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.ConfiguredObject;
+import org.apache.qpid.server.model.IllegalStateTransitionException;
+import org.apache.qpid.server.model.LifetimePolicy;
+import org.apache.qpid.server.model.PasswordCredentialManagingAuthenticationProvider;
+import org.apache.qpid.server.model.State;
+import org.apache.qpid.server.model.Statistics;
+import org.apache.qpid.server.model.UUIDGenerator;
+import org.apache.qpid.server.model.User;
+import org.apache.qpid.server.model.VirtualHostAlias;
+import org.apache.qpid.server.configuration.updater.TaskExecutor;
+import org.apache.qpid.server.security.SubjectCreator;
import org.apache.qpid.server.security.access.Operation;
+import org.apache.qpid.server.security.auth.UsernamePrincipal;
import org.apache.qpid.server.security.auth.database.PrincipalDatabase;
import org.apache.qpid.server.security.auth.manager.AuthenticationManager;
import org.apache.qpid.server.security.auth.manager.PrincipalDatabaseAuthenticationManager;
-import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
+import org.apache.qpid.server.security.group.GroupPrincipalAccessor;
+import org.apache.qpid.server.security.SecurityManager;
public abstract class AuthenticationProviderAdapter<T extends AuthenticationManager> extends AbstractAdapter implements AuthenticationProvider
{
private static final Logger LOGGER = Logger.getLogger(AuthenticationProviderAdapter.class);
- private final BrokerAdapter _broker;
private final T _authManager;
+ protected final Broker _broker;
- private AuthenticationProviderAdapter(BrokerAdapter brokerAdapter,
- final T authManager)
- {
- super(UUIDGenerator.generateRandomUUID());
- _broker = brokerAdapter;
- _authManager = authManager;
- }
+ private GroupPrincipalAccessor _groupAccessor;
- public static AuthenticationProviderAdapter createAuthenticationProviderAdapter(BrokerAdapter brokerAdapter,
- final AuthenticationManager authManager)
+ private Object _type;
+
+ private AuthenticationProviderAdapter(UUID id, Broker broker, final T authManager, Map<String, Object> attributes)
{
- return authManager instanceof PrincipalDatabaseAuthenticationManager
- ? new PrincipalDatabaseAuthenticationManagerAdapter(brokerAdapter, (PrincipalDatabaseAuthenticationManager) authManager)
- : new SimpleAuthenticationProviderAdapter(brokerAdapter, authManager);
+ super(id, null, attributes, broker.getTaskExecutor());
+ _authManager = authManager;
+ _broker = broker;
+ _type = authManager instanceof PrincipalDatabaseAuthenticationManager? PrincipalDatabaseAuthenticationManager.class.getSimpleName() : AuthenticationManager.class.getSimpleName() ;
+ addParent(Broker.class, broker);
}
T getAuthManager()
@@ -77,7 +89,7 @@ public abstract class AuthenticationProviderAdapter<T extends AuthenticationMana
@Override
public String getName()
{
- return _authManager.getClass().getSimpleName();
+ return (String)getAttribute(AuthenticationProvider.NAME);
}
@Override
@@ -147,7 +159,7 @@ public abstract class AuthenticationProviderAdapter<T extends AuthenticationMana
{
if(TYPE.equals(name))
{
- return _authManager.getClass().getSimpleName();
+ return _type;
}
else if(CREATED.equals(name))
{
@@ -165,10 +177,6 @@ public abstract class AuthenticationProviderAdapter<T extends AuthenticationMana
{
return LifetimePolicy.PERMANENT;
}
- else if(NAME.equals(name))
- {
- return getName();
- }
else if(STATE.equals(name))
{
return State.ACTIVE; // TODO
@@ -191,44 +199,86 @@ public abstract class AuthenticationProviderAdapter<T extends AuthenticationMana
}
@Override
- public <C extends ConfiguredObject> C createChild(Class<C> childClass,
- Map<String, Object> attributes,
- ConfiguredObject... otherParents)
+ public boolean setState(State currentState, State desiredState)
+ throws IllegalStateTransitionException, AccessControlException
{
- return null;
+ if(desiredState == State.DELETED)
+ {
+ return true;
+ }
+ else if(desiredState == State.ACTIVE)
+ {
+ if (_groupAccessor == null)
+ {
+ throw new IllegalStateTransitionException("Cannot transit into ACTIVE state with null group accessor!");
+ }
+ _authManager.initialise();
+ return true;
+ }
+ else if(desiredState == State.STOPPED)
+ {
+ _authManager.close();
+ return true;
+ }
+ return false;
}
- private static class SimpleAuthenticationProviderAdapter extends AuthenticationProviderAdapter<AuthenticationManager>
+ @Override
+ public SubjectCreator getSubjectCreator()
{
+ return new SubjectCreator(_authManager, _groupAccessor);
+ }
+
+ public void setGroupAccessor(GroupPrincipalAccessor groupAccessor)
+ {
+ _groupAccessor = groupAccessor;
+ }
+
+ public static class SimpleAuthenticationProviderAdapter extends AuthenticationProviderAdapter<AuthenticationManager>
+ {
+
public SimpleAuthenticationProviderAdapter(
- BrokerAdapter brokerAdapter, AuthenticationManager authManager)
+ UUID id, Broker broker, AuthenticationManager authManager, Map<String, Object> attributes)
+ {
+ super(id, broker,authManager, attributes);
+ }
+
+ @Override
+ public <C extends ConfiguredObject> C createChild(Class<C> childClass,
+ Map<String, Object> attributes,
+ ConfiguredObject... otherParents)
{
- super(brokerAdapter,authManager);
+ throw new UnsupportedOperationException();
}
}
- private static class PrincipalDatabaseAuthenticationManagerAdapter
+ public static class PrincipalDatabaseAuthenticationManagerAdapter
extends AuthenticationProviderAdapter<PrincipalDatabaseAuthenticationManager>
implements PasswordCredentialManagingAuthenticationProvider
{
public PrincipalDatabaseAuthenticationManagerAdapter(
- BrokerAdapter brokerAdapter, PrincipalDatabaseAuthenticationManager authManager)
+ UUID id, Broker broker, PrincipalDatabaseAuthenticationManager authManager, Map<String, Object> attributes)
{
- super(brokerAdapter, authManager);
+ super(id, broker, authManager, attributes);
}
@Override
public boolean createUser(String username, String password, Map<String, String> attributes)
{
- return getPrincipalDatabase().createPrincipal(new UsernamePrincipal(username), password.toCharArray());
+ if(getSecurityManager().authoriseUserOperation(Operation.CREATE, username))
+ {
+ return getPrincipalDatabase().createPrincipal(new UsernamePrincipal(username), password.toCharArray());
+ }
+ else
+ {
+ throw new AccessControlException("Do not have permission to create new user");
+ }
}
@Override
public void deleteUser(String username) throws AccountNotFoundException
{
- if(getSecurityManager().authoriseMethod(Operation.DELETE,
- "UserManagement",
- "deleteUser"))
+ if(getSecurityManager().authoriseUserOperation(Operation.DELETE, username))
{
getPrincipalDatabase().deletePrincipal(new UsernamePrincipal(username));
@@ -239,9 +289,9 @@ public abstract class AuthenticationProviderAdapter<T extends AuthenticationMana
}
}
- private org.apache.qpid.server.security.SecurityManager getSecurityManager()
+ private SecurityManager getSecurityManager()
{
- return ApplicationRegistry.getInstance().getSecurityManager();
+ return _broker.getSecurityManager();
}
private PrincipalDatabase getPrincipalDatabase()
@@ -252,18 +302,13 @@ public abstract class AuthenticationProviderAdapter<T extends AuthenticationMana
@Override
public void setPassword(String username, String password) throws AccountNotFoundException
{
- getPrincipalDatabase().updatePassword(new UsernamePrincipal(username), password.toCharArray());
- }
-
- public void reload() throws IOException
- {
- if(getSecurityManager().authoriseMethod(Operation.UPDATE, "UserManagement", "reload"))
+ if(getSecurityManager().authoriseUserOperation(Operation.UPDATE, username))
{
- getPrincipalDatabase().reload();
+ getPrincipalDatabase().updatePassword(new UsernamePrincipal(username), password.toCharArray());
}
else
{
- throw new AccessControlException("Do not have permission to reload principal database");
+ throw new AccessControlException("Do not have permission to set password");
}
}
@@ -274,34 +319,41 @@ public abstract class AuthenticationProviderAdapter<T extends AuthenticationMana
Map<String, Map<String,String>> users = new HashMap<String, Map<String, String>>();
for(Principal principal : getPrincipalDatabase().getUsers())
{
- users.put(principal.getName(), Collections.EMPTY_MAP);
+ users.put(principal.getName(), Collections.<String, String>emptyMap());
}
return users;
}
+ public void reload() throws IOException
+ {
+ getPrincipalDatabase().reload();
+ }
+
@Override
- public <C extends ConfiguredObject> C createChild(Class<C> childClass,
+ public <C extends ConfiguredObject> C addChild(Class<C> childClass,
Map<String, Object> attributes,
ConfiguredObject... otherParents)
{
if(childClass == User.class)
{
- Principal p = new UsernamePrincipal((String) attributes.get("name"));
- if(getSecurityManager().authoriseMethod(Operation.UPDATE, "UserManagement", "createUser"))
+ String username = (String) attributes.get("name");
+ String password = (String) attributes.get("password");
+ Principal p = new UsernamePrincipal(username);
+
+ if(createUser(username, password,null))
{
- if(getPrincipalDatabase().createPrincipal(p, ((String)attributes.get("password")).toCharArray()))
- {
- return (C) new PrincipalAdapter(p);
- }
+ @SuppressWarnings("unchecked")
+ C pricipalAdapter = (C) new PrincipalAdapter(p, getTaskExecutor());
+ return pricipalAdapter;
}
else
{
- throw new AccessControlException("Do not have permission to create a new user");
+ //TODO? Silly interface on the PrincipalDatabase at fault
+ throw new RuntimeException("Failed to create user");
}
-
}
- return super.createChild(childClass, attributes, otherParents);
+ return super.addChild(childClass, attributes, otherParents);
}
@Override
@@ -313,9 +365,11 @@ public abstract class AuthenticationProviderAdapter<T extends AuthenticationMana
Collection<User> principals = new ArrayList<User>(users.size());
for(Principal user : users)
{
- principals.add(new PrincipalAdapter(user));
+ principals.add(new PrincipalAdapter(user, getTaskExecutor()));
}
- return (Collection<C>) Collections.unmodifiableCollection(principals);
+ @SuppressWarnings("unchecked")
+ Collection<C> unmodifiablePrincipals = (Collection<C>) Collections.unmodifiableCollection(principals);
+ return unmodifiablePrincipals;
}
else
{
@@ -328,20 +382,14 @@ public abstract class AuthenticationProviderAdapter<T extends AuthenticationMana
private final Principal _user;
- public PrincipalAdapter(Principal user)
+ public PrincipalAdapter(Principal user, TaskExecutor taskExecutor)
{
- super(UUIDGenerator.generateUserUUID(PrincipalDatabaseAuthenticationManagerAdapter.this.getName(), user.getName()));
+ super(UUIDGenerator.generateUserUUID(PrincipalDatabaseAuthenticationManagerAdapter.this.getName(), user.getName()), taskExecutor);
_user = user;
}
@Override
- public String getPassword()
- {
- return null;
- }
-
- @Override
public void setPassword(String password)
{
try
@@ -445,6 +493,10 @@ public abstract class AuthenticationProviderAdapter<T extends AuthenticationMana
{
return getId();
}
+ else if(PASSWORD.equals(name))
+ {
+ return null; // for security reasons we don't expose the password
+ }
else if(NAME.equals(name))
{
return getName();
@@ -453,20 +505,19 @@ public abstract class AuthenticationProviderAdapter<T extends AuthenticationMana
}
@Override
- public Object setAttribute(String name, Object expected, Object desired)
+ public boolean changeAttribute(String name, Object expected, Object desired)
throws IllegalStateException, AccessControlException, IllegalArgumentException
{
if(name.equals(PASSWORD))
{
setPassword((String)desired);
+ return true;
}
- return super.setAttribute(name,
- expected,
- desired);
+ return super.changeAttribute(name, expected, desired);
}
@Override
- public State setDesiredState(State currentState, State desiredState)
+ protected boolean setState(State currentState, State desiredState)
throws IllegalStateTransitionException, AccessControlException
{
if(desiredState == State.DELETED)
@@ -479,9 +530,9 @@ public abstract class AuthenticationProviderAdapter<T extends AuthenticationMana
{
LOGGER.warn("Failed to delete user " + _user, e);
}
- return State.DELETED;
+ return true;
}
- return super.setDesiredState(currentState, desiredState);
+ return false;
}
}
}
View Lorry Controller Status