public class AuthorizationFilter extends EnvironmentFilter
The AuthorizationFilter asserts that actions are allowed to execute before they are actually executed. Such actions include creating, removing, reading from and writing to destinations.

This implementation is strictly permission-based, allowing for the finest-grained security policies possible.

Whenever a Subject associated with a connection attempts to perform an Action (such as creating a destination, or reading from a queue, etc), one or more Permissions representing that action are checked.

If the Subject isPermitted to perform the action, the action is allowed to execute and the broker filter chain executes uninterrupted.

However, if the Subject is not permitted to perform the action, an UnauthorizedException will be thrown, preventing the filter chain from executing that action.

An Action is guarded by one or more Permissions as indicated by a configurable actionPermissionResolver. The actionPermissionResolver indicates which permissions must be granted to the connection Subject in order for the action to execute.

The default actionPermissionResolver instance is a DestinationActionPermissionResolver, which indicates which permissions are required to perform any action on a particular destination. Those familiar with Shiro's WildcardPermission syntax will find the DestinationActionPermissionResolver's createPermissionString method documentation valuable for understanding how destination actions are represented as permissions.

See Also: ActionPermissionResolver, DestinationActionPermissionResolver
next
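The permission check described above can be sketched with Shiro's WildcardPermission alone. This is an added example, not code from ActiveMQ or this Javadoc: the class and method names are hypothetical, shiro-core is assumed to be on the classpath, and the `type:name:verb` string layout is an assumption (the authoritative format is in the createPermissionString documentation).

```java
import java.util.Arrays;
import java.util.List;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.authz.permission.WildcardPermission;

// Added illustration; class and method names are hypothetical, not ActiveMQ's.
public class DestinationPermissionDemo {

    // Assumed layout "type:name:verb"; see createPermissionString for the real format.
    static Permission required(String type, String name, String verb) {
        return new WildcardPermission(type + ":" + name + ":" + verb);
    }

    // Deny by default: pass only if some granted permission implies the required one.
    static void check(List<Permission> granted, Permission required) {
        for (Permission g : granted) {
            if (g.implies(required)) {
                return;
            }
        }
        throw new UnauthorizedException("Not permitted: " + required);
    }

    // Converts the exception-based check into a boolean for reporting.
    static boolean allowed(List<Permission> granted, Permission required) {
        try {
            check(granted, required);
            return true;
        } catch (UnauthorizedException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed grants for one subject.
        List<Permission> granted = Arrays.<Permission>asList(
            new WildcardPermission("queue:orders:read,write"), // two verbs on one queue
            new WildcardPermission("topic:*:read"),            // read on any topic
            new WildcardPermission("queue:audit"));            // no verb part given

        String[][] attempts = {
            {"queue", "orders", "read"}, {"queue", "orders", "remove"},
            {"topic", "prices", "read"}, {"topic", "prices", "write"},
            {"queue", "audit", "remove"}, {"queue", "billing", "read"}};
        for (String[] a : attempts) {
            Permission p = required(a[0], a[1], a[2]);
            System.out.println(p + " -> " + (allowed(granted, p) ? "allowed" : "denied"));
        }
    }
}
```

When reviewing a policy, note that a WildcardPermission with fewer parts implies every value of the omitted trailing parts, so the `queue:audit` grant above also covers removing that queue.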
Constructor and Description |
---|
AuthorizationFilter() |
Modifier and Type | Method and Description |
---|---|
Subscription | addConsumer(ConnectionContext context, org.apache.activemq.command.ConsumerInfo info) |
Destination | addDestination(ConnectionContext context, org.apache.activemq.command.ActiveMQDestination destination, boolean create) |
void | addDestinationInfo(ConnectionContext context, org.apache.activemq.command.DestinationInfo info) |
void | addProducer(ConnectionContext context, org.apache.activemq.command.ProducerInfo info) |
protected void | assertAuthorized(DestinationAction action) |
protected void | assertAuthorized(DestinationAction action, String verbText) |
protected String | createUnauthorizedMessage(org.apache.shiro.subject.Subject subject, DestinationAction action, String verbDisplayText) |
ActionPermissionResolver | getActionPermissionResolver(): Returns the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action (such as creating a destination, or reading from a queue, etc). |
protected org.apache.shiro.subject.Subject | getSubject(ConnectionContext ctx): Returns the Subject associated with the specified connection using a ConnectionSubjectResolver. |
protected boolean | isSystemBroker(DestinationAction action) |
void | removeDestination(ConnectionContext context, org.apache.activemq.command.ActiveMQDestination destination, long timeout) |
void | removeDestinationInfo(ConnectionContext context, org.apache.activemq.command.DestinationInfo info) |
void | send(ProducerBrokerExchange exchange, org.apache.activemq.command.Message message) |
void | setActionPermissionResolver(ActionPermissionResolver actionPermissionResolver): Sets the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action (such as creating a destination, or reading from a queue, etc). |
protected String | toString(org.apache.shiro.subject.Subject subject) |
getEnvironment, setEnvironment
isEnabled, setEnabled
acknowledge, addBroker, addConnection, addSession, beginTransaction, brokerServiceStarted, commitTransaction, fastProducer, forgetTransaction, gc, getAdaptor, getAdminConnectionContext, getBrokerId, getBrokerName, getBrokerSequenceId, getBrokerService, getClients, getDestinationMap, getDestinationMap, getDestinations, getDestinations, getDurableDestinations, getExecutor, getNext, getPeerBrokerInfos, getPreparedTransactions, getRoot, getScheduler, getTempDataStore, getVmConnectorURI, isExpired, isFaultTolerantConfiguration, isFull, isStopped, messageConsumed, messageDelivered, messageDiscarded, messageExpired, messagePull, networkBridgeStarted, networkBridgeStopped, nowMasterBroker, postProcessDispatch, prepareTransaction, preProcessDispatch, processConsumerControl, processDispatchNotification, reapplyInterceptor, removeBroker, removeConnection, removeConsumer, removeProducer, removeSession, removeSubscription, rollbackTransaction, sendToDeadLetterQueue, setAdminConnectionContext, setNext, slowConsumer, start, stop
public AuthorizationFilter()

public ActionPermissionResolver getActionPermissionResolver()
Returns the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action (such as creating a destination, or reading from a queue, etc). The default instance is a DestinationActionPermissionResolver.
Returns: the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action (such as creating a destination, or reading from a queue, etc).

public void setActionPermissionResolver(ActionPermissionResolver actionPermissionResolver)
Sets the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action (such as creating a destination, or reading from a queue, etc). Unless overridden by this method, the default instance is a DestinationActionPermissionResolver.
Parameters: actionPermissionResolver - the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action (such as creating a destination, or reading from a queue, etc).

protected org.apache.shiro.subject.Subject getSubject(ConnectionContext ctx)
Returns the Subject associated with the specified connection using a ConnectionSubjectResolver.
Parameters: ctx - the connection context
Returns: the Subject associated with the specified connection.

protected void assertAuthorized(DestinationAction action)

protected boolean isSystemBroker(DestinationAction action)

protected void assertAuthorized(DestinationAction action, String verbText)

protected String createUnauthorizedMessage(org.apache.shiro.subject.Subject subject, DestinationAction action, String verbDisplayText)

public void addDestinationInfo(ConnectionContext context, org.apache.activemq.command.DestinationInfo info) throws Exception
Specified by: addDestinationInfo in interface Broker
Overrides: addDestinationInfo in class MutableBrokerFilter
Throws: Exception

public Destination addDestination(ConnectionContext context, org.apache.activemq.command.ActiveMQDestination destination, boolean create) throws Exception
Specified by: addDestination in interface Region
Overrides: addDestination in class MutableBrokerFilter
Throws: Exception

public void removeDestination(ConnectionContext context, org.apache.activemq.command.ActiveMQDestination destination, long timeout) throws Exception
Specified by: removeDestination in interface Region
Overrides: removeDestination in class MutableBrokerFilter
Throws: Exception

public void removeDestinationInfo(ConnectionContext context, org.apache.activemq.command.DestinationInfo info) throws Exception
Specified by: removeDestinationInfo in interface Broker
Overrides: removeDestinationInfo in class MutableBrokerFilter
Throws: Exception

public Subscription addConsumer(ConnectionContext context, org.apache.activemq.command.ConsumerInfo info) throws Exception
Specified by: addConsumer in interface Region
Overrides: addConsumer in class MutableBrokerFilter
Throws: Exception

public void addProducer(ConnectionContext context, org.apache.activemq.command.ProducerInfo info) throws Exception
Specified by: addProducer in interface Broker
Specified by: addProducer in interface Region
Overrides: addProducer in class MutableBrokerFilter
Throws: Exception

public void send(ProducerBrokerExchange exchange, org.apache.activemq.command.Message message) throws Exception
Specified by: send in interface Region
Overrides: send in class MutableBrokerFilter
Throws: Exception

Copyright © 2005–2016 FuseSource, Corp. All rights reserved.