Package org.apache.activemq.security
Class SimpleCachedLDAPAuthorizationMap
- java.lang.Object
-
- org.apache.activemq.security.SimpleCachedLDAPAuthorizationMap
-
- All Implemented Interfaces:
AuthorizationMap
- Direct Known Subclasses:
CachedLDAPAuthorizationMap
public class SimpleCachedLDAPAuthorizationMap extends Object implements AuthorizationMap
-
-
Nested Class Summary
Nested Classes
protected class
SimpleCachedLDAPAuthorizationMap.CachedLDAPAuthorizationMapNamespaceChangeListener
Listener implementation for directory changes that maps change events to destination types.
protected static class
SimpleCachedLDAPAuthorizationMap.DestinationType
protected static class
SimpleCachedLDAPAuthorizationMap.PermissionType
-
Field Summary
Fields
protected DirContext
context
protected Map<ActiveMQDestination,AuthorizationEntry>
entries
protected String
groupClass
-
Constructor Summary
Constructors
SimpleCachedLDAPAuthorizationMap()
-
Method Summary
void
afterPropertiesSet()
protected void
applyAcl(AuthorizationEntry entry, SimpleCachedLDAPAuthorizationMap.PermissionType permissionType, Set<Object> acls)
Applies policy to the entry given the actual principals that will be applied to the policy entry.
protected void
applyACL(AuthorizationEntry entry, SearchResult result, SimpleCachedLDAPAuthorizationMap.PermissionType permissionType)
Applies the policy from the directory to the given entry within the context of the provided permission type.
protected void
checkForUpdates()
Performs a check for updates from the server in the event that synchronous updates are enabled and the refresh interval has elapsed.
protected DirContext
createContext()
void
destroy()
protected ActiveMQDestination
formatDestination(LdapName dn, SimpleCachedLDAPAuthorizationMap.DestinationType destinationType)
Parses a DN into the equivalent ActiveMQDestination.
protected ActiveMQDestination
formatDestination(Rdn destinationName, SimpleCachedLDAPAuthorizationMap.DestinationType destinationType)
Parses RDN values representing the destination name/pattern and destination type into the equivalent ActiveMQDestination.
protected String
formatDestinationName(Rdn destinationName)
Parses the RDN representing a destination name/pattern into the standard string representation of the name/pattern.
Set<Object>
getAdminACLs(ActiveMQDestination destination)
Provides synchronized access to the admin ACLs for the destinations, as AuthorizationEntry is not set up for concurrent access.
String
getAdminPermissionGroupSearchFilter()
String
getAuthentication()
String
getConnectionPassword()
String
getConnectionProtocol()
String
getConnectionURL()
String
getConnectionUsername()
protected AuthorizationEntry
getEntry(DefaultAuthorizationMap map, LdapName dn, SimpleCachedLDAPAuthorizationMap.DestinationType destinationType)
Retrieves or creates the AuthorizationEntry that corresponds to the DN in dn.
protected String
getFilterForPermissionType(SimpleCachedLDAPAuthorizationMap.PermissionType permissionType)
Returns the filter string for the given permission type.
String
getGroupClass()
String
getGroupNameAttribute()
String
getGroupObjectClass()
String
getPermissionGroupMemberAttribute()
protected int
getPrefixLengthForDestinationType(SimpleCachedLDAPAuthorizationMap.DestinationType destinationType)
Returns the DN prefix size based on the given destination type.
String
getQueueSearchBase()
Set<Object>
getReadACLs(ActiveMQDestination destination)
Provides synchronized access to the read ACLs for the destinations, as AuthorizationEntry is not set up for concurrent access.
String
getReadPermissionGroupSearchFilter()
int
getRefreshInterval()
Set<Object>
getTempDestinationAdminACLs()
Provides synchronized and defensive access to the admin ACLs for temp destinations, as the super implementation returns live copies of the ACLs and AuthorizationEntry is not set up for concurrent access.
Set<Object>
getTempDestinationReadACLs()
Provides synchronized and defensive access to the read ACLs for temp destinations, as the super implementation returns live copies of the ACLs and AuthorizationEntry is not set up for concurrent access.
Set<Object>
getTempDestinationWriteACLs()
Provides synchronized and defensive access to the write ACLs for temp destinations, as the super implementation returns live copies of the ACLs and AuthorizationEntry is not set up for concurrent access.
String
getTempSearchBase()
String
getTopicSearchBase()
String
getUserNameAttribute()
String
getUserObjectClass()
Set<Object>
getWriteACLs(ActiveMQDestination destination)
Provides synchronized access to the write ACLs for the destinations, as AuthorizationEntry is not set up for concurrent access.
String
getWritePermissionGroupSearchFilter()
protected boolean
isContextAlive()
boolean
isLegacyGroupMapping()
boolean
isRefreshDisabled()
void
namingExceptionThrown(NamingExceptionEvent namingExceptionEvent)
Handler for exception events from the registry.
void
objectAdded(NamingEvent namingEvent, SimpleCachedLDAPAuthorizationMap.DestinationType destinationType, SimpleCachedLDAPAuthorizationMap.PermissionType permissionType)
Handler for new policy entries in the directory.
void
objectChanged(NamingEvent namingEvent, SimpleCachedLDAPAuthorizationMap.DestinationType destinationType, SimpleCachedLDAPAuthorizationMap.PermissionType permissionType)
Handler for changed policy entries in the directory.
void
objectRemoved(NamingEvent namingEvent, SimpleCachedLDAPAuthorizationMap.DestinationType destinationType, SimpleCachedLDAPAuthorizationMap.PermissionType permissionType)
Handler for removed policy entries in the directory.
void
objectRenamed(NamingEvent namingEvent, SimpleCachedLDAPAuthorizationMap.DestinationType destinationType, SimpleCachedLDAPAuthorizationMap.PermissionType permissionType)
Handler for renamed policy entries in the directory.
protected DirContext
open()
Returns the existing open context, or creates a new one and registers listeners for push notifications if such an update style is enabled.
protected void
processQueryResults(DefaultAuthorizationMap map, NamingEnumeration<SearchResult> results, SimpleCachedLDAPAuthorizationMap.DestinationType destinationType, SimpleCachedLDAPAuthorizationMap.PermissionType permissionType)
Processes results from a directory query in the context of a given destination type and permission type.
protected void
query()
Queries the directory and initializes the policy based on the data in the directory.
void
setAdminPermissionGroupSearchFilter(String adminPermissionGroupSearchFilter)
void
setAuthentication(String authentication)
void
setConnectionPassword(String connectionPassword)
void
setConnectionProtocol(String connectionProtocol)
void
setConnectionURL(String connectionURL)
void
setConnectionUsername(String connectionUsername)
void
setGroupClass(String groupClass)
void
setGroupNameAttribute(String groupNameAttribute)
void
setGroupObjectClass(String groupObjectClass)
void
setLegacyGroupMapping(boolean legacyGroupMapping)
void
setPermissionGroupMemberAttribute(String permissionGroupMemberAttribute)
void
setQueueSearchBase(String queueSearchBase)
void
setReadPermissionGroupSearchFilter(String readPermissionGroupSearchFilter)
void
setRefreshDisabled(boolean refreshDisabled)
void
setRefreshInterval(int refreshInterval)
void
setTempSearchBase(String tempSearchBase)
void
setTopicSearchBase(String topicSearchBase)
void
setUserNameAttribute(String userNameAttribute)
void
setUserObjectClass(String userObjectClass)
void
setWritePermissionGroupSearchFilter(String writePermissionGroupSearchFilter)
protected <T> Set<T>
transcribeSet(Set<T> source)
Transcribes an existing set into a new set.
protected void
updated()
Marks the time at which the authorization state was last refreshed.
-
-
-
Field Detail
-
groupClass
protected String groupClass
-
context
protected DirContext context
-
entries
protected Map<ActiveMQDestination,AuthorizationEntry> entries
-
-
Method Detail
-
createContext
protected DirContext createContext() throws NamingException
- Throws:
NamingException
-
isContextAlive
protected boolean isContextAlive()
-
open
protected DirContext open() throws NamingException
Returns the existing open context, or creates a new one and registers listeners for push notifications if such an update style is enabled. This implementation should not be invoked concurrently.
- Returns:
- the current context
- Throws:
NamingException
- if there is an error setting things up
-
query
protected void query() throws Exception
Queries the directory and initializes the policy based on the data in the directory. This implementation should not be invoked concurrently.
- Throws:
Exception
- if there is an unrecoverable error processing the directory contents
-
processQueryResults
protected void processQueryResults(DefaultAuthorizationMap map, NamingEnumeration<SearchResult> results, SimpleCachedLDAPAuthorizationMap.DestinationType destinationType, SimpleCachedLDAPAuthorizationMap.PermissionType permissionType) throws Exception
Processes results from a directory query in the context of a given destination type and permission type. This implementation should not be invoked concurrently.
- Parameters:
results - the results to process
destinationType - the type of the destination for which the directory results apply
permissionType - the type of the permission for which the directory results apply
- Throws:
Exception
- if there is an error processing the results
-
updated
protected void updated()
Marks the time at which the authorization state was last refreshed. Relevant for synchronous policy updates. This implementation should not be invoked concurrently.
-
getEntry
protected AuthorizationEntry getEntry(DefaultAuthorizationMap map, LdapName dn, SimpleCachedLDAPAuthorizationMap.DestinationType destinationType)
Retrieves or creates the AuthorizationEntry that corresponds to the DN in dn. This implementation should not be invoked concurrently.
- Parameters:
map - the DefaultAuthorizationMap to operate on
dn - the DN representing the policy entry in the directory
destinationType - the type of the destination to get/create the entry for
- Returns:
- the corresponding authorization entry for the DN
- Throws:
IllegalArgumentException - if the destination type is not one of SimpleCachedLDAPAuthorizationMap.DestinationType.QUEUE, SimpleCachedLDAPAuthorizationMap.DestinationType.TOPIC or SimpleCachedLDAPAuthorizationMap.DestinationType.TEMP, or if the policy entry DN is malformed
-
applyACL
protected void applyACL(AuthorizationEntry entry, SearchResult result, SimpleCachedLDAPAuthorizationMap.PermissionType permissionType) throws NamingException
Applies the policy from the directory to the given entry within the context of the provided permission type.
- Parameters:
entry - the policy entry to apply the policy to
result - the results from the directory to apply to the policy entry
permissionType - the permission type of the data in the directory
- Throws:
NamingException
- if there is an error applying the ACL
-
applyAcl
protected void applyAcl(AuthorizationEntry entry, SimpleCachedLDAPAuthorizationMap.PermissionType permissionType, Set<Object> acls)
Applies policy to the entry given the actual principals that will be applied to the policy entry.
- Parameters:
entry - the policy entry to which the policy should be applied
permissionType - the type of the permission that the policy will be applied to
acls - the principals that represent the actual policy
-
formatDestination
protected ActiveMQDestination formatDestination(LdapName dn, SimpleCachedLDAPAuthorizationMap.DestinationType destinationType)
Parses a DN into the equivalent ActiveMQDestination. The default implementation expects a format of cn=<permission>,ou=<destination>,... for permission entries and ou=<destination>,... for destination entries, respectively. For example cn=admin,ou=$,ou=... or ou=$,ou=... (the angle-bracketed names are placeholders for the actual RDN values).
- Parameters:
dn - the DN to parse
destinationType - the type of the destination that we are parsing
- Returns:
- the destination that the DN represents
- Throws:
IllegalArgumentException - if destinationType is SimpleCachedLDAPAuthorizationMap.DestinationType.TEMP, or if the format of dn is incorrect for a topic or queue
- See Also:
formatDestination(Rdn, DestinationType)
-
formatDestination
protected ActiveMQDestination formatDestination(Rdn destinationName, SimpleCachedLDAPAuthorizationMap.DestinationType destinationType)
Parses RDN values representing the destination name/pattern and destination type into the equivalent ActiveMQDestination.
- Parameters:
destinationName - the RDN representing the name or pattern for the destination
destinationType - the type of the destination
- Returns:
- the destination that the RDN represents
- Throws:
IllegalArgumentException - if destinationType is not one of SimpleCachedLDAPAuthorizationMap.DestinationType.TOPIC or SimpleCachedLDAPAuthorizationMap.DestinationType.QUEUE.
- See Also:
formatDestinationName(Rdn)
formatDestination(LdapName, DestinationType)
-
formatDestinationName
protected String formatDestinationName(Rdn destinationName)
Parses the RDN representing a destination name/pattern into the standard string representation of the name/pattern. This implementation does not care about the type of the RDN, so the RDN could be a CN or an OU.
- Parameters:
destinationName
- the RDN representing the name or pattern for the destination
- See Also:
formatDestination(Rdn, DestinationType)
-
transcribeSet
protected <T> Set<T> transcribeSet(Set<T> source)
Transcribes an existing set into a new set. Used to make defensive copies for concurrent access.
- Parameters:
source - the source set, or null
- Returns:
- a new set containing the same elements as source, or null if source is null
-
getFilterForPermissionType
protected String getFilterForPermissionType(SimpleCachedLDAPAuthorizationMap.PermissionType permissionType)
Returns the filter string for the given permission type.
- Throws:
IllegalArgumentException - if permissionType is not supported
- See Also:
setAdminPermissionGroupSearchFilter(String)
setReadPermissionGroupSearchFilter(String)
setWritePermissionGroupSearchFilter(String)
-
getPrefixLengthForDestinationType
protected int getPrefixLengthForDestinationType(SimpleCachedLDAPAuthorizationMap.DestinationType destinationType)
Returns the DN prefix size based on the given destination type.
- Throws:
IllegalArgumentException - if destinationType is not supported
- See Also:
setQueueSearchBase(String)
setTopicSearchBase(String)
setTempSearchBase(String)
-
checkForUpdates
protected void checkForUpdates()
Performs a check for updates from the server in the event that synchronous updates are enabled and the refresh interval has elapsed.
-
getTempDestinationAdminACLs
public Set<Object> getTempDestinationAdminACLs()
Provides synchronized and defensive access to the admin ACLs for temp destinations, as the super implementation returns live copies of the ACLs and AuthorizationEntry is not set up for concurrent access.
- Specified by:
getTempDestinationAdminACLs in interface AuthorizationMap
-
getTempDestinationReadACLs
public Set<Object> getTempDestinationReadACLs()
Provides synchronized and defensive access to the read ACLs for temp destinations, as the super implementation returns live copies of the ACLs and AuthorizationEntry is not set up for concurrent access.
- Specified by:
getTempDestinationReadACLs in interface AuthorizationMap
-
getTempDestinationWriteACLs
public Set<Object> getTempDestinationWriteACLs()
Provides synchronized and defensive access to the write ACLs for temp destinations, as the super implementation returns live copies of the ACLs and AuthorizationEntry is not set up for concurrent access.
- Specified by:
getTempDestinationWriteACLs in interface AuthorizationMap
-
getAdminACLs
public Set<Object> getAdminACLs(ActiveMQDestination destination)
Provides synchronized access to the admin ACLs for the destinations, as AuthorizationEntry is not set up for concurrent access.
- Specified by:
getAdminACLs in interface AuthorizationMap
-
getReadACLs
public Set<Object> getReadACLs(ActiveMQDestination destination)
Provides synchronized access to the read ACLs for the destinations, as AuthorizationEntry is not set up for concurrent access.
- Specified by:
getReadACLs in interface AuthorizationMap
-
getWriteACLs
public Set<Object> getWriteACLs(ActiveMQDestination destination)
Provides synchronized access to the write ACLs for the destinations, as AuthorizationEntry is not set up for concurrent access.
- Specified by:
getWriteACLs in interface AuthorizationMap
-
objectAdded
public void objectAdded(NamingEvent namingEvent, SimpleCachedLDAPAuthorizationMap.DestinationType destinationType, SimpleCachedLDAPAuthorizationMap.PermissionType permissionType)
Handler for new policy entries in the directory.
- Parameters:
namingEvent - the new entry event that occurred
destinationType - the type of the destination to which the event applies
permissionType - the permission type to which the event applies
-
objectRemoved
public void objectRemoved(NamingEvent namingEvent, SimpleCachedLDAPAuthorizationMap.DestinationType destinationType, SimpleCachedLDAPAuthorizationMap.PermissionType permissionType)
Handler for removed policy entries in the directory.
- Parameters:
namingEvent - the removed entry event that occurred
destinationType - the type of the destination to which the event applies
permissionType - the permission type to which the event applies
-
objectRenamed
public void objectRenamed(NamingEvent namingEvent, SimpleCachedLDAPAuthorizationMap.DestinationType destinationType, SimpleCachedLDAPAuthorizationMap.PermissionType permissionType)
Handler for renamed policy entries in the directory. This handler deals with the renaming of destination entries as well as permission entries. If the permission type is not null, it is assumed that the event concerns the renaming of a permission entry; otherwise, it is assumed to concern the renaming of a destination entry.
- Parameters:
namingEvent - the renaming entry event that occurred
destinationType - the type of the destination to which the event applies
permissionType - the permission type to which the event applies
-
objectChanged
public void objectChanged(NamingEvent namingEvent, SimpleCachedLDAPAuthorizationMap.DestinationType destinationType, SimpleCachedLDAPAuthorizationMap.PermissionType permissionType)
Handler for changed policy entries in the directory.
- Parameters:
namingEvent - the changed entry event that occurred
destinationType - the type of the destination to which the event applies
permissionType - the permission type to which the event applies
-
namingExceptionThrown
public void namingExceptionThrown(NamingExceptionEvent namingExceptionEvent)
Handler for exception events from the registry.
- Parameters:
namingExceptionEvent - the exception event
-
getConnectionURL
public String getConnectionURL()
-
setConnectionURL
public void setConnectionURL(String connectionURL)
-
getConnectionUsername
public String getConnectionUsername()
-
setConnectionUsername
public void setConnectionUsername(String connectionUsername)
-
getConnectionPassword
public String getConnectionPassword()
-
setConnectionPassword
public void setConnectionPassword(String connectionPassword)
-
getConnectionProtocol
public String getConnectionProtocol()
-
setConnectionProtocol
public void setConnectionProtocol(String connectionProtocol)
-
getAuthentication
public String getAuthentication()
-
setAuthentication
public void setAuthentication(String authentication)
-
getQueueSearchBase
public String getQueueSearchBase()
-
setQueueSearchBase
public void setQueueSearchBase(String queueSearchBase)
-
getTopicSearchBase
public String getTopicSearchBase()
-
setTopicSearchBase
public void setTopicSearchBase(String topicSearchBase)
-
getTempSearchBase
public String getTempSearchBase()
-
setTempSearchBase
public void setTempSearchBase(String tempSearchBase)
-
getPermissionGroupMemberAttribute
public String getPermissionGroupMemberAttribute()
-
setPermissionGroupMemberAttribute
public void setPermissionGroupMemberAttribute(String permissionGroupMemberAttribute)
-
getAdminPermissionGroupSearchFilter
public String getAdminPermissionGroupSearchFilter()
-
setAdminPermissionGroupSearchFilter
public void setAdminPermissionGroupSearchFilter(String adminPermissionGroupSearchFilter)
-
getReadPermissionGroupSearchFilter
public String getReadPermissionGroupSearchFilter()
-
setReadPermissionGroupSearchFilter
public void setReadPermissionGroupSearchFilter(String readPermissionGroupSearchFilter)
-
getWritePermissionGroupSearchFilter
public String getWritePermissionGroupSearchFilter()
-
setWritePermissionGroupSearchFilter
public void setWritePermissionGroupSearchFilter(String writePermissionGroupSearchFilter)
-
isLegacyGroupMapping
public boolean isLegacyGroupMapping()
-
setLegacyGroupMapping
public void setLegacyGroupMapping(boolean legacyGroupMapping)
-
getGroupObjectClass
public String getGroupObjectClass()
-
setGroupObjectClass
public void setGroupObjectClass(String groupObjectClass)
-
getUserObjectClass
public String getUserObjectClass()
-
setUserObjectClass
public void setUserObjectClass(String userObjectClass)
-
getGroupNameAttribute
public String getGroupNameAttribute()
-
setGroupNameAttribute
public void setGroupNameAttribute(String groupNameAttribute)
-
getUserNameAttribute
public String getUserNameAttribute()
-
setUserNameAttribute
public void setUserNameAttribute(String userNameAttribute)
-
isRefreshDisabled
public boolean isRefreshDisabled()
-
setRefreshDisabled
public void setRefreshDisabled(boolean refreshDisabled)
-
getRefreshInterval
public int getRefreshInterval()
-
setRefreshInterval
public void setRefreshInterval(int refreshInterval)
-
getGroupClass
public String getGroupClass()
-
setGroupClass
public void setGroupClass(String groupClass)
-
-