Package org.apache.activemq.shiro.authz
Class AuthorizationFilter

- java.lang.Object
  - org.apache.activemq.broker.BrokerFilter
    - org.apache.activemq.broker.MutableBrokerFilter
      - org.apache.activemq.shiro.SecurityFilter
        - org.apache.activemq.shiro.env.EnvironmentFilter
          - org.apache.activemq.shiro.authz.AuthorizationFilter

public class AuthorizationFilter extends EnvironmentFilter

The AuthorizationFilter asserts that actions are allowed to execute before they are actually executed. Such actions include creating, removing, reading from and writing to destinations. This implementation is strictly permission-based, allowing for the finest-grained security policies possible. Whenever a Subject associated with a connection attempts to perform an Action (such as creating a destination, or reading from a queue, etc.), one or more Permissions representing that action are checked. If the Subject isPermitted to perform the action, the action is allowed to execute and the broker filter chain executes uninterrupted. However, if the Subject is not permitted to perform the action, an UnauthorizedException will be thrown, preventing the filter chain from executing that action.

ActionPermissionResolver

The attempted Action is guarded by one or more Permissions as indicated by a configurable actionPermissionResolver. The actionPermissionResolver indicates which permissions must be granted to the connection Subject in order for the action to execute. The default actionPermissionResolver instance is a DestinationActionPermissionResolver, which indicates which permissions are required to perform any action on a particular destination. Those familiar with Shiro's WildcardPermission syntax will find the DestinationActionPermissionResolver's createPermissionString method documentation valuable for understanding how destination actions are represented as permissions.

- Since: 5.10.0
- See Also: ActionPermissionResolver, DestinationActionPermissionResolver

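To make the check described above concrete, here is an added example (not code from the activemq-shiro module) built on Shiro core only: a constructed Ini policy, a Subject logged in against it, and a helper that resolves an attempted destination action to a permission string and rejects the action with UnauthorizedException when the Subject lacks it. The DestinationAuthzDemo class and the type:name:verb permission layout are assumptions made for illustration; the real strings are produced by DestinationActionPermissionResolver.createPermissionString.

```java
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

/**
 * Stand-alone illustration of the decision the AuthorizationFilter makes:
 * map an attempted destination action to a permission, then ask the
 * connection's Subject whether it holds that permission.
 * ASSUMPTION: "type:name:verb" is a simplified layout chosen for this demo;
 * the module's own strings come from createPermissionString.
 */
public class DestinationAuthzDemo {

    /** Mirrors the filter's contract: permitted actions return, others throw. */
    static void assertAuthorized(Subject subject, String destType, String destName, String verb) {
        String permission = destType + ":" + destName + ":" + verb;   // e.g. queue:orders:write
        if (!subject.isPermitted(permission)) {
            throw new UnauthorizedException("Subject '" + subject.getPrincipal()
                    + "' is not authorized to " + verb + " " + destType + " '" + destName + "'");
        }
    }

    public static void main(String[] args) {
        // Constructed policy: alice may only create and write to the "orders" queue.
        Ini ini = new Ini();
        ini.addSection("users").put("alice", "secret, producers");
        ini.addSection("roles").put("producers", "queue:orders:write, queue:orders:create");

        DefaultSecurityManager sm = new DefaultSecurityManager(new IniRealm(ini));
        Subject alice = new Subject.Builder(sm).buildSubject();
        alice.login(new UsernamePasswordToken("alice", "secret"));

        // Granted: the filter chain would continue to the next broker filter.
        assertAuthorized(alice, "queue", "orders", "write");

        // Not granted: the filter would stop the chain here with UnauthorizedException.
        try {
            assertAuthorized(alice, "queue", "orders", "read");
        } catch (UnauthorizedException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        alice.logout();
    }
}
```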
Field Summary

Fields inherited from class org.apache.activemq.broker.MutableBrokerFilter:
- next

Constructor Summary

- AuthorizationFilter()

Method Summary

- Subscription addConsumer(ConnectionContext context, ConsumerInfo info): Adds a consumer.
- Destination addDestination(ConnectionContext context, ActiveMQDestination destination, boolean create): Used to create a destination.
- void addDestinationInfo(ConnectionContext context, DestinationInfo info): Add and process a DestinationInfo object.
- void addProducer(ConnectionContext context, ProducerInfo info): Adds a producer.
- protected void assertAuthorized(DestinationAction action)
- protected void assertAuthorized(DestinationAction action, String verbText)
- protected String createUnauthorizedMessage(org.apache.shiro.subject.Subject subject, DestinationAction action, String verbDisplayText)
- ActionPermissionResolver getActionPermissionResolver(): Returns the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action (such as creating a destination, or reading from a queue, etc.).
- protected org.apache.shiro.subject.Subject getSubject(ConnectionContext ctx): Returns the Subject associated with the specified connection using a ConnectionSubjectResolver.
- protected boolean isSystemBroker(DestinationAction action)
- void removeDestination(ConnectionContext context, ActiveMQDestination destination, long timeout): Used to destroy a destination.
- void removeDestinationInfo(ConnectionContext context, DestinationInfo info): Remove and process a DestinationInfo object.
- void send(ProducerBrokerExchange exchange, Message message): Send a message to the broker using the specified destination.
- void setActionPermissionResolver(ActionPermissionResolver actionPermissionResolver): Sets the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action (such as creating a destination, or reading from a queue, etc.).
- protected String toString(org.apache.shiro.subject.Subject subject)

Methods inherited from class org.apache.activemq.shiro.env.EnvironmentFilter:
getEnvironment, setEnvironment

Methods inherited from class org.apache.activemq.shiro.SecurityFilter:
isEnabled, setEnabled

Methods inherited from class org.apache.activemq.broker.MutableBrokerFilter:
getAdaptor, getNext, setNext

Methods inherited from class org.apache.activemq.broker.BrokerFilter:
acknowledge, addBroker, addConnection, addSession, beginTransaction, brokerServiceStarted, commitTransaction, fastProducer, forgetTransaction, gc, getAdminConnectionContext, getBrokerId, getBrokerName, getBrokerSequenceId, getBrokerService, getClients, getDestinationMap, getDestinationMap, getDestinations, getDestinations, getDurableDestinations, getExecutor, getPeerBrokerInfos, getPreparedTransactions, getRoot, getScheduler, getTempDataStore, getVmConnectorURI, isExpired, isFaultTolerantConfiguration, isFull, isStopped, messageConsumed, messageDelivered, messageDiscarded, messageExpired, messagePull, networkBridgeStarted, networkBridgeStopped, nowMasterBroker, postProcessDispatch, prepareTransaction, preProcessDispatch, processConsumerControl, processDispatchNotification, reapplyInterceptor, removeBroker, removeConnection, removeConsumer, removeProducer, removeSession, removeSubscription, rollbackTransaction, sendToDeadLetterQueue, setAdminConnectionContext, slowConsumer, start, stop, virtualDestinationAdded, virtualDestinationRemoved
Method Detail

getActionPermissionResolver

public ActionPermissionResolver getActionPermissionResolver()

Returns the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action (such as creating a destination, or reading from a queue, etc.). The default instance is a DestinationActionPermissionResolver.

- Returns: the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action (such as creating a destination, or reading from a queue, etc.).

setActionPermissionResolver

public void setActionPermissionResolver(ActionPermissionResolver actionPermissionResolver)

Sets the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action (such as creating a destination, or reading from a queue, etc.). Unless overridden by this method, the default instance is a DestinationActionPermissionResolver.

- Parameters:
  - actionPermissionResolver - the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action (such as creating a destination, or reading from a queue, etc.).

getSubject

protected org.apache.shiro.subject.Subject getSubject(ConnectionContext ctx)

Returns the Subject associated with the specified connection using a ConnectionSubjectResolver.

- Parameters:
  - ctx - the connection context
- Returns: the Subject associated with the specified connection.

toString

protected String toString(org.apache.shiro.subject.Subject subject)

assertAuthorized

protected void assertAuthorized(DestinationAction action)

isSystemBroker

protected boolean isSystemBroker(DestinationAction action)

assertAuthorized

protected void assertAuthorized(DestinationAction action, String verbText)

createUnauthorizedMessage

protected String createUnauthorizedMessage(org.apache.shiro.subject.Subject subject, DestinationAction action, String verbDisplayText)

addDestinationInfo

public void addDestinationInfo(ConnectionContext context, DestinationInfo info) throws Exception

Description copied from interface: Broker

Add and process a DestinationInfo object.

- Specified by: addDestinationInfo in interface Broker
- Overrides: addDestinationInfo in class BrokerFilter
- Throws: Exception

addDestination

public Destination addDestination(ConnectionContext context, ActiveMQDestination destination, boolean create) throws Exception

Description copied from interface: Region

Used to create a destination. Usually, this method is invoked as a side-effect of sending a message to a destination that does not exist yet.

- Specified by: addDestination in interface Region
- Overrides: addDestination in class BrokerFilter
- Parameters:
  - destination - the destination to create.
- Returns: TODO
- Throws: Exception - TODO

removeDestination

public void removeDestination(ConnectionContext context, ActiveMQDestination destination, long timeout) throws Exception

Description copied from interface: Region

Used to destroy a destination. This should try to quiesce use of the destination up to the allotted timeout before removing the destination. This will remove all persistent messages associated with the destination.

- Specified by: removeDestination in interface Region
- Overrides: removeDestination in class BrokerFilter
- Parameters:
  - context - the environment the operation is being executed under.
  - destination - what is being removed from the broker.
  - timeout - the max amount of time to wait for the destination to quiesce
- Throws: Exception - TODO

removeDestinationInfo

public void removeDestinationInfo(ConnectionContext context, DestinationInfo info) throws Exception

Description copied from interface: Broker

Remove and process a DestinationInfo object.

- Specified by: removeDestinationInfo in interface Broker
- Overrides: removeDestinationInfo in class BrokerFilter
- Throws: Exception

addConsumer

public Subscription addConsumer(ConnectionContext context, ConsumerInfo info) throws Exception

Description copied from interface: Region

Adds a consumer.

- Specified by: addConsumer in interface Region
- Overrides: addConsumer in class BrokerFilter
- Parameters:
  - context - the environment the operation is being executed under.
- Returns: TODO
- Throws: Exception - TODO

addProducer

public void addProducer(ConnectionContext context, ProducerInfo info) throws Exception

Description copied from interface: Broker

Adds a producer.

- Specified by: addProducer in interface Broker
- Specified by: addProducer in interface Region
- Overrides: addProducer in class BrokerFilter
- Parameters:
  - context - the environment the operation is being executed under.
- Throws: Exception - TODO

send

public void send(ProducerBrokerExchange exchange, Message message) throws Exception

Description copied from interface: Region

Send a message to the broker using the specified destination. The destination specified in the message does not need to match the destination the message is sent to. This is handy in case the message is being sent to a dead letter destination.

- Specified by: send in interface Region
- Overrides: send in class BrokerFilter
- Parameters:
  - exchange - the environment the operation is being executed under.
- Throws: Exception - TODO