Package org.apache.activemq.shiro.authz

Class AuthorizationFilter

  • All Implemented Interfaces:
    Broker, Region, Service
    public class AuthorizationFilter
extends EnvironmentFilter
    The AuthorizationFilter asserts that actions are allowed to execute first before they are actually executed. Such actions include creating, removing, reading from and writing to destinations.

    This implementation is strictly permission-based, allowing for the finest-grained security policies possible. Whenever a Subject associated with a connection attempts to perform an Action (such as creating a destination, or reading from a queue, etc), one or more Permissions representing that action are checked.

    If the SubjectisPermitted to perform the action, the action is allowed to execute and the broker filter chain executes uninterrupted.

    However, if the Subject is not permitted to perform the action, an UnauthorizedException will be thrown, preventing the filter chain from executing that action.

    ActionPermissionResolver

    The attempted Action is guarded by one or more Permissions as indicated by a configurable actionPermissionResolver. The actionPermissionResolver indicates which permissions must be granted to the connection Subject in order for the action to execute.

    The default actionPermissionResolver instance is a DestinationActionPermissionResolver, which indicates which permissions are required to perform any action on a particular destination. Those familiar with Shiro's WildcardPermission syntax will find the DestinationActionPermissionResolver's createPermissionString method documentation valuable for understanding how destination actions are represented as permissions.

    Since:
    5.10.0
    See Also:
    ActionPermissionResolver, DestinationActionPermissionResolver

    • Constructor Detail

      • AuthorizationFilter

        public AuthorizationFilter()

    • Method Detail

      • getActionPermissionResolver

        public ActionPermissionResolver getActionPermissionResolver()
        Returns the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action, (such as creating a destination, or reading from a queue, etc). The default instance is a DestinationActionPermissionResolver.
        Returns:
        the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action, (such as creating a destination, or reading from a queue, etc).

      • setActionPermissionResolver

        public void setActionPermissionResolver​(ActionPermissionResolver actionPermissionResolver)
        Sets the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action, (such as creating a destination, or reading from a queue, etc). Unless overridden by this method, the default instance is a DestinationActionPermissionResolver.
        Parameters:
        actionPermissionResolver - the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action, (such as creating a destination, or reading from a queue, etc).

      • getSubject

        protected org.apache.shiro.subject.Subject getSubject​(ConnectionContext ctx)
        Returns the Subject associated with the specified connection using a ConnectionSubjectResolver.
        Parameters:
        ctx - the connection context
        Returns:
        the Subject associated with the specified connection.

      • toString

        protected String toString​(org.apache.shiro.subject.Subject subject)

      • createUnauthorizedMessage

        protected String createUnauthorizedMessage​(org.apache.shiro.subject.Subject subject,
                                           DestinationAction action,
                                           String verbDisplayText)

      • removeDestination

        public void removeDestination​(ConnectionContext context,
                              ActiveMQDestination destination,
                              long timeout)
                       throws Exception
        Description copied from interface: Region
        Used to destroy a destination. This should try to quiesce use of the destination up to the timeout allotted time before removing the destination. This will remove all persistent messages associated with the destination.
        Specified by:
        removeDestination in interface Region
        Overrides:
        removeDestination in class BrokerFilter
        Parameters:
        context - the environment the operation is being executed under.
        destination - what is being removed from the broker.
        timeout - the max amount of time to wait for the destination to quiesce
        Throws:
        Exception - TODO

      • send

        public void send​(ProducerBrokerExchange exchange,
                 Message message)
          throws Exception
        Description copied from interface: Region
        Send a message to the broker to using the specified destination. The destination specified in the message does not need to match the destination the message is sent to. This is handy in case the message is being sent to a dead letter destination.
        Specified by:
        send in interface Region
        Overrides:
        send in class BrokerFilter
        Parameters:
        exchange - the environment the operation is being executed under.
        Throws:
        Exception - TODO