Class DestinationActionPermissionResolver

    • Constructor Detail

      • DestinationActionPermissionResolver

        public DestinationActionPermissionResolver()
    • Method Detail

      • getPermissionStringPrefix

        public String getPermissionStringPrefix()
        Returns the String prefix that should be automatically prepended to a permission String before the String is converted to a WildcardPermission instance. This is convenient if you want to provide a 'scope' or 'namespace' for ActiveMQ Destinations to clearly distinguish ActiveMQ-specific permissions from any others you might assign to user accounts. The default value is null, indicating no prefix will be set by default.

        For example, the default settings might result in permission Strings that look like this:

         topic:TEST:create
         temp-queue:MyQueue:remove
         topic:ActiveMQ.Advisory.*:read
         

        However, if your application has any application-specific permissions that start with the tokens topic, temp-topic, queue, or temp-queue, you wouldn't be able to distinguish between application-specific permissions and those specific to ActiveMQ. In this case you might set the permissionStringPrefix. For example, if you call resolver.setPermissionStringPrefix("jms"), the above permission strings would look like this:

         jms:topic:TEST:create
         jms:temp-queue:MyQueue:remove
         jms:topic:ActiveMQ.Advisory.*:read
         

        Similarly, if the permissionStringPrefix was equal to activeMQ:

         activeMQ:topic:TEST:create
         activeMQ:temp-queue:MyQueue:remove
         activeMQ:topic:ActiveMQ.Advisory.*:read
         
        Returns:
        any String prefix that should be automatically prepended to a permission String before the String is converted to a WildcardPermission instance. Useful for namespacing permissions.
      • setPermissionStringPrefix

        public void setPermissionStringPrefix(String permissionStringPrefix)
        Sets the String prefix that should be automatically prepended to a permission String before the String is converted to a WildcardPermission instance. This is convenient if you want to provide a 'scope' or 'namespace' for ActiveMQ Destinations to clearly distinguish ActiveMQ-specific permissions from any others you might assign to user accounts. The default value is null, indicating no prefix will be set by default.

        For example, the default settings might result in permission Strings that look like this:

         topic:TEST:create
         temp-queue:MyQueue:remove
         topic:ActiveMQ.Advisory.*:read
         

        However, if your application has any application-specific permissions that start with the tokens topic, temp-topic, queue, or temp-queue, you wouldn't be able to distinguish between application-specific permissions and those specific to ActiveMQ. In this case you might set the permissionStringPrefix. For example, if you call resolver.setPermissionStringPrefix("jms"), the above permission strings would look like this:

         jms:topic:TEST:create
         jms:temp-queue:MyQueue:remove
         jms:topic:ActiveMQ.Advisory.*:read
         

        Similarly, if the permissionStringPrefix was equal to activeMQ:

         activeMQ:topic:TEST:create
         activeMQ:temp-queue:MyQueue:remove
         activeMQ:topic:ActiveMQ.Advisory.*:read
         
        Parameters:
        permissionStringPrefix - any String prefix that should be automatically prepended to a permission String before the String is converted to a WildcardPermission instance. Useful for namespacing permissions.
      • isPermissionStringCaseSensitive

        public boolean isPermissionStringCaseSensitive()
        Returns true if returned WildcardPermission instances should be considered case-sensitive, false otherwise. The default value is true, which is not the normal WildcardPermission default setting. This default was chosen to reflect ActiveMQ's case-sensitive destination names.
        Returns:
        true if returned WildcardPermission instances should be considered case-sensitive, false otherwise.
      • setPermissionStringCaseSensitive

        public void setPermissionStringCaseSensitive(boolean permissionStringCaseSensitive)
        Sets whether returned WildcardPermission instances should be considered case-sensitive. The default value is true, which is not the normal WildcardPermission default setting. This default was chosen to accurately reflect ActiveMQ's case-sensitive destination names.
        Parameters:
        permissionStringCaseSensitive - whether returned WildcardPermission instances should be considered case-sensitive.
      • getPermissions

        public Collection<org.apache.shiro.authz.Permission> getPermissions(Action action)
        Description copied from interface: ActionPermissionResolver
        Returns all Permissions that must be granted to a Subject in order for the Subject to execute the action, or an empty collection if no permissions are required.

        Most implementations will probably return a single Permission, but multiple permissions are possible, especially if the Action represents behavior attempted on a Composite Destination.

        Specified by:
        getPermissions in interface ActionPermissionResolver
        Parameters:
        action - the action attempted
        Returns:
        all Permissions that must be granted to a Subject in order for the Subject to execute the action, or an empty collection if no permissions are required.
      • createPermissionString

        protected String createPermissionString(ActiveMQDestination dest,
                                                String verb)
        Inspects the specified destination and verb and returns a WildcardPermission-compatible String that represents the action.

        Format

        This implementation returns WildcardPermission strings with the following format:
         optionalPermissionStringPrefix + destinationType + ':' + destinationPhysicalName + ':' + actionVerb
         
        where:
        1. optionalPermissionStringPrefix is the permissionStringPrefix followed by a colon delimiter (':'). This is only present if the permissionStringPrefix has been specified and is non-null.
        2. destinationType is one of the following four string tokens:
          • topic
          • temp-topic
          • queue
          • temp-queue
          based on whether the destination is a topic, temporary topic, queue, or temporary queue (respectively).
        3. destinationPhysicalName is destination.getPhysicalName()
        4. actionVerb is action.getVerb()

        Examples

        With the default settings (no permissionStringPrefix), this might produce strings that look like the following:
         topic:TEST:create
         temp-queue:MyTempQueue:remove
         queue:ActiveMQ.Advisory.*:read
         
        If permissionStringPrefix was set to jms, the above examples would look like this:
         jms:topic:TEST:create
         jms:temp-queue:MyTempQueue:remove
         jms:queue:ActiveMQ.Advisory.*:read
         
        Parameters:
        dest - the destination to inspect and convert to a WildcardPermission string.
        verb - the behavior taken on the destination
        Returns:
        a WildcardPermission string that represents the specified action.
        See Also:
        getPermissionStringPrefix() for more on why you might want to set this value
      • createPermission

        protected org.apache.shiro.authz.Permission createPermission(String permissionString)
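
The permission-string format documented for createPermissionString, together with the prefix and case-sensitivity settings described above, can be exercised directly against Shiro's WildcardPermission. The following is an added example, not code from the ActiveMQ project: the class name, the permissionString helper, and the grants and destination names are constructed for illustration, and it uses plain org.apache.shiro.authz.permission.WildcardPermission rather than whatever Permission type createPermission actually returns.

```java
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

public class DestinationPermissionDemo {

    // Hypothetical helper that mirrors the documented format:
    // optionalPrefix + destinationType + ':' + physicalName + ':' + verb
    static String permissionString(String prefix, String destinationType,
                                   String physicalName, String verb) {
        String scope = (prefix == null) ? "" : prefix + ":";
        return scope + destinationType + ":" + physicalName + ":" + verb;
    }

    static boolean implied(String granted, String required, boolean caseSensitive) {
        Permission g = new WildcardPermission(granted, caseSensitive);
        Permission r = new WildcardPermission(required, caseSensitive);
        return g.implies(r);
    }

    public static void main(String[] args) {
        // Constructed grant: an application-level permission that happens to
        // start with the token "queue" and was never meant for the broker.
        String appGrant = "queue:*";

        // Without a prefix, the broker-side permission shares the app's
        // namespace, so the unrelated grant is tested against it.
        String unscoped = permissionString(null, "queue", "ORDERS", "read");
        System.out.println(unscoped + " implied by " + appGrant + ": "
                + implied(appGrant, unscoped, true));

        // With the prefix "jms", the first token differs and the app grant
        // is no longer comparable to ActiveMQ destination permissions.
        String scoped = permissionString("jms", "queue", "ORDERS", "read");
        System.out.println(scoped + " implied by " + appGrant + ": "
                + implied(appGrant, scoped, true));

        // Case sensitivity: a grant on "orders" checked against the distinct
        // destination "ORDERS", first with the resolver's documented default
        // (true), then with WildcardPermission's usual case-insensitive mode.
        String lowerGrant = "jms:queue:orders:read";
        System.out.println("case-sensitive:   " + implied(lowerGrant, scoped, true));
        System.out.println("case-insensitive: " + implied(lowerGrant, scoped, false));
    }
}
```

Comparing the two case-sensitivity results shows why the resolver's default of true matters: in case-insensitive mode both strings are normalized to lower case before comparison, so a grant written for one destination also covers any destination whose name differs only by case.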