org.apache.activemq.shiro.authz

Class AuthorizationFilter

java.lang.Object

org.apache.activemq.broker.BrokerFilter

org.apache.activemq.broker.MutableBrokerFilter

org.apache.activemq.shiro.SecurityFilter

org.apache.activemq.shiro.env.EnvironmentFilter

org.apache.activemq.shiro.authz.AuthorizationFilter

All Implemented Interfaces:

Broker, Region, Service

public class AuthorizationFilter
extends EnvironmentFilter

The AuthorizationFilter asserts that actions are allowed to execute first before they are actually executed. Such actions include creating, removing, reading from and writing to destinations.

This implementation is strictly permission-based, allowing for the finest-grained security policies possible. Whenever a Subject associated with a connection attempts to perform an Action (such as creating a destination, or reading from a queue, etc), one or more Permissions representing that action are checked.

If the SubjectisPermitted to perform the action, the action is allowed to execute and the broker filter chain executes uninterrupted.

However, if the Subject is not permitted to perform the action, an UnauthorizedException will be thrown, preventing the filter chain from executing that action.

ActionPermissionResolver

The attempted Action is guarded by one or more Permissions as indicated by a configurable actionPermissionResolver. The actionPermissionResolver indicates which permissions must be granted to the connection Subject in order for the action to execute.

The default actionPermissionResolver instance is a DestinationActionPermissionResolver, which indicates which permissions are required to perform any action on a particular destination. Those familiar with Shiro's WildcardPermission syntax will find the DestinationActionPermissionResolver's createPermissionString method documentation valuable for understanding how destination actions are represented as permissions.

Since:

5.10.0

See Also:

ActionPermissionResolver, DestinationActionPermissionResolver

Field Summary

Fields inherited from class org.apache.activemq.broker.MutableBrokerFilter

next

Constructor Summary

Constructors

Constructor and Description
AuthorizationFilter()

Method Summary

Modifier and Type	Method and Description
Subscription	addConsumer(ConnectionContext context, ConsumerInfo info) Adds a consumer.
Destination	addDestination(ConnectionContext context, ActiveMQDestination destination, boolean create) Used to create a destination.
void	addDestinationInfo(ConnectionContext context, DestinationInfo info) Add and process a DestinationInfo object
void	addProducer(ConnectionContext context, ProducerInfo info) Adds a producer.
protected void	assertAuthorized(DestinationAction action)
protected void	assertAuthorized(DestinationAction action, String verbText)
protected String	createUnauthorizedMessage(org.apache.shiro.subject.Subject subject, DestinationAction action, String verbDisplayText)
ActionPermissionResolver	getActionPermissionResolver() Returns the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action, (such as creating a destination, or reading from a queue, etc).
protected org.apache.shiro.subject.Subject	getSubject(ConnectionContext ctx) Returns the Subject associated with the specified connection using a ConnectionSubjectResolver.
protected boolean	isSystemBroker(DestinationAction action)
void	removeDestination(ConnectionContext context, ActiveMQDestination destination, long timeout) Used to destroy a destination.
void	removeDestinationInfo(ConnectionContext context, DestinationInfo info) Remove and process a DestinationInfo object
void	send(ProducerBrokerExchange exchange, Message message) Send a message to the broker to using the specified destination.
void	setActionPermissionResolver(ActionPermissionResolver actionPermissionResolver) Sets the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action, (such as creating a destination, or reading from a queue, etc).
protected String	toString(org.apache.shiro.subject.Subject subject)

Methods inherited from class org.apache.activemq.shiro.env.EnvironmentFilter

getEnvironment, setEnvironment

Methods inherited from class org.apache.activemq.shiro.SecurityFilter

isEnabled, setEnabled

Methods inherited from class org.apache.activemq.broker.MutableBrokerFilter

getAdaptor, getNext, setNext

Methods inherited from class org.apache.activemq.broker.BrokerFilter

acknowledge, addBroker, addConnection, addSession, beginTransaction, brokerServiceStarted, commitTransaction, fastProducer, forgetTransaction, gc, getAdminConnectionContext, getBrokerId, getBrokerName, getBrokerSequenceId, getBrokerService, getClients, getDestinationMap, getDestinationMap, getDestinations, getDestinations, getDurableDestinations, getExecutor, getPeerBrokerInfos, getPreparedTransactions, getRoot, getScheduler, getTempDataStore, getVmConnectorURI, isExpired, isFaultTolerantConfiguration, isFull, isStopped, messageConsumed, messageDelivered, messageDiscarded, messageExpired, messagePull, networkBridgeStarted, networkBridgeStopped, nowMasterBroker, postProcessDispatch, prepareTransaction, preProcessDispatch, processConsumerControl, processDispatchNotification, reapplyInterceptor, removeBroker, removeConnection, removeConsumer, removeProducer, removeSession, removeSubscription, rollbackTransaction, sendToDeadLetterQueue, setAdminConnectionContext, slowConsumer, start, stop, virtualDestinationAdded, virtualDestinationRemoved

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

AuthorizationFilter

public AuthorizationFilter()

Method Detail

getActionPermissionResolver

public ActionPermissionResolver getActionPermissionResolver()

Returns the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action, (such as creating a destination, or reading from a queue, etc). The default instance is a DestinationActionPermissionResolver.

Returns:

the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action, (such as creating a destination, or reading from a queue, etc).

setActionPermissionResolver

public void setActionPermissionResolver(ActionPermissionResolver actionPermissionResolver)

Sets the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action, (such as creating a destination, or reading from a queue, etc). Unless overridden by this method, the default instance is a DestinationActionPermissionResolver.

Parameters:

actionPermissionResolver - the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action, (such as creating a destination, or reading from a queue, etc).

getSubject

protected org.apache.shiro.subject.Subject getSubject(ConnectionContext ctx)

Returns the Subject associated with the specified connection using a ConnectionSubjectResolver.

Parameters:

ctx - the connection context

Returns:

the Subject associated with the specified connection.

toString

protected String toString(org.apache.shiro.subject.Subject subject)

assertAuthorized

protected void assertAuthorized(DestinationAction action)

isSystemBroker

protected boolean isSystemBroker(DestinationAction action)

assertAuthorized

protected void assertAuthorized(DestinationAction action,
                                String verbText)

createUnauthorizedMessage

protected String createUnauthorizedMessage(org.apache.shiro.subject.Subject subject,
                                           DestinationAction action,
                                           String verbDisplayText)

addDestinationInfo

public void addDestinationInfo(ConnectionContext context,
                               DestinationInfo info)
                        throws Exception

Description copied from interface: Broker

Add and process a DestinationInfo object

Specified by:

addDestinationInfo in interface Broker

Overrides:

addDestinationInfo in class BrokerFilter

Throws:

Exception

addDestination

public Destination addDestination(ConnectionContext context,
                                  ActiveMQDestination destination,
                                  boolean create)
                           throws Exception

Description copied from interface: Region

Used to create a destination. Usually, this method is invoked as a side-effect of sending a message to a destination that does not exist yet.

Specified by:

addDestination in interface Region

Overrides:

addDestination in class BrokerFilter

destination - the destination to create.

Returns:

TODO

Throws:

Exception - TODO

removeDestination

public void removeDestination(ConnectionContext context,
                              ActiveMQDestination destination,
                              long timeout)
                       throws Exception

Description copied from interface: Region

Used to destroy a destination. This should try to quiesce use of the destination up to the timeout allotted time before removing the destination. This will remove all persistent messages associated with the destination.

Specified by:

removeDestination in interface Region

Overrides:

removeDestination in class BrokerFilter

Parameters:

context - the environment the operation is being executed under.

destination - what is being removed from the broker.

timeout - the max amount of time to wait for the destination to quiesce

Throws:

Exception - TODO

removeDestinationInfo

public void removeDestinationInfo(ConnectionContext context,
                                  DestinationInfo info)
                           throws Exception

Description copied from interface: Broker

Remove and process a DestinationInfo object

Specified by:

removeDestinationInfo in interface Broker

Overrides:

removeDestinationInfo in class BrokerFilter

Throws:

Exception

addConsumer

public Subscription addConsumer(ConnectionContext context,
                                ConsumerInfo info)
                         throws Exception

Description copied from interface: Region

Adds a consumer.

Specified by:

addConsumer in interface Region

Overrides:

addConsumer in class BrokerFilter

Parameters:

context - the environment the operation is being executed under.

Returns:

TODO

Throws:

Exception - TODO

addProducer

public void addProducer(ConnectionContext context,
                        ProducerInfo info)
                 throws Exception

Description copied from interface: Broker

Adds a producer.

Specified by:

addProducer in interface Broker

Specified by:

addProducer in interface Region

Overrides:

addProducer in class BrokerFilter

Parameters:

context - the environment the operation is being executed under.

Throws:

Exception - TODO

send

public void send(ProducerBrokerExchange exchange,
                 Message message)
          throws Exception

Description copied from interface: Region

Send a message to the broker to using the specified destination. The destination specified in the message does not need to match the destination the message is sent to. This is handy in case the message is being sent to a dead letter destination.

Specified by:

send in interface Region

Overrides:

send in class BrokerFilter

Parameters:

exchange - the environment the operation is being executed under.

Throws:

Exception - TODO