public class AuthorizationFilter extends EnvironmentFilter

The AuthorizationFilter asserts that actions are allowed to execute before they are actually executed. Such actions include creating, removing, reading from and writing to destinations.

This implementation is strictly permission-based, allowing for the finest-grained security policies possible. Whenever a Subject associated with a connection attempts to perform an Action (such as creating a destination, or reading from a queue, etc.), one or more Permissions representing that action are checked.

If the Subject isPermitted to perform the action, the action is allowed to execute and the broker filter chain executes uninterrupted. However, if the Subject is not permitted to perform the action, an UnauthorizedException will be thrown, preventing the filter chain from executing that action.

Each Action is guarded by one or more Permissions as indicated by a configurable actionPermissionResolver. The actionPermissionResolver indicates which permissions must be granted to the connection Subject in order for the action to execute.

The default actionPermissionResolver instance is a DestinationActionPermissionResolver, which indicates which permissions are required to perform any action on a particular destination. Those familiar with Shiro's WildcardPermission syntax will find the DestinationActionPermissionResolver's createPermissionString method documentation valuable for understanding how destination actions are represented as permissions.

See also: ActionPermissionResolver, DestinationActionPermissionResolver
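The permission check described above, sketched with Shiro's stock WildcardPermission (an added example, not ActiveMQ's own code). It substitutes a direct implies() test over constructed grant lists for Subject.isPermitted; the type:name:verb permission strings and the assertAllImplied and allowed helpers are assumptions for illustration, and createPermissionString documents the authoritative format.

```java
import java.util.List;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.authz.permission.WildcardPermission;

public class DestinationPermissionCheckExample {

    /** Deny by default: every required permission must be implied by a grant. */
    static void assertAllImplied(List<Permission> granted, List<Permission> required) {
        for (Permission need : required) {
            boolean implied = granted.stream().anyMatch(g -> g.implies(need));
            if (!implied) {
                throw new UnauthorizedException("Subject is not permitted: " + need);
            }
        }
    }

    /** Hypothetical helper: turns the exception into a boolean for reporting. */
    static boolean allowed(List<Permission> granted, String requiredPermission) {
        try {
            assertAllImplied(granted, List.of(new WildcardPermission(requiredPermission)));
            return true;
        } catch (UnauthorizedException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed grants; the type:name:verb layout is an assumption.
        // Narrow grant: one verb on one queue.
        List<Permission> consumer = List.of(new WildcardPermission("queue:ORDERS.IN:read"));
        // Grant with no verb part: WildcardPermission treats omitted trailing
        // parts as implying everything, so this covers every verb on the queue.
        List<Permission> noVerb = List.of(new WildcardPermission("queue:ORDERS.IN"));
        // "*" is only a wildcard when it is a whole token; stock
        // WildcardPermission compares "ORDERS.*" as a literal name.
        List<Permission> prefix = List.of(new WildcardPermission("queue:ORDERS.*:read"));

        String[] checks = {"queue:ORDERS.IN:read", "queue:ORDERS.IN:write", "queue:ORDERS.IN:remove"};
        for (String check : checks) {
            System.out.printf("%-24s consumer=%b noVerb=%b prefix=%b%n", check,
                    allowed(consumer, check), allowed(noVerb, check), allowed(prefix, check));
        }
    }
}
```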
next
Constructor and Description |
---|
AuthorizationFilter() |
Modifier and Type | Method and Description |
---|---|
Subscription | addConsumer(ConnectionContext context, ConsumerInfo info) Adds a consumer. |
Destination | addDestination(ConnectionContext context, ActiveMQDestination destination, boolean create) Used to create a destination. |
void | addDestinationInfo(ConnectionContext context, DestinationInfo info) Add and process a DestinationInfo object |
void | addProducer(ConnectionContext context, ProducerInfo info) Adds a producer. |
protected void | assertAuthorized(DestinationAction action) |
protected void | assertAuthorized(DestinationAction action, String verbText) |
protected String | createUnauthorizedMessage(org.apache.shiro.subject.Subject subject, DestinationAction action, String verbDisplayText) |
ActionPermissionResolver | getActionPermissionResolver() Returns the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action (such as creating a destination, or reading from a queue, etc.). |
protected org.apache.shiro.subject.Subject | getSubject(ConnectionContext ctx) Returns the Subject associated with the specified connection using a ConnectionSubjectResolver. |
protected boolean | isSystemBroker(DestinationAction action) |
void | removeDestination(ConnectionContext context, ActiveMQDestination destination, long timeout) Used to destroy a destination. |
void | removeDestinationInfo(ConnectionContext context, DestinationInfo info) Remove and process a DestinationInfo object |
void | send(ProducerBrokerExchange exchange, Message message) Send a message to the broker using the specified destination. |
void | setActionPermissionResolver(ActionPermissionResolver actionPermissionResolver) Sets the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action (such as creating a destination, or reading from a queue, etc.). |
protected String | toString(org.apache.shiro.subject.Subject subject) |
getEnvironment, setEnvironment
isEnabled, setEnabled
getAdaptor, getNext, setNext
acknowledge, addBroker, addConnection, addSession, beginTransaction, brokerServiceStarted, commitTransaction, fastProducer, forgetTransaction, gc, getAdminConnectionContext, getBrokerId, getBrokerName, getBrokerSequenceId, getBrokerService, getClients, getDestinationMap, getDestinationMap, getDestinations, getDestinations, getDurableDestinations, getExecutor, getPeerBrokerInfos, getPreparedTransactions, getRoot, getScheduler, getTempDataStore, getVmConnectorURI, isExpired, isFaultTolerantConfiguration, isFull, isStopped, messageConsumed, messageDelivered, messageDiscarded, messageExpired, messagePull, networkBridgeStarted, networkBridgeStopped, nowMasterBroker, postProcessDispatch, prepareTransaction, preProcessDispatch, processConsumerControl, processDispatchNotification, reapplyInterceptor, removeBroker, removeConnection, removeConsumer, removeProducer, removeSession, removeSubscription, rollbackTransaction, sendToDeadLetterQueue, setAdminConnectionContext, slowConsumer, start, stop, virtualDestinationAdded, virtualDestinationRemoved
public AuthorizationFilter()

public ActionPermissionResolver getActionPermissionResolver()

Returns the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action (such as creating a destination, or reading from a queue, etc.). The default instance is a DestinationActionPermissionResolver.

Returns: the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action (such as creating a destination, or reading from a queue, etc.).

public void setActionPermissionResolver(ActionPermissionResolver actionPermissionResolver)

Sets the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action (such as creating a destination, or reading from a queue, etc.). Unless overridden by this method, the default instance is a DestinationActionPermissionResolver.

Parameters: actionPermissionResolver - the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action (such as creating a destination, or reading from a queue, etc.).

protected org.apache.shiro.subject.Subject getSubject(ConnectionContext ctx)

Returns the Subject associated with the specified connection using a ConnectionSubjectResolver.

Parameters: ctx - the connection context

Returns: the Subject associated with the specified connection.

protected void assertAuthorized(DestinationAction action)

protected boolean isSystemBroker(DestinationAction action)

protected void assertAuthorized(DestinationAction action, String verbText)

protected String createUnauthorizedMessage(org.apache.shiro.subject.Subject subject, DestinationAction action, String verbDisplayText)
public void addDestinationInfo(ConnectionContext context, DestinationInfo info) throws Exception

Description copied from interface: Broker. Add and process a DestinationInfo object

Specified by: addDestinationInfo in interface Broker
Overrides: addDestinationInfo in class BrokerFilter
Throws: Exception

public Destination addDestination(ConnectionContext context, ActiveMQDestination destination, boolean create) throws Exception

Description copied from interface: Region. Used to create a destination.

Specified by: addDestination in interface Region
Overrides: addDestination in class BrokerFilter
Parameters: destination - the destination to create.
Throws: Exception - TODO

public void removeDestination(ConnectionContext context, ActiveMQDestination destination, long timeout) throws Exception

Description copied from interface: Region. Used to destroy a destination.

Specified by: removeDestination in interface Region
Overrides: removeDestination in class BrokerFilter
Parameters:
context - the environment the operation is being executed under.
destination - what is being removed from the broker.
timeout - the max amount of time to wait for the destination to quiesce
Throws: Exception - TODO

public void removeDestinationInfo(ConnectionContext context, DestinationInfo info) throws Exception

Description copied from interface: Broker. Remove and process a DestinationInfo object

Specified by: removeDestinationInfo in interface Broker
Overrides: removeDestinationInfo in class BrokerFilter
Throws: Exception

public Subscription addConsumer(ConnectionContext context, ConsumerInfo info) throws Exception

Description copied from interface: Region. Adds a consumer.

Specified by: addConsumer in interface Region
Overrides: addConsumer in class BrokerFilter
Parameters: context - the environment the operation is being executed under.
Throws: Exception - TODO

public void addProducer(ConnectionContext context, ProducerInfo info) throws Exception

Description copied from interface: Broker. Adds a producer.

Specified by: addProducer in interface Broker
Specified by: addProducer in interface Region
Overrides: addProducer in class BrokerFilter
Parameters: context - the environment the operation is being executed under.
Throws: Exception - TODO

public void send(ProducerBrokerExchange exchange, Message message) throws Exception

Description copied from interface: Region. Send a message to the broker using the specified destination.

Specified by: send in interface Region
Overrides: send in class BrokerFilter
Parameters: exchange - the environment the operation is being executed under.
Throws: Exception - TODO

Copyright © 2005–2019 The Apache Software Foundation. All rights reserved.