Package org.apache.activemq.shiro.authz

Class AuthorizationFilter

java.lang.Object

org.apache.activemq.broker.BrokerFilter

org.apache.activemq.broker.MutableBrokerFilter

org.apache.activemq.shiro.SecurityFilter

org.apache.activemq.shiro.env.EnvironmentFilter

org.apache.activemq.shiro.authz.AuthorizationFilter

All Implemented Interfaces:

Broker, Region, org.apache.activemq.Service

public class AuthorizationFilter
extends EnvironmentFilter

The AuthorizationFilter asserts that actions are allowed to execute first before they are actually executed. Such actions include creating, removing, reading from and writing to destinations.

This implementation is strictly permission-based, allowing for the finest-grained security policies possible. Whenever a Subject associated with a connection attempts to perform an Action (such as creating a destination, or reading from a queue, etc), one or more Permissions representing that action are checked.

If the SubjectisPermitted to perform the action, the action is allowed to execute and the broker filter chain executes uninterrupted.

However, if the Subject is not permitted to perform the action, an UnauthorizedException will be thrown, preventing the filter chain from executing that action.

ActionPermissionResolver

The attempted Action is guarded by one or more Permissions as indicated by a configurable actionPermissionResolver. The actionPermissionResolver indicates which permissions must be granted to the connection Subject in order for the action to execute.

The default actionPermissionResolver instance is a DestinationActionPermissionResolver, which indicates which permissions are required to perform any action on a particular destination. Those familiar with Shiro's WildcardPermission syntax will find the DestinationActionPermissionResolver's createPermissionString method documentation valuable for understanding how destination actions are represented as permissions.

Since:

5.10.0

See Also:

ActionPermissionResolver, DestinationActionPermissionResolver

Field Summary

Fields inherited from class org.apache.activemq.broker.MutableBrokerFilter

next

Constructor Summary

Constructors

Constructor	Description
AuthorizationFilter()

Method Summary

Modifier and Type	Method	Description
Subscription	addConsumer(ConnectionContext context, org.apache.activemq.command.ConsumerInfo info)
Destination	addDestination(ConnectionContext context, org.apache.activemq.command.ActiveMQDestination destination, boolean create)
void	addDestinationInfo(ConnectionContext context, org.apache.activemq.command.DestinationInfo info)
void	addProducer(ConnectionContext context, org.apache.activemq.command.ProducerInfo info)
protected void	assertAuthorized(DestinationAction action)
protected void	assertAuthorized(DestinationAction action, String verbText)
protected String	createUnauthorizedMessage(org.apache.shiro.subject.Subject subject, DestinationAction action, String verbDisplayText)
ActionPermissionResolver	getActionPermissionResolver()	Returns the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action, (such as creating a destination, or reading from a queue, etc).
protected org.apache.shiro.subject.Subject	getSubject(ConnectionContext ctx)	Returns the Subject associated with the specified connection using a ConnectionSubjectResolver.
protected boolean	isSystemBroker(DestinationAction action)
void	removeDestination(ConnectionContext context, org.apache.activemq.command.ActiveMQDestination destination, long timeout)
void	removeDestinationInfo(ConnectionContext context, org.apache.activemq.command.DestinationInfo info)
void	send(ProducerBrokerExchange exchange, org.apache.activemq.command.Message message)
void	setActionPermissionResolver(ActionPermissionResolver actionPermissionResolver)	Sets the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action, (such as creating a destination, or reading from a queue, etc).
protected String	toString(org.apache.shiro.subject.Subject subject)

Methods inherited from class org.apache.activemq.shiro.env.EnvironmentFilter

getEnvironment, setEnvironment

Methods inherited from class org.apache.activemq.shiro.SecurityFilter

isEnabled, setEnabled

Methods inherited from class org.apache.activemq.broker.MutableBrokerFilter

getAdaptor, getNext, setNext

Methods inherited from class org.apache.activemq.broker.BrokerFilter

acknowledge, addBroker, addConnection, addSession, beginTransaction, brokerServiceStarted, commitTransaction, fastProducer, forgetTransaction, gc, getAdminConnectionContext, getBrokerId, getBrokerName, getBrokerSequenceId, getBrokerService, getClients, getDestinationMap, getDestinationMap, getDestinations, getDestinations, getDurableDestinations, getExecutor, getPeerBrokerInfos, getPreparedTransactions, getRoot, getScheduler, getTempDataStore, getVmConnectorURI, isExpired, isFaultTolerantConfiguration, isFull, isStopped, messageConsumed, messageDelivered, messageDiscarded, messageDispatched, messageExpired, messagePull, networkBridgeStarted, networkBridgeStopped, nowMasterBroker, postProcessDispatch, prepareTransaction, preProcessDispatch, processConsumerControl, processDispatchNotification, reapplyInterceptor, removeBroker, removeConnection, removeConsumer, removeProducer, removeSession, removeSubscription, rollbackTransaction, sendToDeadLetterQueue, setAdminConnectionContext, slowConsumer, start, stop, virtualDestinationAdded, virtualDestinationRemoved

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

AuthorizationFilter

public AuthorizationFilter()

Method Detail

getActionPermissionResolver

public ActionPermissionResolver getActionPermissionResolver()

Returns the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action, (such as creating a destination, or reading from a queue, etc). The default instance is a DestinationActionPermissionResolver.

Returns:

the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action, (such as creating a destination, or reading from a queue, etc).

setActionPermissionResolver

public void setActionPermissionResolver(ActionPermissionResolver actionPermissionResolver)

Sets the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action, (such as creating a destination, or reading from a queue, etc). Unless overridden by this method, the default instance is a DestinationActionPermissionResolver.

Parameters:

actionPermissionResolver - the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action, (such as creating a destination, or reading from a queue, etc).

getSubject

protected org.apache.shiro.subject.Subject getSubject(ConnectionContext ctx)

Returns the Subject associated with the specified connection using a ConnectionSubjectResolver.

Parameters:

ctx - the connection context

Returns:

the Subject associated with the specified connection.

toString

protected String toString(org.apache.shiro.subject.Subject subject)

assertAuthorized

protected void assertAuthorized(DestinationAction action)

isSystemBroker

protected boolean isSystemBroker(DestinationAction action)

assertAuthorized

protected void assertAuthorized(DestinationAction action,
                                String verbText)

createUnauthorizedMessage

protected String createUnauthorizedMessage(org.apache.shiro.subject.Subject subject,
                                           DestinationAction action,
                                           String verbDisplayText)

addDestinationInfo

public void addDestinationInfo(ConnectionContext context,
                               org.apache.activemq.command.DestinationInfo info)
                        throws Exception

Specified by:

addDestinationInfo in interface Broker

Overrides:

addDestinationInfo in class BrokerFilter

Throws:

Exception

addDestination

public Destination addDestination(ConnectionContext context,
                                  org.apache.activemq.command.ActiveMQDestination destination,
                                  boolean create)
                           throws Exception

Specified by:

addDestination in interface Region

Overrides:

addDestination in class BrokerFilter

Throws:

Exception

removeDestination

public void removeDestination(ConnectionContext context,
                              org.apache.activemq.command.ActiveMQDestination destination,
                              long timeout)
                       throws Exception

Specified by:

removeDestination in interface Region

Overrides:

removeDestination in class BrokerFilter

Throws:

Exception

removeDestinationInfo

public void removeDestinationInfo(ConnectionContext context,
                                  org.apache.activemq.command.DestinationInfo info)
                           throws Exception

Specified by:

removeDestinationInfo in interface Broker

Overrides:

removeDestinationInfo in class BrokerFilter

Throws:

Exception

addConsumer

public Subscription addConsumer(ConnectionContext context,
                                org.apache.activemq.command.ConsumerInfo info)
                         throws Exception

Specified by:

addConsumer in interface Region

Overrides:

addConsumer in class BrokerFilter

Throws:

Exception

addProducer

public void addProducer(ConnectionContext context,
                        org.apache.activemq.command.ProducerInfo info)
                 throws Exception

Specified by:

addProducer in interface Broker

Specified by:

addProducer in interface Region

Overrides:

addProducer in class BrokerFilter

Throws:

Exception

send

public void send(ProducerBrokerExchange exchange,
                 org.apache.activemq.command.Message message)
          throws Exception

Specified by:

send in interface Region

Overrides:

send in class BrokerFilter

Throws:

Exception