public class AuthorizationFilter extends EnvironmentFilter
AuthorizationFilter asserts that actions are allowed before they are actually
executed. Such actions include creating, removing, reading from and writing to destinations.
This implementation is strictly permission-based, allowing for the finest-grained security policies possible.
Whenever a Subject associated with a connection attempts to perform an Action (such as creating a
destination, or reading from a queue, etc), one or more Permissions representing that action are
checked.
If the Subject isPermitted to perform the
action, the action is allowed to execute and the broker filter chain executes uninterrupted.
However, if the Subject is not permitted to perform the action, an UnauthorizedException will be
thrown, preventing the filter chain from executing that action.
Each Action is guarded by one or more Permissions as indicated by a configurable
actionPermissionResolver. The
actionPermissionResolver indicates which permissions must be granted to the connection Subject in
order for the action to execute.
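
The permit/deny decision described above, modelled with Shiro's WildcardPermission as an added example (not ActiveMQ's or Shiro's own code). The `type:name:verb` string layout, the class and helper names, and the sample grants are assumptions made for illustration; it needs shiro-core on the classpath.

```java
import java.util.Collection;
import java.util.List;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.authz.permission.WildcardPermission;

// Added illustration, not ActiveMQ code: the permit/deny decision modelled
// with Shiro's WildcardPermission alone.
public class DestinationPermissionDemo {

    // Assumed layout "type:name:verb"; the real strings are produced by
    // DestinationActionPermissionResolver's createPermissionString method.
    static Permission perm(String type, String name, String verb) {
        return new WildcardPermission(type + ":" + name + ":" + verb);
    }

    // Default deny: every required permission must be implied by some grant.
    static void assertAuthorized(Collection<Permission> granted, Collection<Permission> required) {
        for (Permission needed : required) {
            boolean ok = granted.stream().anyMatch(g -> g.implies(needed));
            if (!ok) {
                throw new UnauthorizedException("Subject lacks permission " + needed);
            }
        }
    }

    // Hypothetical helper: turns the exception into a boolean for printing.
    static boolean allowed(Collection<Permission> granted, Permission... required) {
        try {
            assertAuthorized(granted, List.of(required));
            return true;
        } catch (UnauthorizedException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed grants for a hypothetical consumer account.
        List<Permission> granted = List.of(perm("queue", "orders", "read"), perm("topic", "*", "read"));

        // Exact grant, then a '*' name token that covers any topic name.
        System.out.println(allowed(granted, perm("queue", "orders", "read")));
        System.out.println(allowed(granted, perm("topic", "prices", "read")));
        // A verb that was never granted is refused.
        System.out.println(allowed(granted, perm("queue", "orders", "write")));
        // Two permissions guard one action: a single missing grant refuses it.
        System.out.println(allowed(granted, perm("queue", "orders", "read"), perm("queue", "orders", "create")));
        // The one-argument WildcardPermission constructor compares case-insensitively.
        System.out.println(allowed(granted, perm("queue", "ORDERS", "read")));
    }
}
```

The last check matters when destination names differ only by case: WildcardPermission's two-argument constructor takes a caseSensitive flag for policies that need exact matching.
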
The default actionPermissionResolver instance is a
DestinationActionPermissionResolver, which indicates which permissions
are required to perform any action on a particular destination. Those familiar with Shiro's
WildcardPermission syntax will find the
DestinationActionPermissionResolver's
createPermissionString method
documentation valuable for understanding how destination actions are represented as permissions.

See Also: ActionPermissionResolver, DestinationActionPermissionResolver

| Constructor and Description |
|---|
| AuthorizationFilter() |

| Modifier and Type | Method and Description |
|---|---|
| Subscription | addConsumer(ConnectionContext context, org.apache.activemq.command.ConsumerInfo info) |
| Destination | addDestination(ConnectionContext context, org.apache.activemq.command.ActiveMQDestination destination, boolean create) |
| void | addDestinationInfo(ConnectionContext context, org.apache.activemq.command.DestinationInfo info) |
| void | addProducer(ConnectionContext context, org.apache.activemq.command.ProducerInfo info) |
| protected void | assertAuthorized(DestinationAction action) |
| protected void | assertAuthorized(DestinationAction action, String verbText) |
| protected String | createUnauthorizedMessage(org.apache.shiro.subject.Subject subject, DestinationAction action, String verbDisplayText) |
| ActionPermissionResolver | getActionPermissionResolver() - Returns the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action, (such as creating a destination, or reading from a queue, etc). |
| protected org.apache.shiro.subject.Subject | getSubject(ConnectionContext ctx) - Returns the Subject associated with the specified connection using a ConnectionSubjectResolver. |
| protected boolean | isSystemBroker(DestinationAction action) |
| void | removeDestination(ConnectionContext context, org.apache.activemq.command.ActiveMQDestination destination, long timeout) |
| void | removeDestinationInfo(ConnectionContext context, org.apache.activemq.command.DestinationInfo info) |
| void | send(ProducerBrokerExchange exchange, org.apache.activemq.command.Message message) |
| void | setActionPermissionResolver(ActionPermissionResolver actionPermissionResolver) - Sets the ActionPermissionResolver used to indicate which permissions are required to be granted to a Subject to perform a particular destination Action, (such as creating a destination, or reading from a queue, etc). |
| protected String | toString(org.apache.shiro.subject.Subject subject) |

Inherited methods:
getEnvironment, setEnvironment
isEnabled, setEnabled
acknowledge, addBroker, addConnection, addSession, beginTransaction, brokerServiceStarted, commitTransaction, fastProducer, forgetTransaction, gc, getAdaptor, getAdminConnectionContext, getBrokerId, getBrokerName, getBrokerSequenceId, getBrokerService, getClients, getDestinationMap, getDestinationMap, getDestinations, getDestinations, getDurableDestinations, getExecutor, getNext, getPeerBrokerInfos, getPreparedTransactions, getRoot, getScheduler, getTempDataStore, getVmConnectorURI, isExpired, isFaultTolerantConfiguration, isFull, isStopped, messageConsumed, messageDelivered, messageDiscarded, messageExpired, messagePull, networkBridgeStarted, networkBridgeStopped, nowMasterBroker, postProcessDispatch, prepareTransaction, preProcessDispatch, processConsumerControl, processDispatchNotification, reapplyInterceptor, removeBroker, removeConnection, removeConsumer, removeProducer, removeSession, removeSubscription, rollbackTransaction, sendToDeadLetterQueue, setAdminConnectionContext, setNext, slowConsumer, start, stop

public AuthorizationFilter()

public ActionPermissionResolver getActionPermissionResolver()
Returns the ActionPermissionResolver used to indicate which permissions are required to be granted to
a Subject to perform a particular destination Action, (such as creating a
destination, or reading from a queue, etc). The default instance is a
DestinationActionPermissionResolver.
Returns: the ActionPermissionResolver used to indicate which permissions are required to be granted to
a Subject to perform a particular destination Action, (such as creating a
destination, or reading from a queue, etc).

public void setActionPermissionResolver(ActionPermissionResolver actionPermissionResolver)
Sets the ActionPermissionResolver used to indicate which permissions are required to be granted to
a Subject to perform a particular destination Action, (such as creating a
destination, or reading from a queue, etc). Unless overridden by this method, the default instance is a
DestinationActionPermissionResolver.
Parameters: actionPermissionResolver - the ActionPermissionResolver used to indicate which permissions are
required to be granted to a Subject to perform a particular destination
Action, (such as creating a destination, or reading from a queue, etc).

protected org.apache.shiro.subject.Subject getSubject(ConnectionContext ctx)
Returns the Subject associated with the specified connection using a
ConnectionSubjectResolver.
Parameters: ctx - the connection context
Returns: the Subject associated with the specified connection.

protected void assertAuthorized(DestinationAction action)
protected boolean isSystemBroker(DestinationAction action)
protected void assertAuthorized(DestinationAction action, String verbText)
protected String createUnauthorizedMessage(org.apache.shiro.subject.Subject subject, DestinationAction action, String verbDisplayText)
public void addDestinationInfo(ConnectionContext context, org.apache.activemq.command.DestinationInfo info) throws Exception
Specified by: addDestinationInfo in interface Broker
Overrides: addDestinationInfo in class MutableBrokerFilter
Throws: Exception

public Destination addDestination(ConnectionContext context, org.apache.activemq.command.ActiveMQDestination destination, boolean create) throws Exception
Specified by: addDestination in interface Region
Overrides: addDestination in class MutableBrokerFilter
Throws: Exception

public void removeDestination(ConnectionContext context, org.apache.activemq.command.ActiveMQDestination destination, long timeout) throws Exception
Specified by: removeDestination in interface Region
Overrides: removeDestination in class MutableBrokerFilter
Throws: Exception

public void removeDestinationInfo(ConnectionContext context, org.apache.activemq.command.DestinationInfo info) throws Exception
Specified by: removeDestinationInfo in interface Broker
Overrides: removeDestinationInfo in class MutableBrokerFilter
Throws: Exception

public Subscription addConsumer(ConnectionContext context, org.apache.activemq.command.ConsumerInfo info) throws Exception
Specified by: addConsumer in interface Region
Overrides: addConsumer in class MutableBrokerFilter
Throws: Exception

public void addProducer(ConnectionContext context, org.apache.activemq.command.ProducerInfo info) throws Exception
Specified by: addProducer in interface Broker
Specified by: addProducer in interface Region
Overrides: addProducer in class MutableBrokerFilter
Throws: Exception

public void send(ProducerBrokerExchange exchange, org.apache.activemq.command.Message message) throws Exception
Specified by: send in interface Region
Overrides: send in class MutableBrokerFilter
Throws: Exception

Copyright © 2005–2016 FuseSource, Corp. All rights reserved.