ARTEMIS-1884 add plugin API for message level authorization policies
Showing
16 changed files
with
921 additions
and
0 deletions.
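--- /dev/null
+++ b/...org/apache/activemq/artemis/core/server/plugin/impl/BrokerMessageAuthorizationPlugin.java
@@ -0,0 +1,88 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements. See the NOTICE file distributed with
+* this work for additional information regarding copyright ownership.
+* The ASF licenses this file to You under the Apache License, Version 2.0
+* (the "License"); you may not use this file except in compliance with
+* the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package org.apache.activemq.artemis.core.server.plugin.impl;
+
+import javax.security.auth.Subject;
+
+import java.util.Map;
+import java.util.concurrent.atomic.AtomicReference;
+
+import org.apache.activemq.artemis.api.core.ActiveMQException;
+import org.apache.activemq.artemis.core.security.SecurityStore;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.core.server.ConsumerInfo;
+import org.apache.activemq.artemis.core.server.MessageReference;
+import org.apache.activemq.artemis.core.server.ServerConsumer;
+import org.apache.activemq.artemis.core.server.ServerSession;
+import org.apache.activemq.artemis.core.server.plugin.ActiveMQServerPlugin;
+import org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal;
+import org.jboss.logging.Logger;
+
+public class BrokerMessageAuthorizationPlugin implements ActiveMQServerPlugin {
+
+private static final Logger logger = Logger.getLogger(BrokerMessageAuthorizationPlugin.class);
+
+private static final String ROLE_PROPERTY = "ROLE_PROPERTY";
+private final AtomicReference<ActiveMQServer> server = new AtomicReference<>();
+private String roleProperty = "requiredRole";
+
+@Override
+public void init(Map<String, String> properties) {
+roleProperty = properties.getOrDefault(ROLE_PROPERTY, "requiredRole");
+}
+
+@Override
+public void registered(ActiveMQServer server) {
+this.server.set(server);
+}
+
+@Override
+public void unregistered(ActiveMQServer server) {
+this.server.set(null);
+}
+
+@Override
+public boolean canAccept(ServerConsumer consumer, MessageReference reference) throws ActiveMQException {
+
+String requiredRole = reference.getMessage().getStringProperty(roleProperty);
+if (requiredRole == null) {
+return true;
+}
+
+Subject subject = getSubject(consumer);
+if (subject == null) {
+if (logger.isDebugEnabled()) {
+logger.debug("Subject not found for consumer: " + consumer.getID());
+}
+return false;
+}
+boolean permitted = new RolePrincipal(requiredRole).implies(subject);
+if (!permitted && logger.isDebugEnabled()) {
+logger.debug("Message consumer: " + consumer.getID() + " does not have required role `" + requiredRole + "` needed to receive message: " + reference.getMessageID());
+}
+return permitted;
+}
+
+private Subject getSubject(ConsumerInfo consumer) {
+final ActiveMQServer activeMQServer = server.get();
+final SecurityStore securityStore = activeMQServer.getSecurityStore();
+ServerSession session = activeMQServer.getSessionByID(consumer.getSessionName());
+return securityStore.getSessionSubject(session);
+}
+
+}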
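Review bot: `getSubject` dereferences `server.get()` and the result of `getSessionByID` without a null check, so once `unregistered` has cleared the reference, or if the consumer's session is no longer registered, `canAccept` would surface a NullPointerException instead of the deny that the existing `subject == null` branch already provides. Returning null from the helper in both cases keeps the fail-closed path intact: `if (activeMQServer == null) { return null; }` directly after `server.get()`, and `if (session == null) { return null; }` directly after the `getSessionByID` call. Separately, the class carries no Javadoc; it should state that the required role is taken from a producer-supplied message property (`requiredRole` by default, overridable through the `ROLE_PROPERTY` plugin property) and that a message without that property is delivered to any consumer, so the check is only as strong as the producers that set the property. Whether `getSessionByID` can return null for a departed session is inferred from its name rather than visible in this hunk.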
134 changes: 134 additions & 0 deletions
134
examples/features/standard/broker-msg-auth-plugin/pom.xml
@@ -0,0 +1,134 @@ | ||
<?xml version='1.0'?> | ||
<!-- | ||
Licensed to the Apache Software Foundation (ASF) under one | ||
or more contributor license agreements. See the NOTICE file | ||
distributed with this work for additional information | ||
regarding copyright ownership. The ASF licenses this file | ||
to you under the Apache License, Version 2.0 (the | ||
"License"); you may not use this file except in compliance | ||
with the License. You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, | ||
software distributed under the License is distributed on an | ||
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
KIND, either express or implied. See the License for the | ||
specific language governing permissions and limitations | ||
under the License. | ||
--> | ||
|
||
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> | ||
<modelVersion>4.0.0</modelVersion> | ||
|
||
<parent> | ||
<groupId>org.apache.activemq.examples.broker</groupId> | ||
<artifactId>jms-examples</artifactId> | ||
<version>2.17.0-SNAPSHOT</version> | ||
</parent> | ||
|
||
<artifactId>broker-msg-auth-plugin</artifactId> | ||
<packaging>jar</packaging> | ||
<name>ActiveMQ Artemis Broker Auth Plugin Example</name> | ||
|
||
<properties> | ||
<activemq.basedir>${project.basedir}/../../../..</activemq.basedir> | ||
</properties> | ||
|
||
<dependencies> | ||
<dependency> | ||
<groupId>org.apache.activemq</groupId> | ||
<artifactId>artemis-jms-client-all</artifactId> | ||
<version>${project.version}</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>org.apache.activemq</groupId> | ||
<artifactId>artemis-server</artifactId> | ||
<version>${project.version}</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>org.apache.activemq</groupId> | ||
<artifactId>artemis-amqp-protocol</artifactId> | ||
<version>${project.version}</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>org.apache.qpid</groupId> | ||
<artifactId>qpid-jms-client</artifactId> | ||
<version>${qpid.jms.version}</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>org.apache.activemq</groupId> | ||
<artifactId>artemis-jms-client-all</artifactId> | ||
<version>${project.version}</version> | ||
</dependency> | ||
</dependencies> | ||
|
||
<build> | ||
<plugins> | ||
<plugin> | ||
<groupId>org.apache.activemq</groupId> | ||
<artifactId>artemis-maven-plugin</artifactId> | ||
<executions> | ||
<execution> | ||
<id>create</id> | ||
<phase>verify</phase> | ||
<configuration> | ||
<!-- The broker plugin will install this library on the server's classpath --> | ||
<libList><arg>org.apache.activemq.examples.broker:broker-msg-auth-plugin:${project.version}</arg></libList> | ||
<ignore>${noServer}</ignore> | ||
</configuration> | ||
<goals> | ||
<goal>create</goal> | ||
</goals> | ||
</execution> | ||
<execution> | ||
<id>start</id> | ||
<goals> | ||
<goal>cli</goal> | ||
</goals> | ||
<configuration> | ||
<spawn>true</spawn> | ||
<ignore>${noServer}</ignore> | ||
<testURI>tcp://localhost:61616</testURI> | ||
<args> | ||
<param>run</param> | ||
</args> | ||
</configuration> | ||
</execution> | ||
<execution> | ||
<id>runClient</id> | ||
<goals> | ||
<goal>runClient</goal> | ||
</goals> | ||
<configuration> | ||
<clientClass>org.apache.activemq.artemis.jms.example.BrokerAuthPluginExample</clientClass> | ||
</configuration> | ||
</execution> | ||
<execution> | ||
<id>stop</id> | ||
<goals> | ||
<goal>cli</goal> | ||
</goals> | ||
<configuration> | ||
<ignore>${noServer}</ignore> | ||
<args> | ||
<param>stop</param> | ||
</args> | ||
</configuration> | ||
</execution> | ||
</executions> | ||
<dependencies> | ||
<dependency> | ||
<groupId>org.apache.activemq.examples.broker</groupId> | ||
<artifactId>broker-msg-auth-plugin</artifactId> | ||
<version>${project.version}</version> | ||
</dependency> | ||
</dependencies> | ||
</plugin> | ||
<plugin> | ||
<groupId>org.apache.maven.plugins</groupId> | ||
<artifactId>maven-clean-plugin</artifactId> | ||
</plugin> | ||
</plugins> | ||
</build> | ||
</project> |
@@ -0,0 +1,5 @@ | ||
# Broker Plugin Example | ||
|
||
To run the example, simply type **mvn verify** from this directory, or **mvn -PnoServer verify** if you want to start and create the broker manually. | ||
|
||
This example shows how a message plugin can be used to filter message sent to a consumer depending on that consumers roles. Credentials for a user are by default invalidated every 10 seconds so this plugin may cause excessive authentication if used without configuring the security-invalidation-interval limit appropriately. |