Package org.apache.activemq.shiro.authz

Class DestinationActionPermissionResolver

java.lang.Object
org.apache.activemq.shiro.authz.DestinationActionPermissionResolver
All Implemented Interfaces:
ActionPermissionResolver
public class DestinationActionPermissionResolver extends Object implements ActionPermissionResolver
A DestinationActionPermissionResolver inspects DestinationActions and returns one or more WildcardPermissions that must be granted to a Subject in order for that Subject to perform the action being taken on an ActiveMQDestination.

See the createPermissionString documentation to see what the resulting WildcardPermission instances would look like.

Since:
5.10.0
See Also:

  • Constructor Details

    • DestinationActionPermissionResolver

      public DestinationActionPermissionResolver()

  • Method Details

    • getPermissionStringPrefix

      public String getPermissionStringPrefix()
      Returns the String prefix that should be automatically prepended to a permission String before the String is converted to a WildcardPermission instance. This is convenient if you want to provide a 'scope' or 'namespace' for ActiveMQ Destinations to clearly distinguish ActiveMQ-specific permissions from any others you might assign to user accounts. The default value is null, indicating no prefix will be set by default.

      For example, the default settings might result in permissions Strings that look like this: 

       topic:TEST:create
 temp-queue:MyQueue:remove
 topic:ActiveMQ.Advisory.*:read

      However, if your application has any application-specific permissions that start with the tokens topic, temp-topic, queue, or temp-queue, you wouldn't be able to distinguish between application-specific permissions and those specific to ActiveMQ. In this case you might set the permissionStringPrefix. For example, if you set: resolver.setPermissionStringPrefix("jms");, the above permission strings would look like this: 

       jms:topic:TEST:create
 jms:temp-queue:MyQueue:remove
 jms:topic:ActiveMQ.Advisory.*:read

      Similarly, if the permissionStringPrefix was equal to activeMQ: 

       activeMQ:topic:TEST:create
 activeMQ:temp-queue:MyQueue:remove
 activeMQ:topic:ActiveMQ.Advisory.*:read
      Returns:
      any String prefix that should be automatically prepended to a permission String before the String is converted to a WildcardPermission instance. Useful for namespacing permissions.

    • setPermissionStringPrefix

      public void setPermissionStringPrefix(String permissionStringPrefix)
      Sets the String prefix that should be automatically prepended to a permission String before the String is converted to a WildcardPermission instance. This is convenient if you want to provide a 'scope' or 'namespace' for ActiveMQ Destinations to clearly distinguish ActiveMQ-specific permissions from any others you might assign to user accounts. The default value is null, indicating no prefix will be set by default.

      For example, the default settings might result in permissions Strings that look like this: 

       topic:TEST:create
 temp-queue:MyQueue:remove
 topic:ActiveMQ.Advisory.*:read

      However, if your application has any application-specific permissions that start with the tokens topic, temp-topic, queue, or temp-queue, you wouldn't be able to distinguish between application-specific permissions and those specific to ActiveMQ. In this case you might set the permissionStringPrefix. For example, if you set: resolver.setPermissionStringPrefix("jms");, the above permission strings would look like this: 

       jms:topic:TEST:create
 jms:temp-queue:MyQueue:remove
 jms:topic:ActiveMQ.Advisory.*:read

      Similarly, if the permissionStringPrefix was equal to activeMQ: 

       activeMQ:topic:TEST:create
 activeMQ:temp-queue:MyQueue:remove
 activeMQ:topic:ActiveMQ.Advisory.*:read
      Parameters:
      permissionStringPrefix - any String prefix that should be automatically prepended to a permission String before the String is converted to a WildcardPermission instance. Useful for namespacing permissions.

    • isPermissionStringCaseSensitive

      public boolean isPermissionStringCaseSensitive()
      Returns true if returned WildcardPermission instances should be considered case-sensitive, false otherwise. The default value is true, which is not the normal WildcardPermission default setting. This default was chosen to reflect ActiveMQ's case-sensitive destination names.
      Returns:
      true if returned WildcardPermission instances should be considered case-sensitive, false otherwise.

    • setPermissionStringCaseSensitive

      public void setPermissionStringCaseSensitive(boolean permissionStringCaseSensitive)
      Sets whether returned WildcardPermission instances should be considered case-sensitive. The default value is true, which is not the normal WildcardPermission default setting. This default was chosen to accurately reflect ActiveMQ's case-sensitive destination names.
      Parameters:
      permissionStringCaseSensitive - whether returned WildcardPermission instances should be considered case-sensitive.

    • getPermissions

      public Collection<org.apache.shiro.authz.Permission> getPermissions(Action action)
      Description copied from interface: ActionPermissionResolver
      Returns all Permissions that must be granted to a Subject in order for the Subject to execute the action, or an empty collection if no permissions are required.

      Most implementations will probably return a single Permission, but multiple permissions are possible, especially if the Action represents behavior attempted on a Composite Destination.

      Specified by:
      getPermissions in interface ActionPermissionResolver
      Parameters:
      action - the action attempted
      Returns:
      all Permissions that must be granted to a Subject in order for the Subject to execute the action, or an empty collection if no permissions are required.

    • getPermissions

      protected Collection<org.apache.shiro.authz.Permission> getPermissions(DestinationAction da)

    • createPermissions

      protected Collection<org.apache.shiro.authz.Permission> createPermissions(org.apache.activemq.command.ActiveMQDestination dest, String verb)

    • createPermissionString

      protected String createPermissionString(org.apache.activemq.command.ActiveMQDestination dest, String verb)
      Inspects the specified destination and verb and returns a WildcardPermission-compatible String the represents the action.

      Format

      This implementation returns WildcardPermission strings with the following format: 
       optionalPermissionStringPrefix + destinationType + ':' + destinationPhysicalName + ':' + actionVerb
      where:
      1. optionalPermissionStringPrefix is the permissionStringPrefix followed by a colon delimiter (':'). This is only present if the permissionStringPrefix has been specified and is non-null
      2. destinationType is one of the following four string tokens:
        • topic
        • temp-topic
        • queue
        • temp-queue
        based on whether the destination is a topic, temporary topic, queue, or temporary queue (respectively).
      3. destinationPhysicalName is destination.getPhysicalName()
      4. actionVerb is action.getVerb()

      Examples

      With the default settings (no permissionStringPrefix), this might produce strings that look like the following: 
       topic:TEST:create
 temp-queue:MyTempQueue:remove
 queue:ActiveMQ.Advisory.*:read
      If permissionStringPrefix was set to jms, the above examples would look like this: 
       jms:topic:TEST:create
 jms:temp-queue:MyTempQueue:remove
 jms:queue:ActiveMQ.Advisory.*:read
      Parameters:
      dest - the destination to inspect and convert to a WildcardPermission string.
      verb - the behavior taken on the destination
      Returns:
      a WildcardPermission string that represents the specified action.
      See Also:

    • createPermission

      protected org.apache.shiro.authz.Permission createPermission(String permissionString)