org.apache.activemq.shiro.authz

Class DestinationActionPermissionResolver

java.lang.Object

org.apache.activemq.shiro.authz.DestinationActionPermissionResolver

All Implemented Interfaces:

ActionPermissionResolver

public class DestinationActionPermissionResolver
extends java.lang.Object
implements ActionPermissionResolver

A DestinationActionPermissionResolver inspects DestinationActions and returns one or more WildcardPermissions that must be granted to a Subject in order for that Subject to perform the action being taken on an ActiveMQDestination.

See the createPermissionString documentation to see what the resulting WildcardPermission instances would look like.

Since:

5.10.0

See Also:

), setPermissionStringPrefix(String)

Constructor Summary

Constructors

Constructor and Description
DestinationActionPermissionResolver()

Method Summary

Methods

Modifier and Type	Method and Description
protected org.apache.shiro.authz.Permission	createPermission(java.lang.String permissionString)
protected java.util.Collection<org.apache.shiro.authz.Permission>	createPermissions(ActiveMQDestination dest, java.lang.String verb)
protected java.lang.String	createPermissionString(ActiveMQDestination dest, java.lang.String verb) Inspects the specified destination and verb and returns a WildcardPermission-compatible String the represents the action.
java.util.Collection<org.apache.shiro.authz.Permission>	getPermissions(Action action) Returns all Permissions that must be granted to a Subject in order for the Subject to execute the action, or an empty collection if no permissions are required.
protected java.util.Collection<org.apache.shiro.authz.Permission>	getPermissions(DestinationAction da)
java.lang.String	getPermissionStringPrefix() Returns the String prefix that should be automatically prepended to a permission String before the String is converted to a WildcardPermission instance.
boolean	isPermissionStringCaseSensitive() Returns true if returned WildcardPermission instances should be considered case-sensitive, false otherwise.
void	setPermissionStringCaseSensitive(boolean permissionStringCaseSensitive) Sets whether returned WildcardPermission instances should be considered case-sensitive.
void	setPermissionStringPrefix(java.lang.String permissionStringPrefix) Sets the String prefix that should be automatically prepended to a permission String before the String is converted to a WildcardPermission instance.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DestinationActionPermissionResolver

public DestinationActionPermissionResolver()

Method Detail

getPermissionStringPrefix

public java.lang.String getPermissionStringPrefix()

Returns the String prefix that should be automatically prepended to a permission String before the String is converted to a WildcardPermission instance. This is convenient if you want to provide a 'scope' or 'namespace' for ActiveMQ Destinations to clearly distinguish ActiveMQ-specific permissions from any others you might assign to user accounts. The default value is null, indicating no prefix will be set by default.

For example, the default settings might result in permissions Strings that look like this:

 topic:TEST:create
 temp-queue:MyQueue:remove
 topic:ActiveMQ.Advisory.*:read
 

However, if your application has any application-specific permissions that start with the tokens topic, temp-topic, queue, or temp-queue, you wouldn't be able to distinguish between application-specific permissions and those specific to ActiveMQ. In this case you might set the permissionStringPrefix. For example, if you set: resolver.setPermissionStringPrefix("jms");, the above permission strings would look like this:

 jms:topic:TEST:create
 jms:temp-queue:MyQueue:remove
 jms:topic:ActiveMQ.Advisory.*:read
 

Similarly, if the permissionStringPrefix was equal to activeMQ:

 activeMQ:topic:TEST:create
 activeMQ:temp-queue:MyQueue:remove
 activeMQ:topic:ActiveMQ.Advisory.*:read
 

Returns:

any String prefix that should be automatically prepended to a permission String before the String is converted to a WildcardPermission instance. Useful for namespacing permissions.

setPermissionStringPrefix

public void setPermissionStringPrefix(java.lang.String permissionStringPrefix)

Sets the String prefix that should be automatically prepended to a permission String before the String is converted to a WildcardPermission instance. This is convenient if you want to provide a 'scope' or 'namespace' for ActiveMQ Destinations to clearly distinguish ActiveMQ-specific permissions from any others you might assign to user accounts. The default value is null, indicating no prefix will be set by default.

For example, the default settings might result in permissions Strings that look like this:

 topic:TEST:create
 temp-queue:MyQueue:remove
 topic:ActiveMQ.Advisory.*:read
 

However, if your application has any application-specific permissions that start with the tokens topic, temp-topic, queue, or temp-queue, you wouldn't be able to distinguish between application-specific permissions and those specific to ActiveMQ. In this case you might set the permissionStringPrefix. For example, if you set: resolver.setPermissionStringPrefix("jms");, the above permission strings would look like this:

 jms:topic:TEST:create
 jms:temp-queue:MyQueue:remove
 jms:topic:ActiveMQ.Advisory.*:read
 

Similarly, if the permissionStringPrefix was equal to activeMQ:

 activeMQ:topic:TEST:create
 activeMQ:temp-queue:MyQueue:remove
 activeMQ:topic:ActiveMQ.Advisory.*:read
 

Parameters:

permissionStringPrefix - any String prefix that should be automatically prepended to a permission String before the String is converted to a WildcardPermission instance. Useful for namespacing permissions.

isPermissionStringCaseSensitive

public boolean isPermissionStringCaseSensitive()

Returns true if returned WildcardPermission instances should be considered case-sensitive, false otherwise. The default value is true, which is not the normal WildcardPermission default setting. This default was chosen to reflect ActiveMQ's case-sensitive destination names.

Returns:

true if returned WildcardPermission instances should be considered case-sensitive, false otherwise.

setPermissionStringCaseSensitive

public void setPermissionStringCaseSensitive(boolean permissionStringCaseSensitive)

Sets whether returned WildcardPermission instances should be considered case-sensitive. The default value is true, which is not the normal WildcardPermission default setting. This default was chosen to accurately reflect ActiveMQ's case-sensitive destination names.

Parameters:

permissionStringCaseSensitive - whether returned WildcardPermission instances should be considered case-sensitive.

getPermissions

public java.util.Collection<org.apache.shiro.authz.Permission> getPermissions(Action action)

Description copied from interface: ActionPermissionResolver

Returns all Permissions that must be granted to a Subject in order for the Subject to execute the action, or an empty collection if no permissions are required.

Most implementations will probably return a single Permission, but multiple permissions are possible, especially if the Action represents behavior attempted on a Composite Destination.

Specified by:

getPermissions in interface ActionPermissionResolver

Parameters:

action - the action attempted

Returns:

all Permissions that must be granted to a Subject in order for the Subject to execute the action, or an empty collection if no permissions are required.

getPermissions

protected java.util.Collection<org.apache.shiro.authz.Permission> getPermissions(DestinationAction da)

createPermissions

protected java.util.Collection<org.apache.shiro.authz.Permission> createPermissions(ActiveMQDestination dest,
                                                                        java.lang.String verb)

createPermissionString

protected java.lang.String createPermissionString(ActiveMQDestination dest,
                                      java.lang.String verb)

Inspects the specified destination and verb and returns a WildcardPermission-compatible String the represents the action.

Format

This implementation returns WildcardPermission strings with the following format:

 optionalPermissionStringPrefix + destinationType + ':' + destinationPhysicalName + ':' + actionVerb
 

where:

1. optionalPermissionStringPrefix is the permissionStringPrefix followed by a colon delimiter (':'). This is only present if the permissionStringPrefix has been specified and is non-null
2. destinationType is one of the following four string tokens:
   • topic
   • temp-topic
   • queue
   • temp-queue
   based on whether the destination is a topic, temporary topic, queue, or temporary queue (respectively).
3. destinationPhysicalName is destination.getPhysicalName()
4. actionVerb is action.getVerb()

Examples

With the default settings (no permissionStringPrefix), this might produce strings that look like the following:

 topic:TEST:create
 temp-queue:MyTempQueue:remove
 queue:ActiveMQ.Advisory.*:read
 

If permissionStringPrefix was set to jms, the above examples would look like this:

 jms:topic:TEST:create
 jms:temp-queue:MyTempQueue:remove
 jms:queue:ActiveMQ.Advisory.*:read
 

Parameters:

dest - the destination to inspect and convert to a WildcardPermission string.

verb - the behavior taken on the destination

Returns:

a WildcardPermission string that represents the specified action.

See Also:

getPermissionStringPrefix() for more on why you might want to set this value

createPermission

protected org.apache.shiro.authz.Permission createPermission(java.lang.String permissionString)