Unwanted caching of authorization results

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Unwanted caching of authorization results

Vince Cole
This post was updated on .
It would appear that org.apache.activemq.security.AuthorizationBroker uses
SecurityContext in some way to cache the results of authorization.

This means if I have a dynamic map (i.e. the permissions could change from
one 'send' request to the next, for any destination) the dynamic nature is
lost due to caching.

Can the caching be disabled or circumvented in any way? I would like the
AuthorizationBroker (or my equivalent of it) to check the map EVERY time.

Thanks
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Unwanted caching of authorization results

Vince Cole
This post was updated on .
Sorry, forgot to say:
I am using ActiveMQ 5.14.0 and developing my own plugins.
Trying to write a plugin to deliver same functionality as AuthorizationMap, but as a proper plugin (i.e. using BrokerFilter, etc) so it can read a few bean properties from activemq.xml on startup.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Unwanted caching of authorization results

Vince Cole
OK, so I am answering my own question here (instead of just deleting it all) in case it might be of help to  someone...

I have solved it by doing the following:
* decorate the class SecurityContext
* in the decorator, override method getAuthorizedWriteDests
* in that method, always return an empty map
* ensure that map remains empty (in spite of AuthorizationBroker.send invoking map.put) by overriding that instance of the map's put method (to make it do nothing)
* extend AuthorizationBroker
* in the subclass, override method checkSecurityContext
* in that method, instead of returning the SecurityContext, return an instance of the decorator

Feels a bit hacky o_O
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Unwanted caching of authorization results

Tim Bain
Thanks for giving this guidance for anyone who wants to do this in the
future.

If you'd like to have a less hacky (i.e. config file based) way to do this
in a future version of ActiveMQ, please submit an enhancement request in
JIRA. If you do, please copy and paste the workaround you just described so
that anyone on a version before the enhancement is implemented knows how to
use the hacky approach.

Tim

On Apr 7, 2017 3:28 AM, "Vince Cole" <[hidden email]> wrote:

OK, so I am answering my own question here (instead of just deleting it all)
in case it might be of help to  someone...

I have solved it by doing the following:
* decorate the class SecurityContext
* in the decorator, override method getAuthorizedWriteDests
* in that method, always return an empty map
* ensure that map remains empty (in spite of AuthorizationBroker.send
invoking map.put) by overriding that instance of the map's put method (to
make it do nothing)
* extend AuthorizationBroker
* in the subclass, override method checkSecurityContext
* in that method, instead of returning the SecurityContext, return an
instance of the decorator

Feels a bit hacky o_O



--
View this message in context: http://activemq.2283324.n4.
nabble.com/Unwanted-caching-of-authorization-results-tp4724676p4724707.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
Loading...