Java authorization plugins has been edited by Aidan Skinner (Feb 05, 2009).


Content:

It would be useful to provide pluggable authorization mechanisms.

A SecurityManager interface would collect all the available plugins from OSGi and present a singleton interface to frame handlers and JMX methods.

Methods such as boolean allowAccess(Session session, VirtualHost host) or boolean allowBind(Session session, Exchange exch, String routingkey, Queue queue) would be called and return true or false depending on whether the action was allowed. Each plugin would be processed until one returned false, at which point access would be denied. If all plugins allowed access, true would be returned.

This would allow arbitrary and custom authorization mechanisms to be plugged into the broker, potentially including things like restricting access by IP address or looking up information in LDAP, or even capriciously allowing or denying access based on a PRNG.

At broker startup, each child tag in the <broker><security> section of the server configuration would be parsed and each plugin queried as to whether it supported that tag. Plugins that did would be added to the list of global plugins.

When a virtualhost is instantiated, the <security> section of the virtualhost's configuration would be parsed; the relevant plugins would be passed that configuration section and added to a per-virtualhost list of plugins in the security manager.

When evaluating the plugins, the virtualhost specific plugins would be evaluated first, then the global list of plugins.
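The evaluation order and deny-on-first-false rule described above, as an added sketch that is not Qpid's own code. SecurityManagerSketch, AuthPlugin and the Session and VirtualHost records are hypothetical stand-ins, and treating a plugin that throws as a denial is an assumption the page does not state.

```java
import java.util.*;

public class SecurityManagerSketch {
    // Hypothetical stand-ins for the broker's Session and VirtualHost types.
    record Session(String user, String remoteIp) {}
    record VirtualHost(String name) {}

    // One decision method from the proposal; allowBind etc. would follow the same pattern.
    interface AuthPlugin { boolean allowAccess(Session s, VirtualHost h); }

    private final List<AuthPlugin> global = new ArrayList<>();
    private final Map<String, List<AuthPlugin>> perHost = new HashMap<>();

    void addGlobal(AuthPlugin p) { global.add(p); }
    void addForHost(VirtualHost h, AuthPlugin p) {
        perHost.computeIfAbsent(h.name(), k -> new ArrayList<>()).add(p);
    }

    // Virtualhost-specific plugins are evaluated first, then the global list;
    // the first plugin that returns false denies the action.
    boolean allowAccess(Session s, VirtualHost h) {
        List<AuthPlugin> chain = new ArrayList<>(perHost.getOrDefault(h.name(), List.of()));
        chain.addAll(global);
        for (AuthPlugin p : chain) {
            try {
                if (!p.allowAccess(s, h)) return false;
            } catch (RuntimeException e) {
                return false; // assumption: a failing plugin (e.g. LDAP unreachable) denies
            }
        }
        // Every plugin allowed. Also reached when no plugin is configured at all,
        // so an empty <security> section means allow-all under the stated rule.
        return true;
    }

    public static void main(String[] args) {
        SecurityManagerSketch sm = new SecurityManagerSketch();
        VirtualHost test = new VirtualHost("test"), dev = new VirtualHost("dev");
        sm.addGlobal((s, h) -> !s.user().equals("guest"));              // constructed global rule
        sm.addForHost(test, (s, h) -> s.remoteIp().startsWith("10.")); // constructed per-host IP rule
        sm.addForHost(dev, (s, h) -> { throw new IllegalStateException("directory unreachable"); });

        Session onNet = new Session("alice", "10.0.0.5"), offNet = new Session("alice", "192.0.2.7");
        System.out.println("on-net user, test vhost:  " + sm.allowAccess(onNet, test));
        System.out.println("off-net user, test vhost: " + sm.allowAccess(offNet, test));
        System.out.println("guest, test vhost:        " + sm.allowAccess(new Session("guest", "10.0.0.5"), test));
        System.out.println("plugin throws, dev vhost: " + sm.allowAccess(onNet, dev));
        System.out.println("no plugins configured:    " + new SecurityManagerSketch().allowAccess(offNet, test));
    }
}
```

The last case shows the consequence of "if all plugins allowed access, true would be returned": a broker with no plugins loaded allows everything, so a deployment that wants default-deny needs at least one plugin that enforces it.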

To preserve backwards compatibility, the SimpleXml plugin will be added by the virtualhost if it encounters a <security_access_list> element outside of the <security> section of a virtualhost's configuration.

--------------------------------------------------------------------- Apache Qpid - AMQP Messaging Implementation Project: http://qpid.apache.org Use/Interact: mailto:commits-subscr...@qpid.apache.org
