[ https://issues.apache.org/jira/browse/QPID-7935?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Keith Wall updated QPID-7935:
-----------------------------
    Fix Version/s:     (was: qpid-java-broker-7.0.0)

> [Java Broker] [ACL] Allow legacy ACL rule set to specify a default result of defer
> ----------------------------------------------------------------------------------
>
>                 Key: QPID-7935
>                 URL: https://issues.apache.org/jira/browse/QPID-7935
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Keith Wall
>
> When access control providers are installed at both the Broker and
> VirtualHost, the one at the VirtualHost needs to DEFER if no decision is made
> about an access decision. This gives the Broker's access control provider
> the opportunity to make a decision instead.
>
> Currently, the legacy ACL file format supports a CONFIG directive that allows
> the default result of the ruleset to be configured to be {{ALLOW}} or
> {{DENY}}, but not {{DEFER}}. If no CONFIG directive is specified the default
> result is always {{DENY}}.
>
> If the user is using RuleBasedVirtualHostAccessControlProvider#loadFromFile
> to populate their virtualhost rule-set, the user has to additionally
> remember to reset the {{defaultResult}} to {{DEFER}}, otherwise the
> co-operation between Broker/VirtualHost will be broken.
>
> If the legacy ACL file format were to allow a CONFIG value of DEFER, then
> this would eliminate the extra step.
>
> The suggested changes:
> # Change the legacy ACL file format to allow CONFIG to specify a default
> result of DEFER.
> # Improve AbstractCommonRuleBasedAccessControlProvider#extractRules so that
> it writes a CONFIG directive within the default result, if it is not the
> default.
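The Broker/VirtualHost co-operation described in the issue, as an added example: this is a simplified model, not Qpid code. `RuleSet`, `authorise`, the tuple rule syntax and the sample users are hypothetical, and denying when both levels defer is an assumption of the model.

```python
from enum import Enum


class Result(Enum):
    ALLOW = "ALLOW"
    DENY = "DENY"
    DEFER = "DEFER"


class RuleSet:
    """Ordered rules plus the result returned when no rule matches."""

    def __init__(self, rules, default_result=Result.DENY):
        # rules: (user, action, object, Result); "*" is a wildcard.
        # This tuple form is constructed for the model, not the ACL file syntax.
        self.rules = rules
        self.default_result = default_result  # DENY mirrors "no CONFIG directive"

    def check(self, user, action, obj):
        for r_user, r_action, r_obj, outcome in self.rules:
            pairs = ((r_user, user), (r_action, action), (r_obj, obj))
            if all(pattern in ("*", value) for pattern, value in pairs):
                return outcome
        return self.default_result


def authorise(vhost, broker, user, action, obj):
    """Ask the VirtualHost rule set first; ask the Broker only on DEFER."""
    result = vhost.check(user, action, obj)
    if result is Result.DEFER:
        result = broker.check(user, action, obj)
    # Assumption of this model: if every level defers, fail closed.
    return Result.DENY if result is Result.DEFER else result


# Constructed sample rules: the Broker grants "ops" everything,
# the VirtualHost only knows about "app" consuming from "orders".
BROKER = RuleSet([("ops", "*", "*", Result.ALLOW)])
VHOST_RULES = [("app", "CONSUME", "orders", Result.ALLOW)]

# Rule set loaded with the default left at DENY: the Broker is never consulted.
vhost_default_deny = RuleSet(VHOST_RULES)
# Same rules with the default reset to DEFER: unmatched requests reach the Broker.
vhost_default_defer = RuleSet(VHOST_RULES, default_result=Result.DEFER)

if __name__ == "__main__":
    for vhost in (vhost_default_deny, vhost_default_defer):
        print(vhost.default_result.name,
              authorise(vhost, BROKER, "ops", "CONSUME", "orders").name)
```

With the default left at DENY, the Broker-level grant for `ops` is silently overridden by the VirtualHost rule set, which is the broken co-operation the issue describes.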