[ https://issues.apache.org/jira/browse/QPID-7935?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alex Rudyy resolved QPID-7935.
------------------------------
    Resolution: Fixed

The changes look good to me

> [Java Broker] [ACL] Allow legacy ACL rule set to specify a default result of defer
> ----------------------------------------------------------------------------------
>
>                 Key: QPID-7935
>                 URL: https://issues.apache.org/jira/browse/QPID-7935
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Keith Wall
>            Assignee: Keith Wall
>             Fix For: qpid-java-broker-7.0.0
>
>
> When access control providers are installed at both the Broker and
> VirtualHost, the one at the VirtualHost needs to DEFER if no decision is made
> about an access decision. This gives the Broker's access control provider
> the opportunity to make a decision instead.
> Currently, the legacy ACL file format supports a CONFIG directive that allows
> the default result of the ruleset to be configured as {{ALLOW}} or {{DENY}},
> but not {{DEFER}}. If no CONFIG directive is specified the default result is
> always {{DENY}}.
> If the user is using RuleBasedVirtualHostAccessControlProvider#loadFromFile
> to populate their virtualhost rule-set, the user has to additionally
> remember to reset the {{defaultResult}} to {{DEFER}} otherwise the
> co-operation between Broker/VirtualHost will be broken.
> If the legacy ACL file format were to allow a CONFIG directive specifying
> DEFER, then this would eliminate the extra step.
> The suggested changes:
> # Change the legacy ACL file format to allow CONFIG to specify a default
> result of DEFER.
> # Improve AbstractCommonRuleBasedAccessControlProvider#extractRules so that
> it writes a CONFIG directive within the default result, if it is not the
> default.
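
The Broker/VirtualHost hand-off described in the issue, as an added example that is not Qpid code: a simplified Python model showing what changes when the VirtualHost rule set's default result is DENY rather than DEFER. The names `RuleSet`, `decide` and `compare`, the sample rules, and the refusal when both tiers defer are assumptions of this model.

```python
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    ALLOW = "ALLOW"
    DENY = "DENY"
    DEFER = "DEFER"


@dataclass
class RuleSet:
    """Ordered (user, operation, outcome) rules plus the result used when none match."""
    default_result: Result
    rules: list = field(default_factory=list)

    def check(self, user, operation):
        for rule_user, rule_op, outcome in self.rules:
            if rule_user in (user, "ALL") and rule_op in (operation, "ALL"):
                return outcome
        return self.default_result


def decide(virtualhost, broker, user, operation):
    """Ask the VirtualHost provider first; only a DEFER reaches the Broker provider."""
    result = virtualhost.check(user, operation)
    if result is Result.DEFER:
        result = broker.check(user, operation)
    # Assumption of this model: if both tiers defer, access is refused.
    return Result.DENY if result is Result.DEFER else result


# Constructed sample rules (hypothetical users and operations).
BROKER = RuleSet(Result.DENY, [("ops", "ALL", Result.ALLOW)])
VHOST_RULES = [("app", "PUBLISH", Result.ALLOW), ("guest", "ALL", Result.DENY)]


def compare(user, operation):
    """Final decision with the vhost default left at DENY vs. set to DEFER."""
    legacy = decide(RuleSet(Result.DENY, VHOST_RULES), BROKER, user, operation)
    deferring = decide(RuleSet(Result.DEFER, VHOST_RULES), BROKER, user, operation)
    return legacy, deferring


if __name__ == "__main__":
    for user, op in [("app", "PUBLISH"), ("ops", "CONSUME"), ("guest", "PUBLISH")]:
        legacy, deferring = compare(user, op)
        print(f"{user:5} {op:8} vhost default DENY -> {legacy.value:5} | DEFER -> {deferring.value}")
```

In the model, the `ops` request never reaches the Broker rule that allows it while the VirtualHost default stays at DENY; explicit VirtualHost rules give the same outcome under either default.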