The {@code AuthorizationFilter} verifies that actions are allowed before they are actually executed. Such actions include creating, removing, reading from and writing to destinations.
This implementation is strictly permission-based, allowing for the finest-grained security policies possible. Whenever a {@link Subject} associated with a connection attempts to perform an {@link org.apache.activemq.shiro.authz.Action} (such as creating a destination, or reading from a queue, etc.), one or more {@link Permission}s representing that {@code action} are checked.
If the {@code Subject} {@link Subject#isPermitted(org.apache.shiro.authz.Permission) isPermitted} to perform the {@code action}, the action is allowed to execute and the broker filter chain executes uninterrupted.
However, if the {@code Subject} is not permitted to perform the action, an {@link UnauthorizedException} will be thrown, preventing the filter chain from executing that action.
ActionPermissionResolver
The attempted {@code Action} is guarded by one or more {@link Permission}s as indicated by a configurable {@link #setActionPermissionResolver(org.apache.activemq.shiro.authz.ActionPermissionResolver) actionPermissionResolver}. The {@code actionPermissionResolver} indicates which permissions must be granted to the connection {@code Subject} in order for the action to execute.
The default {@code actionPermissionResolver} instance is a {@link org.apache.activemq.shiro.authz.DestinationActionPermissionResolver DestinationActionPermissionResolver}, which indicates which permissions are required to perform any action on a particular destination. Those familiar with Shiro's {@link org.apache.shiro.authz.permission.WildcardPermission WildcardPermission} syntax will find the {@code DestinationActionPermissionResolver}'s {@link org.apache.activemq.shiro.authz.DestinationActionPermissionResolver#createPermissionString createPermissionString} method documentation valuable for understanding how destination actions are represented as permissions.
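The check described above, modelled with Shiro's {@code WildcardPermission} alone and no broker or {@code Subject}; this is an added example, not code from ActiveMQ. The class name, the grants, and the {@code destinationType:destinationName:actionVerb} part layout are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.authz.permission.WildcardPermission;

public class DestinationPermissionDemo {

    // Constructed grants for one hypothetical connection Subject.
    // Assumed part layout: destinationType:destinationName:actionVerb
    static final List<Permission> GRANTED = Arrays.<Permission>asList(
            new WildcardPermission("queue:orders:read,write"),
            new WildcardPermission("topic:*:read"),
            new WildcardPermission("queue:scratch")); // no verb part: implies every verb

    // Deny by default: the action proceeds only if some grant implies the requirement.
    static void assertPermitted(String required) {
        Permission needed = new WildcardPermission(required);
        for (Permission grant : GRANTED) {
            if (grant.implies(needed)) {
                return;
            }
        }
        throw new UnauthorizedException("Subject lacks permission " + required);
    }

    static boolean allowed(String required) {
        try {
            assertPermitted(required);
            return true;
        } catch (UnauthorizedException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String[] checks = {
            "queue:orders:read",    // verb listed in the grant
            "queue:orders:remove",  // verb missing from the grant
            "topic:prices:read",    // wildcard in the destination-name part
            "topic:prices:write",   // wildcard covers the name only, not the verb
            "queue:scratch:remove", // two-part grant covers all verbs
            "queue:ORDERS:write",   // WildcardPermission ignores case by default
            "queue:other:create"    // no matching grant
        };
        for (String c : checks) {
            System.out.println(c + " -> " + (allowed(c) ? "allowed" : "UnauthorizedException"));
        }
    }
}
```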
@see org.apache.activemq.shiro.authz.ActionPermissionResolver
@see org.apache.activemq.shiro.authz.DestinationActionPermissionResolver
@since 5.10.0