| author | Aidan Skinner <aidan@apache.org> | 2009-03-16 16:32:50 +0000 |
|---|---|---|
| committer | Aidan Skinner <aidan@apache.org> | 2009-03-16 16:32:50 +0000 |
| commit | e579e5791a20d45eb99e671f0d4ebfa188377859 (patch) | |
| tree | 0e265a3899077ff7bb4663a5f46efaca5b9e72fe /qpid/java/broker | |
| parent | 6a449af0316b2a73a8c48901bf86e2daa3b27230 (diff) | |
| download | qpid-python-e579e5791a20d45eb99e671f0d4ebfa188377859.tar.gz | |
QPID-1736: Timeout DNS lookups if they take more than 30 seconds.
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@754934 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/broker')
| -rw-r--r-- | qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java | 63 |
1 files changed, 60 insertions, 3 deletions
diff --git a/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java b/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java index 39397966f0..85026121ab 100644 --- a/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java +++ b/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/network/FirewallPlugin.java @@ -25,6 +25,7 @@ import java.net.InetSocketAddress; import java.net.SocketAddress; import java.util.Iterator; import java.util.List; +import java.util.concurrent.atomic.AtomicBoolean; import java.util.regex.Pattern; import org.apache.commons.configuration.CompositeConfiguration; @@ -42,6 +43,8 @@ import org.apache.qpid.util.NetMatcher; public class FirewallPlugin extends AbstractACLPlugin { + public class FirewallPluginException extends Exception {} + public static final ACLPluginFactory FACTORY = new ACLPluginFactory() { public boolean supportsTag(String name) @@ -60,6 +63,7 @@ public class FirewallPlugin extends AbstractACLPlugin public class FirewallRule { + private static final long DNS_TIMEOUT = 30000; private AuthzResult _access; private NetMatcher _network; private Pattern[] _hostnamePatterns; @@ -97,11 +101,15 @@ public class FirewallPlugin extends AbstractACLPlugin return networkStrings; } - public boolean match(InetAddress remote) + public boolean match(InetAddress remote) throws FirewallPluginException { if (_hostnamePatterns != null) { - String hostname = remote.getCanonicalHostName(); + String hostname = getHostname(remote); + if (hostname == null) + { + throw new FirewallPluginException(); + } for (Pattern pattern : _hostnamePatterns) { if (pattern.matcher(hostname).matches()) 
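Review bot: `FirewallPluginException` is declared as a non-static inner class with no constructors, so each instance holds a reference to the enclosing plugin and cannot carry a reason or a cause. Declaring it `public static class FirewallPluginException extends Exception` with a `(String message)` constructor would let `match` say which address failed to resolve in time. `new FirewallPluginException()` inside `FirewallRule` keeps compiling either way.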
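Review bot: The new null check in `match` covers only the timeout case, because `InetAddress.getCanonicalHostName()` returns the textual IP address rather than null when the reverse lookup fails. The entries in `_hostnamePatterns` are then evaluated against an IP literal, so a loosely written hostname pattern can match a peer that has no resolvable name. A comment above the check such as `// null means the lookup timed out; a failed lookup yields the IP literal and is still matched below` would make that visible. Whether an IP-literal result should count as a non-match is a policy decision for the rule author. The body of `match` continues outside the hunk.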
@@ -117,6 +125,48 @@ public class FirewallPlugin extends AbstractACLPlugin } } + /** + * @param remote the InetAddress to look up + * @return the hostname, null if not found or takes longer than 30s to find + */ + private String getHostname(final InetAddress remote) + { + final String[] hostname = new String[]{null}; + final AtomicBoolean done = new AtomicBoolean(false); + // Spawn thread + Thread thread = new Thread(new Runnable() + { + public void run() + { + hostname[0] = remote.getCanonicalHostName(); + done.getAndSet(true); + synchronized (done) + { + done.notifyAll(); + } + } + }); + + thread.run(); + long endTime = System.currentTimeMillis() + DNS_TIMEOUT; + + while (System.currentTimeMillis() < endTime && !done.get()) + { + try + { + synchronized (done) + { + done.wait(endTime - System.currentTimeMillis()); + } + } + catch (InterruptedException e) + { + // Check the time and if necessary sleep for a bit longer + } + } + return hostname[0]; + } + public AuthzResult getAccess() { return _access; @@ -146,7 +196,14 @@ public class FirewallPlugin extends AbstractACLPlugin boolean match = false; for (FirewallRule rule : _rules) { - match = rule.match(addr); + try + { + match = rule.match(addr); + } + catch (FirewallPluginException e) + { + return AuthzResult.DENIED; + } if (match) { return rule.getAccess(); |
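Review bot: `thread.run()` in `getHostname` executes the Runnable on the calling thread, so the reverse lookup still blocks for as long as the resolver takes and the 30 second limit never applies; it needs `thread.start()`. Once the lookup is really asynchronous the wait loop has two further problems: `done` is tested outside the monitor, so the notification can be missed, and `endTime - System.currentTimeMillis()` can reach 0, which `wait` treats as wait-forever. `Thread.join(DNS_TIMEOUT)` replaces the flag and the loop and still returns null on timeout, so the caller keeps failing closed. Each timed-out lookup leaves a thread parked until the resolver answers, so a bounded executor may be worth considering if connection rates are high. The Javadoc's "null if not found" should read "null if the lookup times out", since a failed lookup returns the IP text.

```java
private String getHostname(final InetAddress remote)
{
    final String[] hostname = new String[]{null};
    Thread thread = new Thread(new Runnable()
    {
        public void run()
        {
            hostname[0] = remote.getCanonicalHostName();
        }
    });
    // Daemon so a resolver that never answers cannot hold up broker shutdown
    thread.setDaemon(true);
    thread.start();
    try
    {
        // Returns when the lookup finishes or DNS_TIMEOUT ms have elapsed
        thread.join(DNS_TIMEOUT);
    }
    catch (InterruptedException e)
    {
        // Keep the interrupt status; an unfinished lookup yields null and the caller denies
        Thread.currentThread().interrupt();
    }
    return hostname[0];
}
```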
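Review bot: The `catch (FirewallPluginException e)` branch returns `AuthzResult.DENIED` without recording anything, so a connection refused because DNS was slow cannot be told apart from one refused by a rule. A warning-level log entry naming `addr` in that catch would give operators something to alert on; no logger is visible in this hunk, so this assumes the class has one. Failing closed here also skips any later network-only rule that might have allowed the peer, which deserves a comment such as `// fail closed: a timed-out lookup denies even if a later rule would allow`. The enclosing method starts and ends outside the hunk.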
