Posted to commits@qpid.apache.org by rg...@apache.org on 2016/01/12 17:21:59 UTC
svn commit: r1724277 - in /qpid/java/branches/6.0.x: ./
broker-core/src/main/java/org/apache/qpid/server/security/auth/database/
broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/
broker-core/src/main/java/org/apache/qpid/server/se...
Author: rgodfrey
Date: Tue Jan 12 16:21:59 2016
New Revision: 1724277
URL: http://svn.apache.org/viewvc?rev=1724277&view=rev
Log:
QPID-6967 : Merge to 6.0.x
Added:
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSource.java
- copied unchanged from r1722339, qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSource.java
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSourceAdapter.java
- copied unchanged from r1722339, qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServerSourceAdapter.java
Modified:
qpid/java/branches/6.0.x/ (props changed)
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/AbstractPasswordFilePrincipalDatabase.java
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ScramSHA1AuthenticationManager.java
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ScramSHA256AuthenticationManager.java
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java
Propchange: qpid/java/branches/6.0.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue Jan 12 16:21:59 2016
@@ -9,5 +9,5 @@
/qpid/branches/java-broker-vhost-refactor/java:1493674-1494547
/qpid/branches/java-network-refactor/qpid/java:805429-821809
/qpid/branches/qpid-2935/qpid/java:1061302-1072333
-/qpid/java/trunk:1715445-1715447,1715586,1715940,1716086-1716087,1716127-1716128,1716141,1716153,1716155,1716194,1716204,1716209,1716227,1716277,1716357,1716368,1716370,1716374,1716432,1716444-1716445,1716455,1716461,1716474,1716489,1716497,1716515,1716555,1716602,1716606-1716610,1716619,1716636,1717269,1717299,1717401,1717446,1717449,1717626,1717691,1717735,1717780,1718744,1719047,1719051,1720664,1721151,1721198,1723064,1724257
+/qpid/java/trunk:1715445-1715447,1715586,1715940,1716086-1716087,1716127-1716128,1716141,1716153,1716155,1716194,1716204,1716209,1716227,1716277,1716357,1716368,1716370,1716374,1716432,1716444-1716445,1716455,1716461,1716474,1716489,1716497,1716515,1716555,1716602,1716606-1716610,1716619,1716636,1717269,1717299,1717401,1717446,1717449,1717626,1717691,1717735,1717780,1718744,1719047,1719051,1720664,1721151,1721198,1722339,1723064,1724257
/qpid/trunk/qpid:796646-796653
Modified: qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/AbstractPasswordFilePrincipalDatabase.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/AbstractPasswordFilePrincipalDatabase.java?rev=1724277&r1=1724276&r2=1724277&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/AbstractPasswordFilePrincipalDatabase.java (original)
+++ qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/AbstractPasswordFilePrincipalDatabase.java Tue Jan 12 16:21:59 2016
@@ -102,8 +102,7 @@ public abstract class AbstractPasswordFi
/**
- * Looks up the password for a specified user in the password file. Note this code is <b>not</b> secure since it
- * creates strings of passwords. It should be modified to create only char arrays which get nulled out.
+ * Looks up the password for a specified user in the password file.
*
* @param name The principal name to lookup
*
Modified: qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java?rev=1724277&r1=1724276&r2=1724277&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java (original)
+++ qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java Tue Jan 12 16:21:59 2016
@@ -36,9 +36,13 @@ import javax.security.sasl.SaslServer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.apache.qpid.server.security.auth.manager.ScramSHA1AuthenticationManager;
+import org.apache.qpid.server.security.auth.manager.ScramSHA256AuthenticationManager;
import org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5Initialiser;
import org.apache.qpid.server.security.auth.sasl.plain.PlainInitialiser;
import org.apache.qpid.server.security.auth.sasl.plain.PlainSaslServer;
+import org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServer;
+import org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServerSourceAdapter;
/**
* Represents a user database where the account information is stored in a simple flat file.
@@ -53,18 +57,40 @@ public class PlainPasswordFilePrincipalD
private final Logger _logger = LoggerFactory.getLogger(PlainPasswordFilePrincipalDatabase.class);
private final Map<String, CallbackHandler> _callbackHandlerMap = new HashMap<String, CallbackHandler>();
private final List<String> _mechanisms = Collections.unmodifiableList(Arrays.asList(PlainSaslServer.MECHANISM,
- CRAMMD5Initialiser.MECHANISM));
+ CRAMMD5Initialiser.MECHANISM,
+ ScramSHA1AuthenticationManager.MECHANISM,
+ ScramSHA256AuthenticationManager.MECHANISM));
+ private final ScramSaslServerSourceAdapter _scramSha1Adapter;
+ private final ScramSaslServerSourceAdapter _scramSha256Adapter;
+
public PlainPasswordFilePrincipalDatabase()
{
PlainInitialiser plainInitialiser = new PlainInitialiser();
plainInitialiser.initialise(this);
_callbackHandlerMap.put(PlainSaslServer.MECHANISM, plainInitialiser.getCallbackHandler());
+ _callbackHandlerMap.put(ScramSHA1AuthenticationManager.MECHANISM, plainInitialiser.getCallbackHandler());
+ _callbackHandlerMap.put(ScramSHA256AuthenticationManager.MECHANISM, plainInitialiser.getCallbackHandler());
+
CRAMMD5Initialiser crammd5Initialiser = new CRAMMD5Initialiser();
crammd5Initialiser.initialise(this);
_callbackHandlerMap.put(CRAMMD5Initialiser.MECHANISM, crammd5Initialiser.getCallbackHandler());
+ ScramSaslServerSourceAdapter.PasswordSource passwordSource =
+ new ScramSaslServerSourceAdapter.PasswordSource()
+ {
+ @Override
+ public char[] getPassword(final String username)
+ {
+ return lookupPassword(username);
+ }
+ };
+
+ _scramSha1Adapter = new ScramSaslServerSourceAdapter(4096, "HmacSHA1", passwordSource);
+ _scramSha256Adapter = new ScramSaslServerSourceAdapter(4096, "HmacSHA256", passwordSource);
+
+
}
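Review bot: The HMAC names and the 4096 iteration count are repeated as bare literals at the adapter construction here and again in the createSaslServer branches of the @@ -135 hunk, and the two sites must agree for the adapter and ScramSaslServer to derive the same keys; define them once, e.g. `private static final int SCRAM_ITERATION_COUNT = 4096;` and `private static final String SCRAM_SHA1_HMAC = "HmacSHA1";`, and pass the same constants to both. The entries `_callbackHandlerMap.put(ScramSHA1AuthenticationManager.MECHANISM, plainInitialiser.getCallbackHandler())` appear to exist only so the null check in createSaslServer accepts the mechanism, since the SCRAM branches ignore the handler and use the adapters; a comment saying so, or testing membership in `_mechanisms` instead of the map, would stop a reader assuming PLAIN callbacks are used for SCRAM. The anonymous PasswordSource passes whatever `lookupPassword` returns straight through, and whether the adapter copes with a null result for an unknown user is not visible in this commit; it is worth confirming so that an unknown user fails the handshake the same way a wrong password does rather than with an unexpected exception.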
@@ -120,7 +146,7 @@ public class PlainPasswordFilePrincipalD
@Override
public SaslServer createSaslServer(String mechanism, String localFQDN, Principal externalPrincipal) throws SaslException
{
- CallbackHandler callbackHandler = _callbackHandlerMap.get(mechanism);
+ final CallbackHandler callbackHandler = _callbackHandlerMap.get(mechanism);
if(callbackHandler == null)
{
throw new SaslException("Unsupported mechanism: " + mechanism);
@@ -135,7 +161,16 @@ public class PlainPasswordFilePrincipalD
{
return new PlainSaslServer(callbackHandler);
}
+ else if(ScramSHA1AuthenticationManager.MECHANISM.equals(mechanism))
+ {
+ return new ScramSaslServer(_scramSha1Adapter, mechanism, "HmacSHA1", "SHA-1");
+ }
+ else if(ScramSHA256AuthenticationManager.MECHANISM.equals(mechanism))
+ {
+ return new ScramSaslServer(_scramSha256Adapter, mechanism, "HmacSHA256", "SHA-256");
+ }
throw new SaslException("Unsupported mechanism: " + mechanism);
}
+
}
Modified: qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java?rev=1724277&r1=1724276&r2=1724277&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java (original)
+++ qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java Tue Jan 12 16:21:59 2016
@@ -41,10 +41,11 @@ import org.apache.qpid.server.security.a
import org.apache.qpid.server.security.auth.UsernamePrincipal;
import org.apache.qpid.server.security.auth.sasl.plain.PlainAdapterSaslServer;
import org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServer;
+import org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServerSource;
public abstract class AbstractScramAuthenticationManager<X extends AbstractScramAuthenticationManager<X>>
extends ConfigModelPasswordManagingAuthenticationProvider<X>
- implements PasswordCredentialManagingAuthenticationProvider<X>
+ implements PasswordCredentialManagingAuthenticationProvider<X>, ScramSaslServerSource
{
public static final String PLAIN = "PLAIN";
@@ -213,4 +214,46 @@ public abstract class AbstractScramAuthe
throw new IllegalArgumentException("User names are restricted to characters in the ASCII charset");
}
}
+
+ @Override
+ public SaltAndSaltedPassword getSaltAndSaltedPassword(final String username)
+ {
+ final byte[] salt = getSalt(username);
+ byte[] tmpPassword = null;
+ SaslException tmpException = null;
+
+ try
+ {
+ tmpPassword = getSaltedPassword(username);
+ }
+ catch (SaslException e)
+ {
+ tmpException = e;
+ }
+
+ final byte[] saltedPassword = tmpPassword;
+ final SaslException exception = tmpException;
+
+ return new SaltAndSaltedPassword()
+ {
+ @Override
+ public byte[] getSalt()
+ {
+ return salt;
+ }
+
+ @Override
+ public byte[] getSaltedPassword() throws SaslException
+ {
+ if(exception == null)
+ {
+ return saltedPassword;
+ }
+ else
+ {
+ throw exception;
+ }
+ }
+ };
+ }
}
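Review bot: getSaltAndSaltedPassword has no Javadoc, and nothing in the hunk states why salt and salted password are captured together or why the SaslException is held and rethrown from getSaltedPassword() instead of propagating immediately. Presumably the pair is snapshotted so that the server-first message and the later proof check use the same credential even if the user's password changes mid-handshake, and the deferral lets the exchange reach the client-final step before failing; a Javadoc along the lines of `Snapshots the user's salt and salted password at one instant so both SCRAM steps see the same credential; a lookup failure is held and rethrown from getSaltedPassword()` would make that intent verifiable. Note that the holder returns the same array references it was built from, so a caller mutating the returned `salt` or salted password changes what later calls on the holder see; `return salt.clone();` would be a cheap guard if the interface is meant to be shared.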
Modified: qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ScramSHA1AuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ScramSHA1AuthenticationManager.java?rev=1724277&r1=1724276&r2=1724277&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ScramSHA1AuthenticationManager.java (original)
+++ qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ScramSHA1AuthenticationManager.java Tue Jan 12 16:21:59 2016
@@ -34,8 +34,7 @@ public class ScramSHA1AuthenticationMana
public static final String PROVIDER_TYPE = "SCRAM-SHA-1";
private static final String HMAC_NAME = "HmacSHA1";
- static final Charset ASCII = Charset.forName("ASCII");
- private static final String MECHANISM = "SCRAM-SHA-1";
+ public static final String MECHANISM = "SCRAM-SHA-1";
private static final String DIGEST_NAME = "SHA-1";
Modified: qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ScramSHA256AuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ScramSHA256AuthenticationManager.java?rev=1724277&r1=1724276&r2=1724277&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ScramSHA256AuthenticationManager.java (original)
+++ qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ScramSHA256AuthenticationManager.java Tue Jan 12 16:21:59 2016
@@ -34,8 +34,7 @@ public class ScramSHA256AuthenticationMa
public static final String PROVIDER_TYPE = "SCRAM-SHA-256";
private static final String HMAC_NAME = "HmacSHA256";
- static final Charset ASCII = Charset.forName("ASCII");
- private static final String MECHANISM = "SCRAM-SHA-256";
+ public static final String MECHANISM = "SCRAM-SHA-256";
private static final String DIGEST_NAME = "SHA-256";
Modified: qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java?rev=1724277&r1=1724276&r2=1724277&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java (original)
+++ qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java Tue Jan 12 16:21:59 2016
@@ -44,7 +44,7 @@ public class ScramSaslServer implements
private static final Charset ASCII = Charset.forName("ASCII");
- private final AbstractScramAuthenticationManager _authManager;
+ private final ScramSaslServerSource _authManager;
private State _state = State.INITIAL;
private String _nonce;
private String _username;
@@ -52,8 +52,9 @@ public class ScramSaslServer implements
private String _serverFirstMessage;
private String _clientFirstMessageBare;
private byte[] _serverSignature;
+ private ScramSaslServerSource.SaltAndSaltedPassword _saltAndPassword;
- public ScramSaslServer(final AbstractScramAuthenticationManager authenticationManager,
+ public ScramSaslServer(final ScramSaslServerSource authenticationManager,
final String mechanism,
final String hmacName,
final String digestName)
@@ -130,8 +131,8 @@ public class ScramSaslServer implements
_nonce = parts[3].substring(2) + UUID.randomUUID().toString();
int count = _authManager.getIterationCount();
- byte[] saltBytes = _authManager.getSalt(_username);
- _serverFirstMessage = "r="+_nonce+",s="+ DatatypeConverter.printBase64Binary(saltBytes)+",i=" + count;
+ _saltAndPassword = _authManager.getSaltAndSaltedPassword(_username);
+ _serverFirstMessage = "r="+_nonce+",s="+ DatatypeConverter.printBase64Binary(_saltAndPassword.getSalt())+",i=" + count;
return _serverFirstMessage.getBytes(ASCII);
}
@@ -187,7 +188,7 @@ public class ScramSaslServer implements
String authMessage = _clientFirstMessageBare + "," + _serverFirstMessage + "," + clientFinalMessageWithoutProof;
- byte[] saltedPassword = _authManager.getSaltedPassword(_username);
+ byte[] saltedPassword = _saltAndPassword.getSaltedPassword();
byte[] clientKey = computeHmac(saltedPassword, "Client Key");