Posted to commits@qpid.apache.org by lq...@apache.org on 2016/05/31 09:34:33 UTC
svn commit: r1746259 - in /qpid/java/trunk/broker-plugins:
amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/
management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/
Author: lquack
Date: Tue May 31 09:34:33 2016
New Revision: 1746259
URL: http://svn.apache.org/viewvc?rev=1746259&view=rev
Log:
WIP-unification
Modified:
qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0.java
qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/SaslServerProvider.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
Modified: qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0.java?rev=1746259&r1=1746258&r2=1746259&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0.java (original)
+++ qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0.java Tue May 31 09:34:33 2016
@@ -40,6 +40,7 @@ import java.util.concurrent.ConcurrentLi
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicReference;
+import javax.security.auth.Subject;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
@@ -95,7 +96,8 @@ import org.apache.qpid.server.protocol.v
import org.apache.qpid.server.protocol.v1_0.type.transport.Transfer;
import org.apache.qpid.server.security.SubjectCreator;
import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
-import org.apache.qpid.server.security.auth.UsernamePrincipal;
+import org.apache.qpid.server.security.auth.AuthenticationResult;
+import org.apache.qpid.server.security.auth.SubjectAuthenticationResult;
import org.apache.qpid.server.security.auth.manager.AnonymousAuthenticationManager;
import org.apache.qpid.server.security.auth.manager.ExternalAuthenticationManagerImpl;
import org.apache.qpid.server.store.StoreException;
@@ -179,7 +181,7 @@ public class AMQPConnection_1_0 extends
private long _connectionId;
private Container _container;
- private Principal _user;
+ private Subject _subject;
private int _channelMax = DEFAULT_CHANNEL_MAX;
@@ -396,40 +398,7 @@ public class AMQPConnection_1_0 extends
assertState(FrameReceivingState.SASL_RESPONSE_ONLY);
- try
- {
-
- // Process response from the client
- byte[] challenge = _saslServer.evaluateResponse(response != null ? response : new byte[0]);
-
- if (_saslServer.isComplete())
- {
- SaslOutcome outcome = new SaslOutcome();
-
- outcome.setCode(SaslCode.OK);
- send(new SASLFrame(outcome), null);
- _saslComplete = true;
- _user = _saslServerProvider.getAuthenticatedPrincipal(_saslServer);
- _frameReceivingState = FrameReceivingState.AMQP_HEADER;
- }
- else
- {
- SaslChallenge challengeBody = new SaslChallenge();
- challengeBody.setChallenge(new Binary(challenge));
- send(new SASLFrame(challengeBody), null);
-
- }
- }
- catch (SaslException e)
- {
- SaslOutcome outcome = new SaslOutcome();
-
- outcome.setCode(SaslCode.AUTH);
- send(new SASLFrame(outcome), null);
- _saslComplete = true;
- closeSaslWithFailure();
-
- }
+ processClientSASLResponse(response);
}
public AMQPDescribedTypeRegistry getDescribedTypeRegistry()
@@ -789,10 +758,10 @@ public class AMQPConnection_1_0 extends
}
else
{
- final Principal user = _user;
- if (user != null)
+ final Subject subject = _subject;
+ if (subject != null)
{
- setUserPrincipal(user);
+ setSubject(subject);
}
if (AuthenticatedPrincipal.getOptionalAuthenticatedPrincipalFromSubject(getSubject()) == null)
{
@@ -921,11 +890,6 @@ public class AMQPConnection_1_0 extends
_remoteAddress = remoteAddress;
}
- public Principal getUser()
- {
- return _user;
- }
-
public void setProperties(final Map<Symbol, Object> properties)
{
_properties = properties;
@@ -947,41 +911,49 @@ public class AMQPConnection_1_0 extends
try
{
_saslServer = _saslServerProvider.getSaslServer(mechanism, "localhost");
+ processClientSASLResponse(response);
+ }
+ catch (SaslException e)
+ {
+ SaslOutcome outcome = new SaslOutcome();
- // Process response from the client
- byte[] challenge = _saslServer.evaluateResponse(response != null ? response : new byte[0]);
+ outcome.setCode(SaslCode.AUTH);
+ send(new SASLFrame(outcome), null);
+ _saslComplete = true;
- if (_saslServer.isComplete())
- {
- SaslOutcome outcome = new SaslOutcome();
+ closeSaslWithFailure();
- outcome.setCode(SaslCode.OK);
- send(new SASLFrame(outcome), null);
- _saslComplete = true;
- _user = _saslServerProvider.getAuthenticatedPrincipal(_saslServer);
+ }
+ }
- _frameReceivingState = FrameReceivingState.AMQP_HEADER;
+ private void processClientSASLResponse(final byte[] response)
+ {
+ SubjectAuthenticationResult authenticationResult = _subjectCreator.authenticate(_saslServer, response != null ? response : new byte[0]);
- }
- else
- {
- SaslChallenge challengeBody = new SaslChallenge();
- challengeBody.setChallenge(new Binary(challenge));
- send(new SASLFrame(challengeBody), null);
+ if (authenticationResult.getStatus() == AuthenticationResult.AuthenticationStatus.SUCCESS)
+ {
+ SaslOutcome outcome = new SaslOutcome();
+ outcome.setCode(SaslCode.OK);
+ send(new SASLFrame(outcome), null);
+ _saslComplete = true;
+ _subject = authenticationResult.getSubject();
+ _frameReceivingState = FrameReceivingState.AMQP_HEADER;
- _frameReceivingState = FrameReceivingState.SASL_RESPONSE_ONLY;
- }
}
- catch (SaslException e)
+ else if (authenticationResult.getStatus() == AuthenticationResult.AuthenticationStatus.CONTINUE)
+ {
+ SaslChallenge challengeBody = new SaslChallenge();
+ challengeBody.setChallenge(new Binary(authenticationResult.getChallenge()));
+ send(new SASLFrame(challengeBody), null);
+ _frameReceivingState = FrameReceivingState.SASL_RESPONSE_ONLY;
+ }
+ else
{
SaslOutcome outcome = new SaslOutcome();
-
outcome.setCode(SaslCode.AUTH);
send(new SASLFrame(outcome), null);
_saslComplete = true;
-
closeSaslWithFailure();
-
}
}
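Review bot: The new processClientSASLResponse at the end of this hunk has no Javadoc, and its trailing `else` folds every status other than SUCCESS and CONTINUE into an AUTH failure without ever naming ERROR; a `switch` on `authenticationResult.getStatus()` with an explicit `case ERROR` and a failing `default` would make the fail-closed intent visible to the next reader. The CONTINUE branch also hands `authenticationResult.getChallenge()` straight to `new Binary(...)` with no null check, whereas SaslServlet in this same commit guards `challenge != null && challenge.length != 0` — if authenticate can return CONTINUE with a null challenge, confirm Binary tolerates it. I would add above the method: `/** Feeds the client's SASL response through _subjectCreator and sends the matching SASL frame: OK (recording the subject) on SUCCESS, a challenge on CONTINUE, or an AUTH outcome plus SASL close otherwise. */`.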
@@ -1142,12 +1114,6 @@ public class AMQPConnection_1_0 extends
{
return subjectCreator.createSaslServer(mechanism, fqdn, network.getPeerPrincipal());
}
-
- @Override
- public Principal getAuthenticatedPrincipal(SaslServer server)
- {
- return new AuthenticatedPrincipal(new UsernamePrincipal(server.getAuthorizationID()));
- }
};
}
Modified: qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/SaslServerProvider.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/SaslServerProvider.java?rev=1746259&r1=1746258&r2=1746259&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/SaslServerProvider.java (original)
+++ qpid/java/trunk/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/SaslServerProvider.java Tue May 31 09:34:33 2016
@@ -20,12 +20,10 @@
package org.apache.qpid.server.protocol.v1_0;
-import java.security.Principal;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
public interface SaslServerProvider
{
SaslServer getSaslServer(String mechanism, String fqdn) throws SaslException;
- Principal getAuthenticatedPrincipal(SaslServer server);
}
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java?rev=1746259&r1=1746258&r2=1746259&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java Tue May 31 09:34:33 2016
@@ -264,7 +264,14 @@ public abstract class AbstractServlet ex
protected void sendJsonResponse(Object object, HttpServletRequest request, HttpServletResponse response) throws IOException
{
- sendJsonResponse(object, request, response, HttpServletResponse.SC_OK, true);
+ sendJsonResponse(object, request, response, HttpServletResponse.SC_OK);
+ }
+
+ protected void sendJsonResponse(Object object,
+ HttpServletRequest request,
+ HttpServletResponse response, int status) throws IOException
+ {
+ sendJsonResponse(object, request, response, status, true);
}
protected final void sendJsonResponse(Object object, HttpServletRequest request, HttpServletResponse response, int responseCode, boolean sendCachingHeaders) throws IOException
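Review bot: The new four-argument sendJsonResponse overload has no Javadoc and silently fixes `sendCachingHeaders` to `true`, which a caller picking a non-OK status such as SC_UNAUTHORIZED may not expect; I would add `/** Sends {@code object} as JSON with the given HTTP {@code status}; caching headers are always sent. */` above it. Stylistically, `int status` is appended to the `HttpServletResponse response` line while the other parameters sit one per line — give it its own line to match.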
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java?rev=1746259&r1=1746258&r2=1746259&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java Tue May 31 09:34:33 2016
@@ -23,6 +23,8 @@ package org.apache.qpid.server.managemen
import java.io.IOException;
import java.security.Principal;
import java.security.SecureRandom;
+import java.util.Collections;
+import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
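Review bot: `import java.util.HashMap;` is added here, but nothing in the visible SaslServlet hunks uses HashMap — the new code builds `outputObject` with `LinkedHashMap` and the error body with `Collections.emptyMap()`. Unless a use exists outside the shown hunks, drop the import.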
@@ -46,6 +48,8 @@ import org.apache.qpid.server.management
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.security.SubjectCreator;
import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
+import org.apache.qpid.server.security.auth.AuthenticationResult;
+import org.apache.qpid.server.security.auth.SubjectAuthenticationResult;
import org.apache.qpid.server.util.ConnectionScopedRuntimeException;
public class SaslServlet extends AbstractServlet
@@ -210,34 +214,26 @@ public class SaslServlet extends Abstrac
final HttpServletResponse response,
final HttpSession session, final String saslResponse, final SaslServer saslServer, SubjectCreator subjectCreator) throws IOException
{
- final String id;
- byte[] challenge;
- try
- {
- challenge = saslServer.evaluateResponse(saslResponse == null
- ? new byte[0]
- : DatatypeConverter.parseBase64Binary(saslResponse));
- }
- catch(SaslException e)
+ byte[] saslResponseBytes = saslResponse == null
+ ? new byte[0]
+ : DatatypeConverter.parseBase64Binary(saslResponse);
+ SubjectAuthenticationResult authenticationResult = subjectCreator.authenticate(saslServer, saslResponseBytes);
+
+ if (authenticationResult.getStatus() == AuthenticationResult.AuthenticationStatus.ERROR)
{
session.removeAttribute(HttpManagementUtil.getRequestSpecificAttributeName(ATTR_ID, request));
session.removeAttribute(HttpManagementUtil.getRequestSpecificAttributeName(ATTR_SASL_SERVER, request));
session.removeAttribute(HttpManagementUtil.getRequestSpecificAttributeName(ATTR_EXPIRY, request));
- response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
-
+ sendJsonResponse(Collections.emptyMap(), request, response, HttpServletResponse.SC_UNAUTHORIZED);
return;
}
+ byte[] challenge = authenticationResult.getChallenge();
+ Map<String, Object> outputObject = new LinkedHashMap<>();
+
if(saslServer.isComplete())
{
- Subject originalSubject = subjectCreator.createSubjectWithGroups(new AuthenticatedPrincipal(saslServer.getAuthorizationID()));
- Subject subject = new Subject(false,
- originalSubject.getPrincipals(),
- originalSubject.getPublicCredentials(),
- originalSubject.getPrivateCredentials());
- subject.getPrincipals().add(new ServletConnectionPrincipal(request));
- subject.setReadOnly();
-
+ Subject subject = authenticationResult.getSubject();
Broker broker = getBroker();
try
{
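Review bot: Replacing the wrapped subject with `authenticationResult.getSubject()` drops two things the removed lines did: adding a `ServletConnectionPrincipal(request)` to the principal set and calling `setReadOnly()` on the resulting subject. If anything downstream in this method (its body, including the try block opened on the last line of this hunk, continues past the hunk) or in access-control checks identifies the HTTP connection through ServletConnectionPrincipal, it will no longer find it, and the subject stored in the session stays mutable unless SubjectCreator.authenticate already marks it read-only — confirm that, or reinstate the wrapping. A smaller inconsistency: failure is decided by `getStatus() == ERROR` while completion is still decided by `saslServer.isComplete()`; using `getStatus() == AuthenticationStatus.SUCCESS` there would keep both decisions on the same result object.
```java
Subject originalSubject = authenticationResult.getSubject();
Subject subject = new Subject(false,
                              originalSubject.getPrincipals(),
                              originalSubject.getPublicCredentials(),
                              originalSubject.getPrivateCredentials());
subject.getPrincipals().add(new ServletConnectionPrincipal(request));
subject.setReadOnly();
// … unchanged: getBroker() and the try block that follows …
```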
@@ -255,30 +251,21 @@ public class SaslServlet extends Abstrac
session.removeAttribute(HttpManagementUtil.getRequestSpecificAttributeName(ATTR_EXPIRY, request));
if(challenge != null && challenge.length != 0)
{
- Map<String, Object> outputObject = new LinkedHashMap<String, Object>();
outputObject.put("challenge", DatatypeConverter.printBase64Binary(challenge));
-
- sendJsonResponse(outputObject, request, response);
}
-
- response.setStatus(HttpServletResponse.SC_OK);
}
else
{
Random rand = getRandom(request);
- id = String.valueOf(rand.nextLong());
+ String id = String.valueOf(rand.nextLong());
session.setAttribute(HttpManagementUtil.getRequestSpecificAttributeName(ATTR_ID, request), id);
session.setAttribute(HttpManagementUtil.getRequestSpecificAttributeName(ATTR_SASL_SERVER, request), saslServer);
session.setAttribute(HttpManagementUtil.getRequestSpecificAttributeName(ATTR_EXPIRY, request), System.currentTimeMillis() + SASL_EXCHANGE_EXPIRY);
- response.setStatus(HttpServletResponse.SC_OK);
-
- Map<String, Object> outputObject = new LinkedHashMap<String, Object>();
outputObject.put("id", id);
outputObject.put("challenge", DatatypeConverter.printBase64Binary(challenge));
-
- sendJsonResponse(outputObject, request, response);
}
+ sendJsonResponse(outputObject, request, response);
}
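Review bot: The single trailing `sendJsonResponse(outputObject, request, response);` now also runs on the completed-handshake path after the try block opened in the previous hunk; if that block's catch clause (not visible here) already writes its own error response without returning, the JSON body would be written on top of it — confirm it returns early. The old code additionally set `SC_OK` explicitly, which is now delegated to the three-argument overload; a one-line comment such as `// status defaults to SC_OK via the three-argument overload` would save the next reader a lookup.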
private SubjectCreator getSubjectCreator(HttpServletRequest request)