Posted to commits@activemq.apache.org by jb...@apache.org on 2023/03/10 23:49:21 UTC
[activemq-artemis] branch main updated: ARTEMIS-4202 expand coverage of noCacheExceptions in LDAPLoginModule
This is an automated email from the ASF dual-hosted git repository.
jbertram pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git
The following commit(s) were added to refs/heads/main by this push:
new 39b0f01ca9 ARTEMIS-4202 expand coverage of noCacheExceptions in LDAPLoginModule
39b0f01ca9 is described below
commit 39b0f01ca9d5e41f1206ecc56a8ccd2802195b45
Author: Justin Bertram <jb...@apache.org>
AuthorDate: Thu Mar 9 09:09:53 2023 -0600
ARTEMIS-4202 expand coverage of noCacheExceptions in LDAPLoginModule
---
.../spi/core/security/jaas/LDAPLoginModule.java | 147 +++++++++++----------
1 file changed, 78 insertions(+), 69 deletions(-)
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
index f78e255743..69d9b5a437 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
@@ -174,49 +174,52 @@ public class LDAPLoginModule implements AuditLoginModule {
@Override
public boolean login() throws LoginException {
+ try {
+ if (!authenticateUser) {
+ return false;
+ }
- if (!authenticateUser) {
- return false;
- }
+ Callback[] callbacks = new Callback[2];
- Callback[] callbacks = new Callback[2];
+ callbacks[0] = new NameCallback("User name");
+ callbacks[1] = new PasswordCallback("Password", false);
+ try {
+ handler.handle(callbacks);
+ } catch (IOException | UnsupportedCallbackException e) {
+ throw (LoginException) new LoginException().initCause(e);
+ }
- callbacks[0] = new NameCallback("User name");
- callbacks[1] = new PasswordCallback("Password", false);
- try {
- handler.handle(callbacks);
- } catch (IOException | UnsupportedCallbackException e) {
- throw (LoginException) new LoginException().initCause(e);
- }
+ String password = null;
- String password = null;
+ username = ((NameCallback) callbacks[0]).getName();
+ if (username == null) {
+ return false;
+ }
- username = ((NameCallback) callbacks[0]).getName();
- if (username == null) {
- return false;
- }
+ if (((PasswordCallback) callbacks[1]).getPassword() != null) {
+ password = new String(((PasswordCallback) callbacks[1]).getPassword());
+ }
- if (((PasswordCallback) callbacks[1]).getPassword() != null) {
- password = new String(((PasswordCallback) callbacks[1]).getPassword());
- }
+ /*
+ * https://tools.ietf.org/html/rfc4513#section-6.3.1
+ *
+ * Clients that use the results from a simple Bind operation to make
+ * authorization decisions should actively detect unauthenticated Bind
+ * requests (by verifying that the supplied password is not empty) and
+ * react appropriately.
+ */
+ if (password == null || password.length() == 0) {
+ throw new FailedLoginException("Password cannot be null or empty");
+ }
- /*
- * https://tools.ietf.org/html/rfc4513#section-6.3.1
- *
- * Clients that use the results from a simple Bind operation to make
- * authorization decisions should actively detect unauthenticated Bind
- * requests (by verifying that the supplied password is not empty) and
- * react appropriately.
- */
- if (password == null || password.length() == 0) {
- throw new FailedLoginException("Password cannot be null or empty");
+ // authenticate will throw LoginException
+ // in case of failed authentication
+ authenticate(username, password);
+ userAuthenticated = true;
+ return true;
+ } catch (LoginException e) {
+ throw handleException(e);
}
-
- // authenticate will throw LoginException
- // in case of failed authentication
- authenticate(username, password);
- userAuthenticated = true;
- return true;
}
@Override
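Review bot: The moved lines at L57-L59 copy the PasswordCallback's char[] into an immutable String and never clear the callback's own copy; adding `((PasswordCallback) callbacks[1]).clearPassword();` right after the copy at least zeroes the array the callback retains. The String itself stays live until collected, which is inherent to the `authenticate(String, String)` signature, so this is defence in depth rather than a fix for the commit's subject. This is pre-existing behaviour that the commit only re-indents into the new try block, so it can be a follow-up. The whole of login() is visible in the hunk.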
@@ -227,31 +230,43 @@ public class LDAPLoginModule implements AuditLoginModule {
@Override
public boolean commit() throws LoginException {
- boolean result = userAuthenticated;
- Set<UserPrincipal> authenticatedUsers = subject.getPrincipals(UserPrincipal.class);
- Set<Principal> principals = subject.getPrincipals();
- if (result) {
- principals.add(new UserPrincipal(username));
- }
+ try {
+ boolean result = userAuthenticated;
+ Set<UserPrincipal> authenticatedUsers = subject.getPrincipals(UserPrincipal.class);
+ Set<Principal> principals = subject.getPrincipals();
+ if (result) {
+ principals.add(new UserPrincipal(username));
+ }
- // assign roles to any other UserPrincipal
- for (UserPrincipal authenticatedUser : authenticatedUsers) {
- List<String> roles = new ArrayList<>();
- try {
- String dn = resolveDN(authenticatedUser.getName(), roles);
- resolveRolesForDN(context, dn, authenticatedUser.getName(), roles);
- } catch (NamingException e) {
- closeContext();
- FailedLoginException ex = new FailedLoginException("Error contacting LDAP");
- ex.initCause(e);
- throw ex;
+ // assign roles to any other UserPrincipal
+ for (UserPrincipal authenticatedUser : authenticatedUsers) {
+ List<String> roles = new ArrayList<>();
+ try {
+ String dn = resolveDN(authenticatedUser.getName(), roles);
+ resolveRolesForDN(context, dn, authenticatedUser.getName(), roles);
+ } catch (NamingException e) {
+ closeContext();
+ FailedLoginException ex = new FailedLoginException("Error contacting LDAP");
+ ex.initCause(e);
+ throw ex;
+ }
}
- }
- principals.addAll(groups);
+ principals.addAll(groups);
- clear();
- return result;
+ clear();
+ return result;
+ } catch (LoginException e) {
+ throw handleException(e);
+ }
+ }
+
+ private LoginException handleException(LoginException e) {
+ Throwable t = ExceptionUtil.getRootCause(e);
+ if (noCacheExceptions.contains(t.getClass().getName())) {
+ t.initCause(new NoCacheLoginException());
+ }
+ return e;
}
private void clear() {
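Review bot: `t.initCause(new NoCacheLoginException())` at L155 can throw `IllegalStateException`, because `Throwable.initCause` refuses when the throwable was created with an explicit cause argument (even `null`) or has already had `initCause` called, and a leaf returned by `ExceptionUtil.getRootCause` is exactly such an object whenever the chain ends in an exception built through a `(String, Throwable)` constructor (javax.naming exceptions override `initCause`, so they are not affected, but JDK `IOException` subclasses are). That unchecked exception would then escape `login()` or `commit()` in place of the `LoginException` the JAAS caller expects, so a transient LDAP failure could surface as an internal error. The new code also mutates the root exception, which the module does not own, and if `getRootCause` can return `null` for a cause-less exception — not visible on this page — `t.getClass()` would NPE. The variant below keeps the no-cache marker best-effort without touching the success path; on the fallback branch the failure may still be cached unless whatever inspects the chain also checks the suppressed list, which is worth a sentence in the method's Javadoc.
```java
private LoginException handleException(LoginException e) {
   Throwable t = ExceptionUtil.getRootCause(e);
   if (t != null && noCacheExceptions.contains(t.getClass().getName())) {
      try {
         t.initCause(new NoCacheLoginException());
      } catch (IllegalStateException ise) {
         // root cause already carries an (explicit) cause, so it cannot be re-parented;
         // attach the marker to the exception we own instead of propagating ISE
         e.addSuppressed(new NoCacheLoginException());
         logger.debug("Could not attach NoCacheLoginException to root cause {}", t.getClass().getName(), ise);
      }
   }
   return e;
}
```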
@@ -314,8 +329,10 @@ public class LDAPLoginModule implements AuditLoginModule {
logger.debug("Create the LDAP initial context.");
try {
openContext();
- } catch (Exception e) {
- return handleException(e, "Error opening LDAP connection");
+ } catch (Exception ne) {
+ FailedLoginException ex = new FailedLoginException("Error opening LDAP connection");
+ ex.initCause(ne);
+ throw ex;
}
if (!isLoginPropertySet(ConfigKey.USER_SEARCH_MATCHING)) {
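Review bot: The three-line wrap at L167-L169 (`new FailedLoginException(...)`, `initCause`, `throw`) now appears verbatim again at L177-L179 and at L135-L137 in commit(), because the old `handleException(Exception, String)` that centralised it was removed; a small private helper that returns the initialised exception keeps the three sites identical and each call collapses to `throw failedLogin("Error opening LDAP connection", ne);`. The `catch (Exception ne)` also turns any RuntimeException from `openContext()` into a FailedLoginException, which is pre-existing but deserves a one-line comment since "failed login" is what any caching layer will see for what may be a configuration error. The enclosing method starts and ends outside this hunk.
```java
} catch (Exception ne) {
   throw failedLogin("Error opening LDAP connection", ne);
}
// … unchanged: remainder of the method …

/** Builds a FailedLoginException with {@code cause} attached (the class has no (message, cause) constructor). */
private static FailedLoginException failedLogin(String message, Throwable cause) {
   FailedLoginException ex = new FailedLoginException(message);
   ex.initCause(cause);
   return ex;
}
```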
@@ -440,22 +457,14 @@ public class LDAPLoginModule implements AuditLoginModule {
}
} catch (NamingException e) {
closeContext();
- handleException(e, "Error contacting LDAP");
+ FailedLoginException ex = new FailedLoginException("Error contacting LDAP");
+ ex.initCause(e);
+ throw ex;
}
return dn;
}
- private String handleException(Exception e, String s) throws FailedLoginException {
- FailedLoginException ex = new FailedLoginException(s);
- if (noCacheExceptions.contains(ExceptionUtil.getRootCause(e).getClass().getName())) {
- ex.initCause(new NoCacheLoginException());
- } else {
- ex.initCause(e);
- }
- throw ex;
- }
-
protected void addRoles(DirContext context,
String dn,
String username,