You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@activemq.apache.org by "Justin Bertram (Jira)" <ji...@apache.org> on 2021/02/08 19:18:00 UTC
[jira] [Assigned] (ARTEMIS-2952) Extending
ActiveMQXAConnectionFactory is limited by readOnly being private
[ https://issues.apache.org/jira/browse/ARTEMIS-2952?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Justin Bertram reassigned ARTEMIS-2952:
---------------------------------------
Assignee: Justin Bertram
> Extending ActiveMQXAConnectionFactory is limited by readOnly being private
> --------------------------------------------------------------------------
>
> Key: ARTEMIS-2952
> URL: https://issues.apache.org/jira/browse/ARTEMIS-2952
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Affects Versions: 2.15.0
> Reporter: Luís Alves
> Assignee: Justin Bertram
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> To be able to implement OpenID Connect authN on Artemis I had to extend ActiveMQXAConnectionFactory to override the method:
> {code:java}
> protected synchronized ActiveMQConnection createConnectionInternal(final String username,
> final String password,
> final boolean isXA,
> final int type) throws JMSException
> {code}
> This allows me to send and access token instead of the user:password pair. In my implementation I leave username empty (like a flag) to tell the server that I wanna use a token that is on the password field.
> This currently works fine but I had to do some reflection to modify the readOnly as it's private.
> Can this flag be protected as well?
> A possible alternative is to provide a way to pass the user and password using a Supplier, so I can define a method that gets a new access token if the current is expired. The token expiration also will cause some disconnections, as the server will detect the token expired and disconnect the client. I don't think there's any way I can update the connection credentials while the connection is established, correct?
> For reference here is the current code I'm using:
> {code:java}
> public class OAuth2ActiveMQXAConnectionFactory extends ActiveMQXAConnectionFactory {
> private static final Logger logger = LoggerFactory.getLogger(OAuth2ActiveMQXAConnectionFactory.class);
> private AtomicReference<String> accessTokenRef = new AtomicReference<>(null);
> private transient OIDCProviderMetadata providerMetadata;
> public OAuth2ActiveMQXAConnectionFactory() {
> }
> public OAuth2ActiveMQXAConnectionFactory(boolean ha, TransportConfiguration[] initialConnectors, String issuerURI) {
> super(ha, initialConnectors);
> if (!StringUtils.isEmpty(issuerURI)) {
> try {
> URL providerConfigurationURL = new URL(issuerURI + "/.well-known/openid-configuration");
> InputStream stream = providerConfigurationURL.openStream();
> // Read all data from URL
> String providerInfo = null;
> try (java.util.Scanner s = new java.util.Scanner(stream)) {
> providerInfo = s.useDelimiter("\\A").hasNext() ? s.next() : "";
> }
> this.providerMetadata = OIDCProviderMetadata.parse(providerInfo);
> } catch (IOException | ParseException e) {
> throw new IllegalStateException("Cannot configure OIDC Provider Metadata.", e);
> }
> }
> }
> @Override
> @SuppressWarnings({"squid:S2095"}) //ClientSessionFactory - Resources should be closed
> protected synchronized ActiveMQConnection createConnectionInternal(final String username,
> final String password,
> final boolean isXA,
> final int type) throws JMSException {
> setSuperReadOnly();
> ClientSessionFactory factory;
> try {
> // we can't do a try with resource ad the factory cannot be closed
> // or it will close the ActiveMQConnection.
> factory = getServerLocator().createSessionFactory();
> } catch (Exception e) {
> JMSException jmse = new JMSException("Failed to create session factory");
> jmse.initCause(e);
> jmse.setLinkedException(e);
> throw jmse;
> }
> ActiveMQConnection connection = null;
> String accessToken;
> String user;
> if (nonNull(providerMetadata)) {
> accessToken = accessTokenRef.updateAndGet(
> previousToken -> getOrRefreshToken(previousToken, username, password));
> user = "";
> } else {
> //use normal authentication instead of token
> accessToken = password;
> user = username;
> }
> if (type == ActiveMQConnection.TYPE_GENERIC_CONNECTION ||
> type == ActiveMQConnection.TYPE_QUEUE_CONNECTION ||
> type == ActiveMQConnection.TYPE_TOPIC_CONNECTION) {
> connection = new ActiveMQXAConnection(this, user, accessToken, type, getClientID(),
> getDupsOKBatchSize(), getTransactionBatchSize(), isCacheDestinations(), false, factory);
> }
> if (connection == null) {
> throw new JMSException("Failed to create connection: invalid type " + type);
> }
> connection.setReference(this);
> try {
> connection.authorize(!isEnableSharedClientID());
> } catch (JMSException e) {
> try {
> connection.close();
> } catch (JMSException me) {
> logger.debug("Failed to close connection", me);
> }
> throw e;
> }
> return connection;
> }
> private void setSuperReadOnly() {
> //XXX: workaround to avoid re-writing the whole connection factory code. (readOnly = true;)
> try {
> Field readOnly = ActiveMQConnectionFactory.class.getDeclaredField("readOnly");
> readOnly.setAccessible(true);
> readOnly.set(this, true);
> } catch (NoSuchFieldException | IllegalAccessException e) {
> logger.info("failed to set read only to true");
> }
> }
> private String getOrRefreshToken(String previousToken, String username, String password) {
> if (previousToken == null) {
> return authenticateUserWithClientCredentialsGrant(username, password);
> }
> SignedJWT signedJWT;
> try {
> signedJWT = SignedJWT.parse(previousToken);
> Date exp = signedJWT.getJWTClaimsSet().getExpirationTime();
> Instant now = Instant.now().minus(2, ChronoUnit.SECONDS);
> if (exp.before(Date.from(now))) {
> //token is already expires let's refresh
> return authenticateUserWithClientCredentialsGrant(username, password);
> }
> } catch (java.text.ParseException e) {
> throw new IllegalStateException("Cannot fail parsing the token.", e);
> }
> return previousToken;
> }
> private String authenticateUserWithClientCredentialsGrant(String user, String password) {
> AccessToken accessToken = null;
> try {
> // Construct the client credentials grant
> final AuthorizationGrant clientGrant = new ClientCredentialsGrant();
> // The credentials to authenticate the client at the token endpoint
> final ClientID clientID = new ClientID(user);
> final Secret clientSecret = new Secret(password);
> final ClientAuthentication clientAuth = new ClientSecretBasic(clientID, clientSecret);
> // The request scope for the token (may be optional)
> final Scope scope = new Scope("openid", "roles");
> // Make the token request
> final TokenRequest request = new TokenRequest(providerMetadata.getTokenEndpointURI(), clientAuth, clientGrant, scope);
> final TokenResponse response = TokenResponse.parse(request.toHTTPRequest().send());
> if (!response.indicatesSuccess()) {
> // We got an error response...
> final TokenErrorResponse errorResponse = response.toErrorResponse();
> logger.debug("Error response object {}", errorResponse.getErrorObject());
> return null;
> }
> final AccessTokenResponse successResponse = response.toSuccessResponse();
> //do we need refresh token? we have the client credentials
> accessToken = successResponse.getTokens().getAccessToken();
> } catch (ParseException | IOException e) {
> throw new IllegalStateException("Failed to do the client credentials grant.", e);
> }
> return accessToken.getValue();
> }
> }
> {code}
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)