You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@activemq.apache.org by ma...@apache.org on 2016/06/17 16:44:19 UTC
[1/2] activemq-artemis git commit: ARTEMIS-529 support dual auth
Repository: activemq-artemis
Updated Branches:
refs/heads/master 70562ad7e -> 279780c89
ARTEMIS-529 support dual auth
A new feature whereby 2-way SSL connections can be authenticated differently
than non-SSL connections.
Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/7715b5ee
Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/7715b5ee
Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/7715b5ee
Branch: refs/heads/master
Commit: 7715b5ee128d2a629c2e5940247e86be91a694fc
Parents: 70562ad
Author: jbertram <jb...@apache.org>
Authored: Thu May 26 09:18:11 2016 -0500
Committer: jbertram <jb...@apache.org>
Committed: Fri Jun 17 11:07:03 2016 -0500
----------------------------------------------------------------------
.../artemis/factory/JaasSecurityHandler.java | 2 +-
.../activemq/artemis/dto/JaasSecurityDTO.java | 3 +
.../security/ActiveMQJAASSecurityManager.java | 38 ++++-
docs/user-manual/en/security.md | 49 +++++--
examples/features/standard/pom.xml | 2 +
.../ssl-enabled-dual-authentication/pom.xml | 110 ++++++++++++++
.../ssl-enabled-dual-authentication/readme.html | 75 ++++++++++
.../example/SSLDualAuthenticationExample.java | 99 +++++++++++++
.../activemq/server0/artemis-roles.properties | 17 +++
.../activemq/server0/artemis-users.properties | 17 +++
.../resources/activemq/server0/bootstrap.xml | 28 ++++
.../main/resources/activemq/server0/broker.xml | 57 ++++++++
.../activemq/server0/cert-roles.properties | 18 +++
.../activemq/server0/cert-users.properties | 18 +++
.../activemq/server0/client-side-keystore.jks | Bin 0 -> 1303 bytes
.../activemq/server0/client-side-truststore.jks | Bin 0 -> 963 bytes
.../resources/activemq/server0/login.config | 30 ++++
.../activemq/server0/server-side-keystore.jks | Bin 0 -> 2253 bytes
.../activemq/server0/server-side-truststore.jks | Bin 0 -> 1732 bytes
.../src/main/resources/jndi.properties | 21 +++
.../ssl/CoreClientOverTwoWaySSLTest.java | 6 +-
.../integration/ssl/DualAuthenticationTest.java | 142 +++++++++++++++++++
.../dual-authentication-cert-roles.properties | 18 +++
.../dual-authentication-cert-users.properties | 18 +++
.../dual-authentication-roles.properties | 18 +++
.../dual-authentication-users.properties | 18 +++
.../src/test/resources/login.config | 14 ++
27 files changed, 802 insertions(+), 16 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/artemis-cli/src/main/java/org/apache/activemq/artemis/factory/JaasSecurityHandler.java
----------------------------------------------------------------------
diff --git a/artemis-cli/src/main/java/org/apache/activemq/artemis/factory/JaasSecurityHandler.java b/artemis-cli/src/main/java/org/apache/activemq/artemis/factory/JaasSecurityHandler.java
index 2f45f94..dc677e0 100644
--- a/artemis-cli/src/main/java/org/apache/activemq/artemis/factory/JaasSecurityHandler.java
+++ b/artemis-cli/src/main/java/org/apache/activemq/artemis/factory/JaasSecurityHandler.java
@@ -25,7 +25,7 @@ public class JaasSecurityHandler implements SecurityHandler {
@Override
public ActiveMQSecurityManager createSecurityManager(SecurityDTO security) throws Exception {
JaasSecurityDTO jaasSecurity = (JaasSecurityDTO) security;
- ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager(jaasSecurity.domain);
+ ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager(jaasSecurity.domain, jaasSecurity.certificateDomain);
return securityManager;
}
}
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JaasSecurityDTO.java
----------------------------------------------------------------------
diff --git a/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JaasSecurityDTO.java b/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JaasSecurityDTO.java
index a988bff..2aa0e00 100644
--- a/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JaasSecurityDTO.java
+++ b/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JaasSecurityDTO.java
@@ -27,4 +27,7 @@ public class JaasSecurityDTO extends SecurityDTO {
@XmlAttribute(name = "domain", required = true)
public String domain;
+
+ @XmlAttribute(name = "certificate-domain", required = false)
+ public String certificateDomain;
}
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java
----------------------------------------------------------------------
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java
index 6e28e91..cd380ec 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java
@@ -50,7 +50,9 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
private static final String WILDCARD = "*";
private String configurationName;
+ private String certificateConfigurationName;
private SecurityConfiguration configuration;
+ private SecurityConfiguration certificateConfiguration;
private String rolePrincipalClass = "org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal";
public ActiveMQJAASSecurityManager() {
@@ -60,11 +62,23 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
this.configurationName = configurationName;
}
+ public ActiveMQJAASSecurityManager(String configurationName, String certificateConfigurationName) {
+ this.configurationName = configurationName;
+ this.certificateConfigurationName = certificateConfigurationName;
+ }
+
public ActiveMQJAASSecurityManager(String configurationName, SecurityConfiguration configuration) {
this.configurationName = configurationName;
this.configuration = configuration;
}
+ public ActiveMQJAASSecurityManager(String configurationName, String certificateConfigurationName, SecurityConfiguration configuration, SecurityConfiguration certificateConfiguration) {
+ this.configurationName = configurationName;
+ this.configuration = configuration;
+ this.certificateConfigurationName = certificateConfigurationName;
+ this.certificateConfiguration = certificateConfiguration;
+ }
+
@Override
public boolean validateUser(String user, String password) {
return validateUser(user, password, null);
@@ -144,7 +158,13 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
}
private Subject getAuthenticatedSubject(final String user, final String password, final X509Certificate[] certificates) throws LoginException {
- LoginContext lc = new LoginContext(configurationName, null, new JaasCallbackHandler(user, password, certificates), configuration);
+ LoginContext lc;
+ if (certificateConfigurationName != null && certificateConfigurationName.length() > 0 && certificates != null) {
+ lc = new LoginContext(certificateConfigurationName, null, new JaasCallbackHandler(user, password, certificates), certificateConfiguration);
+ }
+ else {
+ lc = new LoginContext(configurationName, null, new JaasCallbackHandler(user, password, certificates), configuration);
+ }
lc.login();
return lc.getSubject();
}
@@ -172,6 +192,14 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
this.configuration = configuration;
}
+ public void setCertificateConfigurationName(final String certificateConfigurationName) {
+ this.certificateConfigurationName = certificateConfigurationName;
+ }
+
+ public void setCertificateConfiguration(SecurityConfiguration certificateConfiguration) {
+ this.certificateConfiguration = certificateConfiguration;
+ }
+
public SecurityConfiguration getConfiguration() {
if (configuration == null) {
configuration = new SecurityConfiguration();
@@ -180,6 +208,14 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
return configuration;
}
+ public SecurityConfiguration getCertificateConfiguration() {
+ if (certificateConfiguration == null) {
+ certificateConfiguration = new SecurityConfiguration();
+ }
+
+ return certificateConfiguration;
+ }
+
public String getRolePrincipalClass() {
return rolePrincipalClass;
}
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/docs/user-manual/en/security.md
----------------------------------------------------------------------
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index f6e654d..a0abb3d 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@@ -238,10 +238,9 @@ As mentioned, there are a few places where a translation was performed to achiev
## Secure Sockets Layer (SSL) Transport
-When messaging clients are connected to servers, or servers are
-connected to other servers (e.g. via bridges) over an untrusted network
-then Apache ActiveMQ Artemis allows that traffic to be encrypted using the Secure
-Sockets Layer (SSL) transport.
+When messaging clients are connected to servers, or servers are connected to other servers (e.g. via bridges) over an
+untrusted network then Apache ActiveMQ Artemis allows that traffic to be encrypted using the Secure Sockets Layer (SSL)
+transport.
For more information on configuring the SSL transport, please see [Configuring the Transport](configuring-transports.md).
@@ -250,12 +249,11 @@ For more information on configuring the SSL transport, please see [Configuring t
Apache ActiveMQ Artemis ships with two security manager implementations:
- The legacy, deprecated `ActiveMQSecurityManager` that reads user credentials, i.e. user names, passwords and role
-information from properties files on the classpath called `artemis-users.properties` and `artemis-roles.properties`.
-This is the default security manager.
+information from properties files on the classpath called `artemis-users.properties` and `artemis-roles.properties`.
- The flexible, pluggable `ActiveMQJAASSecurityManager` which supports any standard JAAS login module. Artemis ships
-with several login modules which will be discussed further down.
-
+with several login modules which will be discussed further down. This is the default security manager.
+
### JAAS Security Manager
When using JAAS much of the configuration depends on which login module is used. However, there are a few commonalities
@@ -278,17 +276,46 @@ The `login.config` file is a standard JAAS configuration file. You can read more
[Oracle's website](https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html).
In short, the file defines:
-- an alias for a configuration (e.g. `PropertiesLogin`)
+- an alias for an entry (e.g. `PropertiesLogin`)
-- the implementation class (e.g. `org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule`)
+- the implementation class for the login module (e.g. `org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule`)
-- a flag which indicates whether the success of the LoginModule is `required`, `requisite`, `sufficient`, or `optional`
+- a flag which indicates whether the success of the login module is `required`, `requisite`, `sufficient`, or `optional`
+(see more details on these flags in the [JavaDoc](http://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/Configuration.html)
- a list of configuration options specific to the login module implementation
By default, the location and name of `login.config` is specified on the Artemis command-line which is set by
`etc/artemis.profile` on linux and `etc\artemis.profile.cmd` on Windows.
+#### Dual Authentication
+
+The JAAS Security Manager also supports another configuration parameter - `certificate-domain`. This is useful when you
+want to authenticate clients connecting with SSL connections based on their SSL certificates (e.g. using the `CertificateLoginModule`
+discussed below) but you still want to authenticate clients connecting with non-SSL connections with, e.g., username and
+password. Here's an example of what would go in `bootstrap.xml`:
+
+ <jaas-security domain="PropertiesLogin" certificate-domain="CertLogin"/>
+
+And here's the corresponding `login.config`:
+
+ PropertiesLogin {
+ org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
+ debug=false
+ org.apache.activemq.jaas.properties.user="artemis-users.properties"
+ org.apache.activemq.jaas.properties.role="artemis-roles.properties";
+ };
+
+ CertLogin {
+ org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
+ debug=true
+ org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
+ org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
+ };
+
+When the broker is configured this way then any client connecting with SSL and a client certificate will be authenticated
+using `CertLogin` and any client connecting without SSL will be authenticated using `PropertiesLogin`.
+
### JAAS Login Modules
#### GuestLoginModule
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/examples/features/standard/pom.xml
----------------------------------------------------------------------
diff --git a/examples/features/standard/pom.xml b/examples/features/standard/pom.xml
index 05d1b64..88a5823 100644
--- a/examples/features/standard/pom.xml
+++ b/examples/features/standard/pom.xml
@@ -86,6 +86,7 @@ under the License.
<module>send-acknowledgements</module>
<module>spring-integration</module>
<module>ssl-enabled</module>
+ <module>ssl-enabled-dual-authentication</module>
<module>static-selector</module>
<module>temp-queue</module>
<module>topic</module>
@@ -147,6 +148,7 @@ under the License.
<module>send-acknowledgements</module>
<module>spring-integration</module>
<module>ssl-enabled</module>
+ <module>ssl-enabled-dual-authentication</module>
<module>static-selector</module>
<!--this needs to be run standalone as it needs manual intervention-->
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/examples/features/standard/ssl-enabled-dual-authentication/pom.xml
----------------------------------------------------------------------
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/pom.xml b/examples/features/standard/ssl-enabled-dual-authentication/pom.xml
new file mode 100644
index 0000000..a13d33a
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/pom.xml
@@ -0,0 +1,110 @@
+<?xml version='1.0'?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+
+ <parent>
+ <groupId>org.apache.activemq.examples.broker</groupId>
+ <artifactId>jms-examples</artifactId>
+ <version>1.3.0-SNAPSHOT</version>
+ </parent>
+
+ <artifactId>ssl-enabled-dual-authentication</artifactId>
+ <packaging>jar</packaging>
+ <name>ActiveMQ Artemis JMS SSL Enabled Dual Authentication Example</name>
+
+ <properties>
+ <activemq.basedir>${project.basedir}/../../../..</activemq.basedir>
+ </properties>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.activemq</groupId>
+ <artifactId>artemis-jms-client</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ </dependencies>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.activemq</groupId>
+ <artifactId>artemis-maven-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>create</id>
+ <goals>
+ <goal>create</goal>
+ </goals>
+ <configuration>
+ <ignore>${noServer}</ignore>
+ </configuration>
+ </execution>
+ <execution>
+ <id>start</id>
+ <goals>
+ <goal>cli</goal>
+ </goals>
+ <configuration>
+ <ignore>${noServer}</ignore>
+ <spawn>true</spawn>
+ <testURI>tcp://localhost:61616</testURI>
+ <testUser>consumer</testUser>
+ <testPassword>activemq</testPassword>
+ <args>
+ <param>run</param>
+ </args>
+ </configuration>
+ </execution>
+ <execution>
+ <id>runClient</id>
+ <goals>
+ <goal>runClient</goal>
+ </goals>
+ <configuration>
+ <clientClass>org.apache.activemq.artemis.jms.example.SSLDualAuthenticationExample</clientClass>
+ </configuration>
+ </execution>
+ <execution>
+ <id>stop</id>
+ <goals>
+ <goal>cli</goal>
+ </goals>
+ <configuration>
+ <ignore>${noServer}</ignore>
+ <args>
+ <param>stop</param>
+ </args>
+ </configuration>
+ </execution>
+ </executions>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.activemq.examples.broker</groupId>
+ <artifactId>ssl-enabled-dual-authentication</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ </dependencies>
+ </plugin>
+ </plugins>
+ </build>
+
+</project>
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/examples/features/standard/ssl-enabled-dual-authentication/readme.html
----------------------------------------------------------------------
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/readme.html b/examples/features/standard/ssl-enabled-dual-authentication/readme.html
new file mode 100644
index 0000000..93d7c72
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/readme.html
@@ -0,0 +1,75 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<html>
+ <head>
+ <title>ActiveMQ Artemis JMS SSL Example</title>
+ <link rel="stylesheet" type="text/css" href="../../../common/common.css" />
+ <link rel="stylesheet" type="text/css" href="../../../common/prettify.css" />
+ <script type="text/javascript" src="../../../common/prettify.js"></script>
+ </head>
+ <body onload="prettyPrint()">
+ <h1>JMS SSL Dual Authentication Example</h1>
+
+ <pre>To run the example, simply type <b>mvn verify</b> from this directory, <br>or <b>mvn -PnoServer verify</b> if you want to start and create the server manually.</pre>
+
+ <p>This example shows you how to configure 2-way SSL along with 2 different authentications mechanisms so that SSL and non-SSL clients can send and consume messages to/from ActiveMQ Artemis.
+ The non-SSL authentication mechanism simply uses username and password. The SSL authentication mechanism uses the client's certificate.</p>
+
+ <p>To configure 2-way SSL you need to configure the acceptor as follows:</p>
+
+ <p>
+ <pre class="prettyprint">
+ <code>
+ <!-- Acceptor -->
+
+ <acceptor name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=${data.dir}/../etc/server-side-keystore.jks;keyStorePassword=secureexample;trustStorePath=${data.dir}/../etc/server-side-truststore.jks;trustStorePassword=secureexample</acceptor>
+ </code>
+ </pre>
+ </p>
+
+ <p>In the server-side URL, the server-side-keystore.jks is the key store file holding the server's certificate. The server-side-truststore.jks is the file holding the certificates which the server trusts. Notice also the "sslEnabled" and "needClientAuth" parameters which enable SSL and require clients to present their own certificate respectively. Here's the URL the client uses to connect over SSL:</p>
+
+ <p>
+ <pre class="prettyprint">
+ <code>
+ tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/client-side-truststore.jks&trustStorePassword=secureexample&keyStorePath=activemq/server0/client-side-keystore.jks&keyStorePassword=secureexample
+ </code>
+ </pre>
+ </p>
+
+ <p>In the client-side URL, the client-side-keystore.jks is the key store file holding the client's certificate. The client-side-truststore.jks is the file holding the certificates which the client trusts. The "sslEnabled" parameter is present here as well just as it is on the server.</p>
+
+ <p>The various keystore files are generated using the following commands:</p>
+
+ <p>
+ <pre class="prettyprint">
+ <code>
+keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
+keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample
+keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
+keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
+keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample
+keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
+ </code>
+ </pre>
+ </p>
+
+ </body>
+</html>
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/examples/features/standard/ssl-enabled-dual-authentication/src/main/java/org/apache/activemq/artemis/jms/example/SSLDualAuthenticationExample.java
----------------------------------------------------------------------
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/java/org/apache/activemq/artemis/jms/example/SSLDualAuthenticationExample.java b/examples/features/standard/ssl-enabled-dual-authentication/src/main/java/org/apache/activemq/artemis/jms/example/SSLDualAuthenticationExample.java
new file mode 100644
index 0000000..a3c928e
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/java/org/apache/activemq/artemis/jms/example/SSLDualAuthenticationExample.java
@@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.jms.example;
+
+import javax.jms.Connection;
+import javax.jms.ConnectionFactory;
+import javax.jms.MessageConsumer;
+import javax.jms.MessageProducer;
+import javax.jms.Queue;
+import javax.jms.Session;
+import javax.jms.TextMessage;
+import javax.naming.InitialContext;
+
+/**
+ * A simple JMS Queue example that uses dual broker authentication mechanisms for SSL and non-SSL connections.
+ */
+public class SSLDualAuthenticationExample {
+
+ public static void main(final String[] args) throws Exception {
+ Connection producerConnection = null;
+ Connection consumerConnection = null;
+ InitialContext initialContext = null;
+ try {
+ // Step 1. Create an initial context to perform the JNDI lookup.
+ initialContext = new InitialContext();
+
+ // Step 2. Perfom a lookup on the queue
+ Queue queue = (Queue) initialContext.lookup("queue/exampleQueue");
+
+ // Step 3. Perform a lookup on the producer's SSL Connection Factory
+ ConnectionFactory producerConnectionFactory = (ConnectionFactory) initialContext.lookup("SslConnectionFactory");
+
+ // Step 4. Perform a lookup on the consumer's Connection Factory
+ ConnectionFactory consumerConnectionFactory = (ConnectionFactory) initialContext.lookup("ConnectionFactory");
+
+ // Step 5.Create a JMS Connection for the producer
+ producerConnection = producerConnectionFactory.createConnection();
+
+ // Step 6.Create a JMS Connection for the consumer
+ consumerConnection = consumerConnectionFactory.createConnection("consumer", "activemq");
+
+ // Step 7. Create a JMS Session for the producer
+ Session producerSession = producerConnection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+
+ // Step 8. Create a JMS Session for the consumer
+ Session consumerSession = consumerConnection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+
+ // Step 9. Create a JMS Message Producer
+ MessageProducer producer = producerSession.createProducer(queue);
+
+ // Step 10. Create a Text Message
+ TextMessage message = producerSession.createTextMessage("This is a text message");
+
+ System.out.println("Sent message: " + message.getText());
+
+ // Step 11. Send the Message
+ producer.send(message);
+
+ // Step 12. Create a JMS Message Consumer
+ MessageConsumer messageConsumer = consumerSession.createConsumer(queue);
+
+ // Step 13. Start the Connection
+ consumerConnection.start();
+
+ // Step 14. Receive the message
+ TextMessage messageReceived = (TextMessage) messageConsumer.receive(5000);
+
+ System.out.println("Received message: " + messageReceived.getText());
+
+ initialContext.close();
+ }
+ finally {
+ // Step 15. Be sure to close our JMS resources!
+ if (initialContext != null) {
+ initialContext.close();
+ }
+ if (producerConnection != null) {
+ producerConnection.close();
+ }
+ if (consumerConnection != null) {
+ consumerConnection.close();
+ }
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/artemis-roles.properties
----------------------------------------------------------------------
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/artemis-roles.properties b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/artemis-roles.properties
new file mode 100644
index 0000000..643dfc3
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/artemis-roles.properties
@@ -0,0 +1,17 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements. See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License. You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+consumers=consumer
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/artemis-users.properties
----------------------------------------------------------------------
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/artemis-users.properties b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/artemis-users.properties
new file mode 100644
index 0000000..1c68f50
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/artemis-users.properties
@@ -0,0 +1,17 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements. See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License. You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+consumer=activemq
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/bootstrap.xml
----------------------------------------------------------------------
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/bootstrap.xml b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/bootstrap.xml
new file mode 100644
index 0000000..2d753e7
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/bootstrap.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one or more
+ ~ contributor license agreements. See the NOTICE file distributed with
+ ~ this work for additional information regarding copyright ownership.
+ ~ The ASF licenses this file to You under the Apache License, Version 2.0
+ ~ (the "License"); you may not use this file except in compliance with
+ ~ the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<broker xmlns="http://activemq.org/schema">
+
+ <jaas-security domain="activemq" certificate-domain="activemq-cert"/>
+
+ <server configuration="file:${artemis.instance}/etc/broker.xml"/>
+
+
+
+</broker>
+
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/broker.xml
----------------------------------------------------------------------
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/broker.xml b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/broker.xml
new file mode 100644
index 0000000..14fa849
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/broker.xml
@@ -0,0 +1,57 @@
+<?xml version='1.0'?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns="urn:activemq"
+ xsi:schemaLocation="urn:activemq /schema/artemis-server.xsd">
+
+ <jms xmlns="urn:activemq:jms">
+ <!--the queue used by the example-->
+ <queue name="exampleQueue"/>
+ </jms>
+
+ <core xmlns="urn:activemq:core">
+
+ <bindings-directory>./data/messaging/bindings</bindings-directory>
+
+ <journal-directory>./data/messaging/journal</journal-directory>
+
+ <large-messages-directory>./data/messaging/largemessages</large-messages-directory>
+
+ <paging-directory>./data/messaging/paging</paging-directory>
+
+ <!-- Acceptors -->
+ <acceptors>
+ <acceptor name="netty-acceptor">tcp://localhost:61616</acceptor>
+ <acceptor name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=${data.dir}/../etc/server-side-keystore.jks;keyStorePassword=secureexample;trustStorePath=${data.dir}/../etc/server-side-truststore.jks;trustStorePassword=secureexample</acceptor>
+ </acceptors>
+
+ <!-- Other config -->
+
+ <security-settings>
+ <!--security for example queue-->
+ <security-setting match="jms.queue.exampleQueue">
+ <permission type="consume" roles="consumers"/>
+ <permission type="send" roles="producers"/>
+ </security-setting>
+ </security-settings>
+
+ </core>
+</configuration>
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/cert-roles.properties
----------------------------------------------------------------------
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/cert-roles.properties b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/cert-roles.properties
new file mode 100644
index 0000000..f52fa21
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/cert-roles.properties
@@ -0,0 +1,18 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+producers=producer
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/cert-users.properties
----------------------------------------------------------------------
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/cert-users.properties b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/cert-users.properties
new file mode 100644
index 0000000..06874dc
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/cert-users.properties
@@ -0,0 +1,18 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+producer=CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-keystore.jks
----------------------------------------------------------------------
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-keystore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-keystore.jks
new file mode 100644
index 0000000..cb65a44
Binary files /dev/null and b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-keystore.jks differ
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-truststore.jks
----------------------------------------------------------------------
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-truststore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-truststore.jks
new file mode 100644
index 0000000..7eb1d56
Binary files /dev/null and b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-truststore.jks differ
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/login.config
----------------------------------------------------------------------
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/login.config b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/login.config
new file mode 100644
index 0000000..9bd479d
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/login.config
@@ -0,0 +1,30 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+activemq {
+ org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
+ debug=false
+ org.apache.activemq.jaas.properties.user="artemis-users.properties"
+ org.apache.activemq.jaas.properties.role="artemis-roles.properties";
+};
+
+activemq-cert {
+ org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
+ debug=true
+ org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
+ org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
+};
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-keystore.jks
----------------------------------------------------------------------
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-keystore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-keystore.jks
new file mode 100644
index 0000000..6089c6e
Binary files /dev/null and b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-keystore.jks differ
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-truststore.jks
----------------------------------------------------------------------
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-truststore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-truststore.jks
new file mode 100644
index 0000000..0b7e224
Binary files /dev/null and b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-truststore.jks differ
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/jndi.properties
----------------------------------------------------------------------
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/jndi.properties b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/jndi.properties
new file mode 100644
index 0000000..12fbef6
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/jndi.properties
@@ -0,0 +1,21 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+java.naming.factory.initial=org.apache.activemq.artemis.jndi.ActiveMQInitialContextFactory
+connectionFactory.SslConnectionFactory=tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/client-side-truststore.jks&trustStorePassword=secureexample&keyStorePath=activemq/server0/client-side-keystore.jks&keyStorePassword=secureexample
+connectionFactory.ConnectionFactory=tcp://localhost:61616
+queue.queue/exampleQueue=exampleQueue
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java
index 1ced54f..0d553ad 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java
@@ -70,15 +70,15 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
public static final SimpleString QUEUE = new SimpleString("QueueOverSSL");
/**
- * These artifacts are required for testing 2-way SSL in addition to the artifacts for 1-way SSL
+ * These artifacts are required for testing 2-way SSL in addition to the artifacts for 1-way SSL from {@link CoreClientOverOneWaySSLTest}
*
* Commands to create the JKS artifacts:
- * keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ"
+ * keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
* keytool -export -keystore client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
* keytool -import -keystore server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
*
* Commands to create the JCEKS artifacts:
- * keytool -genkey -keystore client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ"
+ * keytool -genkey -keystore client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
* keytool -export -keystore client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
* keytool -import -keystore server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
*/
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/DualAuthenticationTest.java
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/DualAuthenticationTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/DualAuthenticationTest.java
new file mode 100644
index 0000000..d3c6767
--- /dev/null
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/DualAuthenticationTest.java
@@ -0,0 +1,142 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.tests.integration.ssl;
+
+import java.lang.management.ManagementFactory;
+import java.net.URL;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.activemq.artemis.api.core.Message;
+import org.apache.activemq.artemis.api.core.SimpleString;
+import org.apache.activemq.artemis.api.core.TransportConfiguration;
+import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
+import org.apache.activemq.artemis.api.core.client.ClientConsumer;
+import org.apache.activemq.artemis.api.core.client.ClientMessage;
+import org.apache.activemq.artemis.api.core.client.ClientProducer;
+import org.apache.activemq.artemis.api.core.client.ClientSession;
+import org.apache.activemq.artemis.api.core.client.ClientSessionFactory;
+import org.apache.activemq.artemis.api.core.client.ServerLocator;
+import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
+import org.apache.activemq.artemis.core.security.Role;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.core.server.ActiveMQServers;
+import org.apache.activemq.artemis.core.settings.HierarchicalRepository;
+import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager;
+import org.apache.activemq.artemis.tests.integration.security.SecurityTest;
+import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
+import org.apache.activemq.artemis.utils.RandomUtil;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * See {@link CoreClientOverTwoWaySSLTest} for details about the keystores required for this test.
+ */
+public class DualAuthenticationTest extends ActiveMQTestBase {
+
+ public static final SimpleString QUEUE = new SimpleString("QueueOverSSL");
+
+ static {
+ String path = System.getProperty("java.security.auth.login.config");
+ if (path == null) {
+ URL resource = SecurityTest.class.getClassLoader().getResource("login.config");
+ if (resource != null) {
+ path = resource.getFile();
+ System.setProperty("java.security.auth.login.config", path);
+ }
+ }
+ }
+
+ private String SERVER_SIDE_KEYSTORE = "server-side-keystore.jks";
+ private String SERVER_SIDE_TRUSTSTORE = "server-side-truststore.jks";
+ private String CLIENT_SIDE_TRUSTSTORE = "client-side-truststore.jks";
+ private String CLIENT_SIDE_KEYSTORE = "client-side-keystore.jks";
+ private final String PASSWORD = "secureexample";
+
+ private ActiveMQServer server;
+
+ private TransportConfiguration tc;
+
+ @Test
+ public void testDualAuthentication() throws Exception {
+ String text = RandomUtil.randomString();
+
+ tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE);
+ tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
+ tc.getParams().put(TransportConstants.PORT_PROP_NAME, "61617");
+
+ ServerLocator producerLocator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
+ ClientSessionFactory producerSessionFactory = createSessionFactory(producerLocator);
+ ClientSession producerSession = producerSessionFactory.createSession(false, true, true);
+ producerSession.createQueue(DualAuthenticationTest.QUEUE, DualAuthenticationTest.QUEUE, false);
+ ClientProducer producer = producerSession.createProducer(DualAuthenticationTest.QUEUE);
+
+ ClientMessage message = createTextMessage(producerSession, text);
+ producer.send(message);
+
+ ServerLocator consumerLocator = addServerLocator(ActiveMQClient.createServerLocator("tcp://localhost:61616"));
+ ClientSessionFactory consumerSessionFactory = createSessionFactory(consumerLocator);
+ ClientSession consumerSession = consumerSessionFactory.createSession("consumer", "consumerPassword", false, true, true, consumerLocator.isPreAcknowledge(), consumerLocator.getAckBatchSize());
+ ClientConsumer consumer = consumerSession.createConsumer(DualAuthenticationTest.QUEUE);
+ consumerSession.start();
+
+ Message m = consumer.receive(1000);
+ Assert.assertNotNull(m);
+ Assert.assertEquals(text, m.getBodyBuffer().readString());
+ }
+
+ @Override
+ @Before
+ public void setUp() throws Exception {
+ super.setUp();
+ Map<String, Object> params = new HashMap<>();
+ params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, SERVER_SIDE_KEYSTORE);
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, SERVER_SIDE_TRUSTSTORE);
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
+ params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
+ params.put(TransportConstants.PORT_PROP_NAME, "61617");
+ ConfigurationImpl config = createBasicConfig();
+ config.addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
+ config.addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY));
+ config.setSecurityEnabled(true);
+
+ ActiveMQSecurityManager securityManager = new ActiveMQJAASSecurityManager("DualAuthenticationPropertiesLogin", "DualAuthenticationCertLogin");
+ server = addServer(ActiveMQServers.newActiveMQServer(config, ManagementFactory.getPlatformMBeanServer(), securityManager, false));
+
+ HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository();
+ Role sendRole = new Role("producers", true, false, true, false, true, false, false);
+ Role receiveRole = new Role("consumers", false, true, false, false, false, false, false);
+ Set<Role> roles = new HashSet<>();
+ roles.add(sendRole);
+ roles.add(receiveRole);
+ securityRepository.addMatch(DualAuthenticationTest.QUEUE.toString(), roles);
+
+ server.start();
+ waitForServerToStart(server);
+ tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
+ }
+}
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/tests/integration-tests/src/test/resources/dual-authentication-cert-roles.properties
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/resources/dual-authentication-cert-roles.properties b/tests/integration-tests/src/test/resources/dual-authentication-cert-roles.properties
new file mode 100644
index 0000000..f52fa21
--- /dev/null
+++ b/tests/integration-tests/src/test/resources/dual-authentication-cert-roles.properties
@@ -0,0 +1,18 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+producers=producer
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/tests/integration-tests/src/test/resources/dual-authentication-cert-users.properties
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/resources/dual-authentication-cert-users.properties b/tests/integration-tests/src/test/resources/dual-authentication-cert-users.properties
new file mode 100644
index 0000000..06874dc
--- /dev/null
+++ b/tests/integration-tests/src/test/resources/dual-authentication-cert-users.properties
@@ -0,0 +1,18 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+producer=CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/tests/integration-tests/src/test/resources/dual-authentication-roles.properties
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/resources/dual-authentication-roles.properties b/tests/integration-tests/src/test/resources/dual-authentication-roles.properties
new file mode 100644
index 0000000..9c93173
--- /dev/null
+++ b/tests/integration-tests/src/test/resources/dual-authentication-roles.properties
@@ -0,0 +1,18 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+consumers=consumer
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/tests/integration-tests/src/test/resources/dual-authentication-users.properties
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/resources/dual-authentication-users.properties b/tests/integration-tests/src/test/resources/dual-authentication-users.properties
new file mode 100644
index 0000000..7b61983
--- /dev/null
+++ b/tests/integration-tests/src/test/resources/dual-authentication-users.properties
@@ -0,0 +1,18 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+consumer=consumerPassword
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/7715b5ee/tests/integration-tests/src/test/resources/login.config
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/resources/login.config b/tests/integration-tests/src/test/resources/login.config
index 7c160c5..6bc3498 100644
--- a/tests/integration-tests/src/test/resources/login.config
+++ b/tests/integration-tests/src/test/resources/login.config
@@ -123,3 +123,17 @@ CertLogin {
org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
};
+
+DualAuthenticationCertLogin {
+ org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
+ debug=true
+ org.apache.activemq.jaas.textfiledn.user="dual-authentication-cert-users.properties"
+ org.apache.activemq.jaas.textfiledn.role="dual-authentication-cert-roles.properties";
+};
+
+DualAuthenticationPropertiesLogin {
+ org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
+ debug=true
+ org.apache.activemq.jaas.properties.user="dual-authentication-users.properties"
+ org.apache.activemq.jaas.properties.role="dual-authentication-roles.properties";
+};
[2/2] activemq-artemis git commit: This closes #585
Posted by ma...@apache.org.
This closes #585
Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/279780c8
Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/279780c8
Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/279780c8
Branch: refs/heads/master
Commit: 279780c89d22ca046425ccc53aec24927f089af5
Parents: 70562ad 7715b5e
Author: Martyn Taylor <mt...@redhat.com>
Authored: Fri Jun 17 17:43:29 2016 +0100
Committer: Martyn Taylor <mt...@redhat.com>
Committed: Fri Jun 17 17:43:29 2016 +0100
----------------------------------------------------------------------
.../artemis/factory/JaasSecurityHandler.java | 2 +-
.../activemq/artemis/dto/JaasSecurityDTO.java | 3 +
.../security/ActiveMQJAASSecurityManager.java | 38 ++++-
docs/user-manual/en/security.md | 49 +++++--
examples/features/standard/pom.xml | 2 +
.../ssl-enabled-dual-authentication/pom.xml | 110 ++++++++++++++
.../ssl-enabled-dual-authentication/readme.html | 75 ++++++++++
.../example/SSLDualAuthenticationExample.java | 99 +++++++++++++
.../activemq/server0/artemis-roles.properties | 17 +++
.../activemq/server0/artemis-users.properties | 17 +++
.../resources/activemq/server0/bootstrap.xml | 28 ++++
.../main/resources/activemq/server0/broker.xml | 57 ++++++++
.../activemq/server0/cert-roles.properties | 18 +++
.../activemq/server0/cert-users.properties | 18 +++
.../activemq/server0/client-side-keystore.jks | Bin 0 -> 1303 bytes
.../activemq/server0/client-side-truststore.jks | Bin 0 -> 963 bytes
.../resources/activemq/server0/login.config | 30 ++++
.../activemq/server0/server-side-keystore.jks | Bin 0 -> 2253 bytes
.../activemq/server0/server-side-truststore.jks | Bin 0 -> 1732 bytes
.../src/main/resources/jndi.properties | 21 +++
.../ssl/CoreClientOverTwoWaySSLTest.java | 6 +-
.../integration/ssl/DualAuthenticationTest.java | 142 +++++++++++++++++++
.../dual-authentication-cert-roles.properties | 18 +++
.../dual-authentication-cert-users.properties | 18 +++
.../dual-authentication-roles.properties | 18 +++
.../dual-authentication-users.properties | 18 +++
.../src/test/resources/login.config | 14 ++
27 files changed, 802 insertions(+), 16 deletions(-)
----------------------------------------------------------------------