Posted to proton@qpid.apache.org by Kai <so...@gmail.com> on 2016/02/28 16:59:13 UTC

SASL

Hi,

I was trying to find some examples or documentation regarding how to use
SASL in Proton but did not find anything so far. Can you point me in the
right direction? In particular I am interested in determining the identity
of a client that has been authenticated as part of a TLS handshake (if
that's possible) ...

Regards,
Kai

Re: SASL

Posted by Robbie Gemmell <ro...@gmail.com>.
Hi Kai,

As Gordon noted, proton can be used in different ways. In the case
where it is used purely as an AMQP protocol engine with e.g. TLS being
provided by the external IO being used with it, getting the Principal
would currently fall to that code rather than proton. That is how
proton-j currently sees most of its usage (or at least, the usage I'm
actually familiar with).

The SASL/TLS related APIs in proton-c have seen major rework since
earlier releases, but the equivalents in proton-j have not and now
differ substantially. I don't see an equivalent of the APIs Gordon
referenced below, however as above it's likely those may not apply in
the particular usage context anyway when it comes to proton-j.

I don't think there is much in the way of examples in this area I'm
afraid other than the code of components using it (e.g. the ActiveMQ
brokers, or the Qpid JMS client).

Robbie

On 29 February 2016 at 17:11, Kai <so...@gmail.com> wrote:
> Thanks for your replies, Gordon. I didn't explicitly mention that I was
> interested in accessing the Principal from Java but you seem to have
> guessed that already :-) However, the question is still open, right?
>
> Kai
>
> On Mon, Feb 29, 2016 at 6:04 PM Gordon Sim <gs...@redhat.com> wrote:
>
>> On 29/02/16 14:56, Gordon Sim wrote:
>> > On 28/02/16 15:59, Kai wrote:
>> >> I was trying to find some examples or documentation regarding how to use
>> >> SASL in Proton but did not find anything so far. Can you point me into
>> >> the
>> >> right direction? In particular I am interested in determining the
>> >> identity
>> >> of a client that has been authenticated as part of a TLS handshake (if
>> >> that's possible) ...
>> >
>> > In the c api, pn_ssl_get_remote_subject() gets you the subject field of
>> > the certificate. In python that is exposed as a remote_subject property
>> > on the ssl object associated with the transport.
>> >
>> > I'm not sure if/how the java api's offer the behaviour, anyone else able
>> > to comment on that?
>>
>> One thing to add/point out here is that proton can be used in different
>> ways. One use is simply as a protocol engine, with bytes pumped in and
>> out by an external io component. In that usage model, you would use
>> java's built in support for SSL (as part of the io).
>>

Re: SASL

Posted by Kai <so...@gmail.com>.
Thanks for your replies, Gordon. I didn't explicitly mention that I was
interested in accessing the Principal from Java but you seem to have
guessed that already :-) However, the question is still open, right?

Kai

On Mon, Feb 29, 2016 at 6:04 PM Gordon Sim <gs...@redhat.com> wrote:

> On 29/02/16 14:56, Gordon Sim wrote:
> > On 28/02/16 15:59, Kai wrote:
> >> I was trying to find some examples or documentation regarding how to use
> >> SASL in Proton but did not find anything so far. Can you point me into
> >> the
> >> right direction? In particular I am interested in determining the
> >> identity
> >> of a client that has been authenticated as part of a TLS handshake (if
> >> that's possible) ...
> >
> > In the c api, pn_ssl_get_remote_subject() gets you the subject field of
> > the certificate. In python that is exposed as a remote_subject property
> > on the ssl object associated with the transport.
> >
> > I'm not sure if/how the java api's offer the behaviour, anyone else able
> > to comment on that?
>
> One thing to add/point out here is that proton can be used in different
> ways. One use is simply as a protocol engine, with bytes pumped in and
> out by an external io component. In that usage model, you would use
> java's built in support for SSL (as part of the io).
>

Re: SASL

Posted by Gordon Sim <gs...@redhat.com>.
On 29/02/16 14:56, Gordon Sim wrote:
> On 28/02/16 15:59, Kai wrote:
>> I was trying to find some examples or documentation regarding how to use
>> SASL in Proton but did not find anything so far. Can you point me into
>> the
>> right direction? In particular I am interested in determining the
>> identity
>> of a client that has been authenticated as part of a TLS handshake (if
>> that's possible) ...
>
> In the c api, pn_ssl_get_remote_subject() gets you the subject field of
> the certificate. In python that is exposed as a remote_subject property
> on the ssl object associated with the transport.
>
> I'm not sure if/how the java api's offer the behaviour, anyone else able
> to comment on that?

One thing to add/point out here is that proton can be used in different
ways. One use is simply as a protocol engine, with bytes pumped in and
out by an external io component. In that usage model, you would use
Java's built-in support for SSL (as part of the io).
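
Added example, not written by any poster in this thread and not Proton code: when proton-j is used purely as a protocol engine and the application's own SSLEngine handles TLS, the authenticated client identity can be read from the JSSE session after the handshake. The class and method names are illustrative, and the subject DN in main is constructed to show why the DN should be parsed rather than split on commas.

```java
import java.security.Principal;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

public class TlsPeerIdentity {

    /** Server side: the handshake fails unless the client presents a trusted certificate. */
    static void requireClientCert(SSLEngine engine) {
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true);
    }

    /** Call once the handshake has finished; returns null when the peer was not authenticated. */
    static Principal peerPrincipal(SSLSession session) {
        try {
            return session.getPeerPrincipal();
        } catch (SSLPeerUnverifiedException e) {
            return null; // no client certificate: treat the connection as anonymous
        }
    }

    /** Extracts the CN with an RFC 2253 parser, so escaped commas cannot fake extra attributes. */
    static String commonName(Principal principal) throws InvalidNameException {
        if (!(principal instanceof X500Principal)) return null;
        String dn = ((X500Principal) principal).getName(X500Principal.RFC2253);
        List<Rdn> rdns = new LdapName(dn).getRdns();
        for (int i = rdns.size() - 1; i >= 0; i--) { // the most specific RDN is last in the list
            Rdn rdn = rdns.get(i);
            if ("CN".equalsIgnoreCase(rdn.getType())) return String.valueOf(rdn.getValue());
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed subject DN standing in for the result of peerPrincipal(engine.getSession()).
        // The CN value itself contains an escaped ",CN=admin"; naive splitting would misread it.
        Principal p = new X500Principal("CN=device\\,CN\\=admin,OU=sensors,O=Example");
        System.out.println(commonName(p));
    }
}
```

The CN is only meaningful as an identity if the server's trust store is limited to the CAs allowed to issue client certificates.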

Re: SASL

Posted by Gordon Sim <gs...@redhat.com>.
On 28/02/16 15:59, Kai wrote:
> I was trying to find some examples or documentation regarding how to use
> SASL in Proton but did not find anything so far. Can you point me into the
> right direction? In particular I am interested in determining the identity
> of a client that has been authenticated as part of a TLS handshake (if
> that's possible) ...

In the C API, pn_ssl_get_remote_subject() gets you the subject field of
the certificate. In Python that is exposed as a remote_subject property
on the ssl object associated with the transport.

I'm not sure if/how the Java APIs offer the behaviour; anyone else able
to comment on that?