You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@activemq.apache.org by ro...@apache.org on 2021/10/07 09:49:33 UTC
[activemq-artemis] branch main updated: ARTEMIS-3038: unwind effect
of defunct changes from ARTEMIS-1264
This is an automated email from the ASF dual-hosted git repository.
robbie pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git
The following commit(s) were added to refs/heads/main by this push:
new a5b5a50 ARTEMIS-3038: unwind effect of defunct changes from ARTEMIS-1264
a5b5a50 is described below
commit a5b5a504e0426daa1f2598582ea3252f8bca4cf8
Author: Robbie Gemmell <ro...@apache.org>
AuthorDate: Tue Oct 5 17:17:35 2021 +0100
ARTEMIS-3038: unwind effect of defunct changes from ARTEMIS-1264
Follows earlier test removal in a3de3d4c75ba1482706e8c42a5c9b0f9811901eb
---
.../FederationDownstreamConfiguration.java | 1 -
.../core/remoting/impl/netty/NettyConnector.java | 51 ++++-----------------
.../remoting/impl/netty/TransportConstants.java | 4 --
.../core/remoting/impl/netty/NettyAcceptor.java | 53 +++++-----------------
docs/user-manual/en/security.md | 10 ----
.../src/test/resources/login.config | 15 ------
6 files changed, 19 insertions(+), 115 deletions(-)
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/config/federation/FederationDownstreamConfiguration.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/config/federation/FederationDownstreamConfiguration.java
index 17905e1..a7dd1e0 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/config/federation/FederationDownstreamConfiguration.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/config/federation/FederationDownstreamConfiguration.java
@@ -56,7 +56,6 @@ public class FederationDownstreamConfiguration extends FederationStreamConfigura
//The federated server that creates the upstream back will rely on its config from the acceptor for TLS
stripParam(params, TransportConstants.SSL_ENABLED_PROP_NAME);
stripParam(params, TransportConstants.SSL_PROVIDER);
- stripParam(params, TransportConstants.SSL_KRB5_CONFIG_PROP_NAME);
stripParam(params, TransportConstants.KEYSTORE_PATH_PROP_NAME);
stripParam(params, TransportConstants.KEYSTORE_PASSWORD_PROP_NAME);
stripParam(params, TransportConstants.KEYSTORE_PROVIDER_PROP_NAME);
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
index dde607f..f04b750 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
@@ -20,8 +20,6 @@ import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
-import javax.security.auth.Subject;
-import javax.security.auth.login.LoginContext;
import java.io.IOException;
import java.net.ConnectException;
import java.net.InetAddress;
@@ -33,7 +31,6 @@ import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
-import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
@@ -265,8 +262,6 @@ public class NettyConnector extends AbstractConnector {
private String sniHost;
- private String kerb5Config;
-
private boolean useDefaultSslContext;
private boolean tcpNoDelay;
@@ -433,8 +428,6 @@ public class NettyConnector extends AbstractConnector {
sniHost = ConfigurationHelper.getStringProperty(TransportConstants.SNIHOST_PROP_NAME, TransportConstants.DEFAULT_SNIHOST_CONFIG, configuration);
- kerb5Config = ConfigurationHelper.getStringProperty(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, TransportConstants.DEFAULT_SSL_KRB5_CONFIG, configuration);
-
useDefaultSslContext = ConfigurationHelper.getBooleanProperty(TransportConstants.USE_DEFAULT_SSL_CONTEXT_PROP_NAME, TransportConstants.DEFAULT_USE_DEFAULT_SSL_CONTEXT, configuration);
trustManagerFactoryPlugin = ConfigurationHelper.getStringProperty(TransportConstants.TRUST_MANAGER_FACTORY_PLUGIN_PROP_NAME, TransportConstants.DEFAULT_TRUST_MANAGER_FACTORY_PLUGIN, configuration);
@@ -759,50 +752,22 @@ public class NettyConnector extends AbstractConnector {
final SSLContext context = SSLContextFactoryProvider.getSSLContextFactory()
.getSSLContext(sslContextConfig, configuration);
- Subject subject = null;
- if (kerb5Config != null) {
- LoginContext loginContext = new LoginContext(kerb5Config);
- loginContext.login();
- subject = loginContext.getSubject();
- verifyHost = true;
+ if (host != null && port != -1) {
+ return context.createSSLEngine(host, port);
+ } else {
+ return context.createSSLEngine();
}
-
- SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
- @Override
- public SSLEngine run() {
- if (host != null && port != -1) {
- return context.createSSLEngine(host, port);
- } else {
- return context.createSSLEngine();
- }
- }
- });
- return engine;
}
private SSLEngine loadOpenSslEngine(final ByteBufAllocator alloc, final SSLContextConfig sslContextConfig) throws Exception {
final SslContext context = OpenSSLContextFactoryProvider.getOpenSSLContextFactory()
.getClientSslContext(sslContextConfig, configuration);
- Subject subject = null;
- if (kerb5Config != null) {
- LoginContext loginContext = new LoginContext(kerb5Config);
- loginContext.login();
- subject = loginContext.getSubject();
- verifyHost = true;
+ if (host != null && port != -1) {
+ return context.newEngine(alloc, host, port);
+ } else {
+ return context.newEngine(alloc);
}
-
- SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
- @Override
- public SSLEngine run() {
- if (host != null && port != -1) {
- return context.newEngine(alloc, host, port);
- } else {
- return context.newEngine(alloc);
- }
- }
- });
- return engine;
}
@Override
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
index 37a4e80..43bc67b 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
@@ -33,8 +33,6 @@ public class TransportConstants {
public static final String SSL_ENABLED_PROP_NAME = "sslEnabled";
- public static final String SSL_KRB5_CONFIG_PROP_NAME = "sslKrb5Config";
-
public static final String HTTP_ENABLED_PROP_NAME = "httpEnabled";
public static final String HTTP_CLIENT_IDLE_PROP_NAME = "httpClientIdleTime";
@@ -196,8 +194,6 @@ public class TransportConstants {
public static final boolean DEFAULT_SSL_ENABLED = false;
- public static final String DEFAULT_SSL_KRB5_CONFIG = null;
-
public static final String DEFAULT_SNIHOST_CONFIG = null;
public static final boolean DEFAULT_USE_GLOBAL_WORKER_POOL = true;
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
index eca729a..b9d692b 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
@@ -21,13 +21,10 @@ import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
-import javax.security.auth.Subject;
-import javax.security.auth.login.LoginContext;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.AccessController;
import java.security.PrivilegedAction;
-import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
@@ -189,8 +186,6 @@ public class NettyAcceptor extends AbstractAcceptor {
private final String trustManagerFactoryPlugin;
- private final String kerb5Config;
-
private String sniHost;
private final boolean tcpNoDelay;
@@ -269,8 +264,6 @@ public class NettyAcceptor extends AbstractAcceptor {
sslEnabled = ConfigurationHelper.getBooleanProperty(TransportConstants.SSL_ENABLED_PROP_NAME, TransportConstants.DEFAULT_SSL_ENABLED, configuration);
- kerb5Config = ConfigurationHelper.getStringProperty(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, TransportConstants.DEFAULT_SSL_KRB5_CONFIG, configuration);
-
remotingThreads = ConfigurationHelper.getIntProperty(TransportConstants.NIO_REMOTING_THREADS_PROPNAME, -1, configuration);
remotingThreads = ConfigurationHelper.getIntProperty(TransportConstants.REMOTING_THREADS_PROPNAME, remotingThreads, configuration);
@@ -674,55 +667,31 @@ public class NettyAcceptor extends AbstractAcceptor {
private SSLEngine loadJdkSslEngine(String peerHost, int peerPort) throws Exception {
final SSLContext context = (SSLContext) providerAgnosticSslContext;
- Subject subject = null;
- if (kerb5Config != null) {
- LoginContext loginContext = new LoginContext(kerb5Config);
- loginContext.login();
- subject = loginContext.getSubject();
- }
- SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
- @Override
- public SSLEngine run() {
- if (peerHost != null && peerPort != 0) {
- return context.createSSLEngine(peerHost, peerPort);
- } else {
- return context.createSSLEngine();
- }
- }
- });
- return engine;
+ if (peerHost != null && peerPort != 0) {
+ return context.createSSLEngine(peerHost, peerPort);
+ } else {
+ return context.createSSLEngine();
+ }
}
private void checkSSLConfiguration() throws IllegalArgumentException {
if (configuration.containsKey(TransportConstants.SSL_CONTEXT_PROP_NAME)) {
return;
}
- if (kerb5Config == null && keyStorePath == null && TransportConstants.DEFAULT_KEYSTORE_PROVIDER.equals(keyStoreProvider)) {
+ if (keyStorePath == null && TransportConstants.DEFAULT_KEYSTORE_PROVIDER.equals(keyStoreProvider)) {
throw new IllegalArgumentException("If \"" + TransportConstants.SSL_ENABLED_PROP_NAME + "\" is true then \"" + TransportConstants.KEYSTORE_PATH_PROP_NAME + "\" must be non-null unless an alternative \"" + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "\" has been specified.");
}
}
private SSLEngine loadOpenSslEngine(ByteBufAllocator alloc, String peerHost, int peerPort) throws Exception {
final SslContext context = (SslContext) providerAgnosticSslContext;
- Subject subject = null;
- if (kerb5Config != null) {
- LoginContext loginContext = new LoginContext(kerb5Config);
- loginContext.login();
- subject = loginContext.getSubject();
- }
- SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
- @Override
- public SSLEngine run() {
- if (peerHost != null && peerPort != 0) {
- return context.newEngine(alloc, peerHost, peerPort);
- } else {
- return context.newEngine(alloc);
- }
- }
- });
- return engine;
+ if (peerHost != null && peerPort != 0) {
+ return context.newEngine(alloc, peerHost, peerPort);
+ } else {
+ return context.newEngine(alloc);
+ }
}
private void startServerChannels() {
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index fb0f745..88478ad 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@@ -1159,16 +1159,6 @@ amqp-sasl-gssapi {
};
```
-##### TLS Kerberos Cipher Suites
-
-The legacy [rfc2712](https://www.ietf.org/rfc/rfc2712.txt) defines TLS Kerberos
-cipher suites that can be used by TLS to negotiate Kerberos authentication. The
-cypher suites offered by rfc2712 are dated and insecure and rfc2712 has been
-superseded by SASL GSSAPI. However, for clients that don't support SASL (core
-client), using TLS can provide Kerberos authentication over an *unsecure*
-channel.
-
-
### Role Mapping
On the server, a Kerberos or SCRAM-SHA JAAS authenticated Principal must be added to the
diff --git a/tests/integration-tests/src/test/resources/login.config b/tests/integration-tests/src/test/resources/login.config
index 6ff980c..b1af825 100644
--- a/tests/integration-tests/src/test/resources/login.config
+++ b/tests/integration-tests/src/test/resources/login.config
@@ -282,21 +282,6 @@ Krb5PlusLdapMemberOfNoRoleName {
;
};
-core-tls-krb5-server {
- com.sun.security.auth.module.Krb5LoginModule required
- isInitiator=false
- storeKey=true
- useKeyTab=true
- principal="host/sni.host"
- debug=true;
-};
-
-core-tls-krb5-client {
- com.sun.security.auth.module.Krb5LoginModule required
- principal="client"
- useKeyTab=true;
-};
-
amqp-sasl-gssapi {
com.sun.security.auth.module.Krb5LoginModule required
isInitiator=false