Posted to commits@activemq.apache.org by cl...@apache.org on 2017/08/08 17:34:01 UTC
[2/5] activemq-artemis git commit: [ARTEMIS-1310] [ARTEMIS-1264]
consolidate configuration to require login configuration scope
[ARTEMIS-1310] [ARTEMIS-1264] consolidate configuration to require login configuration scope
Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/9fedb47c
Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/9fedb47c
Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/9fedb47c
Branch: refs/heads/master
Commit: 9fedb47c400b9a00dec08b8f3bc280fe674ad915
Parents: ca7197b
Author: gtully <ga...@gmail.com>
Authored: Wed Aug 2 12:19:07 2017 +0100
Committer: Clebert Suconic <cl...@apache.org>
Committed: Tue Aug 8 13:28:50 2017 -0400
----------------------------------------------------------------------
.../impl/TransportConfigurationUtil.java | 29 +-------------------
.../remoting/impl/netty/NettyConnector.java | 15 ++--------
.../core/remoting/impl/netty/NettyAcceptor.java | 13 ++-------
.../integration/amqp/JMSSaslGssapiTest.java | 20 +++++++-------
.../ssl/CoreClientOverOneWaySSLKerb5Test.java | 6 ++--
.../src/test/resources/login.config | 17 +++++++++++-
6 files changed, 34 insertions(+), 66 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/9fedb47c/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/TransportConfigurationUtil.java
----------------------------------------------------------------------
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/TransportConfigurationUtil.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/TransportConfigurationUtil.java
index 97a4bd2..c6d8a5f 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/TransportConfigurationUtil.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/TransportConfigurationUtil.java
@@ -27,9 +27,6 @@ import org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnectorFactor
import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
import org.apache.activemq.artemis.utils.ClassloadingUtil;
-import javax.security.auth.login.AppConfigurationEntry;
-import javax.security.auth.login.Configuration;
-
/**
* Stores static mappings of class names to ConnectorFactory instances to act as a central repo for ConnectorFactory
* objects.
@@ -99,28 +96,4 @@ public class TransportConfigurationUtil {
return false;
}
- public static Configuration kerb5Config(String principal, boolean initiator) {
- final Map<String, String> krb5LoginModuleOptions = new HashMap<>();
- krb5LoginModuleOptions.put("isInitiator", String.valueOf(initiator));
- krb5LoginModuleOptions.put("principal", principal);
- krb5LoginModuleOptions.put("useKeyTab", "true");
- krb5LoginModuleOptions.put("storeKey", "true");
- krb5LoginModuleOptions.put("doNotPrompt", "true");
- krb5LoginModuleOptions.put("renewTGT", "true");
- krb5LoginModuleOptions.put("refreshKrb5Config", "true");
- krb5LoginModuleOptions.put("useTicketCache", "true");
- String ticketCache = System.getenv("KRB5CCNAME");
- if (ticketCache != null) {
- krb5LoginModuleOptions.put("ticketCache", ticketCache);
- }
- return new Configuration() {
- @Override
- public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
- return new AppConfigurationEntry[]{
- new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
- AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
- krb5LoginModuleOptions)};
- }
- };
- }
-}
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/9fedb47c/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
----------------------------------------------------------------------
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
index 1882490..8e48cf9 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
@@ -98,7 +98,6 @@ import org.apache.activemq.artemis.api.core.ActiveMQException;
import org.apache.activemq.artemis.core.client.ActiveMQClientLogger;
import org.apache.activemq.artemis.core.client.ActiveMQClientMessageBundle;
import org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQClientProtocolManager;
-import org.apache.activemq.artemis.core.remoting.impl.TransportConfigurationUtil;
import org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport;
import org.apache.activemq.artemis.core.server.ActiveMQComponent;
import org.apache.activemq.artemis.spi.core.remoting.AbstractConnector;
@@ -523,18 +522,8 @@ public class NettyConnector extends AbstractConnector {
if (sslEnabled && !useServlet) {
Subject subject = null;
- if (kerb5Config != null && kerb5Config.length() > 0) {
-
- LoginContext loginContext = null;
- if (Character.isUpperCase(kerb5Config.charAt(0))) {
- // use as login.config scope
- loginContext = new LoginContext(kerb5Config);
- } else {
- // inline keytab config using kerb5Config as principal
- loginContext = new LoginContext("", null, null,
- TransportConfigurationUtil.kerb5Config(kerb5Config, true));
- }
-
+ if (kerb5Config != null) {
+ LoginContext loginContext = new LoginContext(kerb5Config);
loginContext.login();
subject = loginContext.getSubject();
verifyHost = true;
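Review bot: The new guard `if (kerb5Config != null)` drops the earlier `kerb5Config.length() > 0` check, so an empty value now reaches `new LoginContext(kerb5Config)`. JAAS resolves a name it cannot find to the `other` entry when the active configuration defines one, so an empty or mistyped scope could log in through an unrelated login module instead of failing; whether an empty string can arrive here depends on parameter parsing outside the hunk. Keeping the emptiness check, `if (kerb5Config != null && !kerb5Config.isEmpty()) {`, preserves the old behaviour for that case. The same guard appears in the NettyAcceptor hunk, and in both places a value that used to be read as a principal (lower-case first letter) is now treated as a login.config scope, which deserves a line in the upgrade notes. The enclosing method starts and ends outside the hunk.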
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/9fedb47c/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
----------------------------------------------------------------------
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
index d626fad..b41fc70 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
@@ -71,7 +71,6 @@ import org.apache.activemq.artemis.api.core.management.CoreNotificationType;
import org.apache.activemq.artemis.core.client.impl.ClientSessionFactoryImpl;
import org.apache.activemq.artemis.core.protocol.ProtocolHandler;
import org.apache.activemq.artemis.core.remoting.impl.AbstractAcceptor;
-import org.apache.activemq.artemis.core.remoting.impl.TransportConfigurationUtil;
import org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport;
import org.apache.activemq.artemis.core.security.ActiveMQPrincipal;
import org.apache.activemq.artemis.core.server.ActiveMQComponent;
@@ -442,17 +441,9 @@ public class NettyAcceptor extends AbstractAcceptor {
throw ise;
}
Subject subject = null;
- if (kerb5Config != null && kerb5Config.length() > 0) {
- LoginContext loginContext = null;
- if (Character.isUpperCase(kerb5Config.charAt(0))) {
- // use as login.config scope
- loginContext = new LoginContext(kerb5Config);
- } else {
- loginContext = new LoginContext("", null, null,
- TransportConfigurationUtil.kerb5Config(kerb5Config, false));
- }
+ if (kerb5Config != null) {
+ LoginContext loginContext = new LoginContext(kerb5Config);
loginContext.login();
-
subject = loginContext.getSubject();
}
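Review bot: Nothing at `new LoginContext(kerb5Config)` says what the named login.config entry must now provide on the acceptor side. The removed helper was called with `initiator` false and also set `useKeyTab`, `storeKey` and `doNotPrompt`; the test entry `core-tls-krb5-server` repeats most of these, but an operator-written entry can omit them and only fail at handshake time. I would add a comment above the call such as `// kerb5Config names a JAAS login.config entry; for an acceptor it should set isInitiator=false, useKeyTab=true and storeKey=true`. The enclosing method continues outside the hunk.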
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/9fedb47c/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java
index a4f9476..17d70a5 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java
@@ -16,15 +16,6 @@
*/
package org.apache.activemq.artemis.tests.integration.amqp;
-import org.apache.activemq.artemis.core.security.Role;
-import org.apache.activemq.artemis.core.server.ActiveMQServer;
-import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
-import org.apache.activemq.artemis.utils.RandomUtil;
-import org.apache.hadoop.minikdc.MiniKdc;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
import javax.jms.Connection;
import javax.jms.MessageConsumer;
import javax.jms.MessageProducer;
@@ -37,6 +28,15 @@ import java.util.HashSet;
import java.util.Map;
import java.util.Set;
+import org.apache.activemq.artemis.core.security.Role;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import org.apache.activemq.artemis.utils.RandomUtil;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
public class JMSSaslGssapiTest extends JMSClientTestSupport {
static {
@@ -85,7 +85,7 @@ public class JMSSaslGssapiTest extends JMSClientTestSupport {
protected void configureBrokerSecurity(ActiveMQServer server) {
server.getConfiguration().setSecurityEnabled(isSecurityEnabled());
ActiveMQJAASSecurityManager securityManager = (ActiveMQJAASSecurityManager) server.getSecurityManager();
- securityManager.setConfigurationName("Krb5SslPlus");
+ securityManager.setConfigurationName("Krb5Plus");
securityManager.setConfiguration(null);
final String roleName = "ALLOW_ALL";
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/9fedb47c/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLKerb5Test.java
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLKerb5Test.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLKerb5Test.java
index 1dd238f..a9f5c88 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLKerb5Test.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLKerb5Test.java
@@ -88,7 +88,7 @@ public class CoreClientOverOneWaySSLKerb5Test extends ActiveMQTestBase {
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
tc.getParams().put(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME, getSuitableCipherSuite());
tc.getParams().put(TransportConstants.SNIHOST_PROP_NAME, SNI_HOST); // static service name rather than dynamic machine name
- tc.getParams().put(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, "client"); // lower case used as principal with default keytab
+ tc.getParams().put(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, "core-tls-krb5-client");
final ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
ClientSessionFactory sf = null;
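Review bot: The replaced line lost its explanatory comment, and the literal `"core-tls-krb5-client"` no longer says what kind of value it is. A short trailing comment such as `// JAAS entry name defined in login.config` would make the link to the new config entry visible; the same applies to `"core-tls-krb5-server"` in the acceptor-params hunk that follows. The enclosing test method starts and ends outside the hunk.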
@@ -171,7 +171,7 @@ public class CoreClientOverOneWaySSLKerb5Test extends ActiveMQTestBase {
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
params.put(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME, getSuitableCipherSuite());
- params.put(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, SERVICE_PRINCIPAL);
+ params.put(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, "core-tls-krb5-server");
ConfigurationImpl config = createBasicConfig().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params, "nettySSL"));
config.setPopulateValidatedUser(true); // so we can verify the kerb5 id is present
@@ -179,7 +179,7 @@ public class CoreClientOverOneWaySSLKerb5Test extends ActiveMQTestBase {
config.addAcceptorConfiguration(new TransportConfiguration(INVM_ACCEPTOR_FACTORY));
- ActiveMQSecurityManager securityManager = new ActiveMQJAASSecurityManager("Krb5SslPlus");
+ ActiveMQSecurityManager securityManager = new ActiveMQJAASSecurityManager("Krb5Plus");
server = addServer(ActiveMQServers.newActiveMQServer(config, ManagementFactory.getPlatformMBeanServer(), securityManager, false));
HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository();
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/9fedb47c/tests/integration-tests/src/test/resources/login.config
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/resources/login.config b/tests/integration-tests/src/test/resources/login.config
index 5c0e2eb..a834627 100644
--- a/tests/integration-tests/src/test/resources/login.config
+++ b/tests/integration-tests/src/test/resources/login.config
@@ -138,7 +138,7 @@ DualAuthenticationPropertiesLogin {
org.apache.activemq.jaas.properties.role="dual-authentication-roles.properties";
};
-Krb5SslPlus {
+Krb5Plus {
org.apache.activemq.artemis.spi.core.security.jaas.Krb5LoginModule optional
debug=true;
@@ -149,6 +149,21 @@ Krb5SslPlus {
org.apache.activemq.jaas.properties.role="dual-authentication-roles.properties";
};
+core-tls-krb5-server {
+ com.sun.security.auth.module.Krb5LoginModule required
+ isInitiator=false
+ storeKey=true
+ useKeyTab=true
+ principal="host/sni.host"
+ debug=true;
+};
+
+core-tls-krb5-client {
+ com.sun.security.auth.module.Krb5LoginModule required
+ principal="client"
+ useKeyTab=true;
+};
+
amqp-sasl-gssapi {
com.sun.security.auth.module.Krb5LoginModule required
isInitiator=false