You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Rajith Attapattu (JIRA)" <qp...@incubator.apache.org> on 2009/02/05 00:31:02 UTC
[jira] Created: (QPID-1645) Kerberos auth support for the java
client
Kerberos auth support for the java client
-----------------------------------------
Key: QPID-1645
URL: https://issues.apache.org/jira/browse/QPID-1645
Project: Qpid
Issue Type: Bug
Components: Java Client
Affects Versions: M4
Reporter: Rajith Attapattu
Assignee: Rajith Attapattu
Fix For: M5
Currently the 0-8 java client only supports PLAIN and cram-MD5 as authentication mechanisms.
The 0-10 java client only uses PLAIN.
It would be good to add Keberos as an authentication mechanism to the java client.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Issue Comment Edited: (QPID-1645) Kerberos auth support for
the java client
Posted by "Jan Sarenik (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12700101#action_12700101 ]
Jan Sarenik edited comment on QPID-1645 at 4/17/09 2:51 AM:
------------------------------------------------------------
VERIFIED
========
On RHEL4 and RHEL5 I have verified this using the following
script:
-------------------------------------------------------------------------------
#!/bin/sh
#
# Prerequisities:
# * broker has to be run with "qpidd --auth yes --realm EXAMPLE.COM"
# * you have to get the ticket first
# * packages (qpidd, krb5-*, cyrus-sasl-gssapi, qpid-java-*,
# rhm-docs)
EXAMPLE_PATH=/usr/share/doc/rhm-0.5/java
EXAMPLE_LIST=`find $EXAMPLE_PATH -type f -name '*.java'`
CLASSPATH=`find /usr/share/java -name '*.jar' | tr '\n' :`
TMPFILE=`mktemp`
PROPFILE=$EXAMPLE_PATH/org/apache/qpid/example/jmsexample/requestResponse/\
requestResponse.properties
cat $PROPFILE > $TMPFILE
sed -i "s|^\(connectionfactory.qpidConnectionfactory\).*$|\1 = amqp://testuser:test@clientid/testpath?brokerlist='tcp://$HOSTNAME:5672'|" $PROPFILE
cat > $EXAMPLE_PATH/myjas.conf <<EOF
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};
EOF
pushd $EXAMPLE_PATH
find $EXAMPLE_PATH -iname *.class -exec rm {} \;
javac -cp "$CLASSPATH" -sourcepath "$EXAMPLE_PATH" \
-d "$EXAMPLE_PATH" $EXAMPLE_LIST
java \
-Djavax.security.auth.useSubjectCredsOnly=false \
-Djava.security.auth.login.config=myjas.conf \
-Dsun.security.krb5.debug=true \
-Dqpid.sasl_mechs="GSSAPI" \
-Dqpid.sasl_protocol=qpidd \
-Dqpid.sasl_server_name=$HOSTNAME \
-cp "$CLASSPATH" \
org.apache.qpid.example.jmsexample.requestResponse.Server \
&> /dev/null &
sleep 3
java \
-Djavax.security.auth.useSubjectCredsOnly=false \
-Djava.security.auth.login.config=myjas.conf \
-Dsun.security.krb5.debug=true \
-Dqpid.sasl_mechs="GSSAPI" \
-Dqpid.sasl_protocol=qpidd \
-Dqpid.sasl_server_name=$HOSTNAME \
-cp "$CLASSPATH" \
org.apache.qpid.example.jmsexample.requestResponse.Client
killall java
cat $TMPFILE > $PROPFILE
rm -rfv $TMPFILE $EXAMPLE_PATH/myjas.conf
-------------------------------------------------------------------------------
was (Author: jasan):
VERIFIED
========
On RHEL4 and RHEL5 I have verified this using the following
script:
-------------------------------------------------------------------------------
#!/bin/sh
#
# Prerequisities:
# * broker has to be run with "qpidd --auth yes --realm EXAMPLE.COM"
# * you have to get the ticket first
# * packages (qpidd, krb5-*, cyrus-sasl-gssapi, qpid-java-*,
# rhm-docs)
EXAMPLE_PATH=/usr/share/doc/rhm-0.5/java
EXAMPLE_LIST=`find $EXAMPLE_PATH -type f -name '*.java'`
CLASSPATH=`find /usr/share/java -name '*.jar' | tr '\n' :`
TMPFILE=`mktemp`
PROPFILE=$EXAMPLE_PATH/org/apache/qpid/example/jmsexample/requestResponse/\
requestResponse.properties
cat $PROPFILE > $TMPFILE
sed -i "s|^\(connectionfactory.qpidConnectionfactory\).*$|\1 = amqp://testuser:test@clientid/testpath?brokerlist='tcp://$HOSTNAME:5672'|" $PROPFILE
cat > $EXAMPLE_PATH/myjas.conf <<EOF
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};
EOF
pushd $EXAMPLE_PATH
find $EXAMPLE_PATH -iname *.class -exec rm -v {} \ &> /dev/null
javac -cp "$CLASSPATH" -sourcepath "$EXAMPLE_PATH" \
-d "$EXAMPLE_PATH" $EXAMPLE_LIST
java \
-Djavax.security.auth.useSubjectCredsOnly=false \
-Djava.security.auth.login.config=myjas.conf \
-Dsun.security.krb5.debug=true \
-Dqpid.sasl_mechs="GSSAPI" \
-Dqpid.sasl_protocol=qpidd \
-Dqpid.sasl_server_name=$HOSTNAME \
-cp "$CLASSPATH" \
org.apache.qpid.example.jmsexample.requestResponse.Server \
&> /dev/null &
sleep 3
java \
-Djavax.security.auth.useSubjectCredsOnly=false \
-Djava.security.auth.login.config=myjas.conf \
-Dsun.security.krb5.debug=true \
-Dqpid.sasl_mechs="GSSAPI" \
-Dqpid.sasl_protocol=qpidd \
-Dqpid.sasl_server_name=$HOSTNAME \
-cp "$CLASSPATH" \
org.apache.qpid.example.jmsexample.requestResponse.Client
killall java
cat $TMPFILE > $PROPFILE
rm -rfv $TMPFILE $EXAMPLE_PATH/myjas.conf
-------------------------------------------------------------------------------
> Kerberos auth support for the java client
> -----------------------------------------
>
> Key: QPID-1645
> URL: https://issues.apache.org/jira/browse/QPID-1645
> Project: Qpid
> Issue Type: Bug
> Components: Java Client
> Affects Versions: M4
> Reporter: Rajith Attapattu
> Assignee: Rajith Attapattu
> Fix For: 0.5
>
>
> Currently the 0-8 java client only supports PLAIN and cram-MD5 as authentication mechanisms.
> The 0-10 java client only uses PLAIN.
> It would be good to add Keberos as an authentication mechanism to the java client.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Commented: (QPID-1645) Kerberos auth support for the java
client
Posted by "Jan Sarenik (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12696946#action_12696946 ]
Jan Sarenik commented on QPID-1645:
-----------------------------------
I am about to verify the Java client SASL auth works.
> Kerberos auth support for the java client
> -----------------------------------------
>
> Key: QPID-1645
> URL: https://issues.apache.org/jira/browse/QPID-1645
> Project: Qpid
> Issue Type: Bug
> Components: Java Client
> Affects Versions: M4
> Reporter: Rajith Attapattu
> Assignee: Rajith Attapattu
> Fix For: 0.5
>
>
> Currently the 0-8 java client only supports PLAIN and cram-MD5 as authentication mechanisms.
> The 0-10 java client only uses PLAIN.
> It would be good to add Keberos as an authentication mechanism to the java client.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Commented: (QPID-1645) Kerberos auth support for the java
client
Posted by "Rajith Attapattu (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12671736#action_12671736 ]
Rajith Attapattu commented on QPID-1645:
----------------------------------------
This is commited to trunk at rev 742267.
I have only added this to the 0-10 code path, and should be trivial to add this to the 0-8/9 code path.
However currently only the c++ broker supports kerberos.
How to
==========
You could force the java client to use kerberos auth by specifying it in the connection URL as follows.
amqp://guest:guest@clientid/testpath?brokerlist='tcp://localhost:5672?'&sasl_mechs='GSSAPI'
You would then need to pass in the following jvm arguments
-Djavax.security.auth.useSubjectCredsOnly=false (This will force the SASL GASSPI client to obtain the kerberos credentials explicitly instead of obtaining from the "subject" that owns the currents thread)
-Djava.security.auth.login.config=myjas.conf (this specifies the jass config file)
-Dsun.security.krb5.debug=true (to enable detailed debug info for troubleshooting)
Before running the java client you would need to do kinit and grab a kerberos ticket.
Alternative you could set useTicketCache=false and when the client loads, it will prompt you for the user/pass and will obtain the ticket
(You would also need to setup your kerberos environment properly -refer to doc links below).
======== Sample JASS Config file =============================
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};
=========================================================
Please refer to the following documentation for more details
http://java.sun.com/j2se/1.5.0/docs/guide/security/sasl/sasl-refguide.html
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/index.html
http://tldp.org/HOWTO/Kerberos-Infrastructure-HOWTO/
> Kerberos auth support for the java client
> -----------------------------------------
>
> Key: QPID-1645
> URL: https://issues.apache.org/jira/browse/QPID-1645
> Project: Qpid
> Issue Type: Bug
> Components: Java Client
> Affects Versions: M4
> Reporter: Rajith Attapattu
> Assignee: Rajith Attapattu
> Fix For: M5
>
>
> Currently the 0-8 java client only supports PLAIN and cram-MD5 as authentication mechanisms.
> The 0-10 java client only uses PLAIN.
> It would be good to add Keberos as an authentication mechanism to the java client.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Assigned: (QPID-1645) Kerberos auth support for the java
client
Posted by "Gordon Sim (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1645?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gordon Sim reassigned QPID-1645:
--------------------------------
Assignee: Rajith Attapattu (was: Jan Sarenik)
> Kerberos auth support for the java client
> -----------------------------------------
>
> Key: QPID-1645
> URL: https://issues.apache.org/jira/browse/QPID-1645
> Project: Qpid
> Issue Type: Bug
> Components: Java Client
> Affects Versions: M4
> Reporter: Rajith Attapattu
> Assignee: Rajith Attapattu
> Fix For: 0.5
>
>
> Currently the 0-8 java client only supports PLAIN and cram-MD5 as authentication mechanisms.
> The 0-10 java client only uses PLAIN.
> It would be good to add Keberos as an authentication mechanism to the java client.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Issue Comment Edited: (QPID-1645) Kerberos auth support for
the java client
Posted by "Jan Sarenik (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12696946#action_12696946 ]
Jan Sarenik edited comment on QPID-1645 at 4/8/09 2:17 AM:
-----------------------------------------------------------
I am about to verify the Java client kerberos SASL auth works.
was (Author: jasan):
I am about to verify the Java client SASL auth works.
> Kerberos auth support for the java client
> -----------------------------------------
>
> Key: QPID-1645
> URL: https://issues.apache.org/jira/browse/QPID-1645
> Project: Qpid
> Issue Type: Bug
> Components: Java Client
> Affects Versions: M4
> Reporter: Rajith Attapattu
> Assignee: Rajith Attapattu
> Fix For: 0.5
>
>
> Currently the 0-8 java client only supports PLAIN and cram-MD5 as authentication mechanisms.
> The 0-10 java client only uses PLAIN.
> It would be good to add Keberos as an authentication mechanism to the java client.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Commented: (QPID-1645) Kerberos auth support for the java
client
Posted by "Jan Sarenik (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12700101#action_12700101 ]
Jan Sarenik commented on QPID-1645:
-----------------------------------
VERIFIED
========
On RHEL4 and RHEL5 I have verified this using the following
script:
-------------------------------------------------------------------------------
#!/bin/sh
#
# Prerequisities:
# * broker has to be run with "qpidd --auth yes --realm EXAMPLE.COM"
# * you have to get the ticket first
# * packages (qpidd, krb5-*, cyrus-sasl-gssapi, qpid-java-*,
# rhm-docs)
EXAMPLE_PATH=/usr/share/doc/rhm-0.5/java
EXAMPLE_LIST=`find $EXAMPLE_PATH -type f -name '*.java'`
CLASSPATH=`find /usr/share/java -name '*.jar' | tr '\n' :`
TMPFILE=`mktemp`
PROPFILE=$EXAMPLE_PATH/org/apache/qpid/example/jmsexample/requestResponse/\
requestResponse.properties
cat $PROPFILE > $TMPFILE
sed -i "s|^\(connectionfactory.qpidConnectionfactory\).*$|\1 = amqp://testuser:test@clientid/testpath?brokerlist='tcp://$HOSTNAME:5672'|" $PROPFILE
cat > $EXAMPLE_PATH/myjas.conf <<EOF
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};
EOF
pushd $EXAMPLE_PATH
find $EXAMPLE_PATH -iname *.class -exec rm -v {} \ &> /dev/null
javac -cp "$CLASSPATH" -sourcepath "$EXAMPLE_PATH" \
-d "$EXAMPLE_PATH" $EXAMPLE_LIST
java \
-Djavax.security.auth.useSubjectCredsOnly=false \
-Djava.security.auth.login.config=myjas.conf \
-Dsun.security.krb5.debug=true \
-Dqpid.sasl_mechs="GSSAPI" \
-Dqpid.sasl_protocol=qpidd \
-Dqpid.sasl_server_name=$HOSTNAME \
-cp "$CLASSPATH" \
org.apache.qpid.example.jmsexample.requestResponse.Server \
&> /dev/null &
sleep 3
java \
-Djavax.security.auth.useSubjectCredsOnly=false \
-Djava.security.auth.login.config=myjas.conf \
-Dsun.security.krb5.debug=true \
-Dqpid.sasl_mechs="GSSAPI" \
-Dqpid.sasl_protocol=qpidd \
-Dqpid.sasl_server_name=$HOSTNAME \
-cp "$CLASSPATH" \
org.apache.qpid.example.jmsexample.requestResponse.Client
killall java
cat $TMPFILE > $PROPFILE
rm -rfv $TMPFILE $EXAMPLE_PATH/myjas.conf
-------------------------------------------------------------------------------
> Kerberos auth support for the java client
> -----------------------------------------
>
> Key: QPID-1645
> URL: https://issues.apache.org/jira/browse/QPID-1645
> Project: Qpid
> Issue Type: Bug
> Components: Java Client
> Affects Versions: M4
> Reporter: Rajith Attapattu
> Assignee: Rajith Attapattu
> Fix For: 0.5
>
>
> Currently the 0-8 java client only supports PLAIN and cram-MD5 as authentication mechanisms.
> The 0-10 java client only uses PLAIN.
> It would be good to add Keberos as an authentication mechanism to the java client.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Closed: (QPID-1645) Kerberos auth support for the java
client
Posted by "Rafael H. Schloming (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1645?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rafael H. Schloming closed QPID-1645.
-------------------------------------
Reviewed commits.
> Kerberos auth support for the java client
> -----------------------------------------
>
> Key: QPID-1645
> URL: https://issues.apache.org/jira/browse/QPID-1645
> Project: Qpid
> Issue Type: Bug
> Components: Java Client
> Affects Versions: M4
> Reporter: Rajith Attapattu
> Assignee: Rajith Attapattu
> Fix For: 0.5
>
>
> Currently the 0-8 java client only supports PLAIN and cram-MD5 as authentication mechanisms.
> The 0-10 java client only uses PLAIN.
> It would be good to add Keberos as an authentication mechanism to the java client.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Resolved: (QPID-1645) Kerberos auth support for the java
client
Posted by "Rafael H. Schloming (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1645?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rafael H. Schloming resolved QPID-1645.
---------------------------------------
Resolution: Fixed
> Kerberos auth support for the java client
> -----------------------------------------
>
> Key: QPID-1645
> URL: https://issues.apache.org/jira/browse/QPID-1645
> Project: Qpid
> Issue Type: Bug
> Components: Java Client
> Affects Versions: M4
> Reporter: Rajith Attapattu
> Assignee: Rajith Attapattu
> Fix For: 0.5
>
>
> Currently the 0-8 java client only supports PLAIN and cram-MD5 as authentication mechanisms.
> The 0-10 java client only uses PLAIN.
> It would be good to add Keberos as an authentication mechanism to the java client.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] Assigned: (QPID-1645) Kerberos auth support for the java
client
Posted by "Gordon Sim (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-1645?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gordon Sim reassigned QPID-1645:
--------------------------------
Assignee: Jan Sarenik (was: Rajith Attapattu)
> Kerberos auth support for the java client
> -----------------------------------------
>
> Key: QPID-1645
> URL: https://issues.apache.org/jira/browse/QPID-1645
> Project: Qpid
> Issue Type: Bug
> Components: Java Client
> Affects Versions: M4
> Reporter: Rajith Attapattu
> Assignee: Jan Sarenik
> Fix For: 0.5
>
>
> Currently the 0-8 java client only supports PLAIN and cram-MD5 as authentication mechanisms.
> The 0-10 java client only uses PLAIN.
> It would be good to add Keberos as an authentication mechanism to the java client.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org