Posted to commits@activemq.apache.org by gt...@apache.org on 2017/09/06 09:29:21 UTC

activemq-artemis git commit: ARTEMIS-1372 ARTEMIS-1373 documentation updates

Repository: activemq-artemis
Updated Branches:
  refs/heads/master c8982d775 -> 125bd41f9


ARTEMIS-1372 ARTEMIS-1373 documentation updates


Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/125bd41f
Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/125bd41f
Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/125bd41f

Branch: refs/heads/master
Commit: 125bd41f9ddcd7fda64a3833597387d9ee5cfbf2
Parents: c8982d7
Author: gtully <ga...@gmail.com>
Authored: Wed Sep 6 10:22:08 2017 +0100
Committer: gtully <ga...@gmail.com>
Committed: Wed Sep 6 10:22:28 2017 +0100

----------------------------------------------------------------------
 .../spi/core/security/jaas/LDAPLoginModule.java       |  6 +++---
 docs/user-manual/en/security.md                       | 13 ++++++++++---
 .../tests/integration/amqp/JMSSaslGssapiTest.java     | 14 ++++++++++++++
 .../integration-tests/src/test/resources/login.config |  2 +-
 4 files changed, 28 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/125bd41f/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
----------------------------------------------------------------------
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
index 65dc5ad..7338e19 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
@@ -78,7 +78,7 @@ public class LDAPLoginModule implements LoginModule {
    private static final String USER_ROLE_NAME = "userRoleName";
    private static final String EXPAND_ROLES = "expandRoles";
    private static final String EXPAND_ROLES_MATCHING = "expandRolesMatching";
-   private static final String LOGIN_CONFIG_SCOPE = "loginConfigScope";
+   private static final String SASL_LOGIN_CONFIG_SCOPE = "saslLoginConfigScope";
    private static final String AUTHENTICATE_USER = "authenticateUser";
 
    protected DirContext context;
@@ -100,7 +100,7 @@ public class LDAPLoginModule implements LoginModule {
       this.subject = subject;
       this.handler = callbackHandler;
 
-      config = new LDAPLoginProperty[]{new LDAPLoginProperty(INITIAL_CONTEXT_FACTORY, (String) options.get(INITIAL_CONTEXT_FACTORY)), new LDAPLoginProperty(CONNECTION_URL, (String) options.get(CONNECTION_URL)), new LDAPLoginProperty(CONNECTION_USERNAME, (String) options.get(CONNECTION_USERNAME)), new LDAPLoginProperty(CONNECTION_PASSWORD, (String) options.get(CONNECTION_PASSWORD)), new LDAPLoginProperty(CONNECTION_PROTOCOL, (String) options.get(CONNECTION_PROTOCOL)), new LDAPLoginProperty(AUTHENTICATION, (String) options.get(AUTHENTICATION)), new LDAPLoginProperty(USER_BASE, (String) options.get(USER_BASE)), new LDAPLoginProperty(USER_SEARCH_MATCHING, (String) options.get(USER_SEARCH_MATCHING)), new LDAPLoginProperty(USER_SEARCH_SUBTREE, (String) options.get(USER_SEARCH_SUBTREE)), new LDAPLoginProperty(ROLE_BASE, (String) options.get(ROLE_BASE)), new LDAPLoginProperty(ROLE_NAME, (String) options.get(ROLE_NAME)), new LDAPLoginProperty(ROLE_SEARCH_MATCHING, (String) options.get(ROLE_S
 EARCH_MATCHING)), new LDAPLoginProperty(ROLE_SEARCH_SUBTREE, (String) options.get(ROLE_SEARCH_SUBTREE)), new LDAPLoginProperty(USER_ROLE_NAME, (String) options.get(USER_ROLE_NAME)), new LDAPLoginProperty(EXPAND_ROLES, (String) options.get(EXPAND_ROLES)), new LDAPLoginProperty(EXPAND_ROLES_MATCHING, (String) options.get(EXPAND_ROLES_MATCHING)), new LDAPLoginProperty(LOGIN_CONFIG_SCOPE, (String) options.get(LOGIN_CONFIG_SCOPE)), new LDAPLoginProperty(AUTHENTICATE_USER, (String) options.get(AUTHENTICATE_USER))};
+      config = new LDAPLoginProperty[]{new LDAPLoginProperty(INITIAL_CONTEXT_FACTORY, (String) options.get(INITIAL_CONTEXT_FACTORY)), new LDAPLoginProperty(CONNECTION_URL, (String) options.get(CONNECTION_URL)), new LDAPLoginProperty(CONNECTION_USERNAME, (String) options.get(CONNECTION_USERNAME)), new LDAPLoginProperty(CONNECTION_PASSWORD, (String) options.get(CONNECTION_PASSWORD)), new LDAPLoginProperty(CONNECTION_PROTOCOL, (String) options.get(CONNECTION_PROTOCOL)), new LDAPLoginProperty(AUTHENTICATION, (String) options.get(AUTHENTICATION)), new LDAPLoginProperty(USER_BASE, (String) options.get(USER_BASE)), new LDAPLoginProperty(USER_SEARCH_MATCHING, (String) options.get(USER_SEARCH_MATCHING)), new LDAPLoginProperty(USER_SEARCH_SUBTREE, (String) options.get(USER_SEARCH_SUBTREE)), new LDAPLoginProperty(ROLE_BASE, (String) options.get(ROLE_BASE)), new LDAPLoginProperty(ROLE_NAME, (String) options.get(ROLE_NAME)), new LDAPLoginProperty(ROLE_SEARCH_MATCHING, (String) options.get(ROLE_S
 EARCH_MATCHING)), new LDAPLoginProperty(ROLE_SEARCH_SUBTREE, (String) options.get(ROLE_SEARCH_SUBTREE)), new LDAPLoginProperty(USER_ROLE_NAME, (String) options.get(USER_ROLE_NAME)), new LDAPLoginProperty(EXPAND_ROLES, (String) options.get(EXPAND_ROLES)), new LDAPLoginProperty(EXPAND_ROLES_MATCHING, (String) options.get(EXPAND_ROLES_MATCHING)), new LDAPLoginProperty(SASL_LOGIN_CONFIG_SCOPE, (String) options.get(SASL_LOGIN_CONFIG_SCOPE)), new LDAPLoginProperty(AUTHENTICATE_USER, (String) options.get(AUTHENTICATE_USER))};
       if (isLoginPropertySet(AUTHENTICATE_USER)) {
          authenticateUser = Boolean.valueOf(getLDAPPropertyValue(AUTHENTICATE_USER));
       }
@@ -526,7 +526,7 @@ public class LDAPLoginModule implements LoginModule {
 
             if ("GSSAPI".equalsIgnoreCase(getLDAPPropertyValue(AUTHENTICATION))) {
 
-               final String configScope = isLoginPropertySet(LOGIN_CONFIG_SCOPE) ? getLDAPPropertyValue(LOGIN_CONFIG_SCOPE) : "broker-sasl-gssapi";
+               final String configScope = isLoginPropertySet(SASL_LOGIN_CONFIG_SCOPE) ? getLDAPPropertyValue(SASL_LOGIN_CONFIG_SCOPE) : "broker-sasl-gssapi";
                try {
                   LoginContext loginContext = new LoginContext(configScope);
                   loginContext.login();
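Review bot: Renaming the option key from `loginConfigScope` to `saslLoginConfigScope` leaves no compatibility path on the changed line: a login.config that still sets `loginConfigScope` is no longer among the LDAPLoginProperty entries built in the hunk at L51, so `isLoginPropertySet(SASL_LOGIN_CONFIG_SCOPE)` is false and the module silently falls back to the `broker-sasl-gssapi` scope instead of the operator's configured one, which for a Kerberos bind means authenticating to the directory with credentials other than the ones intended. If the old key ever shipped in a release, treat it as a deprecated alias or at least emit a warning when `options.containsKey("loginConfigScope")` in the initialize path; if it never shipped, a one-line remark in the ARTEMIS-1372 documentation that the key was renamed is enough. The same rename is the whole content of the hunks at L42 and L51. The enclosing method starts and ends outside this hunk.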

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/125bd41f/docs/user-manual/en/security.md
----------------------------------------------------------------------
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index 91a3d33..1d7f314 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@@ -459,7 +459,7 @@ managed using the X.500 system. It is implemented by `org.apache.activemq.artemi
     tree. For example, ldap://ldapserver:10389/ou=system.
 
 -   `authentication` - specifies the authentication method used when binding to the LDAP server. Can take either of
-    the values, `simple` (username and password) or `none` (anonymous).
+    the values, `simple` (username and password), `GSSAPI` (Kerberos SASL) or `none` (anonymous).
 
 -   `connectionUsername` - the DN of the user that opens the connection to the directory server. For example,
     `uid=admin,ou=system`. Directory servers generally require clients to present username/password credentials in order
@@ -468,6 +468,9 @@ managed using the X.500 system. It is implemented by `org.apache.activemq.artemi
 -   `connectionPassword` - the password that matches the DN from `connectionUsername`. In the directory server,
     in the DIT, the password is normally stored as a `userPassword` attribute in the corresponding directory entry.
 
+-   `saslLoginConfigScope` - the scope in JAAS configuration (login.config) to use to obtain Kerberos initiator credentials
+    when the `authentication` method is SASL `GSSAPI`. The default value is `broker-sasl-gssapi`.
+
 -   `connectionProtocol` - currently, the only supported value is a blank string. In future, this option will allow
     you to select the Secure Socket Layer (SSL) for the connection to the directory server. This option must be set
     explicitly to an empty string, because it has no default value.
@@ -536,6 +539,9 @@ managed using the X.500 system. It is implemented by `org.apache.activemq.artemi
     -   `true` — try to match any entry belonging to the subtree of the roleBase node (maps to
         `javax.naming.directory.SearchControls.SUBTREE_SCOPE`).
 
+-   `authenticateUser` - boolean flag to disable authentication. Useful as an optimisation when this module is used just for
+    role mapping of a Subject's existing authenticated principals; default is `false`.
+
 -   `debug` - boolean flag; if `true`, enable debugging; this is used only for testing or debugging; normally, it
     should be set to `false`, or omitted; default is `false`
 
@@ -694,8 +700,9 @@ An example configuration scope for `login.config` that will pick up a Kerberos k
 #### Role Mapping
 
 On the server, the Kerberos authenticated Peer Principal can be added to the Subject's principal set as an Apache ActiveMQ Artemis UserPrincipal
-using the Apache ActiveMQ Artemis `Krb5LoginModule` login module. The [PropertiesLoginModule](#propertiesloginmodule) can then be used to map
-the authenticated Kerberos Peer Principal to a [Role](#role-based-security-for-addresses).
+using the Apache ActiveMQ Artemis `Krb5LoginModule` login module. The [PropertiesLoginModule](#propertiesloginmodule) or
+ [LDAPLoginModule](#ldaploginmodule) can then be used to map
+the authenticated Kerberos Peer Principal to an Apache ActiveMQ Artemis [Role](#role-based-security-for-addresses).
 
 Note: the Kerberos Peer Principal does not exist as an Apache ActiveMQ Artemis user.
 

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/125bd41f/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java
index 2a47e1f..d66c83d 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java
@@ -17,6 +17,7 @@
 package org.apache.activemq.artemis.tests.integration.amqp;
 
 import javax.jms.Connection;
+import javax.jms.JMSSecurityException;
 import javax.jms.MessageConsumer;
 import javax.jms.MessageProducer;
 import javax.jms.Session;
@@ -33,6 +34,7 @@ import org.apache.activemq.artemis.core.server.ActiveMQServer;
 import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
 import org.apache.activemq.artemis.utils.RandomUtil;
 import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.qpid.jms.JmsConnectionFactory;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
@@ -150,4 +152,16 @@ public class JMSSaslGssapiTest extends JMSClientTestSupport {
          connection.close();
       }
    }
+
+   @Test(timeout = 600000)
+   public void testSaslPlainConnectionDenied() throws Exception {
+
+      JmsConnectionFactory factory = new JmsConnectionFactory(new URI("amqp://localhost:" + AMQP_PORT + "?amqp.saslMechanisms=PLAIN"));
+      try {
+         factory.createConnection("plain", "secret");
+         fail("Expect sasl failure");
+      } catch (JMSSecurityException expected) {
+         assertTrue(expected.getMessage().contains("SASL"));
+      }
+   }
 }
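Review bot: If `factory.createConnection("plain", "secret")` ever succeeds, the returned Connection is discarded before `fail(...)` throws, so a regression in the PLAIN rejection leaks a live connection for the rest of the test run instead of failing cleanly; `javax.jms.Connection` is already imported at L129, so this can be `try (Connection c = factory.createConnection("plain", "secret")) { fail("Expect sasl failure"); } catch (JMSSecurityException expected) { assertTrue(expected.getMessage().contains("SASL")); }`. The `getMessage().contains("SASL")` check pins the test to the client's message wording, so a short comment stating why it is there (to distinguish a SASL-mechanism rejection from some other security failure) would help the next maintainer. `URI` is used without an import visible in these hunks; presumably it is imported above the shown range, but worth confirming.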

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/125bd41f/tests/integration-tests/src/test/resources/login.config
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/resources/login.config b/tests/integration-tests/src/test/resources/login.config
index f8e48ba..1fceada 100644
--- a/tests/integration-tests/src/test/resources/login.config
+++ b/tests/integration-tests/src/test/resources/login.config
@@ -159,7 +159,7 @@ Krb5PlusLdap {
         initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
         connectionURL="ldap://localhost:1024"
         authentication=GSSAPI
-        loginConfigScope=broker-sasl-gssapi
+        saslLoginConfigScope=broker-sasl-gssapi
         connectionProtocol=s
         userBase="ou=users,dc=example,dc=com"
         userSearchMatching="(krb5PrincipalName={0})"