Posted to commits@activemq.apache.org by jb...@apache.org on 2022/08/17 05:45:00 UTC
[activemq] branch activemq-5.17.x updated: AMQ-8987 EncryptableLDAPLoginModule support wider password encryption schemes
This is an automated email from the ASF dual-hosted git repository.
jbonofre pushed a commit to branch activemq-5.17.x
in repository https://gitbox.apache.org/repos/asf/activemq.git
The following commit(s) were added to refs/heads/activemq-5.17.x by this push:
new 36973a83c AMQ-8987 EncryptableLDAPLoginModule support wider password encryption schemes
36973a83c is described below
commit 36973a83c5dcec15f7af07207e4a951d0d6c6f69
Author: charlie-aws <ch...@amazon.com>
AuthorDate: Fri Jul 8 10:20:27 2022 -0700
AMQ-8987 EncryptableLDAPLoginModule support wider password encryption schemes
(cherry picked from commit 6e3b19bd5931a569abd3a9397438cef6d1301d60)
---
.../activemq/jaas/EncryptableLDAPLoginModule.java | 5 +++++
.../apache/activemq/jaas/LDAPLoginModuleTest.java | 22 ++++++++++++++++++++++
activemq-jaas/src/test/resources/login.config | 21 +++++++++++++++++++++
3 files changed, 48 insertions(+)
diff --git a/activemq-jaas/src/main/java/org/apache/activemq/jaas/EncryptableLDAPLoginModule.java b/activemq-jaas/src/main/java/org/apache/activemq/jaas/EncryptableLDAPLoginModule.java
index 78128b082..f49d097f5 100644
--- a/activemq-jaas/src/main/java/org/apache/activemq/jaas/EncryptableLDAPLoginModule.java
+++ b/activemq-jaas/src/main/java/org/apache/activemq/jaas/EncryptableLDAPLoginModule.java
@@ -23,6 +23,7 @@ import javax.security.auth.callback.CallbackHandler;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
+import org.jasypt.iv.RandomIvGenerator;
import org.jasypt.properties.EncryptableProperties;
/**
@@ -50,6 +51,10 @@ public class EncryptableLDAPLoginModule extends LDAPLoginModule {
EnvironmentStringPBEConfig envConfig = new EnvironmentStringPBEConfig();
envConfig.setAlgorithm(passwordAlgorithm);
+ if (passwordAlgorithm.startsWith("PBE") && passwordAlgorithm.contains("AES")) {
+ envConfig.setIvGenerator(new RandomIvGenerator());
+ }
+
//If the password was set, use it
//else look up the password from the environment
if (encryptionPassword == null) {
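Review bot: The new `if` after `envConfig.setAlgorithm(passwordAlgorithm)` dereferences `passwordAlgorithm` with `startsWith`/`contains`, so if the `encryptionAlgorithm` option can be absent (the lookup is outside the hunk, so this is inferred) the module now fails with a NullPointerException instead of falling back to jasypt's default, and the case-sensitive `contains("AES")` will miss a configured name such as `pbewithhmacsha256andaes_256`, which JCE itself accepts, so the IV generator is silently skipped and decryption fails later with a less obvious error. Normalising once covers both: `String alg = passwordAlgorithm == null ? "" : passwordAlgorithm.toUpperCase(Locale.ROOT);` followed by `if (alg.startsWith("PBE") && alg.contains("AES")) {`, with `java.util.Locale` added to the imports. A one-line comment on the branch would also help the next maintainer, e.g. `// AES-based PBE ciphers need an IV; jasypt's default NoIvGenerator would make decryption fail`. The enclosing method starts and ends outside the hunk.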
diff --git a/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java b/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java
index 208dba2fe..1653355ad 100644
--- a/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java
+++ b/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java
@@ -145,6 +145,28 @@ public class LDAPLoginModuleTest extends AbstractLdapTestUnit {
context.logout();
}
+ @Test
+ public void testAESEncryptedLogin() throws LoginException {
+
+ LoginContext context = new LoginContext("EncryptedAESLDAPLogin", new CallbackHandler() {
+ @Override
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof NameCallback) {
+ ((NameCallback) callbacks[i]).setName("first");
+ } else if (callbacks[i] instanceof PasswordCallback) {
+ ((PasswordCallback) callbacks[i]).setPassword("secret".toCharArray());
+ } else {
+ throw new UnsupportedCallbackException(callbacks[i]);
+ }
+ }
+ }
+ });
+ context.login();
+ context.logout();
+ }
+
+
@Test
public void testUnauthenticated() throws LoginException {
LoginContext context = new LoginContext("UnAuthenticatedLDAPLogin", new CallbackHandler() {
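Review bot: The new `testAESEncryptedLogin` only proves that `context.login()` does not throw; nothing in the test checks that the AES branch was actually taken, so a regression that skips `setIvGenerator` would only surface as a decryption failure in the connection password and the test would still distinguish that from other failures only by exception type. A companion test that logs in with a wrong password under the `EncryptedAESLDAPLogin` entry and asserts `LoginException` would pin the negative path as the existing tests presumably do. The anonymous `CallbackHandler` is also a verbatim copy of the one in the neighbouring tests; a small private helper such as `handlerFor("first", "secret")` returning a `CallbackHandler` would remove the duplication, and the two trailing blank lines before `@Test testUnauthenticated` should be one.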
diff --git a/activemq-jaas/src/test/resources/login.config b/activemq-jaas/src/test/resources/login.config
index b5e8cf82a..2dca7b45d 100644
--- a/activemq-jaas/src/test/resources/login.config
+++ b/activemq-jaas/src/test/resources/login.config
@@ -86,6 +86,27 @@ EncryptedLDAPLogin {
;
};
+EncryptedAESLDAPLogin {
+ org.apache.activemq.jaas.EncryptableLDAPLoginModule required
+ debug=true
+ initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
+ connectionURL="ldap://localhost:1024"
+ connectionUsername="uid=admin,ou=system"
+ connectionPassword="ENC(l3ZDKzR+ADzlmYr2Csd/CBXnFRd5Jk02JGKaraMHc7NRQp5amOxvHbuUCQNUQ0cE)"
+ connectionProtocol=s
+ authentication=simple
+ userBase="ou=system"
+ userSearchMatching="(uid={0})"
+ userSearchSubtree=false
+ roleBase="ou=system"
+ roleName=dummyRoleName
+ roleSearchMatching="(uid={1})"
+ roleSearchSubtree=false
+ encryptionAlgorithm=PBEWITHHMACSHA256ANDAES_256
+ encryptionPassword="activemq"
+ ;
+};
+
UnAuthenticatedLDAPLogin {
org.apache.activemq.jaas.LDAPLoginModule required
debug=true