Posted to commits@qpid.apache.org by rg...@apache.org on 2015/12/31 00:01:27 UTC
svn commit: r1722416 - in /qpid/java/trunk:
broker-core/src/main/java/org/apache/qpid/server/model/
broker-core/src/main/java/org/apache/qpid/server/security/
broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/
broker-core/src/main/...
Author: rgodfrey
Date: Wed Dec 30 23:01:26 2015
New Revision: 1722416
URL: http://svn.apache.org/viewvc?rev=1722416&view=rev
Log:
QPID-6965 : Make preemptive HTTP authentication pluggable
Added:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/UsernamePasswordAuthenticationProvider.java (with props)
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpRequestPreemptiveAuthenticator.java (with props)
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/AnonymousPreemptiveAuthenticator.java (with props)
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/BasicAuthPreemptiveAuthenticator.java (with props)
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/SSLClientCertPreemptiveAuthenticator.java (with props)
Removed:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/AuthorizationHolder.java
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/PasswordCredentialManagingAuthenticationProvider.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManager.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationManagerImpl.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainAdapterSaslServer.java
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/SubjectCreatorTest.java
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManagerTest.java
qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerConnection.java
qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSession.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java?rev=1722416&r1=1722415&r2=1722416&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java Wed Dec 30 23:01:26 2015
@@ -96,14 +96,4 @@ public interface AuthenticationProvider<
*/
AuthenticationResult authenticate(SaslServer server, byte[] response);
- /**
- * Authenticates a user using their username and password.
- *
- * @param username username
- * @param password password
- *
- * @return authentication result
- */
- AuthenticationResult authenticate(String username, String password);
-
}
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/PasswordCredentialManagingAuthenticationProvider.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/PasswordCredentialManagingAuthenticationProvider.java?rev=1722416&r1=1722415&r2=1722416&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/PasswordCredentialManagingAuthenticationProvider.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/PasswordCredentialManagingAuthenticationProvider.java Wed Dec 30 23:01:26 2015
@@ -25,8 +25,11 @@ import java.util.Map;
import javax.security.auth.login.AccountNotFoundException;
+import org.apache.qpid.server.security.auth.manager.UsernamePasswordAuthenticationProvider;
+
@ManagedAnnotation
-public interface PasswordCredentialManagingAuthenticationProvider<X extends PasswordCredentialManagingAuthenticationProvider<X>> extends AuthenticationProvider<X>, ManagedInterface
+public interface PasswordCredentialManagingAuthenticationProvider<X extends PasswordCredentialManagingAuthenticationProvider<X>>
+ extends AuthenticationProvider<X>, UsernamePasswordAuthenticationProvider<X>, ManagedInterface
{
boolean createUser(String username, String password, Map<String, String> attributes);
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java?rev=1722416&r1=1722415&r2=1722416&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java Wed Dec 30 23:01:26 2015
@@ -64,7 +64,12 @@ public class SubjectCreator
_secure = secure;
}
- /**
+ public AuthenticationProvider<?> getAuthenticationProvider()
+ {
+ return _authenticationProvider;
+ }
+
+ /**
* Gets the known SASL mechanisms
*
* @return SASL mechanism names, space separated.
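Review bot: The new `getAuthenticationProvider()` accessor is the only method in this hunk without Javadoc, while the neighbouring getter keeps its full `@return` block. It returns the `_authenticationProvider` field directly, so callers in the HTTP plugin that now reach through it get the configured provider itself, not a copy; say so: `/** Returns the authentication provider this creator was constructed with (shared instance). */`.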
@@ -120,17 +125,7 @@ public class SubjectCreator
}
}
- /**
- * Authenticates a user using their username and password.
- */
- public SubjectAuthenticationResult authenticate(String username, String password)
- {
- final AuthenticationResult authenticationResult = _authenticationProvider.authenticate(username, password);
-
- return createResultWithGroups(username, authenticationResult);
- }
-
- private SubjectAuthenticationResult createResultWithGroups(String username, final AuthenticationResult authenticationResult)
+ public SubjectAuthenticationResult createResultWithGroups(String username, final AuthenticationResult authenticationResult)
{
if(authenticationResult.getStatus() == AuthenticationStatus.SUCCESS)
{
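Review bot: `createResultWithGroups` is widened from private to public at `public SubjectAuthenticationResult createResultWithGroups(String username, final AuthenticationResult authenticationResult)` with no Javadoc, while the removed `authenticate(String, String)` that used to be its only caller had one; this is the method that turns a provider result into a Subject carrying group principals, so any code that can reach a SubjectCreator can now mint such a subject from an arbitrary (username, result) pair. Document the contract on the method: the result must be one produced by the provider returned by getAuthenticationProvider(), and state how `username` relates to the principal inside the result, since the success branch that uses it continues outside this hunk. The SubjectCreatorTest cases deleted in this commit exercised exactly this path through the old authenticate(); they could be retargeted at the now-public method rather than dropped.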
@@ -149,6 +144,8 @@ public class SubjectCreator
}
}
+
+
public Subject createSubjectWithGroups(Principal principal)
{
Subject authenticationSubject = new Subject();
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManager.java?rev=1722416&r1=1722415&r2=1722416&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManager.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManager.java Wed Dec 30 23:01:26 2015
@@ -52,7 +52,7 @@ public class AnonymousAuthenticationMana
ANONYMOUS_SUBJECT.getPrincipals().add(ANONYMOUS_PRINCIPAL);
}
- private static final AuthenticationResult ANONYMOUS_AUTHENTICATION = new AuthenticationResult(ANONYMOUS_PRINCIPAL);
+ public static final AuthenticationResult ANONYMOUS_AUTHENTICATION = new AuthenticationResult(ANONYMOUS_PRINCIPAL);
@ManagedObjectFactoryConstructor
protected AnonymousAuthenticationManager(final Map<String, Object> attributes, final Broker broker)
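Review bot: Widening `ANONYMOUS_AUTHENTICATION` to public hands one shared AuthenticationResult instance to every caller, which is only safe if AuthenticationResult is immutable; that is not visible here, and the static block just above mutates `ANONYMOUS_SUBJECT.getPrincipals()` in place, so mutable shared state in this class is not hypothetical. Confirm AuthenticationResult exposes no setters or mutable collections, and document the intent on the field: `/** Shared, immutable result for every anonymous login - never mutate. */`.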
@@ -102,11 +102,4 @@ public class AnonymousAuthenticationMana
}
}
- @Override
- public AuthenticationResult authenticate(String username, String password)
- {
- return ANONYMOUS_AUTHENTICATION;
- }
-
-
}
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationManagerImpl.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationManagerImpl.java?rev=1722416&r1=1722415&r2=1722416&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationManagerImpl.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationManagerImpl.java Wed Dec 30 23:01:26 2015
@@ -98,10 +98,4 @@ public class ExternalAuthenticationManag
}
- @Override
- public AuthenticationResult authenticate(String username, String password)
- {
- return new AuthenticationResult(new UsernamePrincipal(username));
- }
-
}
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java?rev=1722416&r1=1722415&r2=1722416&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java Wed Dec 30 23:01:26 2015
@@ -96,12 +96,6 @@ public class KerberosAuthenticationManag
}
}
- @Override
- public AuthenticationResult authenticate(String username, String password)
- {
- return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR);
- }
-
private static class GssApiCallbackHandler implements CallbackHandler
{
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java?rev=1722416&r1=1722415&r2=1722416&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java Wed Dec 30 23:01:26 2015
@@ -47,19 +47,43 @@ import org.apache.qpid.server.security.a
import org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5Initialiser;
import org.apache.qpid.server.security.auth.sasl.plain.PlainAdapterSaslServer;
import org.apache.qpid.server.security.auth.sasl.plain.PlainSaslServer;
+import org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServer;
+import org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServerSourceAdapter;
@ManagedObject( category = false, type = "Plain" )
public class PlainAuthenticationProvider
extends ConfigModelPasswordManagingAuthenticationProvider<PlainAuthenticationProvider>
{
private final List<String> _mechanisms = Collections.unmodifiableList(Arrays.asList(PlainSaslServer.MECHANISM,
- CRAMMD5Initialiser.MECHANISM));
+ CRAMMD5Initialiser.MECHANISM,
+ ScramSHA1AuthenticationManager.MECHANISM,
+ ScramSHA256AuthenticationManager.MECHANISM));
+ private final ScramSaslServerSourceAdapter _scramSha1Adapter;
+ private final ScramSaslServerSourceAdapter _scramSha256Adapter;
@ManagedObjectFactoryConstructor
protected PlainAuthenticationProvider(final Map<String, Object> attributes, final Broker broker)
{
super(attributes, broker);
+
+ ScramSaslServerSourceAdapter.PasswordSource passwordSource =
+ new ScramSaslServerSourceAdapter.PasswordSource()
+ {
+ @Override
+ public char[] getPassword(final String username)
+ {
+ ManagedUser user = getUser(username);
+
+ return user == null ? null : user.getPassword().toCharArray();
+ }
+ };
+
+
+
+ _scramSha1Adapter = new ScramSaslServerSourceAdapter(4096, "HmacSHA1", passwordSource);
+ _scramSha256Adapter = new ScramSaslServerSourceAdapter(4096, "HmacSHA256", passwordSource);
+
}
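Review bot: The SCRAM iteration count is written as the bare literal 4096 twice in the constructor (`new ScramSaslServerSourceAdapter(4096, "HmacSHA1", passwordSource)` and again for HmacSHA256), and the same literal reappears in SimpleAuthenticationManager in this commit. Name it once, `private static final int SCRAM_ITERATION_COUNT = 4096; // RFC 5802 recommended minimum`, so the two providers cannot drift and a later increase is a one-line change. Separately, `user.getPassword().toCharArray()` assumes a stored user always has a non-null password; that is plausible for a password-managing provider but not visible here, so either a null guard or a comment stating the invariant would help. The char[] handed to the adapter is the plaintext credential, so the adapter is presumably expected to zero it after use - worth confirming.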
@Override
@@ -95,6 +119,14 @@ public class PlainAuthenticationProvider
//simply delegate to the built in CRAM-MD5 SaslServer
return Sasl.createSaslServer(mechanism, "AMQP", localFQDN, null, new ServerCallbackHandler());
}
+ else if (ScramSHA1AuthenticationManager.MECHANISM.equals(mechanism))
+ {
+ return new ScramSaslServer(_scramSha1Adapter, mechanism, "HmacSHA1", "SHA-1");
+ }
+ else if(ScramSHA256AuthenticationManager.MECHANISM.equals(mechanism))
+ {
+ return new ScramSaslServer(_scramSha256Adapter, mechanism, "HmacSHA256", "SHA-256");
+ }
else
{
throw new SaslException("Unsupported mechanism: " + mechanism);
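Review bot: Each new branch passes a HMAC/digest pair (`"HmacSHA1", "SHA-1"` and `"HmacSHA256", "SHA-256"`) that has to agree with the HMAC name the matching adapter was built with in the constructor; the pairing is enforced only by eye, and a mismatch would presumably make every SCRAM proof fail to verify rather than fail loudly. Hoist the names into constants used by both call sites, e.g. `private static final String SHA1_HMAC = "HmacSHA1", SHA1_DIGEST = "SHA-1";` (and the SHA-256 pair), and while here make the spacing consistent - `else if (` on the SHA-1 branch versus `else if(` on the SHA-256 branch. The enclosing createSaslServer method starts outside this hunk.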
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java?rev=1722416&r1=1722415&r2=1722416&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java Wed Dec 30 23:01:26 2015
@@ -47,20 +47,42 @@ import org.apache.qpid.server.security.a
import org.apache.qpid.server.security.auth.UsernamePrincipal;
import org.apache.qpid.server.security.auth.sasl.plain.PlainPasswordCallback;
import org.apache.qpid.server.security.auth.sasl.plain.PlainSaslServer;
+import org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServer;
+import org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServerSourceAdapter;
@ManagedObject( category = false, type = "Simple", register = false )
-public class SimpleAuthenticationManager extends AbstractAuthenticationManager<SimpleAuthenticationManager> implements PreferencesSupportingAuthenticationProvider
+public class SimpleAuthenticationManager extends AbstractAuthenticationManager<SimpleAuthenticationManager>
+ implements UsernamePasswordAuthenticationProvider<SimpleAuthenticationManager>,
+ PreferencesSupportingAuthenticationProvider
{
private static final Logger _logger = LoggerFactory.getLogger(SimpleAuthenticationManager.class);
private static final String PLAIN_MECHANISM = "PLAIN";
private static final String CRAM_MD5_MECHANISM = "CRAM-MD5";
+ private static final String SCRAM_SHA1_MECHANISM = ScramSHA1AuthenticationManager.MECHANISM;
+ private static final String SCRAM_SHA256_MECHANISM = ScramSHA256AuthenticationManager.MECHANISM;
private final Map<String, String> _users = Collections.synchronizedMap(new HashMap<String, String>());
+ private final ScramSaslServerSourceAdapter _scramSha1Adapter;
+ private final ScramSaslServerSourceAdapter _scramSha256Adapter;
public SimpleAuthenticationManager(final Map<String, Object> attributes, final Broker broker)
{
super(attributes, broker);
+ ScramSaslServerSourceAdapter.PasswordSource passwordSource =
+ new ScramSaslServerSourceAdapter.PasswordSource()
+ {
+ @Override
+ public char[] getPassword(final String username)
+ {
+ String password = _users.get(username);
+ return password == null ? null : password.toCharArray();
+ }
+ };
+
+ _scramSha1Adapter = new ScramSaslServerSourceAdapter(4096, "HmacSHA1", passwordSource);
+ _scramSha256Adapter = new ScramSaslServerSourceAdapter(4096, "HmacSHA256", passwordSource);
+
}
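Review bot: The password source returns `null` for an unknown username, which delegates the unknown-user case to ScramSaslServerSourceAdapter, whose behaviour is not visible here; if the adapter answers an unknown user with an error but a known user with a salt/iteration challenge, the SCRAM exchange reveals whether a username exists. Confirm the adapter handles null by issuing an indistinguishable dummy challenge, and record the expectation where the null is produced: `// null => unknown user; adapter must respond as for a bad password, not reveal absence`. The lookup is a single `get` on a `synchronizedMap`, so the callback needs no extra locking when invoked from the SASL exchange.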
@@ -72,7 +94,7 @@ public class SimpleAuthenticationManager
@Override
public List<String> getMechanisms()
{
- return Collections.unmodifiableList(Arrays.asList(PLAIN_MECHANISM, CRAM_MD5_MECHANISM));
+ return Collections.unmodifiableList(Arrays.asList(PLAIN_MECHANISM, CRAM_MD5_MECHANISM, SCRAM_SHA1_MECHANISM, SCRAM_SHA256_MECHANISM));
}
@Override
@@ -86,6 +108,14 @@ public class SimpleAuthenticationManager
{
return Sasl.createSaslServer(mechanism, "AMQP", localFQDN, null, new SimpleCramMd5CallbackHandler());
}
+ else if (SCRAM_SHA1_MECHANISM.equals(mechanism))
+ {
+ return new ScramSaslServer(_scramSha1Adapter, mechanism, "HmacSHA1", "SHA-1");
+ }
+ else if(ScramSHA256AuthenticationManager.MECHANISM.equals(mechanism))
+ {
+ return new ScramSaslServer(_scramSha256Adapter, mechanism, "HmacSHA256", "SHA-256");
+ }
else
{
throw new SaslException("Unknown mechanism: " + mechanism);
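Review bot: The SHA-256 branch tests `ScramSHA256AuthenticationManager.MECHANISM.equals(mechanism)` while the SHA-1 branch just above uses the local `SCRAM_SHA1_MECHANISM` constant that this commit introduces alongside `SCRAM_SHA256_MECHANISM`; the two are aliases so behaviour is the same, but the inconsistency defeats the point of declaring the constants. Change it to `else if (SCRAM_SHA256_MECHANISM.equals(mechanism))`, which also fixes the `else if(` spacing. The enclosing createSaslServer method starts outside this hunk.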
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java?rev=1722416&r1=1722415&r2=1722416&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java Wed Dec 30 23:01:26 2015
@@ -28,7 +28,10 @@ import org.apache.qpid.server.model.Pref
import org.apache.qpid.server.model.TrustStore;
@ManagedObject( category = false, type = "SimpleLDAP" )
-public interface SimpleLDAPAuthenticationManager<X extends SimpleLDAPAuthenticationManager<X>> extends AuthenticationProvider<X>, PreferencesSupportingAuthenticationProvider
+public interface SimpleLDAPAuthenticationManager<X extends SimpleLDAPAuthenticationManager<X>>
+ extends AuthenticationProvider<X>,
+ UsernamePasswordAuthenticationProvider<X>,
+ PreferencesSupportingAuthenticationProvider
{
String PROVIDER_TYPE = "SimpleLDAP";
String PROVIDER_URL = "providerUrl";
Added: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/UsernamePasswordAuthenticationProvider.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/UsernamePasswordAuthenticationProvider.java?rev=1722416&view=auto
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/UsernamePasswordAuthenticationProvider.java (added)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/UsernamePasswordAuthenticationProvider.java Wed Dec 30 23:01:26 2015
@@ -0,0 +1,38 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security.auth.manager;
+
+import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.security.auth.AuthenticationResult;
+
+public interface UsernamePasswordAuthenticationProvider<X extends UsernamePasswordAuthenticationProvider<X>>
+ extends AuthenticationProvider<X>
+{
+ /**
+ * Authenticates a user using their username and password.
+ *
+ * @param username username
+ * @param password password
+ *
+ * @return authentication result
+ */
+ AuthenticationResult authenticate(String username, String password);
+}
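Review bot: The Javadoc carried over from AuthenticationProvider says nothing about the failure contract of `authenticate(String username, String password)`, and this interface is now the single entry point for password-based preemptive HTTP authentication. It should state whether an unknown user, a wrong password and a backend error are reported through the result status rather than by throwing (the removed Kerberos implementation returned `ERROR`), that the return value is never null, and whether `password` may be null - the HTTP path this commit replaces appears to call the old method with a null third argument. It is also worth noting that `password` is the plaintext credential, so implementers must compare it in constant time and must not log it. Expressing this in `@param`/`@return`/`@throws` tags is enough; no code change is needed.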
Propchange: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/UsernamePasswordAuthenticationProvider.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainAdapterSaslServer.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainAdapterSaslServer.java?rev=1722416&r1=1722415&r2=1722416&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainAdapterSaslServer.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainAdapterSaslServer.java Wed Dec 30 23:01:26 2015
@@ -28,6 +28,7 @@ import javax.security.sasl.SaslServer;
import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.security.auth.AuthenticationResult;
+import org.apache.qpid.server.security.auth.manager.UsernamePasswordAuthenticationProvider;
public class PlainAdapterSaslServer implements SaslServer
{
@@ -50,7 +51,7 @@ public class PlainAdapterSaslServer impl
_passwordValidator = passwordValidator;
}
- public PlainAdapterSaslServer(final AuthenticationProvider authProvider)
+ public PlainAdapterSaslServer(final UsernamePasswordAuthenticationProvider<?> authProvider)
{
this(new PasswordValidator()
{
Modified: qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/SubjectCreatorTest.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/SubjectCreatorTest.java?rev=1722416&r1=1722415&r2=1722416&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/SubjectCreatorTest.java (original)
+++ qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/SubjectCreatorTest.java Wed Dec 30 23:01:26 2015
@@ -66,24 +66,6 @@ public class SubjectCreatorTest extends
_subjectCreator = new SubjectCreator(_authenticationProvider, new HashSet<GroupProvider<?>>(Arrays.asList(_groupManager1, _groupManager2)),
false);
_authenticationResult = new AuthenticationResult(_userPrincipal);
- when(_authenticationProvider.authenticate(USERNAME, PASSWORD)).thenReturn(_authenticationResult);
- }
-
- public void testAuthenticateUsernameAndPasswordReturnsSubjectWithUserAndGroupPrincipals()
- {
- final SubjectAuthenticationResult actualResult = _subjectCreator.authenticate(USERNAME, PASSWORD);
-
- assertEquals(AuthenticationStatus.SUCCESS, actualResult.getStatus());
-
- final Subject actualSubject = actualResult.getSubject();
-
- assertEquals("Should contain one user principal and two groups ", 3, actualSubject.getPrincipals().size());
-
- assertTrue(actualSubject.getPrincipals().contains(new AuthenticatedPrincipal(_userPrincipal)));
- assertTrue(actualSubject.getPrincipals().contains(_group1));
- assertTrue(actualSubject.getPrincipals().contains(_group2));
-
- assertTrue(actualSubject.isReadOnly());
}
public void testSaslAuthenticationSuccessReturnsSubjectWithUserAndGroupPrincipals() throws Exception
@@ -104,24 +86,6 @@ public class SubjectCreatorTest extends
assertTrue(actualSubject.isReadOnly());
}
- public void testAuthenticateUnsuccessfulWithUsernameReturnsNullSubjectAndCorrectStatus()
- {
- testUnsuccessfulAuthentication(AuthenticationResult.AuthenticationStatus.CONTINUE);
- testUnsuccessfulAuthentication(AuthenticationResult.AuthenticationStatus.ERROR);
- }
-
- private void testUnsuccessfulAuthentication(AuthenticationStatus expectedStatus)
- {
- AuthenticationResult failedAuthenticationResult = new AuthenticationResult(expectedStatus);
-
- when(_authenticationProvider.authenticate(USERNAME, PASSWORD)).thenReturn(failedAuthenticationResult);
-
- SubjectAuthenticationResult subjectAuthenticationResult = _subjectCreator.authenticate(USERNAME, PASSWORD);
-
- assertSame(expectedStatus, subjectAuthenticationResult.getStatus());
- assertNull(subjectAuthenticationResult.getSubject());
- }
-
public void testAuthenticateUnsuccessfulWithSaslServerReturnsNullSubjectAndCorrectStatus()
{
testUnsuccessfulAuthenticationWithSaslServer(AuthenticationResult.AuthenticationStatus.CONTINUE);
Modified: qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManagerTest.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManagerTest.java?rev=1722416&r1=1722415&r2=1722416&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManagerTest.java (original)
+++ qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManagerTest.java Wed Dec 30 23:01:26 2015
@@ -42,7 +42,7 @@ public class SimpleAuthenticationManager
{
private static final String TEST_USER = "testUser";
private static final String TEST_PASSWORD = "testPassword";
- private AuthenticationProvider _authenticationManager;
+ private SimpleAuthenticationManager _authenticationManager;
public void setUp() throws Exception
{
@@ -60,9 +60,11 @@ public class SimpleAuthenticationManager
public void testGetMechanisms()
{
List<String> mechanisms = _authenticationManager.getMechanisms();
- assertEquals("Unexpected number of mechanisms", 2, mechanisms.size());
- assertTrue("PLAIN was not present", mechanisms.contains("PLAIN"));
- assertTrue("CRAM-MD5 was not present", mechanisms.contains("CRAM-MD5"));
+ assertEquals("Unexpected number of mechanisms", 4, mechanisms.size());
+ assertTrue("PLAIN was not present: " + mechanisms, mechanisms.contains("PLAIN"));
+ assertTrue("CRAM-MD5 was not present: " + mechanisms, mechanisms.contains("CRAM-MD5"));
+ assertTrue("SCRAM-SHA-1 was not present: " + mechanisms, mechanisms.contains("SCRAM-SHA-1"));
+ assertTrue("SCRAM-SHA-256 was not present: " + mechanisms, mechanisms.contains("SCRAM-SHA-256"));
}
public void testCreateSaslServerForUnsupportedMechanisms() throws Exception
Modified: qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerConnection.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerConnection.java?rev=1722416&r1=1722415&r2=1722416&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerConnection.java (original)
+++ qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerConnection.java Wed Dec 30 23:01:26 2015
@@ -49,7 +49,6 @@ import org.apache.qpid.server.model.Brok
import org.apache.qpid.server.model.Transport;
import org.apache.qpid.server.model.port.AmqpPort;
import org.apache.qpid.server.protocol.AMQSessionModel;
-import org.apache.qpid.server.security.AuthorizationHolder;
import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
import org.apache.qpid.server.util.Action;
import org.apache.qpid.server.util.ServerScopedRuntimeException;
@@ -64,7 +63,7 @@ import org.apache.qpid.transport.Option;
import org.apache.qpid.transport.ProtocolEvent;
import org.apache.qpid.transport.Session;
-public class ServerConnection extends Connection implements AuthorizationHolder
+public class ServerConnection extends Connection
{
private static final Logger LOGGER = LoggerFactory.getLogger(ServerConnection.class);
public static final long CLOSE_OK_TIMEOUT = 10000l;
Modified: qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSession.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSession.java?rev=1722416&r1=1722415&r2=1722416&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSession.java (original)
+++ qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSession.java Wed Dec 30 23:01:26 2015
@@ -116,8 +116,7 @@ import org.apache.qpid.transport.Xid;
import org.apache.qpid.transport.network.Ticker;
public class ServerSession extends Session
- implements AuthorizationHolder,
- AMQSessionModel<ServerSession>, LogSubject, AsyncAutoCommitTransaction.FutureRecorder,
+ implements AMQSessionModel<ServerSession>, LogSubject, AsyncAutoCommitTransaction.FutureRecorder,
Deletable<ServerSession>
{
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java?rev=1722416&r1=1722415&r2=1722416&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java Wed Dec 30 23:01:26 2015
@@ -26,7 +26,10 @@ import java.nio.charset.StandardCharsets
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collection;
import java.util.Collections;
+import java.util.List;
import java.util.zip.GZIPOutputStream;
import javax.security.auth.Subject;
@@ -41,14 +44,17 @@ import org.apache.qpid.server.management
import org.apache.qpid.server.management.plugin.session.LoginLogoutReporter;
import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.plugin.QpidServiceLoader;
import org.apache.qpid.server.security.SecurityManager;
import org.apache.qpid.server.security.SubjectCreator;
import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
+import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.AuthenticationResult.AuthenticationStatus;
import org.apache.qpid.server.security.auth.SubjectAuthenticationResult;
import org.apache.qpid.server.security.auth.UsernamePrincipal;
import org.apache.qpid.server.security.auth.manager.AnonymousAuthenticationManager;
import org.apache.qpid.server.security.auth.manager.ExternalAuthenticationManager;
+import org.apache.qpid.server.security.auth.manager.UsernamePasswordAuthenticationProvider;
import org.apache.qpid.transport.network.security.ssl.SSLUtil;
public class HttpManagementUtil
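Review bot: Two of the imports added in this hunk, `org.apache.qpid.server.security.auth.AuthenticationResult` and `org.apache.qpid.server.security.auth.manager.UsernamePasswordAuthenticationProvider`, are not referenced by any new HttpManagementUtil code in this commit; the logic that would use them landed in BasicAuthPreemptiveAuthenticator instead. With tryToAuthenticate reduced to the authenticator loop, the pre-existing imports that served the moved code (Principal, X509Certificate, AuthenticatedPrincipal, UsernamePrincipal, AuthenticationStatus, SubjectAuthenticationResult, the Anonymous/External authentication managers, SSLUtil) also look unused, unless parts of the file outside this diff still need them. Dropping the dead imports keeps the utility class honest about what it depends on.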
@@ -77,6 +83,17 @@ public class HttpManagementUtil
private static final String CONTENT_ENCODING_HEADER = "Content-Encoding";
private static final String GZIP_CONTENT_ENCODING = "gzip";
+ private static final Collection<HttpRequestPreemptiveAuthenticator> AUTHENTICATORS;
+ static
+ {
+ List<HttpRequestPreemptiveAuthenticator> authenticators = new ArrayList<>();
+ for(HttpRequestPreemptiveAuthenticator authenticator : (new QpidServiceLoader()).instancesOf(HttpRequestPreemptiveAuthenticator.class))
+ {
+ authenticators.add(authenticator);
+ }
+ AUTHENTICATORS = Collections.unmodifiableList(authenticators);
+ }
+
public static Broker<?> getBroker(ServletContext servletContext)
{
return (Broker<?>) servletContext.getAttribute(ATTR_BROKER);
@@ -146,80 +163,17 @@ public class HttpManagementUtil
public static Subject tryToAuthenticate(HttpServletRequest request, HttpManagementConfiguration managementConfig)
{
Subject subject = null;
- final AuthenticationProvider authenticationProvider = managementConfig.getAuthenticationProvider(request);
- SubjectCreator subjectCreator = authenticationProvider.getSubjectCreator(request.isSecure());
- String remoteUser = request.getRemoteUser();
-
- if (remoteUser != null || authenticationProvider instanceof AnonymousAuthenticationManager)
+ for(HttpRequestPreemptiveAuthenticator authenticator : AUTHENTICATORS)
{
- subject = authenticateUser(subjectCreator, remoteUser, null);
- }
- else if(authenticationProvider instanceof ExternalAuthenticationManager
- && Collections.list(request.getAttributeNames()).contains("javax.servlet.request.X509Certificate"))
- {
- Principal principal = null;
- X509Certificate[] certificates =
- (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
- if(certificates != null && certificates.length != 0)
+ subject = authenticator.attemptAuthentication(request, managementConfig);
+ if(subject != null)
{
- principal = certificates[0].getSubjectX500Principal();
-
- if(!Boolean.valueOf(String.valueOf(authenticationProvider.getAttribute(ExternalAuthenticationManager.ATTRIBUTE_USE_FULL_DN))))
- {
- String username;
- String dn = ((X500Principal) principal).getName(X500Principal.RFC2253);
-
-
- username = SSLUtil.getIdFromSubjectDN(dn);
- principal = new UsernamePrincipal(username);
- }
-
- subject = subjectCreator.createSubjectWithGroups(new AuthenticatedPrincipal(principal));
- }
- }
- else
- {
- String header = request.getHeader("Authorization");
- if (header != null)
- {
- String[] tokens = header.split("\\s");
- if (tokens.length >= 2 && "BASIC".equalsIgnoreCase(tokens[0]))
- {
- boolean isBasicAuthSupported = false;
- if (request.isSecure())
- {
- isBasicAuthSupported = managementConfig.isHttpsBasicAuthenticationEnabled();
- }
- else
- {
- isBasicAuthSupported = managementConfig.isHttpBasicAuthenticationEnabled();
- }
- if (isBasicAuthSupported)
- {
- String base64UsernameAndPassword = tokens[1];
- String[] credentials = (new String(DatatypeConverter.parseBase64Binary(base64UsernameAndPassword),
- StandardCharsets.UTF_8)).split(":", 2);
- if (credentials.length == 2)
- {
- subject = authenticateUser(subjectCreator, credentials[0], credentials[1]);
- }
- }
- }
+ break;
}
}
return subject;
}
- private static Subject authenticateUser(SubjectCreator subjectCreator, String username, String password)
- {
- SubjectAuthenticationResult authResult = subjectCreator.authenticate(username, password);
- if (authResult.getStatus() == AuthenticationStatus.SUCCESS)
- {
- return authResult.getSubject();
- }
- return null;
- }
-
public static OutputStream getOutputStream(final HttpServletRequest request, final HttpServletResponse response)
throws IOException
{
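Review bot: The container-supplied identity path is dropped without replacement: the removed branch honoured `request.getRemoteUser()` when non-null, but none of the three authenticators added in this commit consult it, so a deployment that relied on servlet-container authentication in front of the broker will no longer be authenticated pre-emptively. If that is intentional, the commit message should say so; otherwise a fourth HttpRequestPreemptiveAuthenticator covering getRemoteUser() is needed. Separately, each authenticator independently calls `managementConfig.getAuthenticationProvider(request)` and `getSubjectCreator(request.isSecure())`; while the interface is new it could take the resolved provider as a parameter so the lookup happens once per request in this loop. getOutputStream starts at the end of this hunk and continues outside it.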
Added: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpRequestPreemptiveAuthenticator.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpRequestPreemptiveAuthenticator.java?rev=1722416&view=auto
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpRequestPreemptiveAuthenticator.java (added)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpRequestPreemptiveAuthenticator.java Wed Dec 30 23:01:26 2015
@@ -0,0 +1,32 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.management.plugin;
+
+import javax.security.auth.Subject;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.qpid.server.model.port.HttpPort;
+import org.apache.qpid.server.plugin.Pluggable;
+
+public interface HttpRequestPreemptiveAuthenticator extends Pluggable
+{
+ Subject attemptAuthentication(HttpServletRequest request, HttpManagementConfiguration configuration);
+}
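Review bot: The interface carries no Javadoc, and the contract that matters most to implementers, that returning null means "not applicable or credentials rejected" while a non-null Subject ends the chain in HttpManagementUtil.tryToAuthenticate, is only discoverable by reading the caller. A method comment along the lines of `/** Returns an authenticated Subject for the request, or null if this authenticator does not apply to the request or rejects its credentials; the first authenticator to return non-null wins. */` would capture it. The `org.apache.qpid.server.model.port.HttpPort` import is unused.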
Propchange: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpRequestPreemptiveAuthenticator.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/AnonymousPreemptiveAuthenticator.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/AnonymousPreemptiveAuthenticator.java?rev=1722416&view=auto
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/AnonymousPreemptiveAuthenticator.java (added)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/AnonymousPreemptiveAuthenticator.java Wed Dec 30 23:01:26 2015
@@ -0,0 +1,59 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.management.plugin.auth;
+
+import javax.security.auth.Subject;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
+import org.apache.qpid.server.management.plugin.HttpRequestPreemptiveAuthenticator;
+import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.plugin.PluggableService;
+import org.apache.qpid.server.security.SubjectCreator;
+import org.apache.qpid.server.security.auth.manager.AnonymousAuthenticationManager;
+
+@PluggableService
+public class AnonymousPreemptiveAuthenticator implements HttpRequestPreemptiveAuthenticator
+{
+
+ private static final String ANONYMOUS = "Anonymous";
+
+ @Override
+ public Subject attemptAuthentication(final HttpServletRequest request,
+ final HttpManagementConfiguration managementConfig)
+ {
+ final AuthenticationProvider authenticationProvider = managementConfig.getAuthenticationProvider(request);
+ SubjectCreator subjectCreator = authenticationProvider.getSubjectCreator(request.isSecure());
+ if(authenticationProvider instanceof AnonymousAuthenticationManager)
+ {
+ return subjectCreator.createResultWithGroups(AnonymousAuthenticationManager.ANONYMOUS_USERNAME,
+ AnonymousAuthenticationManager.ANONYMOUS_AUTHENTICATION).getSubject();
+ }
+
+ return null;
+ }
+
+ @Override
+ public String getType()
+ {
+ return ANONYMOUS;
+ }
+}
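Review bot: In attemptAuthentication, `authenticationProvider.getSubjectCreator(request.isSecure())` is evaluated before the `instanceof AnonymousAuthenticationManager` test, so a SubjectCreator is built for every request even when this authenticator does not apply. Putting the instanceof check first as a guard clause and fetching the SubjectCreator inside the branch avoids that and reads more clearly. A class comment stating that this authenticator grants an anonymous Subject to any request arriving on a port whose AuthenticationProvider is an AnonymousAuthenticationManager, independent of the HTTP/HTTPS basic-auth enablement flags, would make the intended exposure explicit.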
Propchange: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/AnonymousPreemptiveAuthenticator.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/BasicAuthPreemptiveAuthenticator.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/BasicAuthPreemptiveAuthenticator.java?rev=1722416&view=auto
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/BasicAuthPreemptiveAuthenticator.java (added)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/BasicAuthPreemptiveAuthenticator.java Wed Dec 30 23:01:26 2015
@@ -0,0 +1,96 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.management.plugin.auth;
+
+import java.nio.charset.StandardCharsets;
+
+import javax.security.auth.Subject;
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.bind.DatatypeConverter;
+
+import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
+import org.apache.qpid.server.management.plugin.HttpRequestPreemptiveAuthenticator;
+import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.model.port.HttpPort;
+import org.apache.qpid.server.plugin.PluggableService;
+import org.apache.qpid.server.security.SubjectCreator;
+import org.apache.qpid.server.security.auth.AuthenticationResult;
+import org.apache.qpid.server.security.auth.SubjectAuthenticationResult;
+import org.apache.qpid.server.security.auth.manager.UsernamePasswordAuthenticationProvider;
+
+@PluggableService
+public class BasicAuthPreemptiveAuthenticator implements HttpRequestPreemptiveAuthenticator
+{
+
+ private static final String BASIC_AUTH = "BasicAuth";
+
+ @Override
+ public Subject attemptAuthentication(final HttpServletRequest request, final HttpManagementConfiguration managementConfiguration)
+ {
+ String header = request.getHeader("Authorization");
+ final AuthenticationProvider<?> authenticationProvider = managementConfiguration.getAuthenticationProvider(request);
+ SubjectCreator subjectCreator = authenticationProvider.getSubjectCreator(request.isSecure());
+
+ if (header != null && authenticationProvider instanceof UsernamePasswordAuthenticationProvider)
+ {
+ UsernamePasswordAuthenticationProvider<?> namePasswdAuthProvider = (UsernamePasswordAuthenticationProvider<?>)authenticationProvider;
+
+ String[] tokens = header.split("\\s");
+ if (tokens.length >= 2 && "BASIC".equalsIgnoreCase(tokens[0]))
+ {
+ boolean isBasicAuthSupported = false;
+ if (request.isSecure())
+ {
+ isBasicAuthSupported = managementConfiguration.isHttpsBasicAuthenticationEnabled();
+ }
+ else
+ {
+ isBasicAuthSupported = managementConfiguration.isHttpBasicAuthenticationEnabled();
+ }
+ if (isBasicAuthSupported)
+ {
+ String base64UsernameAndPassword = tokens[1];
+ String[] credentials = (new String(DatatypeConverter.parseBase64Binary(base64UsernameAndPassword),
+ StandardCharsets.UTF_8)).split(":", 2);
+ if (credentials.length == 2)
+ {
+ String username = credentials[0];
+ String password = credentials[1];
+ AuthenticationResult authenticationResult = namePasswdAuthProvider.authenticate(username, password);
+ SubjectAuthenticationResult result = subjectCreator.createResultWithGroups(username,
+ authenticationResult);
+
+ return result.getSubject();
+
+
+ }
+ }
+ }
+ }
+ return null;
+ }
+
+ @Override
+ public String getType()
+ {
+ return BASIC_AUTH;
+ }
+}
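Review bot: The explicit success check performed by the old HttpManagementUtil.authenticateUser is gone: attemptAuthentication returns `subjectCreator.createResultWithGroups(username, authenticationResult).getSubject()` without inspecting `authenticationResult.getStatus()`, so rejecting bad credentials now depends entirely on SubjectCreator (modified in this commit but not visible here) yielding a null Subject for ERROR and CONTINUE results. Guarding locally keeps the failure path independent of that helper: `if (authenticationResult.getStatus() != AuthenticationResult.AuthenticationStatus.SUCCESS) { return null; }` immediately after the authenticate call. Unchanged from the replaced code but worth noting, `header.split("\\s")` splits on a single whitespace character, so a header with two spaces after `Basic` yields an empty token; `"\\s+"` would be more forgiving.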
Propchange: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/BasicAuthPreemptiveAuthenticator.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/SSLClientCertPreemptiveAuthenticator.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/SSLClientCertPreemptiveAuthenticator.java?rev=1722416&view=auto
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/SSLClientCertPreemptiveAuthenticator.java (added)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/SSLClientCertPreemptiveAuthenticator.java Wed Dec 30 23:01:26 2015
@@ -0,0 +1,88 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.management.plugin.auth;
+
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+
+import javax.security.auth.Subject;
+import javax.security.auth.x500.X500Principal;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
+import org.apache.qpid.server.management.plugin.HttpRequestPreemptiveAuthenticator;
+import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.plugin.PluggableService;
+import org.apache.qpid.server.security.SubjectCreator;
+import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
+import org.apache.qpid.server.security.auth.UsernamePrincipal;
+import org.apache.qpid.server.security.auth.manager.ExternalAuthenticationManager;
+import org.apache.qpid.transport.network.security.ssl.SSLUtil;
+
+@PluggableService
+public class SSLClientCertPreemptiveAuthenticator implements HttpRequestPreemptiveAuthenticator
+{
+
+ private static final String SSL_CLIENT_AUTH = "SSLClientAuth";
+ private static final String CERTIFICATE_ATTRIBUTE_NAME = "javax.servlet.request.X509Certificate";
+
+ @Override
+ public Subject attemptAuthentication(final HttpServletRequest request,
+ final HttpManagementConfiguration managementConfig)
+ {
+ final AuthenticationProvider authenticationProvider = managementConfig.getAuthenticationProvider(request);
+ SubjectCreator subjectCreator = authenticationProvider.getSubjectCreator(request.isSecure());
+ if(request.isSecure()
+ && authenticationProvider instanceof ExternalAuthenticationManager
+ && Collections.list(request.getAttributeNames()).contains(CERTIFICATE_ATTRIBUTE_NAME))
+ {
+ ExternalAuthenticationManager<?> externalAuthManager = (ExternalAuthenticationManager<?>)authenticationProvider;
+ Principal principal = null;
+ X509Certificate[] certificates =
+ (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
+ if(certificates != null && certificates.length != 0)
+ {
+ principal = certificates[0].getSubjectX500Principal();
+
+ if(!externalAuthManager.getUseFullDN())
+ {
+ String username;
+ String dn = ((X500Principal) principal).getName(X500Principal.RFC2253);
+
+
+ username = SSLUtil.getIdFromSubjectDN(dn);
+ principal = new UsernamePrincipal(username);
+ }
+
+ return subjectCreator.createSubjectWithGroups(new AuthenticatedPrincipal(principal));
+ }
+ }
+
+ return null;
+ }
+
+ @Override
+ public String getType()
+ {
+ return SSL_CLIENT_AUTH;
+ }
+}
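Review bot: In attemptAuthentication the certificate array is fetched with the literal `"javax.servlet.request.X509Certificate"` even though CERTIFICATE_ATTRIBUTE_NAME holds the same string, and the preceding `Collections.list(request.getAttributeNames()).contains(CERTIFICATE_ATTRIBUTE_NAME)` scan is redundant with the null check on the array that follows. `X509Certificate[] certificates = (X509Certificate[]) request.getAttribute(CERTIFICATE_ATTRIBUTE_NAME);` plus the existing null/length test covers both cases and lets the `java.util.Collections` import go. The new `request.isSecure()` guard is a worthwhile tightening over the replaced code; a one-line comment such as `// Only trust a client chain presented on a TLS connection to this port` would record why it is there.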
Propchange: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/SSLClientCertPreemptiveAuthenticator.java
------------------------------------------------------------------------------
svn:eol-style = native