Posted to commits@qpid.apache.org by lq...@apache.org on 2016/12/05 16:38:43 UTC
svn commit: r1772712 - in /qpid/java/trunk/broker-core/src:
main/java/org/apache/qpid/server/logging/messages/
main/java/org/apache/qpid/server/model/
main/java/org/apache/qpid/server/security/
main/java/org/apache/qpid/server/security/auth/manager/ ma...
Author: lquack
Date: Mon Dec 5 16:38:42 2016
New Revision: 1772712
URL: http://svn.apache.org/viewvc?rev=1772712&view=rev
Log:
QPID-7371: [Java Broker] Add operational logging ATH-1010 for failed login attempts
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/messages/AuthenticationProviderMessages.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/messages/AuthenticationProvider_logmessages.properties
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/SaslNegotiator.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/anonymous/AnonymousNegotiator.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/crammd5/AbstractCramMd5Negotiator.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/external/ExternalNegotiator.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/kerberos/KerberosNegotiator.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/oauth2/OAuth2Negotiator.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainNegotiator.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramNegotiator.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/SubjectCreatorTest.java
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/messages/AuthenticationProviderMessages.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/messages/AuthenticationProviderMessages.java?rev=1772712&r1=1772711&r2=1772712&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/messages/AuthenticationProviderMessages.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/messages/AuthenticationProviderMessages.java Mon Dec 5 16:38:42 2016
@@ -64,18 +64,20 @@ public class AuthenticationProviderMessa
public static final String AUTHENTICATIONPROVIDER_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "authenticationprovider";
public static final String DELETE_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "authenticationprovider.delete";
- public static final String CLOSE_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "authenticationprovider.close";
public static final String CREATE_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "authenticationprovider.create";
public static final String OPERATION_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "authenticationprovider.operation";
+ public static final String AUTHENTICATION_FAILED_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "authenticationprovider.authentication_failed";
+ public static final String CLOSE_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "authenticationprovider.close";
public static final String OPEN_LOG_HIERARCHY = DEFAULT_LOG_HIERARCHY_PREFIX + "authenticationprovider.open";
static
{
LoggerFactory.getLogger(AUTHENTICATIONPROVIDER_LOG_HIERARCHY);
LoggerFactory.getLogger(DELETE_LOG_HIERARCHY);
- LoggerFactory.getLogger(CLOSE_LOG_HIERARCHY);
LoggerFactory.getLogger(CREATE_LOG_HIERARCHY);
LoggerFactory.getLogger(OPERATION_LOG_HIERARCHY);
+ LoggerFactory.getLogger(AUTHENTICATION_FAILED_LOG_HIERARCHY);
+ LoggerFactory.getLogger(CLOSE_LOG_HIERARCHY);
LoggerFactory.getLogger(OPEN_LOG_HIERARCHY);
_messages = ResourceBundle.getBundle("org.apache.qpid.server.logging.messages.AuthenticationProvider_logmessages", _currentLocale);
@@ -141,16 +143,21 @@ public class AuthenticationProviderMessa
/**
* Log a AuthenticationProvider message of the Format:
- * <pre>ATH-1003 : Close</pre>
+ * <pre>ATH-1001 : Create "{0}"</pre>
* Optional values are contained in [square brackets] and are numbered
* sequentially in the method call.
*
*/
- public static LogMessage CLOSE()
+ public static LogMessage CREATE(String param1)
{
- String rawMessage = _messages.getString("CLOSE");
+ String rawMessage = _messages.getString("CREATE");
- final String message = rawMessage;
+ final Object[] messageArguments = {param1};
+ // Create a new MessageFormat to ensure thread safety.
+ // Sharing a MessageFormat and using applyPattern is not thread safe
+ MessageFormat formatter = new MessageFormat(rawMessage, _currentLocale);
+
+ final String message = formatter.format(messageArguments);
return new LogMessage()
{
@@ -161,7 +168,7 @@ public class AuthenticationProviderMessa
public String getLogHierarchy()
{
- return CLOSE_LOG_HIERARCHY;
+ return CREATE_LOG_HIERARCHY;
}
@Override
@@ -194,14 +201,14 @@ public class AuthenticationProviderMessa
/**
* Log a AuthenticationProvider message of the Format:
- * <pre>ATH-1001 : Create "{0}"</pre>
+ * <pre>ATH-1005 : Operation : {0}</pre>
* Optional values are contained in [square brackets] and are numbered
* sequentially in the method call.
*
*/
- public static LogMessage CREATE(String param1)
+ public static LogMessage OPERATION(String param1)
{
- String rawMessage = _messages.getString("CREATE");
+ String rawMessage = _messages.getString("OPERATION");
final Object[] messageArguments = {param1};
// Create a new MessageFormat to ensure thread safety.
@@ -219,7 +226,7 @@ public class AuthenticationProviderMessa
public String getLogHierarchy()
{
- return CREATE_LOG_HIERARCHY;
+ return OPERATION_LOG_HIERARCHY;
}
@Override
@@ -252,14 +259,37 @@ public class AuthenticationProviderMessa
/**
* Log a AuthenticationProvider message of the Format:
- * <pre>ATH-1005 : Operation : {0}</pre>
+ * <pre>ATH-1010 : Authentication Failed[ : "{0}"]</pre>
* Optional values are contained in [square brackets] and are numbered
* sequentially in the method call.
*
*/
- public static LogMessage OPERATION(String param1)
+ public static LogMessage AUTHENTICATION_FAILED(String param1, boolean opt1)
{
- String rawMessage = _messages.getString("OPERATION");
+ String rawMessage = _messages.getString("AUTHENTICATION_FAILED");
+ StringBuffer msg = new StringBuffer();
+
+ // Split the formatted message up on the option values so we can
+ // rebuild the message based on the configured options.
+ String[] parts = rawMessage.split("\\[");
+ msg.append(parts[0]);
+
+ int end;
+ if (parts.length > 1)
+ {
+
+ // Add Option : : "{0}".
+ end = parts[1].indexOf(']');
+ if (opt1)
+ {
+ msg.append(parts[1].substring(0, end));
+ }
+
+ // Use 'end + 1' to remove the ']' from the output
+ msg.append(parts[1].substring(end + 1));
+ }
+
+ rawMessage = msg.toString();
final Object[] messageArguments = {param1};
// Create a new MessageFormat to ensure thread safety.
@@ -277,7 +307,60 @@ public class AuthenticationProviderMessa
public String getLogHierarchy()
{
- return OPERATION_LOG_HIERARCHY;
+ return AUTHENTICATION_FAILED_LOG_HIERARCHY;
+ }
+
+ @Override
+ public boolean equals(final Object o)
+ {
+ if (this == o)
+ {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass())
+ {
+ return false;
+ }
+
+ final LogMessage that = (LogMessage) o;
+
+ return getLogHierarchy().equals(that.getLogHierarchy()) && toString().equals(that.toString());
+
+ }
+
+ @Override
+ public int hashCode()
+ {
+ int result = toString().hashCode();
+ result = 31 * result + getLogHierarchy().hashCode();
+ return result;
+ }
+ };
+ }
+
+ /**
+ * Log a AuthenticationProvider message of the Format:
+ * <pre>ATH-1003 : Close</pre>
+ * Optional values are contained in [square brackets] and are numbered
+ * sequentially in the method call.
+ *
+ */
+ public static LogMessage CLOSE()
+ {
+ String rawMessage = _messages.getString("CLOSE");
+
+ final String message = rawMessage;
+
+ return new LogMessage()
+ {
+ public String toString()
+ {
+ return message;
+ }
+
+ public String getLogHierarchy()
+ {
+ return CLOSE_LOG_HIERARCHY;
}
@Override
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/messages/AuthenticationProvider_logmessages.properties
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/messages/AuthenticationProvider_logmessages.properties?rev=1772712&r1=1772711&r2=1772712&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/messages/AuthenticationProvider_logmessages.properties (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/messages/AuthenticationProvider_logmessages.properties Mon Dec 5 16:38:42 2016
@@ -25,3 +25,5 @@ DELETE = ATH-1004 : Delete "{0}"
# 0 - operation name
OPERATION = ATH-1005 : Operation : {0}
+
+AUTHENTICATION_FAILED = ATH-1010 : Authentication Failed[ : "{0}"]
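Review bot: The new `AUTHENTICATION_FAILED` entry has no argument comment, unlike the neighbouring `OPERATION` entry (`# 0 - operation name`), so a reader of the bundle cannot tell what `{0}` carries or why it sits in square brackets. Add `# 0 - attempted authentication id (bracketed part omitted when the mechanism exposes none)` above the line. Noting that the value is whatever the client claimed, not a verified identity, would also stop operators from treating it as authoritative.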
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java?rev=1772712&r1=1772711&r2=1772712&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java Mon Dec 5 16:38:42 2016
@@ -26,13 +26,15 @@ import java.util.List;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
+import org.apache.qpid.server.logging.EventLoggerProvider;
import org.apache.qpid.server.security.SubjectCreator;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.sasl.SaslNegotiator;
import org.apache.qpid.server.security.auth.sasl.SaslSettings;
@ManagedObject
-public interface AuthenticationProvider<X extends AuthenticationProvider<X>> extends ConfiguredObject<X>
+public interface AuthenticationProvider<X extends AuthenticationProvider<X>> extends ConfiguredObject<X>,
+ EventLoggerProvider
{
/**
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java?rev=1772712&r1=1772711&r2=1772712&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java Mon Dec 5 16:38:42 2016
@@ -20,6 +20,8 @@
*/
package org.apache.qpid.server.security;
+import static org.apache.qpid.server.logging.messages.AuthenticationProviderMessages.AUTHENTICATION_FAILED;
+
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
@@ -30,6 +32,7 @@ import java.util.Set;
import javax.security.auth.Subject;
+import org.apache.qpid.server.logging.LogMessage;
import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.GroupProvider;
import org.apache.qpid.server.security.auth.AuthenticationResult;
@@ -51,6 +54,7 @@ import org.apache.qpid.server.security.a
*/
public class SubjectCreator
{
+ private static final String UNKNOWN_AUTHENTICATION_ID = "<<UNKNOWN>>";
private final boolean _secure;
private AuthenticationProvider<?> _authenticationProvider;
private Collection<GroupProvider<?>> _groupProviders;
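Review bot: `UNKNOWN_AUTHENTICATION_ID` is declared here but none of the visible hunks read it; the later call site passes `authenticationId != null` as the option flag, so the bracketed suffix is simply dropped rather than replaced by the placeholder. Either delete the constant or use it so the log line keeps one stable shape, e.g. `AUTHENTICATION_FAILED(authenticationId == null ? UNKNOWN_AUTHENTICATION_ID : authenticationId, true)`. A fixed shape is easier to match in SIEM or fail2ban-style rules than a line whose suffix comes and goes per mechanism.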
@@ -110,6 +114,11 @@ public class SubjectCreator
}
else
{
+ if (authenticationResult.getStatus() == AuthenticationStatus.ERROR)
+ {
+ String authenticationId = saslNegotiator.getAttemptedAuthenticationId();
+ _authenticationProvider.getEventLogger().message(AUTHENTICATION_FAILED(authenticationId, authenticationId != null));
+ }
return new SubjectAuthenticationResult(authenticationResult);
}
}
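Review bot: `authenticationId` is client-supplied text (the PLAIN negotiator in this same commit decodes it straight from the wire as UTF-8, with no validation) and it is written into the operational log verbatim, so an unauthenticated client can embed CR/LF or other control characters and forge or split log records. Strip or escape control characters before handing it to the message, e.g. `authenticationId = authenticationId == null ? null : authenticationId.replaceAll("\\p{Cntrl}", "?");`, and consider bounding its length. A failed-login record is far more useful with the remote address alongside the name, but that information is not visible in this path, so treat that as a follow-up. The enclosing `authenticate` method begins outside the hunk.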
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java?rev=1772712&r1=1772711&r2=1772712&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java Mon Dec 5 16:38:42 2016
@@ -33,6 +33,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.qpid.server.logging.EventLogger;
+import org.apache.qpid.server.logging.EventLoggerProvider;
import org.apache.qpid.server.logging.messages.AuthenticationProviderMessages;
import org.apache.qpid.server.model.AbstractConfiguredObject;
import org.apache.qpid.server.model.AuthenticationProvider;
@@ -198,4 +199,10 @@ public abstract class AbstractAuthentica
{
_container.getEventLogger().message(AuthenticationProviderMessages.OPERATION(operation));
}
+
+ @Override
+ public EventLogger getEventLogger()
+ {
+ return _eventLogger;
+ }
}
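Review bot: `getEventLogger()` returns `_eventLogger`, while the existing `OPERATION` message a few lines above is routed through `_container.getEventLogger()`; if those two can differ, or `_eventLogger` is not set until the provider is opened (its initialisation is not in view), failed-login events either land somewhere other than the provider's other events or hit a null. Because the ATH-1010 path runs for every rejected client login, a null here would be a NullPointerException triggerable by any unauthenticated client. Either `return _container.getEventLogger();` for consistency, or add a comment stating why the two loggers are intentionally distinct and when `_eventLogger` is guaranteed non-null.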
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/SaslNegotiator.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/SaslNegotiator.java?rev=1772712&r1=1772711&r2=1772712&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/SaslNegotiator.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/SaslNegotiator.java Mon Dec 5 16:38:42 2016
@@ -27,4 +27,6 @@ public interface SaslNegotiator
AuthenticationResult handleResponse(byte[] response);
void dispose();
+
+ String getAttemptedAuthenticationId();
}
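Review bot: The new interface method carries no Javadoc, and its contract is subtle: several implementations in this commit return `null` (Kerberos, OAuth2, External when no CN could be derived, PLAIN before any response arrived), and the value is whatever the client claimed rather than a verified identity. Add a Javadoc stating that it returns the identity the client attempted to authenticate as, for logging only and never authoritative; that it may be `null` when the mechanism has not yet seen, or does not expose, an identity; and that it may be called after `handleResponse` has returned `ERROR`. Spelling out that last point makes it clear implementers must not rely on accessors that only work on a completed exchange.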
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/anonymous/AnonymousNegotiator.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/anonymous/AnonymousNegotiator.java?rev=1772712&r1=1772711&r2=1772712&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/anonymous/AnonymousNegotiator.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/anonymous/AnonymousNegotiator.java Mon Dec 5 16:38:42 2016
@@ -54,4 +54,10 @@ public class AnonymousNegotiator impleme
{
}
+
+ @Override
+ public String getAttemptedAuthenticationId()
+ {
+ return _anonymousAuthenticationResult.getMainPrincipal().getName();
+ }
}
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/crammd5/AbstractCramMd5Negotiator.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/crammd5/AbstractCramMd5Negotiator.java?rev=1772712&r1=1772711&r2=1772712&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/crammd5/AbstractCramMd5Negotiator.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/crammd5/AbstractCramMd5Negotiator.java Mon Dec 5 16:38:42 2016
@@ -62,6 +62,7 @@ public class AbstractCramMd5Negotiator e
private final SaslServer _saslServer;
private final SaslException _exception;
private final PasswordCredentialManagingAuthenticationProvider<?> _authenticationProvider;
+ private volatile String _username;
AbstractCramMd5Negotiator(final PasswordCredentialManagingAuthenticationProvider<?> authenticationProvider,
String localFQDN,
@@ -106,13 +107,17 @@ public class AbstractCramMd5Negotiator e
return _authenticationProvider;
}
- private static class ServerCallbackHandler implements CallbackHandler
+ @Override
+ public String getAttemptedAuthenticationId()
+ {
+ return _username;
+ }
+
+ private class ServerCallbackHandler implements CallbackHandler
{
private final PasswordSource _passwordSource;
private final PasswordTransformer _passwordTransformer;
- private String _username;
-
private ServerCallbackHandler(PasswordSource passwordSource, PasswordTransformer passwordTransformer)
{
_passwordTransformer = passwordTransformer;
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/external/ExternalNegotiator.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/external/ExternalNegotiator.java?rev=1772712&r1=1772711&r2=1772712&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/external/ExternalNegotiator.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/external/ExternalNegotiator.java Mon Dec 5 16:38:42 2016
@@ -38,13 +38,13 @@ public class ExternalNegotiator implemen
{
private final static Logger LOGGER = LoggerFactory.getLogger(ExternalNegotiator.class);
private final AuthenticationResult _result;
+ private final Principal _principal;
private volatile boolean _isComplete;
public ExternalNegotiator(final ExternalAuthenticationManager externalAuthenticationManager,
final Principal externalPrincipal)
{
boolean useFullDN = externalAuthenticationManager.getUseFullDN();
- final Principal principal;
if (externalPrincipal instanceof X500Principal && !useFullDN)
{
// Construct username as <CN>@<DC1>.<DC2>.<DC3>....<DCN>
@@ -59,29 +59,29 @@ public class ExternalNegotiator implemen
// CN is empty => Cannot construct username => Authentication failed => return null
LOGGER.debug("CN value was empty in Principal name, unable to construct username");
- principal = null;
+ _principal = null;
}
else
{
LOGGER.debug("Constructing Principal with username: {}", username);
- principal = new UsernamePrincipal(username, externalAuthenticationManager);
+ _principal = new UsernamePrincipal(username, externalAuthenticationManager);
}
}
else
{
LOGGER.debug("Using external Principal: {}", externalPrincipal);
- principal = externalPrincipal;
+ _principal = externalPrincipal;
}
- if (principal == null)
+ if (_principal == null)
{
_result = new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, new IllegalArgumentException("CN value was empty in Principal name, unable to construct username"));
}
else
{
- _result = new AuthenticationResult(principal);
+ _result = new AuthenticationResult(_principal);
}
}
@@ -106,4 +106,10 @@ public class ExternalNegotiator implemen
{
}
+
+ @Override
+ public String getAttemptedAuthenticationId()
+ {
+ return (_principal == null ? null : _principal.getName());
+ }
}
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/kerberos/KerberosNegotiator.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/kerberos/KerberosNegotiator.java?rev=1772712&r1=1772711&r2=1772712&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/kerberos/KerberosNegotiator.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/kerberos/KerberosNegotiator.java Mon Dec 5 16:38:42 2016
@@ -83,6 +83,12 @@ public class KerberosNegotiator extends
return _authenticationProvider;
}
+ @Override
+ public String getAttemptedAuthenticationId()
+ {
+ return null;
+ }
+
private static class GssApiCallbackHandler implements CallbackHandler
{
@Override
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/oauth2/OAuth2Negotiator.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/oauth2/OAuth2Negotiator.java?rev=1772712&r1=1772711&r2=1772712&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/oauth2/OAuth2Negotiator.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/oauth2/OAuth2Negotiator.java Mon Dec 5 16:38:42 2016
@@ -80,6 +80,12 @@ public class OAuth2Negotiator implements
}
+ @Override
+ public String getAttemptedAuthenticationId()
+ {
+ return null;
+ }
+
private Map<String, String> splitResponse(final byte[] response)
{
String[] splitResponse = new String(response, StandardCharsets.US_ASCII).split("\1");
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainNegotiator.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainNegotiator.java?rev=1772712&r1=1772711&r2=1772712&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainNegotiator.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainNegotiator.java Mon Dec 5 16:38:42 2016
@@ -34,6 +34,7 @@ public class PlainNegotiator implements
private UsernamePasswordAuthenticationProvider _usernamePasswordAuthenticationProvider;
private volatile boolean _isComplete;
+ private volatile String _username;
public PlainNegotiator(final UsernamePasswordAuthenticationProvider usernamePasswordAuthenticationProvider)
{
@@ -68,11 +69,10 @@ public class PlainNegotiator implements
"Invalid PLAIN encoding, authcid null terminator not found"));
}
- String username;
String password;
try
{
- username = new String(response, authzidNullPosition + 1, authcidNullPosition - authzidNullPosition - 1, UTF8);
+ _username = new String(response, authzidNullPosition + 1, authcidNullPosition - authzidNullPosition - 1, UTF8);
// TODO: should not get pwd as a String but as a char array...
int passwordLen = response.length - authcidNullPosition - 1;
password = new String(response, authcidNullPosition + 1, passwordLen, UTF8);
@@ -81,7 +81,7 @@ public class PlainNegotiator implements
{
throw new RuntimeException("JVM does not support UTF8", e);
}
- return _usernamePasswordAuthenticationProvider.authenticate(username, password);
+ return _usernamePasswordAuthenticationProvider.authenticate(_username, password);
}
@Override
@@ -90,6 +90,12 @@ public class PlainNegotiator implements
}
+ @Override
+ public String getAttemptedAuthenticationId()
+ {
+ return _username;
+ }
+
private int findNullPosition(byte[] response, int startPosition)
{
int position = startPosition;
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramNegotiator.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramNegotiator.java?rev=1772712&r1=1772711&r2=1772712&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramNegotiator.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramNegotiator.java Mon Dec 5 16:38:42 2016
@@ -52,4 +52,10 @@ public class ScramNegotiator extends Abs
{
return _saslServer;
}
+
+ @Override
+ public String getAttemptedAuthenticationId()
+ {
+ return _saslServer.getAuthorizationID();
+ }
}
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java?rev=1772712&r1=1772711&r2=1772712&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java Mon Dec 5 16:38:42 2016
@@ -36,26 +36,25 @@ import javax.xml.bind.DatatypeConverter;
import org.apache.qpid.util.Strings;
-public class ScramSaslServer implements SaslServer
+class ScramSaslServer implements SaslServer
{
- public final String _mechanism;
- public final String _hmacName;
- public final String _digestName;
-
private static final Charset ASCII = Charset.forName("ASCII");
+ private final String _mechanism;
+ private final String _hmacName;
+ private final String _digestName;
private final ScramSaslServerSource _authManager;
- private State _state = State.INITIAL;
- private String _nonce;
- private String _username;
- private byte[] _gs2Header;
- private String _serverFirstMessage;
- private String _clientFirstMessageBare;
- private byte[] _serverSignature;
- private ScramSaslServerSource.SaltAndPasswordKeys _saltAndPassword;
+ private volatile State _state = State.INITIAL;
+ private volatile String _nonce;
+ private volatile String _username;
+ private volatile byte[] _gs2Header;
+ private volatile String _serverFirstMessage;
+ private volatile String _clientFirstMessageBare;
+ private volatile byte[] _serverSignature;
+ private volatile ScramSaslServerSource.SaltAndPasswordKeys _saltAndPassword;
- public ScramSaslServer(final ScramSaslServerSource authenticationManager,
- final String mechanism)
+ ScramSaslServer(final ScramSaslServerSource authenticationManager,
+ final String mechanism)
{
_authManager = authenticationManager;
_mechanism = mechanism;
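Review bot: Making each field `volatile` gives visibility of individual writes but no atomicity across `_state`, `_nonce`, `_username` and the other fields that advance together in one step of the exchange. If the intent is only to let `getAttemptedAuthenticationId()` read `_username` from another thread after a failure, a comment should say so, e.g. `// volatile so a failed exchange's username can be read from the logging path; the exchange itself is still driven by one thread`, adjusted to whatever the actual threading model is. Without it a reader may assume the server is safe for concurrent `evaluateResponse` calls, which these modifiers do not provide.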
@@ -207,11 +206,7 @@ public class ScramSaslServer implements
return finalResponse.getBytes(ASCII);
}
- catch (NoSuchAlgorithmException e)
- {
- throw new SaslException(e.getMessage(), e);
- }
- catch (UnsupportedEncodingException e)
+ catch (NoSuchAlgorithmException | UnsupportedEncodingException e)
{
throw new SaslException(e.getMessage(), e);
}
@@ -272,11 +267,7 @@ public class ScramSaslServer implements
mac.init(key);
return mac;
}
- catch (NoSuchAlgorithmException e)
- {
- throw new SaslException(e.getMessage(), e);
- }
- catch (InvalidKeyException e)
+ catch (NoSuchAlgorithmException | InvalidKeyException e)
{
throw new SaslException(e.getMessage(), e);
}
Modified: qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/SubjectCreatorTest.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/SubjectCreatorTest.java?rev=1772712&r1=1772711&r2=1772712&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/SubjectCreatorTest.java (original)
+++ qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/SubjectCreatorTest.java Mon Dec 5 16:38:42 2016
@@ -19,6 +19,7 @@
package org.apache.qpid.server.security;
import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import java.security.Principal;
@@ -29,6 +30,10 @@ import java.util.Set;
import javax.security.auth.Subject;
+import org.mockito.ArgumentCaptor;
+
+import org.apache.qpid.server.logging.EventLogger;
+import org.apache.qpid.server.logging.LogMessage;
import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.GroupProvider;
import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
@@ -56,6 +61,7 @@ public class SubjectCreatorTest extends
private AuthenticationResult _authenticationResult;
private SaslNegotiator _testSaslNegotiator = mock(SaslNegotiator.class);
private byte[] _saslResponseBytes = PASSWORD.getBytes();
+ private EventLogger _eventLogger;
@Override
public void setUp()
@@ -65,6 +71,8 @@ public class SubjectCreatorTest extends
_subjectCreator = new SubjectCreator(_authenticationProvider, new HashSet<GroupProvider<?>>(Arrays.asList(_groupManager1, _groupManager2)),
false);
+ _eventLogger = mock(EventLogger.class);
+ when(_authenticationProvider.getEventLogger()).thenReturn(_eventLogger);
_authenticationResult = new AuthenticationResult(USERNAME_PRINCIPAL);
}
@@ -84,22 +92,30 @@ public class SubjectCreatorTest extends
assertTrue(actualSubject.isReadOnly());
}
- public void testAuthenticateUnsuccessfulWithSaslServerReturnsNullSubjectAndCorrectStatus()
+ public void testAuthenticateUnsuccessfulReturnsNullSubjectAndCorrectStatus()
{
- testUnsuccessfulAuthenticationWithSaslServer(AuthenticationResult.AuthenticationStatus.CONTINUE);
- testUnsuccessfulAuthenticationWithSaslServer(AuthenticationResult.AuthenticationStatus.ERROR);
+ testUnsuccessfulAuthentication(AuthenticationResult.AuthenticationStatus.CONTINUE);
+ testUnsuccessfulAuthentication(AuthenticationResult.AuthenticationStatus.ERROR);
}
- private void testUnsuccessfulAuthenticationWithSaslServer(AuthenticationStatus expectedStatus)
+ private void testUnsuccessfulAuthentication(AuthenticationStatus expectedStatus)
{
AuthenticationResult failedAuthenticationResult = new AuthenticationResult(expectedStatus);
when(_testSaslNegotiator.handleResponse(_saslResponseBytes)).thenReturn(failedAuthenticationResult);
- SubjectAuthenticationResult subjectAuthenticationResult = _subjectCreator.authenticate(_testSaslNegotiator, _saslResponseBytes);
+ SubjectAuthenticationResult subjectAuthenticationResult =
+ _subjectCreator.authenticate(_testSaslNegotiator, _saslResponseBytes);
assertSame(expectedStatus, subjectAuthenticationResult.getStatus());
assertNull(subjectAuthenticationResult.getSubject());
+
+ if (expectedStatus == AuthenticationStatus.ERROR)
+ {
+ ArgumentCaptor<LogMessage> argument = ArgumentCaptor.forClass(LogMessage.class);
+ verify(_eventLogger).message(argument.capture());
+ assertTrue("Unexpected operational log message", argument.getValue().toString().startsWith("ATH-1010"));
+ }
}
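Review bot: The ERROR branch only checks the `ATH-1010` prefix, and because the mock negotiator's `getAttemptedAuthenticationId()` defaults to `null` the optional id part of the message is never exercised; the CONTINUE branch asserts nothing about the logger, so a regression that logs on every intermediate round-trip would pass. Stub `when(_testSaslNegotiator.getAttemptedAuthenticationId()).thenReturn(<the username behind USERNAME_PRINCIPAL>);` in `setUp` and assert the captured message contains it, and add `verify(_eventLogger, never()).message(any(LogMessage.class));` in an `else` branch for the CONTINUE case (with `never` and `any` statically imported from Mockito). The CONTINUE case runs first in this test, so the `never()` check is not disturbed by the ERROR case's later interaction.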
public void testGetGroupPrincipals()