Posted to commits@qpid.apache.org by kw...@apache.org on 2014/10/06 18:09:06 UTC

svn commit: r1629695 - in /qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager: SimpleLDAPAuthenticationManager.java SimpleLDAPAuthenticationManagerImpl.java

Author: kwall
Date: Mon Oct  6 16:09:06 2014
New Revision: 1629695

URL: http://svn.apache.org/r1629695
Log:
QPID-6132: [Java Broker] Fix defect introduced by r1629664 (validateChange was not validating the to-be state).

Modified:
    qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java
    qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java

Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java?rev=1629695&r1=1629694&r2=1629695&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java Mon Oct  6 16:09:06 2014
@@ -30,13 +30,13 @@ import org.apache.qpid.server.model.Trus
 public interface SimpleLDAPAuthenticationManager<X extends SimpleLDAPAuthenticationManager<X>> extends AuthenticationProvider<X>
 {
     String PROVIDER_TYPE = "SimpleLDAP";
-    String TRUST_STORE = "trustStore";
     String PROVIDER_URL = "providerUrl";
     String PROVIDER_AUTH_URL = "providerAuthUrl";
     String SEARCH_CONTEXT = "searchContext";
     String LDAP_CONTEXT_FACTORY = "ldapContextFactory";
     String SEARCH_USERNAME = "getSearchUsername";
     String SEARCH_PASSWORD = "getSearchPassword";
+    String TRUST_STORE = "trustStore";
 
 
     @ManagedAttribute( description = "LDAP server URL", mandatory = true)

Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java?rev=1629695&r1=1629694&r2=1629695&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java Mon Oct  6 16:09:06 2014
@@ -25,8 +25,6 @@ import static java.util.Collections.sing
 
 import java.io.IOException;
 import java.security.GeneralSecurityException;
-import java.security.KeyManagementException;
-import java.security.NoSuchAlgorithmException;
 import java.security.Principal;
 import java.util.Arrays;
 import java.util.Hashtable;
@@ -66,7 +64,6 @@ import org.apache.qpid.server.security.a
 import org.apache.qpid.server.security.auth.manager.ldap.LDAPSSLSocketFactoryGenerator;
 import org.apache.qpid.server.security.auth.sasl.plain.PlainPasswordCallback;
 import org.apache.qpid.server.security.auth.sasl.plain.PlainSaslServer;
-import org.apache.qpid.server.util.ServerScopedRuntimeException;
 import org.apache.qpid.server.util.StringUtil;
 import org.apache.qpid.ssl.SSLContextFactory;
 
@@ -80,7 +77,8 @@ public class SimpleLDAPAuthenticationMan
                                                                              SEARCH_CONTEXT,
                                                                              LDAP_CONTEXT_FACTORY,
                                                                              SEARCH_USERNAME,
-                                                                             SEARCH_PASSWORD));
+                                                                             SEARCH_PASSWORD,
+                                                                             TRUST_STORE));
 
     /**
      * Environment key to instruct {@link InitialDirContext} to override the socket factory.
@@ -129,17 +127,24 @@ public class SimpleLDAPAuthenticationMan
     protected void validateOnCreate()
     {
         super.validateOnCreate();
-        validateInitialDirContext();
+
+        Class<? extends SocketFactory> sslSocketFactoryOverrideClass = _trustStore == null ? null : createSslSocketFactoryOverrideClass(_trustStore);
+        validateInitialDirContext(sslSocketFactoryOverrideClass, _providerUrl, _searchUsername, _searchPassword);
     }
 
     @Override
-    protected void validateChange(ConfiguredObject<?> proxyForValidation, Set<String> changedAttributes)
+    protected void validateChange(final ConfiguredObject<?> proxyForValidation, final Set<String> changedAttributes)
     {
         super.validateChange(proxyForValidation, changedAttributes);
 
         if (!disjoint(changedAttributes, CONNECTIVITY_ATTRS))
         {
-            validateInitialDirContext();
+            SimpleLDAPAuthenticationManager changed = (SimpleLDAPAuthenticationManager)proxyForValidation;
+            TrustStore changedTruststore = changed.getTrustStore();
+            Class<? extends SocketFactory> sslSocketFactoryOverrideClass = changedTruststore == null ? null : createSslSocketFactoryOverrideClass(
+                    changedTruststore);
+            validateInitialDirContext(sslSocketFactoryOverrideClass, changed.getProviderUrl(), changed.getSearchUsername(),
+                                      changed.getSearchPassword());
         }
     }
 
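Review bot: The cast in validateChange, `SimpleLDAPAuthenticationManager changed = (SimpleLDAPAuthenticationManager)proxyForValidation;`, uses the raw type and discards the generic bound the interface declares, which also draws a rawtypes warning; `SimpleLDAPAuthenticationManager<?> changed = (SimpleLDAPAuthenticationManager<?>) proxyForValidation;` keeps the intent without it. The null-guarded ternary around createSslSocketFactoryOverrideClass appears here, in validateOnCreate above it, and again in onOpen in the next hunk, so a small private helper taking a TrustStore would keep the three call sites in step if the guard ever changes. Reading the provider URL, search credentials and trust store from the proxy is what the commit sets out to do; whether every value the dir context uses now comes from the proxy depends on setupSearchContext, in a later hunk.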
@@ -148,7 +153,7 @@ public class SimpleLDAPAuthenticationMan
     {
         super.onOpen();
 
-        _sslSocketFactoryOverrideClass = createSslSocketFactoryOverrideClass();
+        _sslSocketFactoryOverrideClass = _trustStore == null ? null : createSslSocketFactoryOverrideClass(_trustStore);
     }
 
     @Override
@@ -288,7 +293,7 @@ public class SimpleLDAPAuthenticationMan
         InitialDirContext ctx = null;
         try
         {
-            ctx = createInitialDirContext(env);
+            ctx = createInitialDirContext(env, _sslSocketFactoryOverrideClass);
 
             //Authentication succeeded
             return new AuthenticationResult(new UsernamePrincipal(name));
@@ -320,7 +325,8 @@ public class SimpleLDAPAuthenticationMan
         return env;
     }
 
-    private InitialDirContext createInitialDirContext(Hashtable<String, Object> env) throws NamingException
+    private InitialDirContext createInitialDirContext(Hashtable<String, Object> env,
+                                                      Class<? extends SocketFactory> sslSocketFactoryOverrideClass) throws NamingException
     {
         ClassLoader existingContextClassLoader = null;
 
@@ -329,11 +335,11 @@ public class SimpleLDAPAuthenticationMan
         boolean revertContentClassLoader = false;
         try
         {
-            if (isLdaps && _sslSocketFactoryOverrideClass != null)
+            if (isLdaps && sslSocketFactoryOverrideClass != null)
             {
                 existingContextClassLoader = Thread.currentThread().getContextClassLoader();
-                env.put(JAVA_NAMING_LDAP_FACTORY_SOCKET, _sslSocketFactoryOverrideClass.getName());
-                Thread.currentThread().setContextClassLoader(_sslSocketFactoryOverrideClass.getClassLoader());
+                env.put(JAVA_NAMING_LDAP_FACTORY_SOCKET, sslSocketFactoryOverrideClass.getName());
+                Thread.currentThread().setContextClassLoader(sslSocketFactoryOverrideClass.getClassLoader());
                 revertContentClassLoader = true;
             }
             return new InitialDirContext(env);
@@ -352,43 +358,29 @@ public class SimpleLDAPAuthenticationMan
      * associated with the {@link SSLContext} generated from that trust store.
      *
      * @return generated socket factory class
+     * @param trustStore
      */
-    private Class<? extends SocketFactory> createSslSocketFactoryOverrideClass()
+    private Class<? extends SocketFactory> createSslSocketFactoryOverrideClass(final TrustStore trustStore)
     {
-        if (_trustStore != null)
+        String clazzName = new StringUtil().createUniqueJavaName(getName() + "_" + trustStore.getName());
+        SSLContext sslContext = null;
+        try
         {
-            String clazzName = new StringUtil().createUniqueJavaName(getName());
-            SSLContext sslContext = null;
-            try
-            {
-                sslContext = SSLContext.getInstance("TLS");
-                sslContext.init(null, _trustStore.getTrustManagers(), null);
-            }
-            catch (NoSuchAlgorithmException e)
-            {
-                _logger.error("Exception creating SSLContext", e);
-                throw new ServerScopedRuntimeException("Error creating SSLContext for trust store : " + _trustStore.getName() , e);
-            }
-            catch (KeyManagementException e)
-            {
-                _logger.error("Exception creating SSLContext", e);
-                throw new ServerScopedRuntimeException("Error creating SSLContext for trust store : " + _trustStore.getName() , e);
-            }
-            catch (GeneralSecurityException e)
-            {
-                _logger.error("Exception creating SSLContext", e);
-                throw new ServerScopedRuntimeException("Error creating SSLContext for trust store : " + _trustStore.getName() , e);
-            }
-
-            Class<? extends AbstractLDAPSSLSocketFactory> clazz = LDAPSSLSocketFactoryGenerator.createSubClass(clazzName, sslContext.getSocketFactory());
-            if (_logger.isDebugEnabled())
-            {
-                _logger.debug("Connection to Directory will use custom SSL socket factory : " +  clazz);
-            }
-            return clazz;
+            sslContext = SSLContext.getInstance("TLS");
+            sslContext.init(null, trustStore.getTrustManagers(), null);
+        }
+        catch (GeneralSecurityException e)
+        {
+            _logger.error("Exception creating SSLContext", e);
+            throw new IllegalConfigurationException("Error creating SSLContext with trust store : " + trustStore.getName() , e);
         }
 
-        return null;
+        Class<? extends AbstractLDAPSSLSocketFactory> clazz = LDAPSSLSocketFactoryGenerator.createSubClass(clazzName, sslContext.getSocketFactory());
+        if (_logger.isDebugEnabled())
+        {
+            _logger.debug("Connection to Directory will use custom SSL socket factory : " +  clazz);
+        }
+        return clazz;
     }
 
     @Override
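Review bot: The Javadoc of createSslSocketFactoryOverrideClass now carries a bare `@param trustStore` with no description, placed after `@return`; it should describe the argument and precede the return tag, e.g. `@param trustStore trust store whose trust managers initialise the TLS SSLContext behind the generated factory; must not be null (all three call sites guard this)`. The method is now reached from validateOnCreate and validateChange as well as onOpen, and the generated class name is derived from the provider and trust store names, so each validation presumably defines a fresh generated class; whether those classes are ever released depends on LDAPSSLSocketFactoryGenerator.createSubClass, which is outside this hunk, and a one-line comment stating the expected lifetime would help the next reader. The Javadoc's opening lines lie outside the hunk.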
@@ -402,20 +394,22 @@ public class SimpleLDAPAuthenticationMan
                ", searchUsername=" + _searchUsername + "]";
     }
 
-    private void validateInitialDirContext()
+    private void validateInitialDirContext(Class<? extends SocketFactory> sslSocketFactoryOverrideClass,
+                                           final String providerUrl,
+                                           final String searchUsername, final String searchPassword)
     {
-        Hashtable<String,Object> env = createInitialDirContextEnvironment(_providerUrl);
+        Hashtable<String,Object> env = createInitialDirContextEnvironment(providerUrl);
 
-        setupSearchContext(env);
+        setupSearchContext(env, searchUsername, searchPassword);
 
         InitialDirContext ctx = null;
         try
         {
-            ctx = createInitialDirContext(env);
+            ctx = createInitialDirContext(env, sslSocketFactoryOverrideClass);
         }
         catch (NamingException e)
         {
-            _logger.error("Failed to establish connectivity to the ldap server for " + this, e);
+            _logger.error("Failed to establish connectivity to the ldap server for " + providerUrl, e);
             throw new IllegalConfigurationException("Failed to establish connectivity to the ldap server." , e);
         }
         finally
@@ -424,13 +418,14 @@ public class SimpleLDAPAuthenticationMan
         }
     }
 
-    private void setupSearchContext(final Hashtable<String, Object> env)
+    private void setupSearchContext(final Hashtable<String, Object> env,
+                                    final String searchUsername, final String searchPassword)
     {
         if(_searchUsername != null && _searchUsername.trim().length()>0)
         {
             env.put(Context.SECURITY_AUTHENTICATION, "simple");
-            env.put(Context.SECURITY_PRINCIPAL, _searchUsername);
-            env.put(Context.SECURITY_CREDENTIALS, _searchPassword);
+            env.put(Context.SECURITY_PRINCIPAL, searchUsername);
+            env.put(Context.SECURITY_CREDENTIALS, searchPassword);
         }
         else
         {
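Review bot: The guard at the top of setupSearchContext still tests the field `_searchUsername`, while the principal and credentials put into the environment now come from the new `searchUsername`/`searchPassword` parameters, so the two halves of the method disagree when validateChange passes proposed values. A change that sets a search username on a provider that currently has none takes the else branch and the proposed credentials are never exercised, and a change that clears the username binds an empty or null principal with the old field still non-empty. The condition should use the parameter: `if(searchUsername != null && searchUsername.trim().length()>0)`. The else branch and the remainder of the method lie outside the hunk.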
@@ -495,9 +490,9 @@ public class SimpleLDAPAuthenticationMan
         {
             Hashtable<String, Object> env = createInitialDirContextEnvironment(_providerUrl);
 
-            setupSearchContext(env);
+            setupSearchContext(env, _searchUsername, _searchPassword);
 
-            InitialDirContext ctx = createInitialDirContext(env);
+            InitialDirContext ctx = createInitialDirContext(env, _sslSocketFactoryOverrideClass);
 
             try
             {


