Posted to commits@activemq.apache.org by ch...@apache.org on 2011/01/06 18:57:56 UTC

svn commit: r1055965 - in /activemq/activemq-apollo/trunk: apollo-broker/pom.xml apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala apollo-distro/src/main/descriptors/common-bin.xml

Author: chirino
Date: Thu Jan  6 17:57:56 2011
New Revision: 1055965

URL: http://svn.apache.org/viewvc?rev=1055965&view=rev
Log:
The certificate login module can now be configured to only allow users
explicitly configured in a yaml file to connect, and to optionally give them
an alias.

Modified:
    activemq/activemq-apollo/trunk/apollo-broker/pom.xml
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala
    activemq/activemq-apollo/trunk/apollo-distro/src/main/descriptors/common-bin.xml

Modified: activemq/activemq-apollo/trunk/apollo-broker/pom.xml
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/pom.xml?rev=1055965&r1=1055964&r2=1055965&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/pom.xml (original)
+++ activemq/activemq-apollo/trunk/apollo-broker/pom.xml Thu Jan  6 17:57:56 2011
@@ -73,6 +73,12 @@
       <version>${hawtbuf-version}</version>
     </dependency>
 
+    <dependency>
+      <groupId>org.yaml</groupId>
+      <artifactId>snakeyaml</artifactId>
+      <version>1.7</version>
+    </dependency>
+
 
     <!-- Scala Support -->
     <dependency>
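Review bot: The new `snakeyaml` dependency pins `1.7` inline, while the neighbouring `hawtbuf` entry takes its version from a `${hawtbuf-version}` property; a property such as `snakeyaml-version` declared alongside the existing ones would keep the version in one place, which matters because this same commit also makes the distribution descriptor in `common-bin.xml` bundle `org.yaml:snakeyaml`. The added `+` blank line after the closing `</dependency>` also leaves two consecutive blank lines before the `<!-- Scala Support -->` comment.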

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala?rev=1055965&r1=1055964&r2=1055965&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala (original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala Thu Jan  6 17:57:56 2011
@@ -1,6 +1,5 @@
 package org.apache.activemq.apollo.broker.security
 
-import java.io.IOException
 import java.security.Principal
 import javax.security.auth.Subject
 import javax.security.auth.callback.CallbackHandler
@@ -8,12 +7,13 @@ import javax.security.auth.callback.Unsu
 import javax.security.auth.login.FailedLoginException
 import javax.security.auth.login.LoginException
 import java.security.cert.X509Certificate
-import java.util.HashSet
-
-
 import java.{util => ju}
-import org.apache.activemq.apollo.util.Log
-import org.apache.activemq.jaas.CertificateCallback
+import java.io.{FileInputStream, File, IOException}
+import org.yaml.snakeyaml.Yaml
+import org.apache.activemq.apollo.util.{FileSupport, Log}
+import java.lang.String
+import org.apache.activemq.jaas.{UserPrincipal, CertificateCallback}
+import java.util.{LinkedList, Properties, HashSet}
 
 /**
  * <p>
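Review bot: `import java.lang.String` on the new side is redundant — `String` is always in scope in Scala — and should be dropped. `Properties` and `HashSet` from the new `java.util.{LinkedList, Properties, HashSet}` import do not appear to be used in any of the visible hunks now that `principals` is a `LinkedList`; if nothing else in the file references them, trim the import to `java.util.LinkedList`.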
@@ -21,7 +21,10 @@ import org.apache.activemq.jaas.Certific
  *
  * @author <a href="http://hiramchirino.com">Hiram Chirino</a>
  */
-object CertificateLoginModule extends Log
+object CertificateLoginModule extends Log {
+  val LOGIN_CONFIG = "java.security.auth.login.config"
+  val FILE_OPTION = "dn_file"
+}
 
 /**
  * <p>
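Review bot: The two new constants carry no documentation, and `FILE_OPTION` is the configuration contract an administrator has to know about. A Scaladoc such as `/** JAAS option naming the YAML file of permitted subject DNs, each optionally mapped to an alias; a relative path is resolved against the directory holding the `java.security.auth.login.config` file, else the working directory. */` would capture what `initialize` does with it. The SCREAMING_SNAKE names also differ from the UpperCamelCase convention for Scala constants, though that is a matter of house style.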
@@ -37,7 +40,9 @@ class CertificateLoginModule {
   var subject: Subject = _
 
   var certificates: Array[X509Certificate] = _
-  var principals = new HashSet[Principal]()
+  var principals = new LinkedList[Principal]()
+
+  var file: Option[File] = None
 
   /**
    * Overriding to allow for proper initialization. Standard JAAS.
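Review bot: Replacing the `HashSet` with a `LinkedList` means `principals` now keeps duplicates, so a principal added twice — the same subject DN on more than one certificate in `certificates`, or `login` invoked again on this instance before `abort` — ends up in the subject twice once `commit` runs `addAll`. If insertion order is the reason for the change, `var principals = new LinkedHashSet[Principal]()` keeps the order without the duplicates. `commit` (outside this hunk) never clears the collection either; only `abort` resets it.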
@@ -45,6 +50,15 @@ class CertificateLoginModule {
   def initialize(subject: Subject, callback_handler: CallbackHandler, shared_state: ju.Map[String, _], options: ju.Map[String, _]): Unit = {
     this.subject = subject
     this.callback_handler = callback_handler
+
+    val base_dir = if (System.getProperty(LOGIN_CONFIG) != null) {
+      new File(System.getProperty(LOGIN_CONFIG)).getParentFile()
+    } else {
+      new File(".")
+    }
+
+    file = Option(options.get(FILE_OPTION)).map(x=> new File(base_dir,x.asInstanceOf[String]))
+    debug("Initialized file=%s", file)
   }
 
   def login: Boolean = {
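Review bot: `x.asInstanceOf[String]` on the `file =` line throws a `ClassCastException` out of `initialize` if the option value is not a `String`; the map is typed `ju.Map[String, _]`, so `x.toString` is the safer conversion. `System.getProperty(LOGIN_CONFIG)` is also read twice, and `getParentFile()` returns `null` when the property is a bare file name, which `new File(base_dir, …)` then silently resolves against the working directory; `Option(System.getProperty(LOGIN_CONFIG)).map(new File(_).getAbsoluteFile.getParentFile).getOrElse(new File("."))` handles both. The resolved file is not checked for existence here, so a mistyped `dn_file` only surfaces at the first login as a generic `LoginException`; a `warn` when the file does not exist would make the misconfiguration visible at startup.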
@@ -62,13 +76,47 @@ class CertificateLoginModule {
     if (certificates == null || certificates.isEmpty) {
       throw new FailedLoginException("No associated certificates")
     }
+
+    // Are we restricting the logins to known DNs?
+    file match {
+      case None =>
+        for (cert <- certificates) {
+          principals.add(cert.getSubjectX500Principal)
+        }
+
+      case Some(file)=>
+        val users = try {
+          import FileSupport._
+          using( new FileInputStream(file) ) { in=>
+            (new Yaml().load(in)).asInstanceOf[java.util.Map[String, AnyRef]]
+          }
+        } catch {
+          case e: Throwable =>
+            warn(e, "Unable to load the distinguished name file: " + file)
+            e.printStackTrace
+            throw new LoginException("Invalid login module configuration")
+        }
+
+        for (cert <- certificates) {
+          val dn: String = cert.getSubjectX500Principal.getName
+          if( users.containsKey(dn) ) {
+            val alias = users.get(dn)
+            if( alias!=null ) {
+              principals.add(new UserPrincipal(alias.toString))
+            }
+            principals.add(cert.getSubjectX500Principal)
+          }
+        }
+
+        if (principals.isEmpty) {
+          throw new FailedLoginException("Does not have a listed distinguished name")
+        }
+    }
+
     return true
   }
 
   def commit: Boolean = {
-    for (cert <- certificates) {
-      principals.add(cert.getSubjectX500Principal)
-    }
     subject.getPrincipals().addAll(principals)
     certificates = null;
     debug("commit")
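Review bot: An empty `dn_file` makes `new Yaml().load(in)` return `null`, and the `users.containsKey(dn)` call in the loop below sits outside the `try`, so the login then fails with a raw `NullPointerException` instead of the `LoginException` the catch was written to produce. The catch itself should match `NonFatal(e)` rather than `Throwable` so fatal errors propagate, and `e.printStackTrace` duplicates what `warn(e, …)` already logs. Because the file is only expected to hold a flat DN → alias map, constructing the parser as `new Yaml(new SafeConstructor())` restricts it to plain maps, lists and scalars instead of letting explicit type tags in the file instantiate arbitrary classes. Separately, the lookup loop runs over every entry of `certificates`; if the callback hands over the whole peer chain, a DN listed in the file matches an issuer certificate as well as the end-entity one, which is probably wider than intended and worth either documenting or restricting to the first element. The rewrite below needs `scala.util.control.NonFatal` and `org.yaml.snakeyaml.constructor.SafeConstructor` imported.
```scala
      case Some(file)=>
        val users = try {
          import FileSupport._
          using( new FileInputStream(file) ) { in=>
            // SafeConstructor builds only plain maps, lists and scalars; an
            // empty document loads as null, which becomes an empty map here.
            Option(new Yaml(new SafeConstructor()).load(in))
              .map(_.asInstanceOf[java.util.Map[String, AnyRef]])
              .getOrElse(new java.util.HashMap[String, AnyRef]())
          }
        } catch {
          case NonFatal(e) =>
            warn(e, "Unable to load the distinguished name file: " + file)
            throw new LoginException("Invalid login module configuration")
        }
        // … unchanged: per-certificate DN lookup and empty-principals check …
```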
@@ -76,6 +124,7 @@ class CertificateLoginModule {
   }
 
   def abort: Boolean = {
+    principals.clear
     certificates = null;
     debug("abort")
     return true

Modified: activemq/activemq-apollo/trunk/apollo-distro/src/main/descriptors/common-bin.xml
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-distro/src/main/descriptors/common-bin.xml?rev=1055965&r1=1055964&r2=1055965&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-distro/src/main/descriptors/common-bin.xml (original)
+++ activemq/activemq-apollo/trunk/apollo-distro/src/main/descriptors/common-bin.xml Thu Jan  6 17:57:56 2011
@@ -39,7 +39,8 @@
         <include>commons-lang:commons-lang</include>
         <include>commons-codec:commons-codec</include>
         <include>org.apache.activemq:activemq-jaas</include>
-
+        <include>org.yaml:snakeyaml</include>
+        
         <!-- for the webapp -->
         <include>org.eclipse.jetty.aggregate:jetty-all-server</include>
         <include>javax.servlet:servlet-api</include>