Posted to commits@activemq.apache.org by ch...@apache.org on 2011/01/06 18:57:56 UTC
svn commit: r1055965 - in /activemq/activemq-apollo/trunk:
apollo-broker/pom.xml
apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala
apollo-distro/src/main/descriptors/common-bin.xml
Author: chirino
Date: Thu Jan 6 17:57:56 2011
New Revision: 1055965
URL: http://svn.apache.org/viewvc?rev=1055965&view=rev
Log:
The certificate login module can now be configured to only allow users
explicitly configured in a yaml file to connect, and to optionally give them
an alias.
Modified:
activemq/activemq-apollo/trunk/apollo-broker/pom.xml
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala
activemq/activemq-apollo/trunk/apollo-distro/src/main/descriptors/common-bin.xml
Modified: activemq/activemq-apollo/trunk/apollo-broker/pom.xml
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/pom.xml?rev=1055965&r1=1055964&r2=1055965&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/pom.xml (original)
+++ activemq/activemq-apollo/trunk/apollo-broker/pom.xml Thu Jan 6 17:57:56 2011
@@ -73,6 +73,12 @@
<version>${hawtbuf-version}</version>
</dependency>
+ <dependency>
+ <groupId>org.yaml</groupId>
+ <artifactId>snakeyaml</artifactId>
+ <version>1.7</version>
+ </dependency>
+
<!-- Scala Support -->
<dependency>
Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala?rev=1055965&r1=1055964&r2=1055965&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala (original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala Thu Jan 6 17:57:56 2011
@@ -1,6 +1,5 @@
package org.apache.activemq.apollo.broker.security
-import java.io.IOException
import java.security.Principal
import javax.security.auth.Subject
import javax.security.auth.callback.CallbackHandler
@@ -8,12 +7,13 @@ import javax.security.auth.callback.Unsu
import javax.security.auth.login.FailedLoginException
import javax.security.auth.login.LoginException
import java.security.cert.X509Certificate
-import java.util.HashSet
-
-
import java.{util => ju}
-import org.apache.activemq.apollo.util.Log
-import org.apache.activemq.jaas.CertificateCallback
+import java.io.{FileInputStream, File, IOException}
+import org.yaml.snakeyaml.Yaml
+import org.apache.activemq.apollo.util.{FileSupport, Log}
+import java.lang.String
+import org.apache.activemq.jaas.{UserPrincipal, CertificateCallback}
+import java.util.{LinkedList, Properties, HashSet}
/**
* <p>
@@ -21,7 +21,10 @@ import org.apache.activemq.jaas.Certific
*
* @author <a href="http://hiramchirino.com">Hiram Chirino</a>
*/
-object CertificateLoginModule extends Log
+object CertificateLoginModule extends Log {
+ val LOGIN_CONFIG = "java.security.auth.login.config"
+ val FILE_OPTION = "dn_file"
+}
/**
* <p>
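Review bot: `FILE_OPTION` and `LOGIN_CONFIG` are new public constants with no scaladoc, so the contract of the `dn_file` option is only discoverable by reading `initialize` and `login` further down. Suggest placing `/** Login option naming a YAML file whose keys are certificate subject DNs (RFC 2253 form, as returned by X500Principal.getName) and whose values are an optional alias for the user; when present only listed DNs may log in. A relative path is resolved against the directory holding the java.security.auth.login.config file. */` above `FILE_OPTION`, and a one-line comment on `LOGIN_CONFIG` saying it is the system property consulted for that base directory. Both facts are established by the code in the later hunks of this file, not by anything in this one.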
@@ -37,7 +40,9 @@ class CertificateLoginModule {
var subject: Subject = _
var certificates: Array[X509Certificate] = _
- var principals = new HashSet[Principal]()
+ var principals = new LinkedList[Principal]()
+
+ var file: Option[File] = None
/**
* Overriding to allow for proper initialization. Standard JAAS.
@@ -45,6 +50,15 @@ class CertificateLoginModule {
def initialize(subject: Subject, callback_handler: CallbackHandler, shared_state: ju.Map[String, _], options: ju.Map[String, _]): Unit = {
this.subject = subject
this.callback_handler = callback_handler
+
+ val base_dir = if (System.getProperty(LOGIN_CONFIG) != null) {
+ new File(System.getProperty(LOGIN_CONFIG)).getParentFile()
+ } else {
+ new File(".")
+ }
+
+ file = Option(options.get(FILE_OPTION)).map(x=> new File(base_dir,x.asInstanceOf[String]))
+ debug("Initialized file=%s", file)
}
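Review bot: `new File(base_dir, x.asInstanceOf[String])` silently turns an absolute `dn_file` path into one underneath `base_dir`, because java.io.File(parent, child) resolves an absolute child relative to the parent rather than honouring it; the module then fails every login with "Invalid login module configuration" although the operator's path was correct. Check for an absolute path first, e.g. `file = Option(options.get(FILE_OPTION)).map { x => val f = new File(x.toString); if (f.isAbsolute) f else new File(base_dir, f.getPath) }`, which also replaces the unchecked cast on a value the JAAS configuration supplies. A file that does not exist is only reported at the first login; a `warn` here when `file.exists` is false would surface the misconfiguration at startup while keeping the fail-closed behaviour in `login`.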
def login: Boolean = {
@@ -62,13 +76,47 @@ class CertificateLoginModule {
if (certificates == null || certificates.isEmpty) {
throw new FailedLoginException("No associated certificates")
}
+
+ // Are we restricting the logins to known DNs?
+ file match {
+ case None =>
+ for (cert <- certificates) {
+ principals.add(cert.getSubjectX500Principal)
+ }
+
+ case Some(file)=>
+ val users = try {
+ import FileSupport._
+ using( new FileInputStream(file) ) { in=>
+ (new Yaml().load(in)).asInstanceOf[java.util.Map[String, AnyRef]]
+ }
+ } catch {
+ case e: Throwable =>
+ warn(e, "Unable to load the distinguished name file: " + file)
+ e.printStackTrace
+ throw new LoginException("Invalid login module configuration")
+ }
+
+ for (cert <- certificates) {
+ val dn: String = cert.getSubjectX500Principal.getName
+ if( users.containsKey(dn) ) {
+ val alias = users.get(dn)
+ if( alias!=null ) {
+ principals.add(new UserPrincipal(alias.toString))
+ }
+ principals.add(cert.getSubjectX500Principal)
+ }
+ }
+
+ if (principals.isEmpty) {
+ throw new FailedLoginException("Does not have a listed distinguished name")
+ }
+ }
+
return true
}
def commit: Boolean = {
- for (cert <- certificates) {
- principals.add(cert.getSubjectX500Principal)
- }
subject.getPrincipals().addAll(principals)
certificates = null;
debug("commit")
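Review bot: `users` is null when the DN file is an empty document (SnakeYAML's load returns null there, and the `asInstanceOf` cast lets null through), so `users.containsKey(dn)` in the loop below throws a NullPointerException out of `login` instead of the LoginException the surrounding code intends; a non-map document is at least rejected by the cast inside the try. The catch matches `Throwable`, which also swallows fatal errors such as OutOfMemoryError, and `e.printStackTrace` duplicates the `warn` that already carries the exception; narrowing to `Exception` (or `scala.util.control.NonFatal` on Scala versions that provide it) and dropping the print is enough. `new Yaml()` uses SnakeYAML's default constructor, which honours explicit `!!` type tags in the document; since this file should only ever hold DN-to-alias strings, constructing with `org.yaml.snakeyaml.constructor.SafeConstructor` restricts it to standard YAML types. The keys must be written in the RFC 2253 form that `getSubjectX500Principal.getName` returns, which the option's documentation should state. `login` starts before this hunk and `commit` ends after it.
```scala
case Some(file)=>
  val users = try {
    import FileSupport._
    using( new FileInputStream(file) ) { in=>
      // SafeConstructor limits the document to plain YAML types; an empty
      // (null) or non-map document is a configuration error, not a crash.
      new Yaml(new SafeConstructor()).load(in) match {
        case m: java.util.Map[_, _] => m.asInstanceOf[java.util.Map[String, AnyRef]]
        case _ => throw new LoginException("Invalid login module configuration")
      }
    }
  } catch {
    case e: Exception =>
      warn(e, "Unable to load the distinguished name file: " + file)
      throw new LoginException("Invalid login module configuration")
  }
  // … unchanged: DN lookup loop and the empty-principals check …
```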
@@ -76,6 +124,7 @@ class CertificateLoginModule {
}
def abort: Boolean = {
+ principals.clear
certificates = null;
debug("abort")
return true
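Review bot: `principals.clear` is added to `abort` but not to `commit`, whose body ends at the `}` on this hunk's first context line; after `subject.getPrincipals().addAll(principals)` the list still holds the principals, so if the JAAS framework drives another login through the same module instance (for example after a logout) the entries are added again, and with the new `LinkedList` they duplicate rather than dedupe as the old `HashSet` did. Adding `principals.clear` directly after the `addAll` line in `commit` (and in `logout`, if the class defines one outside this diff) keeps the per-login state bounded. Whether instances are actually reused depends on the caller's LoginContext usage, which this diff does not show.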
Modified: activemq/activemq-apollo/trunk/apollo-distro/src/main/descriptors/common-bin.xml
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-distro/src/main/descriptors/common-bin.xml?rev=1055965&r1=1055964&r2=1055965&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-distro/src/main/descriptors/common-bin.xml (original)
+++ activemq/activemq-apollo/trunk/apollo-distro/src/main/descriptors/common-bin.xml Thu Jan 6 17:57:56 2011
@@ -39,7 +39,8 @@
<include>commons-lang:commons-lang</include>
<include>commons-codec:commons-codec</include>
<include>org.apache.activemq:activemq-jaas</include>
-
+ <include>org.yaml:snakeyaml</include>
+
<!-- for the webapp -->
<include>org.eclipse.jetty.aggregate:jetty-all-server</include>
<include>javax.servlet:servlet-api</include>