Apache
/
activemq-artemis
mirror of https://github.com/apache/activemq-artemis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ARTEMIS-1102 cert-based auth impl for OpenWire

This commit is contained in:
Justin Bertram 2017-04-06 12:19:42 -05:00 committed by Martyn Taylor
parent e81fb16bda
commit 004eda42a2
2 changed files with 45 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
artemis-protocols/artemis-openwire-protocol/src/main/java/org/apache/activemq/artemis/core/protocol/openwire/OpenWireProtocolManager.java
View File

@ -17,6 +17,7 @@
package org.apache.activemq.artemis.core.protocol.openwire; package org.apache.activemq.artemis.core.protocol.openwire;
import javax.jms.InvalidClientIDException; import javax.jms.InvalidClientIDException;
import javax.security.cert.X509Certificate;
import java.io.IOException; import java.io.IOException;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collections; import java.util.Collections;
@ -42,6 +43,7 @@ import org.apache.activemq.artemis.api.core.client.TopologyMember;
import org.apache.activemq.artemis.core.protocol.openwire.amq.AMQConnectionContext; import org.apache.activemq.artemis.core.protocol.openwire.amq.AMQConnectionContext;
import org.apache.activemq.artemis.core.protocol.openwire.amq.AMQProducerBrokerExchange; import org.apache.activemq.artemis.core.protocol.openwire.amq.AMQProducerBrokerExchange;
import org.apache.activemq.artemis.core.protocol.openwire.amq.AMQSession; import org.apache.activemq.artemis.core.protocol.openwire.amq.AMQSession;
import org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnection;
import org.apache.activemq.artemis.core.remoting.impl.netty.NettyServerConnection; import org.apache.activemq.artemis.core.remoting.impl.netty.NettyServerConnection;
import org.apache.activemq.artemis.core.server.ActiveMQServer; import org.apache.activemq.artemis.core.server.ActiveMQServer;
import org.apache.activemq.artemis.core.server.ActiveMQServerLogger; import org.apache.activemq.artemis.core.server.ActiveMQServerLogger;
@ -54,8 +56,7 @@ import org.apache.activemq.artemis.spi.core.protocol.ProtocolManagerFactory;
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection; import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;
import org.apache.activemq.artemis.spi.core.remoting.Acceptor; import org.apache.activemq.artemis.spi.core.remoting.Acceptor;
import org.apache.activemq.artemis.spi.core.remoting.Connection; import org.apache.activemq.artemis.spi.core.remoting.Connection;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager; import org.apache.activemq.artemis.utils.CertificateUtil;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3;
import org.apache.activemq.artemis.utils.DataConstants; import org.apache.activemq.artemis.utils.DataConstants;
import org.apache.activemq.command.ActiveMQMessage; import org.apache.activemq.command.ActiveMQMessage;
import org.apache.activemq.command.ActiveMQTopic; import org.apache.activemq.command.ActiveMQTopic;
@ -288,9 +289,7 @@ public class OpenWireProtocolManager implements ProtocolManager<Interceptor>, Cl
String username = info.getUserName(); String username = info.getUserName();
String password = info.getPassword(); String password = info.getPassword();
if (!this.validateUser(username, password)) { validateUser(username, password, connection);
throw new SecurityException("User name [" + username + "] or password is invalid.");
}
String clientId = info.getClientId(); String clientId = info.getClientId();
if (clientId == null) { if (clientId == null) {
@ -454,20 +453,13 @@ public class OpenWireProtocolManager implements ProtocolManager<Interceptor>, Cl
return false; return false;
} }
public boolean validateUser(String login, String passcode) { public void validateUser(String login, String passcode, OpenWireConnection connection) throws Exception {
boolean validated = true; X509Certificate[] certificates = null;
if (connection.getTransportConnection() instanceof NettyConnection) {
ActiveMQSecurityManager sm = server.getSecurityManager(); certificates = CertificateUtil.getCertsFromChannel(((NettyConnection) connection.getTransportConnection()).getChannel());
if (sm != null && server.getConfiguration().isSecurityEnabled()) {
if (sm instanceof ActiveMQSecurityManager3) {
validated = ((ActiveMQSecurityManager3) sm).validateUser(login, passcode, null) != null;
} else {
validated = sm.validateUser(login, passcode);
}
} }
return validated; server.getSecurityStore().authenticate(login, passcode, certificates);
} }
public void sendBrokerInfo(OpenWireConnection connection) throws Exception { public void sendBrokerInfo(OpenWireConnection connection) throws Exception {

36
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
View File

@ -16,6 +16,8 @@
*/ */
package org.apache.activemq.artemis.tests.integration.security; package org.apache.activemq.artemis.tests.integration.security;
import javax.jms.MessageProducer;
import javax.jms.Session;
import javax.security.cert.X509Certificate; import javax.security.cert.X509Certificate;
import javax.transaction.xa.XAResource; import javax.transaction.xa.XAResource;
import javax.transaction.xa.Xid; import javax.transaction.xa.Xid;
@ -26,6 +28,8 @@ import java.util.HashSet;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
import org.apache.activemq.ActiveMQConnection;
import org.apache.activemq.ActiveMQSslConnectionFactory;
import org.apache.activemq.artemis.api.core.ActiveMQException; import org.apache.activemq.artemis.api.core.ActiveMQException;
import org.apache.activemq.artemis.api.core.ActiveMQExceptionType; import org.apache.activemq.artemis.api.core.ActiveMQExceptionType;
import org.apache.activemq.artemis.api.core.ActiveMQSecurityException; import org.apache.activemq.artemis.api.core.ActiveMQSecurityException;
@ -175,6 +179,38 @@ public class SecurityTest extends ActiveMQTestBase {
} }
} }
@Test
public void testJAASSecurityManagerAuthenticationWithCertsAndOpenWire() throws Exception {
ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("CertLogin");
ActiveMQServer server = addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true), ManagementFactory.getPlatformMBeanServer(), securityManager, false));
Map<String, Object> params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
server.start();
ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory("ssl://localhost:61616");
factory.setTrustStore("client-side-truststore.jks");
factory.setTrustStorePassword("secureexample");
factory.setKeyStore("client-side-keystore.jks");
factory.setKeyStorePassword("secureexample");
try (ActiveMQConnection connection = (ActiveMQConnection) factory.createConnection()) {
Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
session.close();
} catch (Throwable e) {
e.printStackTrace();
Assert.fail("should not throw exception");
}
}
@Test @Test
public void testJAASSecurityManagerAuthenticationBadPassword() throws Exception { public void testJAASSecurityManagerAuthenticationBadPassword() throws Exception {
ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("PropertiesLogin"); ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("PropertiesLogin");