https://issues.apache.org/jira/browse/ARTEMIS-537 - allow artemis to work properly with karaf jaas implementation

This commit is contained in:
Dejan Bosanac 2016-05-25 13:39:46 +02:00 committed by Clebert Suconic
parent 4a11a631bc
commit 5db163753d
5 changed files with 121 additions and 19 deletions

View File

@ -65,14 +65,14 @@ under the License.
<security-settings> <security-settings>
<security-setting match="#"> <security-setting match="#">
<permission type="createNonDurableQueue" roles="amq"/> <permission type="createNonDurableQueue" roles="manager"/>
<permission type="deleteNonDurableQueue" roles="amq"/> <permission type="deleteNonDurableQueue" roles="manager"/>
<permission type="createDurableQueue" roles="amq"/> <permission type="createDurableQueue" roles="manager"/>
<permission type="deleteDurableQueue" roles="amq"/> <permission type="deleteDurableQueue" roles="manager"/>
<permission type="consume" roles="amq"/> <permission type="consume" roles="manager"/>
<permission type="send" roles="amq"/> <permission type="send" roles="manager"/>
<!-- we need this otherwise ./artemis data imp wouldn't work --> <!-- we need this otherwise ./artemis data imp wouldn't work -->
<permission type="manage" roles="amq"/> <permission type="manage" roles="manager"/>
</security-setting> </security-setting>
</security-settings> </security-settings>
@ -85,6 +85,7 @@ under the License.
<max-size-bytes>10485760</max-size-bytes> <max-size-bytes>10485760</max-size-bytes>
<message-counter-history-day-limit>10</message-counter-history-day-limit> <message-counter-history-day-limit>10</message-counter-history-day-limit>
<address-full-policy>BLOCK</address-full-policy> <address-full-policy>BLOCK</address-full-policy>
<auto-create-jms-queues>true</auto-create-jms-queues>
</address-setting> </address-setting>
</address-settings> </address-settings>
</core> </core>

View File

@ -1,3 +1,4 @@
config=file:etc/artemis.xml config=file:etc/artemis.xml
name=local name=local
domain=local domain=karaf
rolePrincipalClass=org.apache.karaf.jaas.boot.principal.RolePrincipal

View File

@ -50,6 +50,7 @@ import org.osgi.util.tracker.ServiceTracker;
public class OsgiBroker { public class OsgiBroker {
private String name; private String name;
private String configurationUrl; private String configurationUrl;
private String rolePrincipalClass;
private Map<String, ActiveMQComponent> components; private Map<String, ActiveMQComponent> components;
private Map<String, ServiceRegistration<?>> registrations; private Map<String, ServiceRegistration<?>> registrations;
private ServiceTracker tracker; private ServiceTracker tracker;
@ -60,8 +61,12 @@ public class OsgiBroker {
final Dictionary<String, Object> properties = cctx.getProperties(); final Dictionary<String, Object> properties = cctx.getProperties();
configurationUrl = getMandatory(properties, "config"); configurationUrl = getMandatory(properties, "config");
name = getMandatory(properties, "name"); name = getMandatory(properties, "name");
rolePrincipalClass = (String)properties.get("rolePrincipalClass");
String domain = getMandatory(properties, "domain"); String domain = getMandatory(properties, "domain");
ActiveMQJAASSecurityManager security = new ActiveMQJAASSecurityManager(domain); ActiveMQJAASSecurityManager security = new ActiveMQJAASSecurityManager(domain);
if (rolePrincipalClass != null) {
security.setRolePrincipalClass(rolePrincipalClass);
}
String brokerInstance = null; String brokerInstance = null;
String karafDataDir = System.getProperty("karaf.data"); String karafDataDir = System.getProperty("karaf.data");
if (karafDataDir != null) { if (karafDataDir != null) {

View File

@ -20,6 +20,8 @@ import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException; import javax.security.auth.login.LoginException;
import javax.security.cert.X509Certificate; import javax.security.cert.X509Certificate;
import java.lang.reflect.Constructor;
import java.lang.reflect.Method;
import java.security.Principal; import java.security.Principal;
import java.util.HashSet; import java.util.HashSet;
import java.util.Iterator; import java.util.Iterator;
@ -45,8 +47,11 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
private static final Logger logger = Logger.getLogger(ActiveMQJAASSecurityManager.class); private static final Logger logger = Logger.getLogger(ActiveMQJAASSecurityManager.class);
private static final String WILDCARD = "*";
private String configurationName; private String configurationName;
private SecurityConfiguration configuration; private SecurityConfiguration configuration;
private String rolePrincipalClass = "org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal";
public ActiveMQJAASSecurityManager() { public ActiveMQJAASSecurityManager() {
} }
@ -72,7 +77,10 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
return true; return true;
} }
catch (LoginException e) { catch (LoginException e) {
logger.info("Couldn't validate user: " + e.getMessage());
if (logger.isDebugEnabled()) {
logger.debug("Couldn't validate user", e); logger.debug("Couldn't validate user", e);
}
return false; return false;
} }
} }
@ -108,9 +116,15 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
Set<RolePrincipal> rolesWithPermission = getPrincipalsInRole(checkType, roles); Set<RolePrincipal> rolesWithPermission = getPrincipalsInRole(checkType, roles);
// Check the caller's roles // Check the caller's roles
Set<RolePrincipal> rolesForSubject = localSubject.getPrincipals(RolePrincipal.class); Set<Principal> rolesForSubject = new HashSet<Principal>();
try {
rolesForSubject.addAll(localSubject.getPrincipals(Class.forName(rolePrincipalClass).asSubclass(Principal.class)));
}
catch (Exception e) {
logger.info("Can't find roles for the subject", e);
}
if (rolesForSubject.size() > 0 && rolesWithPermission.size() > 0) { if (rolesForSubject.size() > 0 && rolesWithPermission.size() > 0) {
Iterator<RolePrincipal> rolesForSubjectIter = rolesForSubject.iterator(); Iterator<Principal> rolesForSubjectIter = rolesForSubject.iterator();
while (!authorized && rolesForSubjectIter.hasNext()) { while (!authorized && rolesForSubjectIter.hasNext()) {
Iterator<RolePrincipal> rolesWithPermissionIter = rolesWithPermission.iterator(); Iterator<RolePrincipal> rolesWithPermissionIter = rolesWithPermission.iterator();
Principal subjectRole = rolesForSubjectIter.next(); Principal subjectRole = rolesForSubjectIter.next();
@ -136,10 +150,15 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
} }
private Set<RolePrincipal> getPrincipalsInRole(final CheckType checkType, final Set<Role> roles) { private Set<RolePrincipal> getPrincipalsInRole(final CheckType checkType, final Set<Role> roles) {
Set<RolePrincipal> principals = new HashSet<>(); Set principals = new HashSet<>();
for (Role role : roles) { for (Role role : roles) {
if (checkType.hasRole(role)) { if (checkType.hasRole(role)) {
principals.add(new RolePrincipal(role.getName())); try {
principals.add(createGroupPrincipal(role.getName(), rolePrincipalClass));
}
catch (Exception e) {
logger.info("Can't add role principal", e);
}
} }
} }
return principals; return principals;
@ -160,4 +179,71 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
return configuration; return configuration;
} }
public String getRolePrincipalClass() {
return rolePrincipalClass;
}
public void setRolePrincipalClass(String rolePrincipalClass) {
this.rolePrincipalClass = rolePrincipalClass;
}
public static Object createGroupPrincipal(String name, String groupClass) throws Exception {
if (WILDCARD.equals(name)) {
// simple match all group principal - match any name and class
return new Principal() {
@Override
public String getName() {
return WILDCARD;
}
@Override
public boolean equals(Object other) {
return true;
}
@Override
public int hashCode() {
return WILDCARD.hashCode();
}
};
}
Object[] param = new Object[]{name};
Class<?> cls = Class.forName(groupClass);
Constructor<?>[] constructors = cls.getConstructors();
int i;
Object instance;
for (i = 0; i < constructors.length; i++) {
Class<?>[] paramTypes = constructors[i].getParameterTypes();
if (paramTypes.length != 0 && paramTypes[0].equals(String.class)) {
break;
}
}
if (i < constructors.length) {
instance = constructors[i].newInstance(param);
}
else {
instance = cls.newInstance();
Method[] methods = cls.getMethods();
i = 0;
for (i = 0; i < methods.length; i++) {
Class<?>[] paramTypes = methods[i].getParameterTypes();
if (paramTypes.length != 0 && methods[i].getName().equals("setName") && paramTypes[0].equals(String.class)) {
break;
}
}
if (i < methods.length) {
methods[i].invoke(instance, param);
}
else {
throw new NoSuchMethodException();
}
}
return instance;
}
} }

View File

@ -40,6 +40,11 @@ import org.osgi.framework.InvalidSyntaxException;
import org.osgi.util.tracker.ServiceTracker; import org.osgi.util.tracker.ServiceTracker;
import javax.inject.Inject; import javax.inject.Inject;
import javax.jms.Connection;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.MessageProducer;
import javax.jms.Queue;
import javax.security.auth.Subject; import javax.security.auth.Subject;
import java.io.ByteArrayOutputStream; import java.io.ByteArrayOutputStream;
import java.io.File; import java.io.File;
@ -137,13 +142,17 @@ public class ArtemisFeatureTest extends Assert {
String amqpURI = "amqp://localhost:5672"; String amqpURI = "amqp://localhost:5672";
JmsConnectionFactory factory = new JmsConnectionFactory(amqpURI); JmsConnectionFactory factory = new JmsConnectionFactory(amqpURI);
factory.setUsername(USER); Connection connection = factory.createConnection(USER, PASSWORD);
factory.setPassword(PASSWORD); connection.start();
//TODO fix security settings and test sending/receiving messages javax.jms.Session sess = connection.createSession(false, javax.jms.Session.AUTO_ACKNOWLEDGE);
/* Queue queue = sess.createQueue("jms.queue.exampleQueue");
Connection connection = factory.createConnection(); MessageProducer producer = sess.createProducer(queue);
connection.start();*/ producer.send(sess.createTextMessage("TEST"));
MessageConsumer consumer = sess.createConsumer(queue);
Message msg = consumer.receive(5000);
assertNotNull(msg);
} }
protected String executeCommand(final String command, final Long timeout, final Boolean silent) { protected String executeCommand(final String command, final Long timeout, final Boolean silent) {