ARTEMIS-1706 - Add support for wantClientAuth

Support setting wantClientAuth on a netty acceptor
This commit is contained in:
Christopher L. Shannon (cshannon) 2018-02-27 09:47:36 -05:00
parent 247f2a309a
commit 642654ff7a
4 changed files with 46 additions and 3 deletions

View File

@ -103,6 +103,8 @@ public class TransportConstants {
public static final String NEED_CLIENT_AUTH_PROP_NAME = "needClientAuth"; public static final String NEED_CLIENT_AUTH_PROP_NAME = "needClientAuth";
public static final String WANT_CLIENT_AUTH_PROP_NAME = "wantClientAuth";
public static final String VERIFY_HOST_PROP_NAME = "verifyHost"; public static final String VERIFY_HOST_PROP_NAME = "verifyHost";
public static final String TRUST_ALL_PROP_NAME = "trustAll"; public static final String TRUST_ALL_PROP_NAME = "trustAll";
@ -201,6 +203,8 @@ public class TransportConstants {
public static final boolean DEFAULT_NEED_CLIENT_AUTH = false; public static final boolean DEFAULT_NEED_CLIENT_AUTH = false;
public static final boolean DEFAULT_WANT_CLIENT_AUTH = false;
public static final boolean DEFAULT_VERIFY_HOST = false; public static final boolean DEFAULT_VERIFY_HOST = false;
public static final String DEFAULT_SSL_PROVIDER = "JDK"; public static final String DEFAULT_SSL_PROVIDER = "JDK";
@ -297,6 +301,7 @@ public class TransportConstants {
allowableAcceptorKeys.add(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME); allowableAcceptorKeys.add(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME); allowableAcceptorKeys.add(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME); allowableAcceptorKeys.add(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.WANT_CLIENT_AUTH_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.VERIFY_HOST_PROP_NAME); allowableAcceptorKeys.add(TransportConstants.VERIFY_HOST_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.TCP_NODELAY_PROPNAME); allowableAcceptorKeys.add(TransportConstants.TCP_NODELAY_PROPNAME);
allowableAcceptorKeys.add(TransportConstants.TCP_SENDBUFFER_SIZE_PROPNAME); allowableAcceptorKeys.add(TransportConstants.TCP_SENDBUFFER_SIZE_PROPNAME);

View File

@ -166,6 +166,8 @@ public class NettyAcceptor extends AbstractAcceptor {
private final boolean needClientAuth; private final boolean needClientAuth;
private final boolean wantClientAuth;
private final String sslProvider; private final String sslProvider;
private final boolean verifyHost; private final boolean verifyHost;
@ -273,6 +275,8 @@ public class NettyAcceptor extends AbstractAcceptor {
needClientAuth = ConfigurationHelper.getBooleanProperty(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, TransportConstants.DEFAULT_NEED_CLIENT_AUTH, configuration); needClientAuth = ConfigurationHelper.getBooleanProperty(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, TransportConstants.DEFAULT_NEED_CLIENT_AUTH, configuration);
wantClientAuth = ConfigurationHelper.getBooleanProperty(TransportConstants.WANT_CLIENT_AUTH_PROP_NAME, TransportConstants.DEFAULT_WANT_CLIENT_AUTH, configuration);
verifyHost = ConfigurationHelper.getBooleanProperty(TransportConstants.VERIFY_HOST_PROP_NAME, TransportConstants.DEFAULT_VERIFY_HOST, configuration); verifyHost = ConfigurationHelper.getBooleanProperty(TransportConstants.VERIFY_HOST_PROP_NAME, TransportConstants.DEFAULT_VERIFY_HOST, configuration);
sslProvider = ConfigurationHelper.getStringProperty(TransportConstants.SSL_PROVIDER, TransportConstants.DEFAULT_SSL_PROVIDER, configuration); sslProvider = ConfigurationHelper.getStringProperty(TransportConstants.SSL_PROVIDER, TransportConstants.DEFAULT_SSL_PROVIDER, configuration);
@ -287,6 +291,7 @@ public class NettyAcceptor extends AbstractAcceptor {
enabledCipherSuites = TransportConstants.DEFAULT_ENABLED_CIPHER_SUITES; enabledCipherSuites = TransportConstants.DEFAULT_ENABLED_CIPHER_SUITES;
enabledProtocols = TransportConstants.DEFAULT_ENABLED_PROTOCOLS; enabledProtocols = TransportConstants.DEFAULT_ENABLED_PROTOCOLS;
needClientAuth = TransportConstants.DEFAULT_NEED_CLIENT_AUTH; needClientAuth = TransportConstants.DEFAULT_NEED_CLIENT_AUTH;
wantClientAuth = TransportConstants.DEFAULT_WANT_CLIENT_AUTH;
verifyHost = TransportConstants.DEFAULT_VERIFY_HOST; verifyHost = TransportConstants.DEFAULT_VERIFY_HOST;
sslProvider = TransportConstants.DEFAULT_SSL_PROVIDER; sslProvider = TransportConstants.DEFAULT_SSL_PROVIDER;
} }
@ -468,8 +473,11 @@ public class NettyAcceptor extends AbstractAcceptor {
engine.setUseClientMode(false); engine.setUseClientMode(false);
if (needClientAuth) if (needClientAuth) {
engine.setNeedClientAuth(true); engine.setNeedClientAuth(true);
} else if (wantClientAuth) {
engine.setWantClientAuth(true);
}
// setting the enabled cipher suites resets the enabled protocols so we need // setting the enabled cipher suites resets the enabled protocols so we need
// to save the enabled protocols so that after the customer cipher suite is enabled // to save the enabled protocols so that after the customer cipher suite is enabled

View File

@ -403,6 +403,18 @@ following additional properties:
This property is only for an `acceptor`. It tells a client This property is only for an `acceptor`. It tells a client
connecting to this acceptor that 2-way SSL is required. Valid values connecting to this acceptor that 2-way SSL is required. Valid values
are `true` or `false`. Default is `false`. are `true` or `false`. Default is `false`.
Note that this property takes precedence over `wantClientAuth` and if
its value is set to true then `wantClientAuth` will be ignored.
- `wantClientAuth`
This property is only for an `acceptor`. It tells a client
connecting to this acceptor that 2-way SSL is requested but not required.
Valid values are `true` or `false`. Default is `false`.
Note that if the property `needClientAuth` is set to true then that
property will take precedence and this property will be ignored.
- `verifyHost` - `verifyHost`

View File

@ -146,6 +146,15 @@ public class SecurityTest extends ActiveMQTestBase {
@Test @Test
public void testJAASSecurityManagerAuthenticationWithCerts() throws Exception { public void testJAASSecurityManagerAuthenticationWithCerts() throws Exception {
testJAASSecurityManagerAuthenticationWithCerts(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME);
}
@Test
public void testJAASSecurityManagerAuthenticationWithCertsWantClientAuth() throws Exception {
testJAASSecurityManagerAuthenticationWithCerts(TransportConstants.WANT_CLIENT_AUTH_PROP_NAME);
}
protected void testJAASSecurityManagerAuthenticationWithCerts(String clientAuthPropName) throws Exception {
ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("CertLogin"); ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("CertLogin");
ActiveMQServer server = addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true), ManagementFactory.getPlatformMBeanServer(), securityManager, false)); ActiveMQServer server = addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true), ManagementFactory.getPlatformMBeanServer(), securityManager, false));
@ -155,7 +164,7 @@ public class SecurityTest extends ActiveMQTestBase {
params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample"); params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks"); params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample"); params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true); params.put(clientAuthPropName, true);
server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params)); server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
@ -612,6 +621,15 @@ public class SecurityTest extends ActiveMQTestBase {
@Test @Test
public void testJAASSecurityManagerAuthorizationPositiveWithCerts() throws Exception { public void testJAASSecurityManagerAuthorizationPositiveWithCerts() throws Exception {
testJAASSecurityManagerAuthorizationPositiveWithCerts(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME);
}
@Test
public void testJAASSecurityManagerAuthorizationPositiveWithCertsWantClientAuth() throws Exception {
testJAASSecurityManagerAuthorizationPositiveWithCerts(TransportConstants.WANT_CLIENT_AUTH_PROP_NAME);
}
protected void testJAASSecurityManagerAuthorizationPositiveWithCerts(String clientAuthPropName) throws Exception {
final SimpleString ADDRESS = new SimpleString("address"); final SimpleString ADDRESS = new SimpleString("address");
final SimpleString DURABLE_QUEUE = new SimpleString("durableQueue"); final SimpleString DURABLE_QUEUE = new SimpleString("durableQueue");
final SimpleString NON_DURABLE_QUEUE = new SimpleString("nonDurableQueue"); final SimpleString NON_DURABLE_QUEUE = new SimpleString("nonDurableQueue");
@ -625,7 +643,7 @@ public class SecurityTest extends ActiveMQTestBase {
params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample"); params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks"); params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample"); params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true); params.put(clientAuthPropName, true);
server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params)); server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));