Apache
/
activemq-artemis
mirror of https://github.com/apache/activemq-artemis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ARTEMIS-529 support dual auth 

A new feature whereby 2-way SSL connections can be authenticated differently
than non-SSL connections.
This commit is contained in:
jbertram 2016-05-26 09:18:11 -05:00
parent 70562ad7ec
commit 7715b5ee12
27 changed files with 802 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
artemis-cli/src/main/java/org/apache/activemq/artemis/factory/JaasSecurityHandler.java
View File

@ -25,7 +25,7 @@ public class JaasSecurityHandler implements SecurityHandler {
@Override
public ActiveMQSecurityManager createSecurityManager(SecurityDTO security) throws Exception {
JaasSecurityDTO jaasSecurity = (JaasSecurityDTO) security;
ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager(jaasSecurity.domain);
ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager(jaasSecurity.domain, jaasSecurity.certificateDomain);
return securityManager;
}
}

3
artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JaasSecurityDTO.java
View File

@ -27,4 +27,7 @@ public class JaasSecurityDTO extends SecurityDTO {
@XmlAttribute(name = "domain", required = true)
public String domain;
@XmlAttribute(name = "certificate-domain", required = false)
public String certificateDomain;
}

38
artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java
View File

@ -50,7 +50,9 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
private static final String WILDCARD = "*";
private String configurationName;
private String certificateConfigurationName;
private SecurityConfiguration configuration;
private SecurityConfiguration certificateConfiguration;
private String rolePrincipalClass = "org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal";
public ActiveMQJAASSecurityManager() {
@ -60,11 +62,23 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
this.configurationName = configurationName;
}
public ActiveMQJAASSecurityManager(String configurationName, String certificateConfigurationName) {
this.configurationName = configurationName;
this.certificateConfigurationName = certificateConfigurationName;
}
public ActiveMQJAASSecurityManager(String configurationName, SecurityConfiguration configuration) {
this.configurationName = configurationName;
this.configuration = configuration;
}
public ActiveMQJAASSecurityManager(String configurationName, String certificateConfigurationName, SecurityConfiguration configuration, SecurityConfiguration certificateConfiguration) {
this.configurationName = configurationName;
this.configuration = configuration;
this.certificateConfigurationName = certificateConfigurationName;
this.certificateConfiguration = certificateConfiguration;
}
@Override
public boolean validateUser(String user, String password) {
return validateUser(user, password, null);
@ -144,7 +158,13 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
}
private Subject getAuthenticatedSubject(final String user, final String password, final X509Certificate[] certificates) throws LoginException {
LoginContext lc = new LoginContext(configurationName, null, new JaasCallbackHandler(user, password, certificates), configuration);
LoginContext lc;
if (certificateConfigurationName != null && certificateConfigurationName.length() > 0 && certificates != null) {
lc = new LoginContext(certificateConfigurationName, null, new JaasCallbackHandler(user, password, certificates), certificateConfiguration);
}
else {
lc = new LoginContext(configurationName, null, new JaasCallbackHandler(user, password, certificates), configuration);
}
lc.login();
return lc.getSubject();
}
@ -172,6 +192,14 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
this.configuration = configuration;
}
public void setCertificateConfigurationName(final String certificateConfigurationName) {
this.certificateConfigurationName = certificateConfigurationName;
}
public void setCertificateConfiguration(SecurityConfiguration certificateConfiguration) {
this.certificateConfiguration = certificateConfiguration;
}
public SecurityConfiguration getConfiguration() {
if (configuration == null) {
configuration = new SecurityConfiguration();
@ -180,6 +208,14 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
return configuration;
}
public SecurityConfiguration getCertificateConfiguration() {
if (certificateConfiguration == null) {
certificateConfiguration = new SecurityConfiguration();
}
return certificateConfiguration;
}
public String getRolePrincipalClass() {
return rolePrincipalClass;
}

49
docs/user-manual/en/security.md
View File

@ -238,10 +238,9 @@ As mentioned, there are a few places where a translation was performed to achiev
## Secure Sockets Layer (SSL) Transport
When messaging clients are connected to servers, or servers are
connected to other servers (e.g. via bridges) over an untrusted network
then Apache ActiveMQ Artemis allows that traffic to be encrypted using the Secure
Sockets Layer (SSL) transport.
When messaging clients are connected to servers, or servers are connected to other servers (e.g. via bridges) over an
untrusted network then Apache ActiveMQ Artemis allows that traffic to be encrypted using the Secure Sockets Layer (SSL)
transport.
For more information on configuring the SSL transport, please see [Configuring the Transport](configuring-transports.md).
@ -250,12 +249,11 @@ For more information on configuring the SSL transport, please see [Configuring t
Apache ActiveMQ Artemis ships with two security manager implementations:
- The legacy, deprecated `ActiveMQSecurityManager` that reads user credentials, i.e. user names, passwords and role
information from properties files on the classpath called `artemis-users.properties` and `artemis-roles.properties`.
This is the default security manager.
information from properties files on the classpath called `artemis-users.properties` and `artemis-roles.properties`.
- The flexible, pluggable `ActiveMQJAASSecurityManager` which supports any standard JAAS login module. Artemis ships
with several login modules which will be discussed further down.
with several login modules which will be discussed further down. This is the default security manager.
### JAAS Security Manager
When using JAAS much of the configuration depends on which login module is used. However, there are a few commonalities
@ -278,17 +276,46 @@ The `login.config` file is a standard JAAS configuration file. You can read more
[Oracle's website](https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html).
In short, the file defines:
- an alias for a configuration (e.g. `PropertiesLogin`)
- an alias for an entry (e.g. `PropertiesLogin`)
- the implementation class (e.g. `org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule`)
- the implementation class for the login module (e.g. `org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule`)
- a flag which indicates whether the success of the LoginModule is `required`, `requisite`, `sufficient`, or `optional`
- a flag which indicates whether the success of the login module is `required`, `requisite`, `sufficient`, or `optional`
(see more details on these flags in the [JavaDoc](http://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/Configuration.html)
- a list of configuration options specific to the login module implementation
By default, the location and name of `login.config` is specified on the Artemis command-line which is set by
`etc/artemis.profile` on linux and `etc\artemis.profile.cmd` on Windows.
#### Dual Authentication
The JAAS Security Manager also supports another configuration parameter - `certificate-domain`. This is useful when you
want to authenticate clients connecting with SSL connections based on their SSL certificates (e.g. using the `CertificateLoginModule`
discussed below) but you still want to authenticate clients connecting with non-SSL connections with, e.g., username and
password. Here's an example of what would go in `bootstrap.xml`:
<jaas-security domain="PropertiesLogin" certificate-domain="CertLogin"/>
And here's the corresponding `login.config`:
PropertiesLogin {
org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
debug=false
org.apache.activemq.jaas.properties.user="artemis-users.properties"
org.apache.activemq.jaas.properties.role="artemis-roles.properties";
};
CertLogin {
org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
debug=true
org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
};
When the broker is configured this way then any client connecting with SSL and a client certificate will be authenticated
using `CertLogin` and any client connecting without SSL will be authenticated using `PropertiesLogin`.
### JAAS Login Modules
#### GuestLoginModule

2
examples/features/standard/pom.xml
View File

@ -86,6 +86,7 @@ under the License.
<module>send-acknowledgements</module>
<module>spring-integration</module>
<module>ssl-enabled</module>
<module>ssl-enabled-dual-authentication</module>
<module>static-selector</module>
<module>temp-queue</module>
<module>topic</module>
@ -147,6 +148,7 @@ under the License.
<module>send-acknowledgements</module>
<module>spring-integration</module>
<module>ssl-enabled</module>
<module>ssl-enabled-dual-authentication</module>
<module>static-selector</module>
<!--this needs to be run standalone as it needs manual intervention-->

110
examples/features/standard/ssl-enabled-dual-authentication/pom.xml Normal file
View File

@ -0,0 +1,110 @@
<?xml version='1.0'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.apache.activemq.examples.broker</groupId>
<artifactId>jms-examples</artifactId>
<version>1.3.0-SNAPSHOT</version>
</parent>
<artifactId>ssl-enabled-dual-authentication</artifactId>
<packaging>jar</packaging>
<name>ActiveMQ Artemis JMS SSL Enabled Dual Authentication Example</name>
<properties>
<activemq.basedir>${project.basedir}/../../../..</activemq.basedir>
</properties>
<dependencies>
<dependency>
<groupId>org.apache.activemq</groupId>
<artifactId>artemis-jms-client</artifactId>
<version>${project.version}</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.activemq</groupId>
<artifactId>artemis-maven-plugin</artifactId>
<executions>
<execution>
<id>create</id>
<goals>
<goal>create</goal>
</goals>
<configuration>
<ignore>${noServer}</ignore>
</configuration>
</execution>
<execution>
<id>start</id>
<goals>
<goal>cli</goal>
</goals>
<configuration>
<ignore>${noServer}</ignore>
<spawn>true</spawn>
<testURI>tcp://localhost:61616</testURI>
<testUser>consumer</testUser>
<testPassword>activemq</testPassword>
<args>
<param>run</param>
</args>
</configuration>
</execution>
<execution>
<id>runClient</id>
<goals>
<goal>runClient</goal>
</goals>
<configuration>
<clientClass>org.apache.activemq.artemis.jms.example.SSLDualAuthenticationExample</clientClass>
</configuration>
</execution>
<execution>
<id>stop</id>
<goals>
<goal>cli</goal>
</goals>
<configuration>
<ignore>${noServer}</ignore>
<args>
<param>stop</param>
</args>
</configuration>
</execution>
</executions>
<dependencies>
<dependency>
<groupId>org.apache.activemq.examples.broker</groupId>
<artifactId>ssl-enabled-dual-authentication</artifactId>
<version>${project.version}</version>
</dependency>
</dependencies>
</plugin>
</plugins>
</build>
</project>

75
examples/features/standard/ssl-enabled-dual-authentication/readme.html Normal file
View File

@ -0,0 +1,75 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<html>
<head>
<title>ActiveMQ Artemis JMS SSL Example</title>
<link rel="stylesheet" type="text/css" href="../../../common/common.css" />
<link rel="stylesheet" type="text/css" href="../../../common/prettify.css" />
<script type="text/javascript" src="../../../common/prettify.js"></script>
</head>
<body onload="prettyPrint()">
<h1>JMS SSL Dual Authentication Example</h1>
<pre>To run the example, simply type <b>mvn verify</b> from this directory, <br>or <b>mvn -PnoServer verify</b> if you want to start and create the server manually.</pre>
<p>This example shows you how to configure 2-way SSL along with 2 different authentications mechanisms so that SSL and non-SSL clients can send and consume messages to/from ActiveMQ Artemis.
The non-SSL authentication mechanism simply uses username and password. The SSL authentication mechanism uses the client's certificate.</p>
<p>To configure 2-way SSL you need to configure the acceptor as follows:</p>
<p>
<pre class="prettyprint">
<code>
&lt;!-- Acceptor --&gt;
&lt;acceptor name=&quot;netty-ssl-acceptor&quot;&gt;tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=${data.dir}/../etc/server-side-keystore.jks;keyStorePassword=secureexample;trustStorePath=${data.dir}/../etc/server-side-truststore.jks;trustStorePassword=secureexample&lt;/acceptor&gt;
</code>
</pre>
</p>
<p>In the server-side URL, the server-side-keystore.jks is the key store file holding the server's certificate. The server-side-truststore.jks is the file holding the certificates which the server trusts. Notice also the "sslEnabled" and "needClientAuth" parameters which enable SSL and require clients to present their own certificate respectively. Here's the URL the client uses to connect over SSL:</p>
<p>
<pre class="prettyprint">
<code>
tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/client-side-truststore.jks&trustStorePassword=secureexample&keyStorePath=activemq/server0/client-side-keystore.jks&keyStorePassword=secureexample
</code>
</pre>
</p>
<p>In the client-side URL, the client-side-keystore.jks is the key store file holding the client's certificate. The client-side-truststore.jks is the file holding the certificates which the client trusts. The "sslEnabled" parameter is present here as well just as it is on the server.</p>
<p>The various keystore files are generated using the following commands:</p>
<p>
<pre class="prettyprint">
<code>
keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample
keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample
keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
</code>
</pre>
</p>
</body>
</html>

99
examples/features/standard/ssl-enabled-dual-authentication/src/main/java/org/apache/activemq/artemis/jms/example/SSLDualAuthenticationExample.java Normal file
View File

@ -0,0 +1,99 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.activemq.artemis.jms.example;
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.MessageConsumer;
import javax.jms.MessageProducer;
import javax.jms.Queue;
import javax.jms.Session;
import javax.jms.TextMessage;
import javax.naming.InitialContext;
/**
* A simple JMS Queue example that uses dual broker authentication mechanisms for SSL and non-SSL connections.
*/
public class SSLDualAuthenticationExample {
public static void main(final String[] args) throws Exception {
Connection producerConnection = null;
Connection consumerConnection = null;
InitialContext initialContext = null;
try {
// Step 1. Create an initial context to perform the JNDI lookup.
initialContext = new InitialContext();
// Step 2. Perfom a lookup on the queue
Queue queue = (Queue) initialContext.lookup("queue/exampleQueue");
// Step 3. Perform a lookup on the producer's SSL Connection Factory
ConnectionFactory producerConnectionFactory = (ConnectionFactory) initialContext.lookup("SslConnectionFactory");
// Step 4. Perform a lookup on the consumer's Connection Factory
ConnectionFactory consumerConnectionFactory = (ConnectionFactory) initialContext.lookup("ConnectionFactory");
// Step 5.Create a JMS Connection for the producer
producerConnection = producerConnectionFactory.createConnection();
// Step 6.Create a JMS Connection for the consumer
consumerConnection = consumerConnectionFactory.createConnection("consumer", "activemq");
// Step 7. Create a JMS Session for the producer
Session producerSession = producerConnection.createSession(false, Session.AUTO_ACKNOWLEDGE);
// Step 8. Create a JMS Session for the consumer
Session consumerSession = consumerConnection.createSession(false, Session.AUTO_ACKNOWLEDGE);
// Step 9. Create a JMS Message Producer
MessageProducer producer = producerSession.createProducer(queue);
// Step 10. Create a Text Message
TextMessage message = producerSession.createTextMessage("This is a text message");
System.out.println("Sent message: " + message.getText());
// Step 11. Send the Message
producer.send(message);
// Step 12. Create a JMS Message Consumer
MessageConsumer messageConsumer = consumerSession.createConsumer(queue);
// Step 13. Start the Connection
consumerConnection.start();
// Step 14. Receive the message
TextMessage messageReceived = (TextMessage) messageConsumer.receive(5000);
System.out.println("Received message: " + messageReceived.getText());
initialContext.close();
}
finally {
// Step 15. Be sure to close our JMS resources!
if (initialContext != null) {
initialContext.close();
}
if (producerConnection != null) {
producerConnection.close();
}
if (consumerConnection != null) {
consumerConnection.close();
}
}
}
}

17
examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/artemis-roles.properties Normal file
View File

@ -0,0 +1,17 @@
## ---------------------------------------------------------------------------
## Licensed to the Apache Software Foundation (ASF) under one or more
## contributor license agreements. See the NOTICE file distributed with
## this work for additional information regarding copyright ownership.
## The ASF licenses this file to You under the Apache License, Version 2.0
## (the "License"); you may not use this file except in compliance with
## the License. You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
## ---------------------------------------------------------------------------
consumers=consumer

17
examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/artemis-users.properties Normal file
View File

@ -0,0 +1,17 @@
## ---------------------------------------------------------------------------
## Licensed to the Apache Software Foundation (ASF) under one or more
## contributor license agreements. See the NOTICE file distributed with
## this work for additional information regarding copyright ownership.
## The ASF licenses this file to You under the Apache License, Version 2.0
## (the "License"); you may not use this file except in compliance with
## the License. You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
## ---------------------------------------------------------------------------
consumer=activemq

28
examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/bootstrap.xml Normal file
View File

@ -0,0 +1,28 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
~ Licensed to the Apache Software Foundation (ASF) under one or more
~ contributor license agreements. See the NOTICE file distributed with
~ this work for additional information regarding copyright ownership.
~ The ASF licenses this file to You under the Apache License, Version 2.0
~ (the "License"); you may not use this file except in compliance with
~ the License. You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<broker xmlns="http://activemq.org/schema">
<jaas-security domain="activemq" certificate-domain="activemq-cert"/>
<server configuration="file:${artemis.instance}/etc/broker.xml"/>
</broker>

57
examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/broker.xml Normal file
View File

@ -0,0 +1,57 @@
<?xml version='1.0'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="urn:activemq"
xsi:schemaLocation="urn:activemq /schema/artemis-server.xsd">
<jms xmlns="urn:activemq:jms">
<!--the queue used by the example-->
<queue name="exampleQueue"/>
</jms>
<core xmlns="urn:activemq:core">
<bindings-directory>./data/messaging/bindings</bindings-directory>
<journal-directory>./data/messaging/journal</journal-directory>
<large-messages-directory>./data/messaging/largemessages</large-messages-directory>
<paging-directory>./data/messaging/paging</paging-directory>
<!-- Acceptors -->
<acceptors>
<acceptor name="netty-acceptor">tcp://localhost:61616</acceptor>
<acceptor name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=${data.dir}/../etc/server-side-keystore.jks;keyStorePassword=secureexample;trustStorePath=${data.dir}/../etc/server-side-truststore.jks;trustStorePassword=secureexample</acceptor>
</acceptors>
<!-- Other config -->
<security-settings>
<!--security for example queue-->
<security-setting match="jms.queue.exampleQueue">
<permission type="consume" roles="consumers"/>
<permission type="send" roles="producers"/>
</security-setting>
</security-settings>
</core>
</configuration>

18
examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/cert-roles.properties Normal file
View File

@ -0,0 +1,18 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
producers=producer

18
examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/cert-users.properties Normal file
View File

@ -0,0 +1,18 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
producer=CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ

BIN
examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-keystore.jks Normal file
View File

Binary file not shown.

BIN
examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-truststore.jks Normal file
View File

Binary file not shown.

30
examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/login.config Normal file
View File

@ -0,0 +1,30 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
activemq {
org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
debug=false
org.apache.activemq.jaas.properties.user="artemis-users.properties"
org.apache.activemq.jaas.properties.role="artemis-roles.properties";
};
activemq-cert {
org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
debug=true
org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
};

BIN
examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-keystore.jks Normal file
View File

Binary file not shown.

BIN
examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-truststore.jks Normal file
View File

Binary file not shown.

21
examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/jndi.properties Normal file
View File

@ -0,0 +1,21 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
java.naming.factory.initial=org.apache.activemq.artemis.jndi.ActiveMQInitialContextFactory
connectionFactory.SslConnectionFactory=tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/client-side-truststore.jks&trustStorePassword=secureexample&keyStorePath=activemq/server0/client-side-keystore.jks&keyStorePassword=secureexample
connectionFactory.ConnectionFactory=tcp://localhost:61616
queue.queue/exampleQueue=exampleQueue

6
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java
View File

@ -70,15 +70,15 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
public static final SimpleString QUEUE = new SimpleString("QueueOverSSL");
/**
* These artifacts are required for testing 2-way SSL in addition to the artifacts for 1-way SSL
* These artifacts are required for testing 2-way SSL in addition to the artifacts for 1-way SSL from {@link CoreClientOverOneWaySSLTest}
*
* Commands to create the JKS artifacts:
* keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ"
* keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
* keytool -export -keystore client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
* keytool -import -keystore server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
*
* Commands to create the JCEKS artifacts:
* keytool -genkey -keystore client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ"
* keytool -genkey -keystore client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
* keytool -export -keystore client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
* keytool -import -keystore server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
*/

142
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/DualAuthenticationTest.java Normal file
View File

@ -0,0 +1,142 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.activemq.artemis.tests.integration.ssl;
import java.lang.management.ManagementFactory;
import java.net.URL;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.apache.activemq.artemis.api.core.Message;
import org.apache.activemq.artemis.api.core.SimpleString;
import org.apache.activemq.artemis.api.core.TransportConfiguration;
import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
import org.apache.activemq.artemis.api.core.client.ClientConsumer;
import org.apache.activemq.artemis.api.core.client.ClientMessage;
import org.apache.activemq.artemis.api.core.client.ClientProducer;
import org.apache.activemq.artemis.api.core.client.ClientSession;
import org.apache.activemq.artemis.api.core.client.ClientSessionFactory;
import org.apache.activemq.artemis.api.core.client.ServerLocator;
import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
import org.apache.activemq.artemis.core.security.Role;
import org.apache.activemq.artemis.core.server.ActiveMQServer;
import org.apache.activemq.artemis.core.server.ActiveMQServers;
import org.apache.activemq.artemis.core.settings.HierarchicalRepository;
import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager;
import org.apache.activemq.artemis.tests.integration.security.SecurityTest;
import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
import org.apache.activemq.artemis.utils.RandomUtil;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
/**
* See {@link CoreClientOverTwoWaySSLTest} for details about the keystores required for this test.
*/
public class DualAuthenticationTest extends ActiveMQTestBase {
public static final SimpleString QUEUE = new SimpleString("QueueOverSSL");
static {
String path = System.getProperty("java.security.auth.login.config");
if (path == null) {
URL resource = SecurityTest.class.getClassLoader().getResource("login.config");
if (resource != null) {
path = resource.getFile();
System.setProperty("java.security.auth.login.config", path);
}
}
}
private String SERVER_SIDE_KEYSTORE = "server-side-keystore.jks";
private String SERVER_SIDE_TRUSTSTORE = "server-side-truststore.jks";
private String CLIENT_SIDE_TRUSTSTORE = "client-side-truststore.jks";
private String CLIENT_SIDE_KEYSTORE = "client-side-keystore.jks";
private final String PASSWORD = "secureexample";
private ActiveMQServer server;
private TransportConfiguration tc;
@Test
public void testDualAuthentication() throws Exception {
String text = RandomUtil.randomString();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE);
tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
tc.getParams().put(TransportConstants.PORT_PROP_NAME, "61617");
ServerLocator producerLocator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
ClientSessionFactory producerSessionFactory = createSessionFactory(producerLocator);
ClientSession producerSession = producerSessionFactory.createSession(false, true, true);
producerSession.createQueue(DualAuthenticationTest.QUEUE, DualAuthenticationTest.QUEUE, false);
ClientProducer producer = producerSession.createProducer(DualAuthenticationTest.QUEUE);
ClientMessage message = createTextMessage(producerSession, text);
producer.send(message);
ServerLocator consumerLocator = addServerLocator(ActiveMQClient.createServerLocator("tcp://localhost:61616"));
ClientSessionFactory consumerSessionFactory = createSessionFactory(consumerLocator);
ClientSession consumerSession = consumerSessionFactory.createSession("consumer", "consumerPassword", false, true, true, consumerLocator.isPreAcknowledge(), consumerLocator.getAckBatchSize());
ClientConsumer consumer = consumerSession.createConsumer(DualAuthenticationTest.QUEUE);
consumerSession.start();
Message m = consumer.receive(1000);
Assert.assertNotNull(m);
Assert.assertEquals(text, m.getBodyBuffer().readString());
}
@Override
@Before
public void setUp() throws Exception {
super.setUp();
Map<String, Object> params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, SERVER_SIDE_KEYSTORE);
params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, SERVER_SIDE_TRUSTSTORE);
params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
params.put(TransportConstants.PORT_PROP_NAME, "61617");
ConfigurationImpl config = createBasicConfig();
config.addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
config.addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY));
config.setSecurityEnabled(true);
ActiveMQSecurityManager securityManager = new ActiveMQJAASSecurityManager("DualAuthenticationPropertiesLogin", "DualAuthenticationCertLogin");
server = addServer(ActiveMQServers.newActiveMQServer(config, ManagementFactory.getPlatformMBeanServer(), securityManager, false));
HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository();
Role sendRole = new Role("producers", true, false, true, false, true, false, false);
Role receiveRole = new Role("consumers", false, true, false, false, false, false, false);
Set<Role> roles = new HashSet<>();
roles.add(sendRole);
roles.add(receiveRole);
securityRepository.addMatch(DualAuthenticationTest.QUEUE.toString(), roles);
server.start();
waitForServerToStart(server);
tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
}
}

18
tests/integration-tests/src/test/resources/dual-authentication-cert-roles.properties Normal file
View File

@ -0,0 +1,18 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
producers=producer

18
tests/integration-tests/src/test/resources/dual-authentication-cert-users.properties Normal file
View File

@ -0,0 +1,18 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
producer=CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ

18
tests/integration-tests/src/test/resources/dual-authentication-roles.properties Normal file
View File

@ -0,0 +1,18 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
consumers=consumer

18
tests/integration-tests/src/test/resources/dual-authentication-users.properties Normal file
View File

@ -0,0 +1,18 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
consumer=consumerPassword

14
tests/integration-tests/src/test/resources/login.config
View File

@ -123,3 +123,17 @@ CertLogin {
org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
};
DualAuthenticationCertLogin {
org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
debug=true
org.apache.activemq.jaas.textfiledn.user="dual-authentication-cert-users.properties"
org.apache.activemq.jaas.textfiledn.role="dual-authentication-cert-roles.properties";
};
DualAuthenticationPropertiesLogin {
org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
debug=true
org.apache.activemq.jaas.properties.user="dual-authentication-users.properties"
org.apache.activemq.jaas.properties.role="dual-authentication-roles.properties";
};