ARTEMIS-529 support dual auth
A new feature whereby 2-way SSL connections can be authenticated differently than non-SSL connections.
This commit is contained in:
parent
70562ad7ec
commit
7715b5ee12
|
@ -25,7 +25,7 @@ public class JaasSecurityHandler implements SecurityHandler {
|
||||||
@Override
|
@Override
|
||||||
public ActiveMQSecurityManager createSecurityManager(SecurityDTO security) throws Exception {
|
public ActiveMQSecurityManager createSecurityManager(SecurityDTO security) throws Exception {
|
||||||
JaasSecurityDTO jaasSecurity = (JaasSecurityDTO) security;
|
JaasSecurityDTO jaasSecurity = (JaasSecurityDTO) security;
|
||||||
ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager(jaasSecurity.domain);
|
ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager(jaasSecurity.domain, jaasSecurity.certificateDomain);
|
||||||
return securityManager;
|
return securityManager;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -27,4 +27,7 @@ public class JaasSecurityDTO extends SecurityDTO {
|
||||||
|
|
||||||
@XmlAttribute(name = "domain", required = true)
|
@XmlAttribute(name = "domain", required = true)
|
||||||
public String domain;
|
public String domain;
|
||||||
|
|
||||||
|
@XmlAttribute(name = "certificate-domain", required = false)
|
||||||
|
public String certificateDomain;
|
||||||
}
|
}
|
||||||
|
|
|
@ -50,7 +50,9 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
|
||||||
private static final String WILDCARD = "*";
|
private static final String WILDCARD = "*";
|
||||||
|
|
||||||
private String configurationName;
|
private String configurationName;
|
||||||
|
private String certificateConfigurationName;
|
||||||
private SecurityConfiguration configuration;
|
private SecurityConfiguration configuration;
|
||||||
|
private SecurityConfiguration certificateConfiguration;
|
||||||
private String rolePrincipalClass = "org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal";
|
private String rolePrincipalClass = "org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal";
|
||||||
|
|
||||||
public ActiveMQJAASSecurityManager() {
|
public ActiveMQJAASSecurityManager() {
|
||||||
|
@ -60,11 +62,23 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
|
||||||
this.configurationName = configurationName;
|
this.configurationName = configurationName;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public ActiveMQJAASSecurityManager(String configurationName, String certificateConfigurationName) {
|
||||||
|
this.configurationName = configurationName;
|
||||||
|
this.certificateConfigurationName = certificateConfigurationName;
|
||||||
|
}
|
||||||
|
|
||||||
public ActiveMQJAASSecurityManager(String configurationName, SecurityConfiguration configuration) {
|
public ActiveMQJAASSecurityManager(String configurationName, SecurityConfiguration configuration) {
|
||||||
this.configurationName = configurationName;
|
this.configurationName = configurationName;
|
||||||
this.configuration = configuration;
|
this.configuration = configuration;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public ActiveMQJAASSecurityManager(String configurationName, String certificateConfigurationName, SecurityConfiguration configuration, SecurityConfiguration certificateConfiguration) {
|
||||||
|
this.configurationName = configurationName;
|
||||||
|
this.configuration = configuration;
|
||||||
|
this.certificateConfigurationName = certificateConfigurationName;
|
||||||
|
this.certificateConfiguration = certificateConfiguration;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public boolean validateUser(String user, String password) {
|
public boolean validateUser(String user, String password) {
|
||||||
return validateUser(user, password, null);
|
return validateUser(user, password, null);
|
||||||
|
@ -144,7 +158,13 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
|
||||||
}
|
}
|
||||||
|
|
||||||
private Subject getAuthenticatedSubject(final String user, final String password, final X509Certificate[] certificates) throws LoginException {
|
private Subject getAuthenticatedSubject(final String user, final String password, final X509Certificate[] certificates) throws LoginException {
|
||||||
LoginContext lc = new LoginContext(configurationName, null, new JaasCallbackHandler(user, password, certificates), configuration);
|
LoginContext lc;
|
||||||
|
if (certificateConfigurationName != null && certificateConfigurationName.length() > 0 && certificates != null) {
|
||||||
|
lc = new LoginContext(certificateConfigurationName, null, new JaasCallbackHandler(user, password, certificates), certificateConfiguration);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
lc = new LoginContext(configurationName, null, new JaasCallbackHandler(user, password, certificates), configuration);
|
||||||
|
}
|
||||||
lc.login();
|
lc.login();
|
||||||
return lc.getSubject();
|
return lc.getSubject();
|
||||||
}
|
}
|
||||||
|
@ -172,6 +192,14 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
|
||||||
this.configuration = configuration;
|
this.configuration = configuration;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public void setCertificateConfigurationName(final String certificateConfigurationName) {
|
||||||
|
this.certificateConfigurationName = certificateConfigurationName;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setCertificateConfiguration(SecurityConfiguration certificateConfiguration) {
|
||||||
|
this.certificateConfiguration = certificateConfiguration;
|
||||||
|
}
|
||||||
|
|
||||||
public SecurityConfiguration getConfiguration() {
|
public SecurityConfiguration getConfiguration() {
|
||||||
if (configuration == null) {
|
if (configuration == null) {
|
||||||
configuration = new SecurityConfiguration();
|
configuration = new SecurityConfiguration();
|
||||||
|
@ -180,6 +208,14 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
|
||||||
return configuration;
|
return configuration;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public SecurityConfiguration getCertificateConfiguration() {
|
||||||
|
if (certificateConfiguration == null) {
|
||||||
|
certificateConfiguration = new SecurityConfiguration();
|
||||||
|
}
|
||||||
|
|
||||||
|
return certificateConfiguration;
|
||||||
|
}
|
||||||
|
|
||||||
public String getRolePrincipalClass() {
|
public String getRolePrincipalClass() {
|
||||||
return rolePrincipalClass;
|
return rolePrincipalClass;
|
||||||
}
|
}
|
||||||
|
|
|
@ -238,10 +238,9 @@ As mentioned, there are a few places where a translation was performed to achiev
|
||||||
|
|
||||||
## Secure Sockets Layer (SSL) Transport
|
## Secure Sockets Layer (SSL) Transport
|
||||||
|
|
||||||
When messaging clients are connected to servers, or servers are
|
When messaging clients are connected to servers, or servers are connected to other servers (e.g. via bridges) over an
|
||||||
connected to other servers (e.g. via bridges) over an untrusted network
|
untrusted network then Apache ActiveMQ Artemis allows that traffic to be encrypted using the Secure Sockets Layer (SSL)
|
||||||
then Apache ActiveMQ Artemis allows that traffic to be encrypted using the Secure
|
transport.
|
||||||
Sockets Layer (SSL) transport.
|
|
||||||
|
|
||||||
For more information on configuring the SSL transport, please see [Configuring the Transport](configuring-transports.md).
|
For more information on configuring the SSL transport, please see [Configuring the Transport](configuring-transports.md).
|
||||||
|
|
||||||
|
@ -250,12 +249,11 @@ For more information on configuring the SSL transport, please see [Configuring t
|
||||||
Apache ActiveMQ Artemis ships with two security manager implementations:
|
Apache ActiveMQ Artemis ships with two security manager implementations:
|
||||||
|
|
||||||
- The legacy, deprecated `ActiveMQSecurityManager` that reads user credentials, i.e. user names, passwords and role
|
- The legacy, deprecated `ActiveMQSecurityManager` that reads user credentials, i.e. user names, passwords and role
|
||||||
information from properties files on the classpath called `artemis-users.properties` and `artemis-roles.properties`.
|
information from properties files on the classpath called `artemis-users.properties` and `artemis-roles.properties`.
|
||||||
This is the default security manager.
|
|
||||||
|
|
||||||
- The flexible, pluggable `ActiveMQJAASSecurityManager` which supports any standard JAAS login module. Artemis ships
|
- The flexible, pluggable `ActiveMQJAASSecurityManager` which supports any standard JAAS login module. Artemis ships
|
||||||
with several login modules which will be discussed further down.
|
with several login modules which will be discussed further down. This is the default security manager.
|
||||||
|
|
||||||
### JAAS Security Manager
|
### JAAS Security Manager
|
||||||
|
|
||||||
When using JAAS much of the configuration depends on which login module is used. However, there are a few commonalities
|
When using JAAS much of the configuration depends on which login module is used. However, there are a few commonalities
|
||||||
|
@ -278,17 +276,46 @@ The `login.config` file is a standard JAAS configuration file. You can read more
|
||||||
[Oracle's website](https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html).
|
[Oracle's website](https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html).
|
||||||
In short, the file defines:
|
In short, the file defines:
|
||||||
|
|
||||||
- an alias for a configuration (e.g. `PropertiesLogin`)
|
- an alias for an entry (e.g. `PropertiesLogin`)
|
||||||
|
|
||||||
- the implementation class (e.g. `org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule`)
|
- the implementation class for the login module (e.g. `org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule`)
|
||||||
|
|
||||||
- a flag which indicates whether the success of the LoginModule is `required`, `requisite`, `sufficient`, or `optional`
|
- a flag which indicates whether the success of the login module is `required`, `requisite`, `sufficient`, or `optional`
|
||||||
|
(see more details on these flags in the [JavaDoc](http://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/Configuration.html)
|
||||||
|
|
||||||
- a list of configuration options specific to the login module implementation
|
- a list of configuration options specific to the login module implementation
|
||||||
|
|
||||||
By default, the location and name of `login.config` is specified on the Artemis command-line which is set by
|
By default, the location and name of `login.config` is specified on the Artemis command-line which is set by
|
||||||
`etc/artemis.profile` on linux and `etc\artemis.profile.cmd` on Windows.
|
`etc/artemis.profile` on linux and `etc\artemis.profile.cmd` on Windows.
|
||||||
|
|
||||||
|
#### Dual Authentication
|
||||||
|
|
||||||
|
The JAAS Security Manager also supports another configuration parameter - `certificate-domain`. This is useful when you
|
||||||
|
want to authenticate clients connecting with SSL connections based on their SSL certificates (e.g. using the `CertificateLoginModule`
|
||||||
|
discussed below) but you still want to authenticate clients connecting with non-SSL connections with, e.g., username and
|
||||||
|
password. Here's an example of what would go in `bootstrap.xml`:
|
||||||
|
|
||||||
|
<jaas-security domain="PropertiesLogin" certificate-domain="CertLogin"/>
|
||||||
|
|
||||||
|
And here's the corresponding `login.config`:
|
||||||
|
|
||||||
|
PropertiesLogin {
|
||||||
|
org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
|
||||||
|
debug=false
|
||||||
|
org.apache.activemq.jaas.properties.user="artemis-users.properties"
|
||||||
|
org.apache.activemq.jaas.properties.role="artemis-roles.properties";
|
||||||
|
};
|
||||||
|
|
||||||
|
CertLogin {
|
||||||
|
org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
|
||||||
|
debug=true
|
||||||
|
org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
|
||||||
|
org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
|
||||||
|
};
|
||||||
|
|
||||||
|
When the broker is configured this way then any client connecting with SSL and a client certificate will be authenticated
|
||||||
|
using `CertLogin` and any client connecting without SSL will be authenticated using `PropertiesLogin`.
|
||||||
|
|
||||||
### JAAS Login Modules
|
### JAAS Login Modules
|
||||||
|
|
||||||
#### GuestLoginModule
|
#### GuestLoginModule
|
||||||
|
|
|
@ -86,6 +86,7 @@ under the License.
|
||||||
<module>send-acknowledgements</module>
|
<module>send-acknowledgements</module>
|
||||||
<module>spring-integration</module>
|
<module>spring-integration</module>
|
||||||
<module>ssl-enabled</module>
|
<module>ssl-enabled</module>
|
||||||
|
<module>ssl-enabled-dual-authentication</module>
|
||||||
<module>static-selector</module>
|
<module>static-selector</module>
|
||||||
<module>temp-queue</module>
|
<module>temp-queue</module>
|
||||||
<module>topic</module>
|
<module>topic</module>
|
||||||
|
@ -147,6 +148,7 @@ under the License.
|
||||||
<module>send-acknowledgements</module>
|
<module>send-acknowledgements</module>
|
||||||
<module>spring-integration</module>
|
<module>spring-integration</module>
|
||||||
<module>ssl-enabled</module>
|
<module>ssl-enabled</module>
|
||||||
|
<module>ssl-enabled-dual-authentication</module>
|
||||||
<module>static-selector</module>
|
<module>static-selector</module>
|
||||||
|
|
||||||
<!--this needs to be run standalone as it needs manual intervention-->
|
<!--this needs to be run standalone as it needs manual intervention-->
|
||||||
|
|
|
@ -0,0 +1,110 @@
|
||||||
|
<?xml version='1.0'?>
|
||||||
|
<!--
|
||||||
|
Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
or more contributor license agreements. See the NOTICE file
|
||||||
|
distributed with this work for additional information
|
||||||
|
regarding copyright ownership. The ASF licenses this file
|
||||||
|
to you under the Apache License, Version 2.0 (the
|
||||||
|
"License"); you may not use this file except in compliance
|
||||||
|
with the License. You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing,
|
||||||
|
software distributed under the License is distributed on an
|
||||||
|
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
KIND, either express or implied. See the License for the
|
||||||
|
specific language governing permissions and limitations
|
||||||
|
under the License.
|
||||||
|
-->
|
||||||
|
|
||||||
|
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
|
||||||
|
<modelVersion>4.0.0</modelVersion>
|
||||||
|
|
||||||
|
<parent>
|
||||||
|
<groupId>org.apache.activemq.examples.broker</groupId>
|
||||||
|
<artifactId>jms-examples</artifactId>
|
||||||
|
<version>1.3.0-SNAPSHOT</version>
|
||||||
|
</parent>
|
||||||
|
|
||||||
|
<artifactId>ssl-enabled-dual-authentication</artifactId>
|
||||||
|
<packaging>jar</packaging>
|
||||||
|
<name>ActiveMQ Artemis JMS SSL Enabled Dual Authentication Example</name>
|
||||||
|
|
||||||
|
<properties>
|
||||||
|
<activemq.basedir>${project.basedir}/../../../..</activemq.basedir>
|
||||||
|
</properties>
|
||||||
|
|
||||||
|
<dependencies>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.apache.activemq</groupId>
|
||||||
|
<artifactId>artemis-jms-client</artifactId>
|
||||||
|
<version>${project.version}</version>
|
||||||
|
</dependency>
|
||||||
|
</dependencies>
|
||||||
|
|
||||||
|
<build>
|
||||||
|
<plugins>
|
||||||
|
<plugin>
|
||||||
|
<groupId>org.apache.activemq</groupId>
|
||||||
|
<artifactId>artemis-maven-plugin</artifactId>
|
||||||
|
<executions>
|
||||||
|
<execution>
|
||||||
|
<id>create</id>
|
||||||
|
<goals>
|
||||||
|
<goal>create</goal>
|
||||||
|
</goals>
|
||||||
|
<configuration>
|
||||||
|
<ignore>${noServer}</ignore>
|
||||||
|
</configuration>
|
||||||
|
</execution>
|
||||||
|
<execution>
|
||||||
|
<id>start</id>
|
||||||
|
<goals>
|
||||||
|
<goal>cli</goal>
|
||||||
|
</goals>
|
||||||
|
<configuration>
|
||||||
|
<ignore>${noServer}</ignore>
|
||||||
|
<spawn>true</spawn>
|
||||||
|
<testURI>tcp://localhost:61616</testURI>
|
||||||
|
<testUser>consumer</testUser>
|
||||||
|
<testPassword>activemq</testPassword>
|
||||||
|
<args>
|
||||||
|
<param>run</param>
|
||||||
|
</args>
|
||||||
|
</configuration>
|
||||||
|
</execution>
|
||||||
|
<execution>
|
||||||
|
<id>runClient</id>
|
||||||
|
<goals>
|
||||||
|
<goal>runClient</goal>
|
||||||
|
</goals>
|
||||||
|
<configuration>
|
||||||
|
<clientClass>org.apache.activemq.artemis.jms.example.SSLDualAuthenticationExample</clientClass>
|
||||||
|
</configuration>
|
||||||
|
</execution>
|
||||||
|
<execution>
|
||||||
|
<id>stop</id>
|
||||||
|
<goals>
|
||||||
|
<goal>cli</goal>
|
||||||
|
</goals>
|
||||||
|
<configuration>
|
||||||
|
<ignore>${noServer}</ignore>
|
||||||
|
<args>
|
||||||
|
<param>stop</param>
|
||||||
|
</args>
|
||||||
|
</configuration>
|
||||||
|
</execution>
|
||||||
|
</executions>
|
||||||
|
<dependencies>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.apache.activemq.examples.broker</groupId>
|
||||||
|
<artifactId>ssl-enabled-dual-authentication</artifactId>
|
||||||
|
<version>${project.version}</version>
|
||||||
|
</dependency>
|
||||||
|
</dependencies>
|
||||||
|
</plugin>
|
||||||
|
</plugins>
|
||||||
|
</build>
|
||||||
|
|
||||||
|
</project>
|
|
@ -0,0 +1,75 @@
|
||||||
|
<!--
|
||||||
|
Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
or more contributor license agreements. See the NOTICE file
|
||||||
|
distributed with this work for additional information
|
||||||
|
regarding copyright ownership. The ASF licenses this file
|
||||||
|
to you under the Apache License, Version 2.0 (the
|
||||||
|
"License"); you may not use this file except in compliance
|
||||||
|
with the License. You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing,
|
||||||
|
software distributed under the License is distributed on an
|
||||||
|
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
KIND, either express or implied. See the License for the
|
||||||
|
specific language governing permissions and limitations
|
||||||
|
under the License.
|
||||||
|
-->
|
||||||
|
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>ActiveMQ Artemis JMS SSL Example</title>
|
||||||
|
<link rel="stylesheet" type="text/css" href="../../../common/common.css" />
|
||||||
|
<link rel="stylesheet" type="text/css" href="../../../common/prettify.css" />
|
||||||
|
<script type="text/javascript" src="../../../common/prettify.js"></script>
|
||||||
|
</head>
|
||||||
|
<body onload="prettyPrint()">
|
||||||
|
<h1>JMS SSL Dual Authentication Example</h1>
|
||||||
|
|
||||||
|
<pre>To run the example, simply type <b>mvn verify</b> from this directory, <br>or <b>mvn -PnoServer verify</b> if you want to start and create the server manually.</pre>
|
||||||
|
|
||||||
|
<p>This example shows you how to configure 2-way SSL along with 2 different authentications mechanisms so that SSL and non-SSL clients can send and consume messages to/from ActiveMQ Artemis.
|
||||||
|
The non-SSL authentication mechanism simply uses username and password. The SSL authentication mechanism uses the client's certificate.</p>
|
||||||
|
|
||||||
|
<p>To configure 2-way SSL you need to configure the acceptor as follows:</p>
|
||||||
|
|
||||||
|
<p>
|
||||||
|
<pre class="prettyprint">
|
||||||
|
<code>
|
||||||
|
<!-- Acceptor -->
|
||||||
|
|
||||||
|
<acceptor name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=${data.dir}/../etc/server-side-keystore.jks;keyStorePassword=secureexample;trustStorePath=${data.dir}/../etc/server-side-truststore.jks;trustStorePassword=secureexample</acceptor>
|
||||||
|
</code>
|
||||||
|
</pre>
|
||||||
|
</p>
|
||||||
|
|
||||||
|
<p>In the server-side URL, the server-side-keystore.jks is the key store file holding the server's certificate. The server-side-truststore.jks is the file holding the certificates which the server trusts. Notice also the "sslEnabled" and "needClientAuth" parameters which enable SSL and require clients to present their own certificate respectively. Here's the URL the client uses to connect over SSL:</p>
|
||||||
|
|
||||||
|
<p>
|
||||||
|
<pre class="prettyprint">
|
||||||
|
<code>
|
||||||
|
tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/client-side-truststore.jks&trustStorePassword=secureexample&keyStorePath=activemq/server0/client-side-keystore.jks&keyStorePassword=secureexample
|
||||||
|
</code>
|
||||||
|
</pre>
|
||||||
|
</p>
|
||||||
|
|
||||||
|
<p>In the client-side URL, the client-side-keystore.jks is the key store file holding the client's certificate. The client-side-truststore.jks is the file holding the certificates which the client trusts. The "sslEnabled" parameter is present here as well just as it is on the server.</p>
|
||||||
|
|
||||||
|
<p>The various keystore files are generated using the following commands:</p>
|
||||||
|
|
||||||
|
<p>
|
||||||
|
<pre class="prettyprint">
|
||||||
|
<code>
|
||||||
|
keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
|
||||||
|
keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample
|
||||||
|
keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
|
||||||
|
keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
|
||||||
|
keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample
|
||||||
|
keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
|
||||||
|
</code>
|
||||||
|
</pre>
|
||||||
|
</p>
|
||||||
|
|
||||||
|
</body>
|
||||||
|
</html>
|
|
@ -0,0 +1,99 @@
|
||||||
|
/*
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
* contributor license agreements. See the NOTICE file distributed with
|
||||||
|
* this work for additional information regarding copyright ownership.
|
||||||
|
* The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
* (the "License"); you may not use this file except in compliance with
|
||||||
|
* the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.apache.activemq.artemis.jms.example;
|
||||||
|
|
||||||
|
import javax.jms.Connection;
|
||||||
|
import javax.jms.ConnectionFactory;
|
||||||
|
import javax.jms.MessageConsumer;
|
||||||
|
import javax.jms.MessageProducer;
|
||||||
|
import javax.jms.Queue;
|
||||||
|
import javax.jms.Session;
|
||||||
|
import javax.jms.TextMessage;
|
||||||
|
import javax.naming.InitialContext;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* A simple JMS Queue example that uses dual broker authentication mechanisms for SSL and non-SSL connections.
|
||||||
|
*/
|
||||||
|
public class SSLDualAuthenticationExample {
|
||||||
|
|
||||||
|
public static void main(final String[] args) throws Exception {
|
||||||
|
Connection producerConnection = null;
|
||||||
|
Connection consumerConnection = null;
|
||||||
|
InitialContext initialContext = null;
|
||||||
|
try {
|
||||||
|
// Step 1. Create an initial context to perform the JNDI lookup.
|
||||||
|
initialContext = new InitialContext();
|
||||||
|
|
||||||
|
// Step 2. Perfom a lookup on the queue
|
||||||
|
Queue queue = (Queue) initialContext.lookup("queue/exampleQueue");
|
||||||
|
|
||||||
|
// Step 3. Perform a lookup on the producer's SSL Connection Factory
|
||||||
|
ConnectionFactory producerConnectionFactory = (ConnectionFactory) initialContext.lookup("SslConnectionFactory");
|
||||||
|
|
||||||
|
// Step 4. Perform a lookup on the consumer's Connection Factory
|
||||||
|
ConnectionFactory consumerConnectionFactory = (ConnectionFactory) initialContext.lookup("ConnectionFactory");
|
||||||
|
|
||||||
|
// Step 5.Create a JMS Connection for the producer
|
||||||
|
producerConnection = producerConnectionFactory.createConnection();
|
||||||
|
|
||||||
|
// Step 6.Create a JMS Connection for the consumer
|
||||||
|
consumerConnection = consumerConnectionFactory.createConnection("consumer", "activemq");
|
||||||
|
|
||||||
|
// Step 7. Create a JMS Session for the producer
|
||||||
|
Session producerSession = producerConnection.createSession(false, Session.AUTO_ACKNOWLEDGE);
|
||||||
|
|
||||||
|
// Step 8. Create a JMS Session for the consumer
|
||||||
|
Session consumerSession = consumerConnection.createSession(false, Session.AUTO_ACKNOWLEDGE);
|
||||||
|
|
||||||
|
// Step 9. Create a JMS Message Producer
|
||||||
|
MessageProducer producer = producerSession.createProducer(queue);
|
||||||
|
|
||||||
|
// Step 10. Create a Text Message
|
||||||
|
TextMessage message = producerSession.createTextMessage("This is a text message");
|
||||||
|
|
||||||
|
System.out.println("Sent message: " + message.getText());
|
||||||
|
|
||||||
|
// Step 11. Send the Message
|
||||||
|
producer.send(message);
|
||||||
|
|
||||||
|
// Step 12. Create a JMS Message Consumer
|
||||||
|
MessageConsumer messageConsumer = consumerSession.createConsumer(queue);
|
||||||
|
|
||||||
|
// Step 13. Start the Connection
|
||||||
|
consumerConnection.start();
|
||||||
|
|
||||||
|
// Step 14. Receive the message
|
||||||
|
TextMessage messageReceived = (TextMessage) messageConsumer.receive(5000);
|
||||||
|
|
||||||
|
System.out.println("Received message: " + messageReceived.getText());
|
||||||
|
|
||||||
|
initialContext.close();
|
||||||
|
}
|
||||||
|
finally {
|
||||||
|
// Step 15. Be sure to close our JMS resources!
|
||||||
|
if (initialContext != null) {
|
||||||
|
initialContext.close();
|
||||||
|
}
|
||||||
|
if (producerConnection != null) {
|
||||||
|
producerConnection.close();
|
||||||
|
}
|
||||||
|
if (consumerConnection != null) {
|
||||||
|
consumerConnection.close();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,17 @@
|
||||||
|
## ---------------------------------------------------------------------------
|
||||||
|
## Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
## contributor license agreements. See the NOTICE file distributed with
|
||||||
|
## this work for additional information regarding copyright ownership.
|
||||||
|
## The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
## (the "License"); you may not use this file except in compliance with
|
||||||
|
## the License. You may obtain a copy of the License at
|
||||||
|
##
|
||||||
|
## http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
##
|
||||||
|
## Unless required by applicable law or agreed to in writing, software
|
||||||
|
## distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
## See the License for the specific language governing permissions and
|
||||||
|
## limitations under the License.
|
||||||
|
## ---------------------------------------------------------------------------
|
||||||
|
consumers=consumer
|
|
@ -0,0 +1,17 @@
|
||||||
|
## ---------------------------------------------------------------------------
|
||||||
|
## Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
## contributor license agreements. See the NOTICE file distributed with
|
||||||
|
## this work for additional information regarding copyright ownership.
|
||||||
|
## The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
## (the "License"); you may not use this file except in compliance with
|
||||||
|
## the License. You may obtain a copy of the License at
|
||||||
|
##
|
||||||
|
## http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
##
|
||||||
|
## Unless required by applicable law or agreed to in writing, software
|
||||||
|
## distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
## See the License for the specific language governing permissions and
|
||||||
|
## limitations under the License.
|
||||||
|
## ---------------------------------------------------------------------------
|
||||||
|
consumer=activemq
|
|
@ -0,0 +1,28 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
||||||
|
<!--
|
||||||
|
~ Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
~ contributor license agreements. See the NOTICE file distributed with
|
||||||
|
~ this work for additional information regarding copyright ownership.
|
||||||
|
~ The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
~ (the "License"); you may not use this file except in compliance with
|
||||||
|
~ the License. You may obtain a copy of the License at
|
||||||
|
~
|
||||||
|
~ http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
~
|
||||||
|
~ Unless required by applicable law or agreed to in writing, software
|
||||||
|
~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
~ See the License for the specific language governing permissions and
|
||||||
|
~ limitations under the License.
|
||||||
|
-->
|
||||||
|
|
||||||
|
<broker xmlns="http://activemq.org/schema">
|
||||||
|
|
||||||
|
<jaas-security domain="activemq" certificate-domain="activemq-cert"/>
|
||||||
|
|
||||||
|
<server configuration="file:${artemis.instance}/etc/broker.xml"/>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
</broker>
|
||||||
|
|
|
@ -0,0 +1,57 @@
|
||||||
|
<?xml version='1.0'?>
|
||||||
|
<!--
|
||||||
|
Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
or more contributor license agreements. See the NOTICE file
|
||||||
|
distributed with this work for additional information
|
||||||
|
regarding copyright ownership. The ASF licenses this file
|
||||||
|
to you under the Apache License, Version 2.0 (the
|
||||||
|
"License"); you may not use this file except in compliance
|
||||||
|
with the License. You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing,
|
||||||
|
software distributed under the License is distributed on an
|
||||||
|
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
KIND, either express or implied. See the License for the
|
||||||
|
specific language governing permissions and limitations
|
||||||
|
under the License.
|
||||||
|
-->
|
||||||
|
|
||||||
|
<configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||||
|
xmlns="urn:activemq"
|
||||||
|
xsi:schemaLocation="urn:activemq /schema/artemis-server.xsd">
|
||||||
|
|
||||||
|
<jms xmlns="urn:activemq:jms">
|
||||||
|
<!--the queue used by the example-->
|
||||||
|
<queue name="exampleQueue"/>
|
||||||
|
</jms>
|
||||||
|
|
||||||
|
<core xmlns="urn:activemq:core">
|
||||||
|
|
||||||
|
<bindings-directory>./data/messaging/bindings</bindings-directory>
|
||||||
|
|
||||||
|
<journal-directory>./data/messaging/journal</journal-directory>
|
||||||
|
|
||||||
|
<large-messages-directory>./data/messaging/largemessages</large-messages-directory>
|
||||||
|
|
||||||
|
<paging-directory>./data/messaging/paging</paging-directory>
|
||||||
|
|
||||||
|
<!-- Acceptors -->
|
||||||
|
<acceptors>
|
||||||
|
<acceptor name="netty-acceptor">tcp://localhost:61616</acceptor>
|
||||||
|
<acceptor name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=${data.dir}/../etc/server-side-keystore.jks;keyStorePassword=secureexample;trustStorePath=${data.dir}/../etc/server-side-truststore.jks;trustStorePassword=secureexample</acceptor>
|
||||||
|
</acceptors>
|
||||||
|
|
||||||
|
<!-- Other config -->
|
||||||
|
|
||||||
|
<security-settings>
|
||||||
|
<!--security for example queue-->
|
||||||
|
<security-setting match="jms.queue.exampleQueue">
|
||||||
|
<permission type="consume" roles="consumers"/>
|
||||||
|
<permission type="send" roles="producers"/>
|
||||||
|
</security-setting>
|
||||||
|
</security-settings>
|
||||||
|
|
||||||
|
</core>
|
||||||
|
</configuration>
|
|
@ -0,0 +1,18 @@
|
||||||
|
#
|
||||||
|
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
# contributor license agreements. See the NOTICE file distributed with
|
||||||
|
# this work for additional information regarding copyright ownership.
|
||||||
|
# The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
# (the "License"); you may not use this file except in compliance with
|
||||||
|
# the License. You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
producers=producer
|
|
@ -0,0 +1,18 @@
|
||||||
|
#
|
||||||
|
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
# contributor license agreements. See the NOTICE file distributed with
|
||||||
|
# this work for additional information regarding copyright ownership.
|
||||||
|
# The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
# (the "License"); you may not use this file except in compliance with
|
||||||
|
# the License. You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
producer=CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,30 @@
|
||||||
|
/*
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
* contributor license agreements. See the NOTICE file distributed with
|
||||||
|
* this work for additional information regarding copyright ownership.
|
||||||
|
* The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
* (the "License"); you may not use this file except in compliance with
|
||||||
|
* the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
activemq {
|
||||||
|
org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
|
||||||
|
debug=false
|
||||||
|
org.apache.activemq.jaas.properties.user="artemis-users.properties"
|
||||||
|
org.apache.activemq.jaas.properties.role="artemis-roles.properties";
|
||||||
|
};
|
||||||
|
|
||||||
|
activemq-cert {
|
||||||
|
org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
|
||||||
|
debug=true
|
||||||
|
org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
|
||||||
|
org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
|
||||||
|
};
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,21 @@
|
||||||
|
# Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
# or more contributor license agreements. See the NOTICE file
|
||||||
|
# distributed with this work for additional information
|
||||||
|
# regarding copyright ownership. The ASF licenses this file
|
||||||
|
# to you under the Apache License, Version 2.0 (the
|
||||||
|
# "License"); you may not use this file except in compliance
|
||||||
|
# with the License. You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing,
|
||||||
|
# software distributed under the License is distributed on an
|
||||||
|
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
# KIND, either express or implied. See the License for the
|
||||||
|
# specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
java.naming.factory.initial=org.apache.activemq.artemis.jndi.ActiveMQInitialContextFactory
|
||||||
|
connectionFactory.SslConnectionFactory=tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/client-side-truststore.jks&trustStorePassword=secureexample&keyStorePath=activemq/server0/client-side-keystore.jks&keyStorePassword=secureexample
|
||||||
|
connectionFactory.ConnectionFactory=tcp://localhost:61616
|
||||||
|
queue.queue/exampleQueue=exampleQueue
|
|
@ -70,15 +70,15 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
|
||||||
public static final SimpleString QUEUE = new SimpleString("QueueOverSSL");
|
public static final SimpleString QUEUE = new SimpleString("QueueOverSSL");
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* These artifacts are required for testing 2-way SSL in addition to the artifacts for 1-way SSL
|
* These artifacts are required for testing 2-way SSL in addition to the artifacts for 1-way SSL from {@link CoreClientOverOneWaySSLTest}
|
||||||
*
|
*
|
||||||
* Commands to create the JKS artifacts:
|
* Commands to create the JKS artifacts:
|
||||||
* keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ"
|
* keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
|
||||||
* keytool -export -keystore client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
|
* keytool -export -keystore client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
|
||||||
* keytool -import -keystore server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
|
* keytool -import -keystore server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
|
||||||
*
|
*
|
||||||
* Commands to create the JCEKS artifacts:
|
* Commands to create the JCEKS artifacts:
|
||||||
* keytool -genkey -keystore client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ"
|
* keytool -genkey -keystore client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
|
||||||
* keytool -export -keystore client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
|
* keytool -export -keystore client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
|
||||||
* keytool -import -keystore server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
|
* keytool -import -keystore server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -0,0 +1,142 @@
|
||||||
|
/*
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
* contributor license agreements. See the NOTICE file distributed with
|
||||||
|
* this work for additional information regarding copyright ownership.
|
||||||
|
* The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
* (the "License"); you may not use this file except in compliance with
|
||||||
|
* the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.apache.activemq.artemis.tests.integration.ssl;
|
||||||
|
|
||||||
|
import java.lang.management.ManagementFactory;
|
||||||
|
import java.net.URL;
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.HashSet;
|
||||||
|
import java.util.Map;
|
||||||
|
import java.util.Set;
|
||||||
|
|
||||||
|
import org.apache.activemq.artemis.api.core.Message;
|
||||||
|
import org.apache.activemq.artemis.api.core.SimpleString;
|
||||||
|
import org.apache.activemq.artemis.api.core.TransportConfiguration;
|
||||||
|
import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
|
||||||
|
import org.apache.activemq.artemis.api.core.client.ClientConsumer;
|
||||||
|
import org.apache.activemq.artemis.api.core.client.ClientMessage;
|
||||||
|
import org.apache.activemq.artemis.api.core.client.ClientProducer;
|
||||||
|
import org.apache.activemq.artemis.api.core.client.ClientSession;
|
||||||
|
import org.apache.activemq.artemis.api.core.client.ClientSessionFactory;
|
||||||
|
import org.apache.activemq.artemis.api.core.client.ServerLocator;
|
||||||
|
import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
|
||||||
|
import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
|
||||||
|
import org.apache.activemq.artemis.core.security.Role;
|
||||||
|
import org.apache.activemq.artemis.core.server.ActiveMQServer;
|
||||||
|
import org.apache.activemq.artemis.core.server.ActiveMQServers;
|
||||||
|
import org.apache.activemq.artemis.core.settings.HierarchicalRepository;
|
||||||
|
import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
|
||||||
|
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager;
|
||||||
|
import org.apache.activemq.artemis.tests.integration.security.SecurityTest;
|
||||||
|
import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
|
||||||
|
import org.apache.activemq.artemis.utils.RandomUtil;
|
||||||
|
import org.junit.Assert;
|
||||||
|
import org.junit.Before;
|
||||||
|
import org.junit.Test;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* See {@link CoreClientOverTwoWaySSLTest} for details about the keystores required for this test.
|
||||||
|
*/
|
||||||
|
public class DualAuthenticationTest extends ActiveMQTestBase {
|
||||||
|
|
||||||
|
public static final SimpleString QUEUE = new SimpleString("QueueOverSSL");
|
||||||
|
|
||||||
|
static {
|
||||||
|
String path = System.getProperty("java.security.auth.login.config");
|
||||||
|
if (path == null) {
|
||||||
|
URL resource = SecurityTest.class.getClassLoader().getResource("login.config");
|
||||||
|
if (resource != null) {
|
||||||
|
path = resource.getFile();
|
||||||
|
System.setProperty("java.security.auth.login.config", path);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private String SERVER_SIDE_KEYSTORE = "server-side-keystore.jks";
|
||||||
|
private String SERVER_SIDE_TRUSTSTORE = "server-side-truststore.jks";
|
||||||
|
private String CLIENT_SIDE_TRUSTSTORE = "client-side-truststore.jks";
|
||||||
|
private String CLIENT_SIDE_KEYSTORE = "client-side-keystore.jks";
|
||||||
|
private final String PASSWORD = "secureexample";
|
||||||
|
|
||||||
|
private ActiveMQServer server;
|
||||||
|
|
||||||
|
private TransportConfiguration tc;
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testDualAuthentication() throws Exception {
|
||||||
|
String text = RandomUtil.randomString();
|
||||||
|
|
||||||
|
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
|
||||||
|
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
|
||||||
|
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
|
||||||
|
tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE);
|
||||||
|
tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
|
||||||
|
tc.getParams().put(TransportConstants.PORT_PROP_NAME, "61617");
|
||||||
|
|
||||||
|
ServerLocator producerLocator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
|
||||||
|
ClientSessionFactory producerSessionFactory = createSessionFactory(producerLocator);
|
||||||
|
ClientSession producerSession = producerSessionFactory.createSession(false, true, true);
|
||||||
|
producerSession.createQueue(DualAuthenticationTest.QUEUE, DualAuthenticationTest.QUEUE, false);
|
||||||
|
ClientProducer producer = producerSession.createProducer(DualAuthenticationTest.QUEUE);
|
||||||
|
|
||||||
|
ClientMessage message = createTextMessage(producerSession, text);
|
||||||
|
producer.send(message);
|
||||||
|
|
||||||
|
ServerLocator consumerLocator = addServerLocator(ActiveMQClient.createServerLocator("tcp://localhost:61616"));
|
||||||
|
ClientSessionFactory consumerSessionFactory = createSessionFactory(consumerLocator);
|
||||||
|
ClientSession consumerSession = consumerSessionFactory.createSession("consumer", "consumerPassword", false, true, true, consumerLocator.isPreAcknowledge(), consumerLocator.getAckBatchSize());
|
||||||
|
ClientConsumer consumer = consumerSession.createConsumer(DualAuthenticationTest.QUEUE);
|
||||||
|
consumerSession.start();
|
||||||
|
|
||||||
|
Message m = consumer.receive(1000);
|
||||||
|
Assert.assertNotNull(m);
|
||||||
|
Assert.assertEquals(text, m.getBodyBuffer().readString());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
@Before
|
||||||
|
public void setUp() throws Exception {
|
||||||
|
super.setUp();
|
||||||
|
Map<String, Object> params = new HashMap<>();
|
||||||
|
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
|
||||||
|
params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, SERVER_SIDE_KEYSTORE);
|
||||||
|
params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
|
||||||
|
params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, SERVER_SIDE_TRUSTSTORE);
|
||||||
|
params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
|
||||||
|
params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
|
||||||
|
params.put(TransportConstants.PORT_PROP_NAME, "61617");
|
||||||
|
ConfigurationImpl config = createBasicConfig();
|
||||||
|
config.addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
|
||||||
|
config.addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY));
|
||||||
|
config.setSecurityEnabled(true);
|
||||||
|
|
||||||
|
ActiveMQSecurityManager securityManager = new ActiveMQJAASSecurityManager("DualAuthenticationPropertiesLogin", "DualAuthenticationCertLogin");
|
||||||
|
server = addServer(ActiveMQServers.newActiveMQServer(config, ManagementFactory.getPlatformMBeanServer(), securityManager, false));
|
||||||
|
|
||||||
|
HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository();
|
||||||
|
Role sendRole = new Role("producers", true, false, true, false, true, false, false);
|
||||||
|
Role receiveRole = new Role("consumers", false, true, false, false, false, false, false);
|
||||||
|
Set<Role> roles = new HashSet<>();
|
||||||
|
roles.add(sendRole);
|
||||||
|
roles.add(receiveRole);
|
||||||
|
securityRepository.addMatch(DualAuthenticationTest.QUEUE.toString(), roles);
|
||||||
|
|
||||||
|
server.start();
|
||||||
|
waitForServerToStart(server);
|
||||||
|
tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,18 @@
|
||||||
|
#
|
||||||
|
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
# contributor license agreements. See the NOTICE file distributed with
|
||||||
|
# this work for additional information regarding copyright ownership.
|
||||||
|
# The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
# (the "License"); you may not use this file except in compliance with
|
||||||
|
# the License. You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
producers=producer
|
|
@ -0,0 +1,18 @@
|
||||||
|
#
|
||||||
|
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
# contributor license agreements. See the NOTICE file distributed with
|
||||||
|
# this work for additional information regarding copyright ownership.
|
||||||
|
# The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
# (the "License"); you may not use this file except in compliance with
|
||||||
|
# the License. You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
producer=CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ
|
|
@ -0,0 +1,18 @@
|
||||||
|
#
|
||||||
|
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
# contributor license agreements. See the NOTICE file distributed with
|
||||||
|
# this work for additional information regarding copyright ownership.
|
||||||
|
# The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
# (the "License"); you may not use this file except in compliance with
|
||||||
|
# the License. You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
consumers=consumer
|
|
@ -0,0 +1,18 @@
|
||||||
|
#
|
||||||
|
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
# contributor license agreements. See the NOTICE file distributed with
|
||||||
|
# this work for additional information regarding copyright ownership.
|
||||||
|
# The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
# (the "License"); you may not use this file except in compliance with
|
||||||
|
# the License. You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
consumer=consumerPassword
|
|
@ -123,3 +123,17 @@ CertLogin {
|
||||||
org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
|
org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
|
||||||
org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
|
org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
DualAuthenticationCertLogin {
|
||||||
|
org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
|
||||||
|
debug=true
|
||||||
|
org.apache.activemq.jaas.textfiledn.user="dual-authentication-cert-users.properties"
|
||||||
|
org.apache.activemq.jaas.textfiledn.role="dual-authentication-cert-roles.properties";
|
||||||
|
};
|
||||||
|
|
||||||
|
DualAuthenticationPropertiesLogin {
|
||||||
|
org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
|
||||||
|
debug=true
|
||||||
|
org.apache.activemq.jaas.properties.user="dual-authentication-users.properties"
|
||||||
|
org.apache.activemq.jaas.properties.role="dual-authentication-roles.properties";
|
||||||
|
};
|
||||||
|
|
Loading…
Reference in New Issue