[ARTEMIS-1310] [ARTEMIS-1264] consolidate configuration to require login configuration scope

artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/TransportConfigurationUtil.java

@@ -27,9 +27,6 @@ import org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnectorFactor
 import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
 import org.apache.activemq.artemis.utils.ClassloadingUtil;
 
-import javax.security.auth.login.AppConfigurationEntry;
-import javax.security.auth.login.Configuration;
-
 /**
  * Stores static mappings of class names to ConnectorFactory instances to act as a central repo for ConnectorFactory
  * objects.
@@ -99,28 +96,4 @@ public class TransportConfigurationUtil {
       return false;
    }
 
-   public static Configuration kerb5Config(String principal, boolean initiator) {
-      final Map<String, String> krb5LoginModuleOptions = new HashMap<>();
-      krb5LoginModuleOptions.put("isInitiator", String.valueOf(initiator));
-      krb5LoginModuleOptions.put("principal", principal);
-      krb5LoginModuleOptions.put("useKeyTab", "true");
-      krb5LoginModuleOptions.put("storeKey", "true");
-      krb5LoginModuleOptions.put("doNotPrompt", "true");
-      krb5LoginModuleOptions.put("renewTGT", "true");
-      krb5LoginModuleOptions.put("refreshKrb5Config", "true");
-      krb5LoginModuleOptions.put("useTicketCache", "true");
-      String ticketCache = System.getenv("KRB5CCNAME");
-      if (ticketCache != null) {
-         krb5LoginModuleOptions.put("ticketCache", ticketCache);
-      }
-      return new Configuration() {
-         @Override
-         public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
-            return new AppConfigurationEntry[]{
-               new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
-                       AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
-                       krb5LoginModuleOptions)};
-         }
-      };
-   }
-}
+}

artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java

@@ -98,7 +98,6 @@ import org.apache.activemq.artemis.api.core.ActiveMQException;
 import org.apache.activemq.artemis.core.client.ActiveMQClientLogger;
 import org.apache.activemq.artemis.core.client.ActiveMQClientMessageBundle;
 import org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQClientProtocolManager;
-import org.apache.activemq.artemis.core.remoting.impl.TransportConfigurationUtil;
 import org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport;
 import org.apache.activemq.artemis.core.server.ActiveMQComponent;
 import org.apache.activemq.artemis.spi.core.remoting.AbstractConnector;
@@ -523,18 +522,8 @@ public class NettyConnector extends AbstractConnector {
             if (sslEnabled && !useServlet) {
 
                Subject subject = null;
-               if (kerb5Config != null && kerb5Config.length() > 0) {
-
-                  LoginContext loginContext = null;
-                  if (Character.isUpperCase(kerb5Config.charAt(0))) {
-                     // use as login.config scope
-                     loginContext = new LoginContext(kerb5Config);
-                  } else {
-                     // inline keytab config using kerb5Config as principal
-                     loginContext = new LoginContext("", null, null,
-                             TransportConfigurationUtil.kerb5Config(kerb5Config, true));
-                  }
-
+               if (kerb5Config != null) {
+                  LoginContext loginContext = new LoginContext(kerb5Config);
                   loginContext.login();
                   subject = loginContext.getSubject();
                   verifyHost = true;

artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java

@@ -71,7 +71,6 @@ import org.apache.activemq.artemis.api.core.management.CoreNotificationType;
 import org.apache.activemq.artemis.core.client.impl.ClientSessionFactoryImpl;
 import org.apache.activemq.artemis.core.protocol.ProtocolHandler;
 import org.apache.activemq.artemis.core.remoting.impl.AbstractAcceptor;
-import org.apache.activemq.artemis.core.remoting.impl.TransportConfigurationUtil;
 import org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport;
 import org.apache.activemq.artemis.core.security.ActiveMQPrincipal;
 import org.apache.activemq.artemis.core.server.ActiveMQComponent;
@@ -442,17 +441,9 @@ public class NettyAcceptor extends AbstractAcceptor {
          throw ise;
       }
       Subject subject = null;
-      if (kerb5Config != null && kerb5Config.length() > 0) {
-         LoginContext loginContext = null;
-         if (Character.isUpperCase(kerb5Config.charAt(0))) {
-            // use as login.config scope
-            loginContext = new LoginContext(kerb5Config);
-         } else {
-            loginContext = new LoginContext("", null, null,
-                    TransportConfigurationUtil.kerb5Config(kerb5Config, false));
-         }
+      if (kerb5Config != null) {
+         LoginContext loginContext = new LoginContext(kerb5Config);
          loginContext.login();
-
          subject = loginContext.getSubject();
       }
 

tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java

@@ -16,15 +16,6 @@
  */
 package org.apache.activemq.artemis.tests.integration.amqp;
 
-import org.apache.activemq.artemis.core.security.Role;
-import org.apache.activemq.artemis.core.server.ActiveMQServer;
-import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
-import org.apache.activemq.artemis.utils.RandomUtil;
-import org.apache.hadoop.minikdc.MiniKdc;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
 import javax.jms.Connection;
 import javax.jms.MessageConsumer;
 import javax.jms.MessageProducer;
@@ -37,6 +28,15 @@ import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 
+import org.apache.activemq.artemis.core.security.Role;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import org.apache.activemq.artemis.utils.RandomUtil;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
 public class JMSSaslGssapiTest extends JMSClientTestSupport {
 
    static {
@@ -85,7 +85,7 @@ public class JMSSaslGssapiTest extends JMSClientTestSupport {
    protected void configureBrokerSecurity(ActiveMQServer server) {
       server.getConfiguration().setSecurityEnabled(isSecurityEnabled());
       ActiveMQJAASSecurityManager securityManager = (ActiveMQJAASSecurityManager) server.getSecurityManager();
-      securityManager.setConfigurationName("Krb5SslPlus");
+      securityManager.setConfigurationName("Krb5Plus");
       securityManager.setConfiguration(null);
 
       final String roleName = "ALLOW_ALL";

tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLKerb5Test.java

@@ -88,7 +88,7 @@ public class CoreClientOverOneWaySSLKerb5Test extends ActiveMQTestBase {
       tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
       tc.getParams().put(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME, getSuitableCipherSuite());
       tc.getParams().put(TransportConstants.SNIHOST_PROP_NAME, SNI_HOST); // static service name rather than dynamic machine name
-      tc.getParams().put(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, "client"); // lower case used as principal with default keytab
+      tc.getParams().put(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, "core-tls-krb5-client");
       final ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
 
       ClientSessionFactory sf = null;
@@ -171,7 +171,7 @@ public class CoreClientOverOneWaySSLKerb5Test extends ActiveMQTestBase {
 
       params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
       params.put(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME, getSuitableCipherSuite());
-      params.put(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, SERVICE_PRINCIPAL);
+      params.put(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, "core-tls-krb5-server");
 
       ConfigurationImpl config = createBasicConfig().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params, "nettySSL"));
       config.setPopulateValidatedUser(true); // so we can verify the kerb5 id is present
@@ -179,7 +179,7 @@ public class CoreClientOverOneWaySSLKerb5Test extends ActiveMQTestBase {
 
       config.addAcceptorConfiguration(new TransportConfiguration(INVM_ACCEPTOR_FACTORY));
 
-      ActiveMQSecurityManager securityManager = new ActiveMQJAASSecurityManager("Krb5SslPlus");
+      ActiveMQSecurityManager securityManager = new ActiveMQJAASSecurityManager("Krb5Plus");
       server = addServer(ActiveMQServers.newActiveMQServer(config, ManagementFactory.getPlatformMBeanServer(), securityManager, false));
       HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository();
 

tests/integration-tests/src/test/resources/login.config

@@ -138,7 +138,7 @@ DualAuthenticationPropertiesLogin {
         org.apache.activemq.jaas.properties.role="dual-authentication-roles.properties";
 };
 
-Krb5SslPlus {
+Krb5Plus {
 
     org.apache.activemq.artemis.spi.core.security.jaas.Krb5LoginModule optional
         debug=true;
@@ -149,6 +149,21 @@ Krb5SslPlus {
         org.apache.activemq.jaas.properties.role="dual-authentication-roles.properties";
 };
 
+core-tls-krb5-server {
+    com.sun.security.auth.module.Krb5LoginModule required
+    isInitiator=false
+    storeKey=true
+    useKeyTab=true
+    principal="host/sni.host"
+    debug=true;
+};
+
+core-tls-krb5-client {
+    com.sun.security.auth.module.Krb5LoginModule required
+    principal="client"
+    useKeyTab=true;
+};
+
 amqp-sasl-gssapi {
     com.sun.security.auth.module.Krb5LoginModule required
     isInitiator=false