diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/TransportConfigurationUtil.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/TransportConfigurationUtil.java
index 97a4bd2088..c6d8a5f47c 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/TransportConfigurationUtil.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/TransportConfigurationUtil.java
@@ -27,9 +27,6 @@ import org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnectorFactor
 import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
 import org.apache.activemq.artemis.utils.ClassloadingUtil;
-import javax.security.auth.login.AppConfigurationEntry;
-import javax.security.auth.login.Configuration;
-
 /**
  * Stores static mappings of class names to ConnectorFactory instances to act as a central repo for ConnectorFactory
  * objects.
@@ -99,28 +96,4 @@ public class TransportConfigurationUtil {
 return false;
 }
- public static Configuration kerb5Config(String principal, boolean initiator) {
- final Map krb5LoginModuleOptions = new HashMap<>();
- krb5LoginModuleOptions.put("isInitiator", String.valueOf(initiator));
- krb5LoginModuleOptions.put("principal", principal);
- krb5LoginModuleOptions.put("useKeyTab", "true");
- krb5LoginModuleOptions.put("storeKey", "true");
- krb5LoginModuleOptions.put("doNotPrompt", "true");
- krb5LoginModuleOptions.put("renewTGT", "true");
- krb5LoginModuleOptions.put("refreshKrb5Config", "true");
- krb5LoginModuleOptions.put("useTicketCache", "true");
- String ticketCache = System.getenv("KRB5CCNAME");
- if (ticketCache != null) {
- krb5LoginModuleOptions.put("ticketCache", ticketCache);
- }
- return new Configuration() {
- @Override
- public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
- return new AppConfigurationEntry[]{
- new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
- AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
- krb5LoginModuleOptions)};
- }
- };
- }
-}
+}
\ No newline at end of file
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
index 18824907fb..8e48cf9705 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
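Review bot: The new closing `+}` is followed by `\ No newline at end of file`, so this commit strips the trailing newline from TransportConfigurationUtil.java; restore it so the next unrelated edit to the file does not show a spurious change on the class's closing brace. Removing `kerb5Config` also removes a public static method from a core-client class, which is worth a line in the commit message or release notes even though the package is `impl`.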
@@ -98,7 +98,6 @@ import org.apache.activemq.artemis.api.core.ActiveMQException;
 import org.apache.activemq.artemis.core.client.ActiveMQClientLogger;
 import org.apache.activemq.artemis.core.client.ActiveMQClientMessageBundle;
 import org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQClientProtocolManager;
-import org.apache.activemq.artemis.core.remoting.impl.TransportConfigurationUtil;
 import org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport;
 import org.apache.activemq.artemis.core.server.ActiveMQComponent;
 import org.apache.activemq.artemis.spi.core.remoting.AbstractConnector;
@@ -523,18 +522,8 @@ public class NettyConnector extends AbstractConnector {
 if (sslEnabled && !useServlet) {
 Subject subject = null;
- if (kerb5Config != null && kerb5Config.length() > 0) {
-
- LoginContext loginContext = null;
- if (Character.isUpperCase(kerb5Config.charAt(0))) {
- // use as login.config scope
- loginContext = new LoginContext(kerb5Config);
- } else {
- // inline keytab config using kerb5Config as principal
- loginContext = new LoginContext("", null, null,
- TransportConfigurationUtil.kerb5Config(kerb5Config, true));
- }
-
+ if (kerb5Config != null) {
+ LoginContext loginContext = new LoginContext(kerb5Config);
 loginContext.login();
 subject = loginContext.getSubject();
 verifyHost = true;
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
index d626fadfbe..b41fc70ea0 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
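Review bot: The new guard `if (kerb5Config != null) {` drops the `length() > 0` half of the old condition, so an empty SSL_KRB5_CONFIG_PROP_NAME value now reaches `new LoginContext("")`, which JAAS resolves to the `other` entry of the installed Configuration (or throws a LoginException if none exists) instead of being treated as "not set"; suggest `if (kerb5Config != null && !kerb5Config.isEmpty()) {` here and in the identical guard of the NettyAcceptor hunk below. With the inline-principal branch gone, the value is now always a login.config scope name and the explanatory comment was deleted along with the branch, so restore one such as `// kerb5Config names a JAAS login.config entry; the old lower-case-principal form is no longer accepted`. Existing configurations that passed a principal will presumably now fail at `loginContext.login()`, so the TransportConstants documentation for this property should describe the new contract. The enclosing method starts and ends outside the hunk.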
@@ -71,7 +71,6 @@ import org.apache.activemq.artemis.api.core.management.CoreNotificationType;
 import org.apache.activemq.artemis.core.client.impl.ClientSessionFactoryImpl;
 import org.apache.activemq.artemis.core.protocol.ProtocolHandler;
 import org.apache.activemq.artemis.core.remoting.impl.AbstractAcceptor;
-import org.apache.activemq.artemis.core.remoting.impl.TransportConfigurationUtil;
 import org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport;
 import org.apache.activemq.artemis.core.security.ActiveMQPrincipal;
 import org.apache.activemq.artemis.core.server.ActiveMQComponent;
@@ -442,17 +441,9 @@ public class NettyAcceptor extends AbstractAcceptor {
 throw ise;
 }
 Subject subject = null;
- if (kerb5Config != null && kerb5Config.length() > 0) {
- LoginContext loginContext = null;
- if (Character.isUpperCase(kerb5Config.charAt(0))) {
- // use as login.config scope
- loginContext = new LoginContext(kerb5Config);
- } else {
- loginContext = new LoginContext("", null, null,
- TransportConfigurationUtil.kerb5Config(kerb5Config, false));
- }
+ if (kerb5Config != null) {
+ LoginContext loginContext = new LoginContext(kerb5Config);
 loginContext.login();
-
 subject = loginContext.getSubject();
 }
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java
index a4f94768e3..17d70a5a88 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java
@@ -16,15 +16,6 @@
 */
 package org.apache.activemq.artemis.tests.integration.amqp;
-import org.apache.activemq.artemis.core.security.Role;
-import org.apache.activemq.artemis.core.server.ActiveMQServer;
-import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
-import org.apache.activemq.artemis.utils.RandomUtil;
-import org.apache.hadoop.minikdc.MiniKdc;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
 import javax.jms.Connection;
 import javax.jms.MessageConsumer;
 import javax.jms.MessageProducer;
@@ -37,6 +28,15 @@ import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
+import org.apache.activemq.artemis.core.security.Role;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import org.apache.activemq.artemis.utils.RandomUtil;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
 public class JMSSaslGssapiTest extends JMSClientTestSupport {
 static {
@@ -85,7 +85,7 @@ public class JMSSaslGssapiTest extends JMSClientTestSupport {
 protected void configureBrokerSecurity(ActiveMQServer server) {
 server.getConfiguration().setSecurityEnabled(isSecurityEnabled());
 ActiveMQJAASSecurityManager securityManager = (ActiveMQJAASSecurityManager) server.getSecurityManager();
- securityManager.setConfigurationName("Krb5SslPlus");
+ securityManager.setConfigurationName("Krb5Plus");
 securityManager.setConfiguration(null);
 final String roleName = "ALLOW_ALL";
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLKerb5Test.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLKerb5Test.java
index 1dd238f4f2..a9f5c8816e 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLKerb5Test.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLKerb5Test.java
@@ -88,7 +88,7 @@ public class CoreClientOverOneWaySSLKerb5Test extends ActiveMQTestBase {
 tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
 tc.getParams().put(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME, getSuitableCipherSuite());
 tc.getParams().put(TransportConstants.SNIHOST_PROP_NAME, SNI_HOST); // static service name rather than dynamic machine name
- tc.getParams().put(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, "client"); // lower case used as principal with default keytab
+ tc.getParams().put(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, "core-tls-krb5-client");
 final ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
 ClientSessionFactory sf = null;
@@ -171,7 +171,7 @@ public class CoreClientOverOneWaySSLKerb5Test extends ActiveMQTestBase {
 params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
 params.put(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME, getSuitableCipherSuite());
- params.put(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, SERVICE_PRINCIPAL);
+ params.put(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, "core-tls-krb5-server");
 ConfigurationImpl config = createBasicConfig().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params, "nettySSL"));
 config.setPopulateValidatedUser(true); // so we can verify the kerb5 id is present
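Review bot: The changed line now names `"core-tls-krb5-server"`, whose `principal="host/sni.host"` in tests/integration-tests/src/test/resources/login.config is a second copy of the service principal the test previously passed via `SERVICE_PRINCIPAL` (and presumably derives from `SNI_HOST`); if either constant changes, the resource file silently diverges and the test fails at login rather than at an obvious mismatch. Add a comment at the changed line such as `// login.config entry core-tls-krb5-server must carry the same host/<SNI_HOST> principal as SERVICE_PRINCIPAL`, and check whether `SERVICE_PRINCIPAL` is still referenced after this change. The same coupling applies to `"client"` in the `core-tls-krb5-client` entry used by the first hunk. Both enclosing methods start and end outside their hunks.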
@@ -179,7 +179,7 @@ public class CoreClientOverOneWaySSLKerb5Test extends ActiveMQTestBase {
 config.addAcceptorConfiguration(new TransportConfiguration(INVM_ACCEPTOR_FACTORY));
- ActiveMQSecurityManager securityManager = new ActiveMQJAASSecurityManager("Krb5SslPlus");
+ ActiveMQSecurityManager securityManager = new ActiveMQJAASSecurityManager("Krb5Plus");
 server = addServer(ActiveMQServers.newActiveMQServer(config, ManagementFactory.getPlatformMBeanServer(), securityManager, false));
 HierarchicalRepository> securityRepository = server.getSecurityRepository();
diff --git a/tests/integration-tests/src/test/resources/login.config b/tests/integration-tests/src/test/resources/login.config
index 5c0e2ebc9f..a834627e45 100644
--- a/tests/integration-tests/src/test/resources/login.config
+++ b/tests/integration-tests/src/test/resources/login.config
@@ -138,7 +138,7 @@ DualAuthenticationPropertiesLogin {
 org.apache.activemq.jaas.properties.role="dual-authentication-roles.properties";
 };
-Krb5SslPlus {
+Krb5Plus {
 org.apache.activemq.artemis.spi.core.security.jaas.Krb5LoginModule optional
 debug=true;
@@ -149,6 +149,21 @@ Krb5SslPlus {
 org.apache.activemq.jaas.properties.role="dual-authentication-roles.properties";
 };
+core-tls-krb5-server {
+ com.sun.security.auth.module.Krb5LoginModule required
+ isInitiator=false
+ storeKey=true
+ useKeyTab=true
+ principal="host/sni.host"
+ debug=true;
+};
+
+core-tls-krb5-client {
+ com.sun.security.auth.module.Krb5LoginModule required
+ principal="client"
+ useKeyTab=true;
+};
+
 amqp-sasl-gssapi {
 com.sun.security.auth.module.Krb5LoginModule required
 isInitiator=false
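Review bot: The new `core-tls-krb5-client` entry omits the `doNotPrompt=true` that the removed TransportConfigurationUtil.kerb5Config builder always set, so if the keytab lookup for `principal="client"` fails the Krb5LoginModule may try to prompt for credentials through a CallbackHandler that `new LoginContext(name)` never supplies, giving a less direct failure than an immediate LoginException; add `doNotPrompt=true` to that entry. The `core-tls-krb5-server` entry sets `debug=true`, which makes Krb5LoginModule print the principal and keytab details (and, depending on the JDK, further credential information) to stdout — acceptable in a test resource, but a comment such as `// debug=true is for the test log only; do not copy this block into a production login.config` would stop it being lifted as-is. The old builder's ticket-cache options (`useTicketCache`, `ticketCache` from `KRB5CCNAME`, `renewTGT`, `refreshKrb5Config`) are not carried over either; if the integration run relied on any of them that should be confirmed before merging.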