From a5b5a504e0426daa1f2598582ea3252f8bca4cf8 Mon Sep 17 00:00:00 2001
From: Robbie Gemmell
Date: Tue, 5 Oct 2021 17:17:35 +0100
Subject: [PATCH] ARTEMIS-3038: unwind effect of defunct changes from ARTEMIS-1264

Follows earlier test removal in a3de3d4c75ba1482706e8c42a5c9b0f9811901eb
---
 .../FederationDownstreamConfiguration.java | 1 -
 .../remoting/impl/netty/NettyConnector.java | 51 +++--------------
 .../impl/netty/TransportConstants.java | 4 --
 .../remoting/impl/netty/NettyAcceptor.java | 53 ++++---------------
 docs/user-manual/en/security.md | 10 ----
 .../src/test/resources/login.config | 15 ------
 6 files changed, 19 insertions(+), 115 deletions(-)

diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/config/federation/FederationDownstreamConfiguration.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/config/federation/FederationDownstreamConfiguration.java
index 17905e1bca..a7dd1e09e4 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/config/federation/FederationDownstreamConfiguration.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/config/federation/FederationDownstreamConfiguration.java
@@ -56,7 +56,6 @@ public class FederationDownstreamConfiguration extends FederationStreamConfigura
 //The federated server that creates the upstream back will rely on its config from the acceptor for TLS
 stripParam(params, TransportConstants.SSL_ENABLED_PROP_NAME);
 stripParam(params, TransportConstants.SSL_PROVIDER);
- stripParam(params, TransportConstants.SSL_KRB5_CONFIG_PROP_NAME);
 stripParam(params, TransportConstants.KEYSTORE_PATH_PROP_NAME);
 stripParam(params, TransportConstants.KEYSTORE_PASSWORD_PROP_NAME);
 stripParam(params, TransportConstants.KEYSTORE_PROVIDER_PROP_NAME);
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
index dde607f991..f04b750147 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
@@ -20,8 +20,6 @@ import javax.net.ssl.SNIHostName;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
-import javax.security.auth.Subject;
-import javax.security.auth.login.LoginContext;
 import java.io.IOException;
 import java.net.ConnectException;
 import java.net.InetAddress;
@@ -33,7 +31,6 @@ import java.net.UnknownHostException;
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
-import java.security.PrivilegedExceptionAction;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
@@ -265,8 +262,6 @@ public class NettyConnector extends AbstractConnector {
 private String sniHost;
- private String kerb5Config;
-
 private boolean useDefaultSslContext;
 private boolean tcpNoDelay;
@@ -433,8 +428,6 @@ public class NettyConnector extends AbstractConnector {
 sniHost = ConfigurationHelper.getStringProperty(TransportConstants.SNIHOST_PROP_NAME, TransportConstants.DEFAULT_SNIHOST_CONFIG, configuration);
- kerb5Config = ConfigurationHelper.getStringProperty(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, TransportConstants.DEFAULT_SSL_KRB5_CONFIG, configuration);
-
 useDefaultSslContext = ConfigurationHelper.getBooleanProperty(TransportConstants.USE_DEFAULT_SSL_CONTEXT_PROP_NAME, TransportConstants.DEFAULT_USE_DEFAULT_SSL_CONTEXT, configuration);
 trustManagerFactoryPlugin = ConfigurationHelper.getStringProperty(TransportConstants.TRUST_MANAGER_FACTORY_PLUGIN_PROP_NAME, TransportConstants.DEFAULT_TRUST_MANAGER_FACTORY_PLUGIN, configuration);
@@ -759,50 +752,22 @@ public class NettyConnector extends AbstractConnector {
 final SSLContext context = SSLContextFactoryProvider.getSSLContextFactory()
 .getSSLContext(sslContextConfig, configuration);
- Subject subject = null;
- if (kerb5Config != null) {
- LoginContext loginContext = new LoginContext(kerb5Config);
- loginContext.login();
- subject = loginContext.getSubject();
- verifyHost = true;
+ if (host != null && port != -1) {
+ return context.createSSLEngine(host, port);
+ } else {
+ return context.createSSLEngine();
 }
-
- SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction() {
- @Override
- public SSLEngine run() {
- if (host != null && port != -1) {
- return context.createSSLEngine(host, port);
- } else {
- return context.createSSLEngine();
- }
- }
- });
- return engine;
 }
 private SSLEngine loadOpenSslEngine(final ByteBufAllocator alloc, final SSLContextConfig sslContextConfig) throws Exception {
 final SslContext context = OpenSSLContextFactoryProvider.getOpenSSLContextFactory()
 .getClientSslContext(sslContextConfig, configuration);
- Subject subject = null;
- if (kerb5Config != null) {
- LoginContext loginContext = new LoginContext(kerb5Config);
- loginContext.login();
- subject = loginContext.getSubject();
- verifyHost = true;
+ if (host != null && port != -1) {
+ return context.newEngine(alloc, host, port);
+ } else {
+ return context.newEngine(alloc);
 }
-
- SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction() {
- @Override
- public SSLEngine run() {
- if (host != null && port != -1) {
- return context.newEngine(alloc, host, port);
- } else {
- return context.newEngine(alloc);
- }
- }
- });
- return engine;
 }
 @Override
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
index 37a4e80bb6..43bc67bf24 100644
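Review bot: A client configuration that still carries the removed `sslKrb5Config` key is now accepted silently and connects with ordinary keystore/trust-store TLS, whereas before this hunk it performed a Kerberos login and also forced `verifyHost = true`; nothing in the new `loadJdkSslEngine`/`loadOpenSslEngine` bodies or in the constructor hunk above reports that the mechanism is gone, so a deployment that relied on it loses an authentication step without any error. Rejecting the stale key where the connector reads its configuration, e.g. `if (configuration.containsKey("sslKrb5Config")) { throw new IllegalArgumentException("sslKrb5Config is no longer supported (ARTEMIS-3038)"); }`, or at minimum logging a warning, would make the removal fail loudly; the same applies to NettyAcceptor.checkSSLConfiguration, which this commit also edits and which now only complains about `keyStorePath` in that situation. The signature of loadJdkSslEngine lies above the hunk.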
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
@@ -33,8 +33,6 @@ public class TransportConstants {
 public static final String SSL_ENABLED_PROP_NAME = "sslEnabled";
- public static final String SSL_KRB5_CONFIG_PROP_NAME = "sslKrb5Config";
-
 public static final String HTTP_ENABLED_PROP_NAME = "httpEnabled";
 public static final String HTTP_CLIENT_IDLE_PROP_NAME = "httpClientIdleTime";
@@ -196,8 +194,6 @@ public class TransportConstants {
 public static final boolean DEFAULT_SSL_ENABLED = false;
- public static final String DEFAULT_SSL_KRB5_CONFIG = null;
-
 public static final String DEFAULT_SNIHOST_CONFIG = null;
 public static final boolean DEFAULT_USE_GLOBAL_WORKER_POOL = true;
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
index eca729ae21..b9d692b628 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
@@ -21,13 +21,10 @@ import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLParameters;
-import javax.security.auth.Subject;
-import javax.security.auth.login.LoginContext;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
-import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashSet;
@@ -189,8 +186,6 @@ public class NettyAcceptor extends AbstractAcceptor {
 private final String trustManagerFactoryPlugin;
- private final String kerb5Config;
-
 private String sniHost;
 private final boolean tcpNoDelay;
@@ -269,8 +264,6 @@ public class NettyAcceptor extends AbstractAcceptor {
 sslEnabled = ConfigurationHelper.getBooleanProperty(TransportConstants.SSL_ENABLED_PROP_NAME, TransportConstants.DEFAULT_SSL_ENABLED, configuration);
- kerb5Config = ConfigurationHelper.getStringProperty(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, TransportConstants.DEFAULT_SSL_KRB5_CONFIG, configuration);
-
 remotingThreads = ConfigurationHelper.getIntProperty(TransportConstants.NIO_REMOTING_THREADS_PROPNAME, -1, configuration);
 remotingThreads = ConfigurationHelper.getIntProperty(TransportConstants.REMOTING_THREADS_PROPNAME, remotingThreads, configuration);
@@ -674,55 +667,31 @@ public class NettyAcceptor extends AbstractAcceptor {
 private SSLEngine loadJdkSslEngine(String peerHost, int peerPort) throws Exception {
 final SSLContext context = (SSLContext) providerAgnosticSslContext;
- Subject subject = null;
- if (kerb5Config != null) {
- LoginContext loginContext = new LoginContext(kerb5Config);
- loginContext.login();
- subject = loginContext.getSubject();
- }
- SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction() {
- @Override
- public SSLEngine run() {
- if (peerHost != null && peerPort != 0) {
- return context.createSSLEngine(peerHost, peerPort);
- } else {
- return context.createSSLEngine();
- }
- }
- });
- return engine;
+ if (peerHost != null && peerPort != 0) {
+ return context.createSSLEngine(peerHost, peerPort);
+ } else {
+ return context.createSSLEngine();
+ }
 }
 private void checkSSLConfiguration() throws IllegalArgumentException {
 if (configuration.containsKey(TransportConstants.SSL_CONTEXT_PROP_NAME)) {
 return;
 }
- if (kerb5Config == null && keyStorePath == null && TransportConstants.DEFAULT_KEYSTORE_PROVIDER.equals(keyStoreProvider)) {
+ if (keyStorePath == null && TransportConstants.DEFAULT_KEYSTORE_PROVIDER.equals(keyStoreProvider)) {
 throw new IllegalArgumentException("If \"" + TransportConstants.SSL_ENABLED_PROP_NAME + "\" is true then \"" + TransportConstants.KEYSTORE_PATH_PROP_NAME + "\" must be non-null unless an alternative \"" + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "\" has been specified.");
 }
 }
 private SSLEngine loadOpenSslEngine(ByteBufAllocator alloc, String peerHost, int peerPort) throws Exception {
 final SslContext context = (SslContext) providerAgnosticSslContext;
- Subject subject = null;
- if (kerb5Config != null) {
- LoginContext loginContext = new LoginContext(kerb5Config);
- loginContext.login();
- subject = loginContext.getSubject();
- }
- SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction() {
- @Override
- public SSLEngine run() {
- if (peerHost != null && peerPort != 0) {
- return context.newEngine(alloc, peerHost, peerPort);
- } else {
- return context.newEngine(alloc);
- }
- }
- });
- return engine;
+ if (peerHost != null && peerPort != 0) {
+ return context.newEngine(alloc, peerHost, peerPort);
+ } else {
+ return context.newEngine(alloc);
+ }
 }
 private void startServerChannels() {
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index fb0f7454b2..88478ad87c 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@@ -1159,16 +1159,6 @@ amqp-sasl-gssapi {
 };
 ```
-##### TLS Kerberos Cipher Suites
-
-The legacy [rfc2712](https://www.ietf.org/rfc/rfc2712.txt) defines TLS Kerberos
-cipher suites that can be used by TLS to negotiate Kerberos authentication. The
-cypher suites offered by rfc2712 are dated and insecure and rfc2712 has been
-superseded by SASL GSSAPI. However, for clients that don't support SASL (core
-client), using TLS can provide Kerberos authentication over an *unsecure*
-channel.
-
-
 ### Role Mapping
 On the server, a Kerberos or SCRAM-SHA JAAS authenticated Principal must be added to the
diff --git a/tests/integration-tests/src/test/resources/login.config b/tests/integration-tests/src/test/resources/login.config
index 6ff980c183..b1af8253bf 100644
--- a/tests/integration-tests/src/test/resources/login.config
+++ b/tests/integration-tests/src/test/resources/login.config
@@ -282,21 +282,6 @@ Krb5PlusLdapMemberOfNoRoleName {
 ;
 };
-core-tls-krb5-server {
- com.sun.security.auth.module.Krb5LoginModule required
- isInitiator=false
- storeKey=true
- useKeyTab=true
- principal="host/sni.host"
- debug=true;
-};
-
-core-tls-krb5-client {
- com.sun.security.auth.module.Krb5LoginModule required
- principal="client"
- useKeyTab=true;
-};
-
 amqp-sasl-gssapi {
 com.sun.security.auth.module.Krb5LoginModule required
 isInitiator=false
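Review bot: `loadJdkSslEngine` and `loadOpenSslEngine` keep `throws Exception` although the `LoginContext.login()` and `Subject.doAs` calls that required it are gone; what remains is a cast plus `createSSLEngine`/`newEngine`, none of which declares a checked exception, so the clause now only pushes callers toward a catch-all that can mask unrelated failures. `private SSLEngine loadJdkSslEngine(String peerHost, int peerPort) {` and the matching OpenSSL signature would be more accurate; the same clean-up may apply to the two connector methods in the NettyConnector hunk if the context factories there declare no checked exceptions. The `peerPort != 0` branch is now unexplained since the surrounding code that gave it context was removed; a short comment such as `// peerHost/peerPort are only non-authoritative hints to the engine; 0 presumably means the caller had no port` would help the next reader. `startServerChannels` begins on the last line of the hunk and continues outside it.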