ARTEMIS-3038: unwind effect of defunct changes from ARTEMIS-1264

Follows earlier test removal in a3de3d4c75
This commit is contained in:
Robbie Gemmell 2021-10-05 17:17:35 +01:00
parent 15c2dbb1c3
commit a5b5a504e0
6 changed files with 19 additions and 115 deletions

View File

@ -56,7 +56,6 @@ public class FederationDownstreamConfiguration extends FederationStreamConfigura
//The federated server that creates the upstream back will rely on its config from the acceptor for TLS //The federated server that creates the upstream back will rely on its config from the acceptor for TLS
stripParam(params, TransportConstants.SSL_ENABLED_PROP_NAME); stripParam(params, TransportConstants.SSL_ENABLED_PROP_NAME);
stripParam(params, TransportConstants.SSL_PROVIDER); stripParam(params, TransportConstants.SSL_PROVIDER);
stripParam(params, TransportConstants.SSL_KRB5_CONFIG_PROP_NAME);
stripParam(params, TransportConstants.KEYSTORE_PATH_PROP_NAME); stripParam(params, TransportConstants.KEYSTORE_PATH_PROP_NAME);
stripParam(params, TransportConstants.KEYSTORE_PASSWORD_PROP_NAME); stripParam(params, TransportConstants.KEYSTORE_PASSWORD_PROP_NAME);
stripParam(params, TransportConstants.KEYSTORE_PROVIDER_PROP_NAME); stripParam(params, TransportConstants.KEYSTORE_PROVIDER_PROP_NAME);

View File

@ -20,8 +20,6 @@ import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext; import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters; import javax.net.ssl.SSLParameters;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import java.io.IOException; import java.io.IOException;
import java.net.ConnectException; import java.net.ConnectException;
import java.net.InetAddress; import java.net.InetAddress;
@ -33,7 +31,6 @@ import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.security.MessageDigest; import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collections; import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
@ -265,8 +262,6 @@ public class NettyConnector extends AbstractConnector {
private String sniHost; private String sniHost;
private String kerb5Config;
private boolean useDefaultSslContext; private boolean useDefaultSslContext;
private boolean tcpNoDelay; private boolean tcpNoDelay;
@ -433,8 +428,6 @@ public class NettyConnector extends AbstractConnector {
sniHost = ConfigurationHelper.getStringProperty(TransportConstants.SNIHOST_PROP_NAME, TransportConstants.DEFAULT_SNIHOST_CONFIG, configuration); sniHost = ConfigurationHelper.getStringProperty(TransportConstants.SNIHOST_PROP_NAME, TransportConstants.DEFAULT_SNIHOST_CONFIG, configuration);
kerb5Config = ConfigurationHelper.getStringProperty(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, TransportConstants.DEFAULT_SSL_KRB5_CONFIG, configuration);
useDefaultSslContext = ConfigurationHelper.getBooleanProperty(TransportConstants.USE_DEFAULT_SSL_CONTEXT_PROP_NAME, TransportConstants.DEFAULT_USE_DEFAULT_SSL_CONTEXT, configuration); useDefaultSslContext = ConfigurationHelper.getBooleanProperty(TransportConstants.USE_DEFAULT_SSL_CONTEXT_PROP_NAME, TransportConstants.DEFAULT_USE_DEFAULT_SSL_CONTEXT, configuration);
trustManagerFactoryPlugin = ConfigurationHelper.getStringProperty(TransportConstants.TRUST_MANAGER_FACTORY_PLUGIN_PROP_NAME, TransportConstants.DEFAULT_TRUST_MANAGER_FACTORY_PLUGIN, configuration); trustManagerFactoryPlugin = ConfigurationHelper.getStringProperty(TransportConstants.TRUST_MANAGER_FACTORY_PLUGIN_PROP_NAME, TransportConstants.DEFAULT_TRUST_MANAGER_FACTORY_PLUGIN, configuration);
@ -759,50 +752,22 @@ public class NettyConnector extends AbstractConnector {
final SSLContext context = SSLContextFactoryProvider.getSSLContextFactory() final SSLContext context = SSLContextFactoryProvider.getSSLContextFactory()
.getSSLContext(sslContextConfig, configuration); .getSSLContext(sslContextConfig, configuration);
Subject subject = null; if (host != null && port != -1) {
if (kerb5Config != null) { return context.createSSLEngine(host, port);
LoginContext loginContext = new LoginContext(kerb5Config); } else {
loginContext.login(); return context.createSSLEngine();
subject = loginContext.getSubject();
verifyHost = true;
} }
SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
@Override
public SSLEngine run() {
if (host != null && port != -1) {
return context.createSSLEngine(host, port);
} else {
return context.createSSLEngine();
}
}
});
return engine;
} }
private SSLEngine loadOpenSslEngine(final ByteBufAllocator alloc, final SSLContextConfig sslContextConfig) throws Exception { private SSLEngine loadOpenSslEngine(final ByteBufAllocator alloc, final SSLContextConfig sslContextConfig) throws Exception {
final SslContext context = OpenSSLContextFactoryProvider.getOpenSSLContextFactory() final SslContext context = OpenSSLContextFactoryProvider.getOpenSSLContextFactory()
.getClientSslContext(sslContextConfig, configuration); .getClientSslContext(sslContextConfig, configuration);
Subject subject = null; if (host != null && port != -1) {
if (kerb5Config != null) { return context.newEngine(alloc, host, port);
LoginContext loginContext = new LoginContext(kerb5Config); } else {
loginContext.login(); return context.newEngine(alloc);
subject = loginContext.getSubject();
verifyHost = true;
} }
SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
@Override
public SSLEngine run() {
if (host != null && port != -1) {
return context.newEngine(alloc, host, port);
} else {
return context.newEngine(alloc);
}
}
});
return engine;
} }
@Override @Override

View File

@ -33,8 +33,6 @@ public class TransportConstants {
public static final String SSL_ENABLED_PROP_NAME = "sslEnabled"; public static final String SSL_ENABLED_PROP_NAME = "sslEnabled";
public static final String SSL_KRB5_CONFIG_PROP_NAME = "sslKrb5Config";
public static final String HTTP_ENABLED_PROP_NAME = "httpEnabled"; public static final String HTTP_ENABLED_PROP_NAME = "httpEnabled";
public static final String HTTP_CLIENT_IDLE_PROP_NAME = "httpClientIdleTime"; public static final String HTTP_CLIENT_IDLE_PROP_NAME = "httpClientIdleTime";
@ -196,8 +194,6 @@ public class TransportConstants {
public static final boolean DEFAULT_SSL_ENABLED = false; public static final boolean DEFAULT_SSL_ENABLED = false;
public static final String DEFAULT_SSL_KRB5_CONFIG = null;
public static final String DEFAULT_SNIHOST_CONFIG = null; public static final String DEFAULT_SNIHOST_CONFIG = null;
public static final boolean DEFAULT_USE_GLOBAL_WORKER_POOL = true; public static final boolean DEFAULT_USE_GLOBAL_WORKER_POOL = true;

View File

@ -21,13 +21,10 @@ import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLHandshakeException; import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters; import javax.net.ssl.SSLParameters;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import java.net.InetSocketAddress; import java.net.InetSocketAddress;
import java.net.SocketAddress; import java.net.SocketAddress;
import java.security.AccessController; import java.security.AccessController;
import java.security.PrivilegedAction; import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Arrays; import java.util.Arrays;
import java.util.HashSet; import java.util.HashSet;
@ -189,8 +186,6 @@ public class NettyAcceptor extends AbstractAcceptor {
private final String trustManagerFactoryPlugin; private final String trustManagerFactoryPlugin;
private final String kerb5Config;
private String sniHost; private String sniHost;
private final boolean tcpNoDelay; private final boolean tcpNoDelay;
@ -269,8 +264,6 @@ public class NettyAcceptor extends AbstractAcceptor {
sslEnabled = ConfigurationHelper.getBooleanProperty(TransportConstants.SSL_ENABLED_PROP_NAME, TransportConstants.DEFAULT_SSL_ENABLED, configuration); sslEnabled = ConfigurationHelper.getBooleanProperty(TransportConstants.SSL_ENABLED_PROP_NAME, TransportConstants.DEFAULT_SSL_ENABLED, configuration);
kerb5Config = ConfigurationHelper.getStringProperty(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, TransportConstants.DEFAULT_SSL_KRB5_CONFIG, configuration);
remotingThreads = ConfigurationHelper.getIntProperty(TransportConstants.NIO_REMOTING_THREADS_PROPNAME, -1, configuration); remotingThreads = ConfigurationHelper.getIntProperty(TransportConstants.NIO_REMOTING_THREADS_PROPNAME, -1, configuration);
remotingThreads = ConfigurationHelper.getIntProperty(TransportConstants.REMOTING_THREADS_PROPNAME, remotingThreads, configuration); remotingThreads = ConfigurationHelper.getIntProperty(TransportConstants.REMOTING_THREADS_PROPNAME, remotingThreads, configuration);
@ -674,55 +667,31 @@ public class NettyAcceptor extends AbstractAcceptor {
private SSLEngine loadJdkSslEngine(String peerHost, int peerPort) throws Exception { private SSLEngine loadJdkSslEngine(String peerHost, int peerPort) throws Exception {
final SSLContext context = (SSLContext) providerAgnosticSslContext; final SSLContext context = (SSLContext) providerAgnosticSslContext;
Subject subject = null;
if (kerb5Config != null) {
LoginContext loginContext = new LoginContext(kerb5Config);
loginContext.login();
subject = loginContext.getSubject();
}
SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() { if (peerHost != null && peerPort != 0) {
@Override return context.createSSLEngine(peerHost, peerPort);
public SSLEngine run() { } else {
if (peerHost != null && peerPort != 0) { return context.createSSLEngine();
return context.createSSLEngine(peerHost, peerPort); }
} else {
return context.createSSLEngine();
}
}
});
return engine;
} }
private void checkSSLConfiguration() throws IllegalArgumentException { private void checkSSLConfiguration() throws IllegalArgumentException {
if (configuration.containsKey(TransportConstants.SSL_CONTEXT_PROP_NAME)) { if (configuration.containsKey(TransportConstants.SSL_CONTEXT_PROP_NAME)) {
return; return;
} }
if (kerb5Config == null && keyStorePath == null && TransportConstants.DEFAULT_KEYSTORE_PROVIDER.equals(keyStoreProvider)) { if (keyStorePath == null && TransportConstants.DEFAULT_KEYSTORE_PROVIDER.equals(keyStoreProvider)) {
throw new IllegalArgumentException("If \"" + TransportConstants.SSL_ENABLED_PROP_NAME + "\" is true then \"" + TransportConstants.KEYSTORE_PATH_PROP_NAME + "\" must be non-null unless an alternative \"" + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "\" has been specified."); throw new IllegalArgumentException("If \"" + TransportConstants.SSL_ENABLED_PROP_NAME + "\" is true then \"" + TransportConstants.KEYSTORE_PATH_PROP_NAME + "\" must be non-null unless an alternative \"" + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "\" has been specified.");
} }
} }
private SSLEngine loadOpenSslEngine(ByteBufAllocator alloc, String peerHost, int peerPort) throws Exception { private SSLEngine loadOpenSslEngine(ByteBufAllocator alloc, String peerHost, int peerPort) throws Exception {
final SslContext context = (SslContext) providerAgnosticSslContext; final SslContext context = (SslContext) providerAgnosticSslContext;
Subject subject = null;
if (kerb5Config != null) {
LoginContext loginContext = new LoginContext(kerb5Config);
loginContext.login();
subject = loginContext.getSubject();
}
SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() { if (peerHost != null && peerPort != 0) {
@Override return context.newEngine(alloc, peerHost, peerPort);
public SSLEngine run() { } else {
if (peerHost != null && peerPort != 0) { return context.newEngine(alloc);
return context.newEngine(alloc, peerHost, peerPort); }
} else {
return context.newEngine(alloc);
}
}
});
return engine;
} }
private void startServerChannels() { private void startServerChannels() {

View File

@ -1159,16 +1159,6 @@ amqp-sasl-gssapi {
}; };
``` ```
##### TLS Kerberos Cipher Suites
The legacy [rfc2712](https://www.ietf.org/rfc/rfc2712.txt) defines TLS Kerberos
cipher suites that can be used by TLS to negotiate Kerberos authentication. The
cypher suites offered by rfc2712 are dated and insecure and rfc2712 has been
superseded by SASL GSSAPI. However, for clients that don't support SASL (core
client), using TLS can provide Kerberos authentication over an *unsecure*
channel.
### Role Mapping ### Role Mapping
On the server, a Kerberos or SCRAM-SHA JAAS authenticated Principal must be added to the On the server, a Kerberos or SCRAM-SHA JAAS authenticated Principal must be added to the

View File

@ -282,21 +282,6 @@ Krb5PlusLdapMemberOfNoRoleName {
; ;
}; };
core-tls-krb5-server {
com.sun.security.auth.module.Krb5LoginModule required
isInitiator=false
storeKey=true
useKeyTab=true
principal="host/sni.host"
debug=true;
};
core-tls-krb5-client {
com.sun.security.auth.module.Krb5LoginModule required
principal="client"
useKeyTab=true;
};
amqp-sasl-gssapi { amqp-sasl-gssapi {
com.sun.security.auth.module.Krb5LoginModule required com.sun.security.auth.module.Krb5LoginModule required
isInitiator=false isInitiator=false