ARTEMIS-3038: unwind effect of defunct changes from ARTEMIS-1264
Follows earlier test removal in a3de3d4c75
parent
15c2dbb1c3
commit
a5b5a504e0
|
@ -56,7 +56,6 @@ public class FederationDownstreamConfiguration extends FederationStreamConfigura
|
||||||
//The federated server that creates the upstream back will rely on its config from the acceptor for TLS
|
//The federated server that creates the upstream back will rely on its config from the acceptor for TLS
|
||||||
stripParam(params, TransportConstants.SSL_ENABLED_PROP_NAME);
|
stripParam(params, TransportConstants.SSL_ENABLED_PROP_NAME);
|
||||||
stripParam(params, TransportConstants.SSL_PROVIDER);
|
stripParam(params, TransportConstants.SSL_PROVIDER);
|
||||||
stripParam(params, TransportConstants.SSL_KRB5_CONFIG_PROP_NAME);
|
|
||||||
stripParam(params, TransportConstants.KEYSTORE_PATH_PROP_NAME);
|
stripParam(params, TransportConstants.KEYSTORE_PATH_PROP_NAME);
|
||||||
stripParam(params, TransportConstants.KEYSTORE_PASSWORD_PROP_NAME);
|
stripParam(params, TransportConstants.KEYSTORE_PASSWORD_PROP_NAME);
|
||||||
stripParam(params, TransportConstants.KEYSTORE_PROVIDER_PROP_NAME);
|
stripParam(params, TransportConstants.KEYSTORE_PROVIDER_PROP_NAME);
|
||||||
|
|
|
@ -20,8 +20,6 @@ import javax.net.ssl.SNIHostName;
|
||||||
import javax.net.ssl.SSLContext;
|
import javax.net.ssl.SSLContext;
|
||||||
import javax.net.ssl.SSLEngine;
|
import javax.net.ssl.SSLEngine;
|
||||||
import javax.net.ssl.SSLParameters;
|
import javax.net.ssl.SSLParameters;
|
||||||
import javax.security.auth.Subject;
|
|
||||||
import javax.security.auth.login.LoginContext;
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.net.ConnectException;
|
import java.net.ConnectException;
|
||||||
import java.net.InetAddress;
|
import java.net.InetAddress;
|
||||||
|
@ -33,7 +31,6 @@ import java.net.UnknownHostException;
|
||||||
import java.nio.charset.StandardCharsets;
|
import java.nio.charset.StandardCharsets;
|
||||||
import java.security.MessageDigest;
|
import java.security.MessageDigest;
|
||||||
import java.security.NoSuchAlgorithmException;
|
import java.security.NoSuchAlgorithmException;
|
||||||
import java.security.PrivilegedExceptionAction;
|
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
|
@ -265,8 +262,6 @@ public class NettyConnector extends AbstractConnector {
|
||||||
|
|
||||||
private String sniHost;
|
private String sniHost;
|
||||||
|
|
||||||
private String kerb5Config;
|
|
||||||
|
|
||||||
private boolean useDefaultSslContext;
|
private boolean useDefaultSslContext;
|
||||||
|
|
||||||
private boolean tcpNoDelay;
|
private boolean tcpNoDelay;
|
||||||
|
@ -433,8 +428,6 @@ public class NettyConnector extends AbstractConnector {
|
||||||
|
|
||||||
sniHost = ConfigurationHelper.getStringProperty(TransportConstants.SNIHOST_PROP_NAME, TransportConstants.DEFAULT_SNIHOST_CONFIG, configuration);
|
sniHost = ConfigurationHelper.getStringProperty(TransportConstants.SNIHOST_PROP_NAME, TransportConstants.DEFAULT_SNIHOST_CONFIG, configuration);
|
||||||
|
|
||||||
kerb5Config = ConfigurationHelper.getStringProperty(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, TransportConstants.DEFAULT_SSL_KRB5_CONFIG, configuration);
|
|
||||||
|
|
||||||
useDefaultSslContext = ConfigurationHelper.getBooleanProperty(TransportConstants.USE_DEFAULT_SSL_CONTEXT_PROP_NAME, TransportConstants.DEFAULT_USE_DEFAULT_SSL_CONTEXT, configuration);
|
useDefaultSslContext = ConfigurationHelper.getBooleanProperty(TransportConstants.USE_DEFAULT_SSL_CONTEXT_PROP_NAME, TransportConstants.DEFAULT_USE_DEFAULT_SSL_CONTEXT, configuration);
|
||||||
|
|
||||||
trustManagerFactoryPlugin = ConfigurationHelper.getStringProperty(TransportConstants.TRUST_MANAGER_FACTORY_PLUGIN_PROP_NAME, TransportConstants.DEFAULT_TRUST_MANAGER_FACTORY_PLUGIN, configuration);
|
trustManagerFactoryPlugin = ConfigurationHelper.getStringProperty(TransportConstants.TRUST_MANAGER_FACTORY_PLUGIN_PROP_NAME, TransportConstants.DEFAULT_TRUST_MANAGER_FACTORY_PLUGIN, configuration);
|
||||||
|
@ -759,50 +752,22 @@ public class NettyConnector extends AbstractConnector {
|
||||||
final SSLContext context = SSLContextFactoryProvider.getSSLContextFactory()
|
final SSLContext context = SSLContextFactoryProvider.getSSLContextFactory()
|
||||||
.getSSLContext(sslContextConfig, configuration);
|
.getSSLContext(sslContextConfig, configuration);
|
||||||
|
|
||||||
Subject subject = null;
|
if (host != null && port != -1) {
|
||||||
if (kerb5Config != null) {
|
return context.createSSLEngine(host, port);
|
||||||
LoginContext loginContext = new LoginContext(kerb5Config);
|
} else {
|
||||||
loginContext.login();
|
return context.createSSLEngine();
|
||||||
subject = loginContext.getSubject();
|
|
||||||
verifyHost = true;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
|
|
||||||
@Override
|
|
||||||
public SSLEngine run() {
|
|
||||||
if (host != null && port != -1) {
|
|
||||||
return context.createSSLEngine(host, port);
|
|
||||||
} else {
|
|
||||||
return context.createSSLEngine();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
});
|
|
||||||
return engine;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private SSLEngine loadOpenSslEngine(final ByteBufAllocator alloc, final SSLContextConfig sslContextConfig) throws Exception {
|
private SSLEngine loadOpenSslEngine(final ByteBufAllocator alloc, final SSLContextConfig sslContextConfig) throws Exception {
|
||||||
final SslContext context = OpenSSLContextFactoryProvider.getOpenSSLContextFactory()
|
final SslContext context = OpenSSLContextFactoryProvider.getOpenSSLContextFactory()
|
||||||
.getClientSslContext(sslContextConfig, configuration);
|
.getClientSslContext(sslContextConfig, configuration);
|
||||||
|
|
||||||
Subject subject = null;
|
if (host != null && port != -1) {
|
||||||
if (kerb5Config != null) {
|
return context.newEngine(alloc, host, port);
|
||||||
LoginContext loginContext = new LoginContext(kerb5Config);
|
} else {
|
||||||
loginContext.login();
|
return context.newEngine(alloc);
|
||||||
subject = loginContext.getSubject();
|
|
||||||
verifyHost = true;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
|
|
||||||
@Override
|
|
||||||
public SSLEngine run() {
|
|
||||||
if (host != null && port != -1) {
|
|
||||||
return context.newEngine(alloc, host, port);
|
|
||||||
} else {
|
|
||||||
return context.newEngine(alloc);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
});
|
|
||||||
return engine;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|
|
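Review bot: The `else` branches `return context.createSSLEngine();` and `return context.newEngine(alloc);` now build a client engine with no peer host/port, and without a peer host the JDK cannot apply endpoint identification (hostname verification) to that engine even if `verifyHost` is set; the removed Kerberos branch was the only place that forced `verifyHost = true`, so the whole burden now rests on configuration. If `verifyHost` is honoured by setting an endpoint identification algorithm on this engine (that code is outside the hunk), consider warning or failing fast when `verifyHost` is true but `host == null || port == -1`, because verification would otherwise be skipped silently. Separately, `loadOpenSslEngine` keeps `throws Exception` although the `LoginContext`/`Subject.doAs` calls that motivated it are gone; if `getClientSslContext` declares something narrower, the clause can be tightened. `loadJdkSslEngine`'s signature starts outside the hunk.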
@ -33,8 +33,6 @@ public class TransportConstants {
|
||||||
|
|
||||||
public static final String SSL_ENABLED_PROP_NAME = "sslEnabled";
|
public static final String SSL_ENABLED_PROP_NAME = "sslEnabled";
|
||||||
|
|
||||||
public static final String SSL_KRB5_CONFIG_PROP_NAME = "sslKrb5Config";
|
|
||||||
|
|
||||||
public static final String HTTP_ENABLED_PROP_NAME = "httpEnabled";
|
public static final String HTTP_ENABLED_PROP_NAME = "httpEnabled";
|
||||||
|
|
||||||
public static final String HTTP_CLIENT_IDLE_PROP_NAME = "httpClientIdleTime";
|
public static final String HTTP_CLIENT_IDLE_PROP_NAME = "httpClientIdleTime";
|
||||||
|
@ -196,8 +194,6 @@ public class TransportConstants {
|
||||||
|
|
||||||
public static final boolean DEFAULT_SSL_ENABLED = false;
|
public static final boolean DEFAULT_SSL_ENABLED = false;
|
||||||
|
|
||||||
public static final String DEFAULT_SSL_KRB5_CONFIG = null;
|
|
||||||
|
|
||||||
public static final String DEFAULT_SNIHOST_CONFIG = null;
|
public static final String DEFAULT_SNIHOST_CONFIG = null;
|
||||||
|
|
||||||
public static final boolean DEFAULT_USE_GLOBAL_WORKER_POOL = true;
|
public static final boolean DEFAULT_USE_GLOBAL_WORKER_POOL = true;
|
||||||
|
|
|
@ -21,13 +21,10 @@ import javax.net.ssl.SSLContext;
|
||||||
import javax.net.ssl.SSLEngine;
|
import javax.net.ssl.SSLEngine;
|
||||||
import javax.net.ssl.SSLHandshakeException;
|
import javax.net.ssl.SSLHandshakeException;
|
||||||
import javax.net.ssl.SSLParameters;
|
import javax.net.ssl.SSLParameters;
|
||||||
import javax.security.auth.Subject;
|
|
||||||
import javax.security.auth.login.LoginContext;
|
|
||||||
import java.net.InetSocketAddress;
|
import java.net.InetSocketAddress;
|
||||||
import java.net.SocketAddress;
|
import java.net.SocketAddress;
|
||||||
import java.security.AccessController;
|
import java.security.AccessController;
|
||||||
import java.security.PrivilegedAction;
|
import java.security.PrivilegedAction;
|
||||||
import java.security.PrivilegedExceptionAction;
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.HashSet;
|
import java.util.HashSet;
|
||||||
|
@ -189,8 +186,6 @@ public class NettyAcceptor extends AbstractAcceptor {
|
||||||
|
|
||||||
private final String trustManagerFactoryPlugin;
|
private final String trustManagerFactoryPlugin;
|
||||||
|
|
||||||
private final String kerb5Config;
|
|
||||||
|
|
||||||
private String sniHost;
|
private String sniHost;
|
||||||
|
|
||||||
private final boolean tcpNoDelay;
|
private final boolean tcpNoDelay;
|
||||||
|
@ -269,8 +264,6 @@ public class NettyAcceptor extends AbstractAcceptor {
|
||||||
|
|
||||||
sslEnabled = ConfigurationHelper.getBooleanProperty(TransportConstants.SSL_ENABLED_PROP_NAME, TransportConstants.DEFAULT_SSL_ENABLED, configuration);
|
sslEnabled = ConfigurationHelper.getBooleanProperty(TransportConstants.SSL_ENABLED_PROP_NAME, TransportConstants.DEFAULT_SSL_ENABLED, configuration);
|
||||||
|
|
||||||
kerb5Config = ConfigurationHelper.getStringProperty(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, TransportConstants.DEFAULT_SSL_KRB5_CONFIG, configuration);
|
|
||||||
|
|
||||||
remotingThreads = ConfigurationHelper.getIntProperty(TransportConstants.NIO_REMOTING_THREADS_PROPNAME, -1, configuration);
|
remotingThreads = ConfigurationHelper.getIntProperty(TransportConstants.NIO_REMOTING_THREADS_PROPNAME, -1, configuration);
|
||||||
remotingThreads = ConfigurationHelper.getIntProperty(TransportConstants.REMOTING_THREADS_PROPNAME, remotingThreads, configuration);
|
remotingThreads = ConfigurationHelper.getIntProperty(TransportConstants.REMOTING_THREADS_PROPNAME, remotingThreads, configuration);
|
||||||
|
|
||||||
|
@ -674,55 +667,31 @@ public class NettyAcceptor extends AbstractAcceptor {
|
||||||
|
|
||||||
private SSLEngine loadJdkSslEngine(String peerHost, int peerPort) throws Exception {
|
private SSLEngine loadJdkSslEngine(String peerHost, int peerPort) throws Exception {
|
||||||
final SSLContext context = (SSLContext) providerAgnosticSslContext;
|
final SSLContext context = (SSLContext) providerAgnosticSslContext;
|
||||||
Subject subject = null;
|
|
||||||
if (kerb5Config != null) {
|
|
||||||
LoginContext loginContext = new LoginContext(kerb5Config);
|
|
||||||
loginContext.login();
|
|
||||||
subject = loginContext.getSubject();
|
|
||||||
}
|
|
||||||
|
|
||||||
SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
|
if (peerHost != null && peerPort != 0) {
|
||||||
@Override
|
return context.createSSLEngine(peerHost, peerPort);
|
||||||
public SSLEngine run() {
|
} else {
|
||||||
if (peerHost != null && peerPort != 0) {
|
return context.createSSLEngine();
|
||||||
return context.createSSLEngine(peerHost, peerPort);
|
}
|
||||||
} else {
|
|
||||||
return context.createSSLEngine();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
});
|
|
||||||
return engine;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private void checkSSLConfiguration() throws IllegalArgumentException {
|
private void checkSSLConfiguration() throws IllegalArgumentException {
|
||||||
if (configuration.containsKey(TransportConstants.SSL_CONTEXT_PROP_NAME)) {
|
if (configuration.containsKey(TransportConstants.SSL_CONTEXT_PROP_NAME)) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (kerb5Config == null && keyStorePath == null && TransportConstants.DEFAULT_KEYSTORE_PROVIDER.equals(keyStoreProvider)) {
|
if (keyStorePath == null && TransportConstants.DEFAULT_KEYSTORE_PROVIDER.equals(keyStoreProvider)) {
|
||||||
throw new IllegalArgumentException("If \"" + TransportConstants.SSL_ENABLED_PROP_NAME + "\" is true then \"" + TransportConstants.KEYSTORE_PATH_PROP_NAME + "\" must be non-null unless an alternative \"" + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "\" has been specified.");
|
throw new IllegalArgumentException("If \"" + TransportConstants.SSL_ENABLED_PROP_NAME + "\" is true then \"" + TransportConstants.KEYSTORE_PATH_PROP_NAME + "\" must be non-null unless an alternative \"" + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "\" has been specified.");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private SSLEngine loadOpenSslEngine(ByteBufAllocator alloc, String peerHost, int peerPort) throws Exception {
|
private SSLEngine loadOpenSslEngine(ByteBufAllocator alloc, String peerHost, int peerPort) throws Exception {
|
||||||
final SslContext context = (SslContext) providerAgnosticSslContext;
|
final SslContext context = (SslContext) providerAgnosticSslContext;
|
||||||
Subject subject = null;
|
|
||||||
if (kerb5Config != null) {
|
|
||||||
LoginContext loginContext = new LoginContext(kerb5Config);
|
|
||||||
loginContext.login();
|
|
||||||
subject = loginContext.getSubject();
|
|
||||||
}
|
|
||||||
|
|
||||||
SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
|
if (peerHost != null && peerPort != 0) {
|
||||||
@Override
|
return context.newEngine(alloc, peerHost, peerPort);
|
||||||
public SSLEngine run() {
|
} else {
|
||||||
if (peerHost != null && peerPort != 0) {
|
return context.newEngine(alloc);
|
||||||
return context.newEngine(alloc, peerHost, peerPort);
|
}
|
||||||
} else {
|
|
||||||
return context.newEngine(alloc);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
});
|
|
||||||
return engine;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private void startServerChannels() {
|
private void startServerChannels() {
|
||||||
|
|
|
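Review bot: With `kerb5Config == null &&` dropped from the guard in `checkSSLConfiguration`, an acceptor whose configuration still carries the now-unrecognised `sslKrb5Config` key is treated as plain keystore TLS: with no keystore it fails with a message that never mentions the removed option, and with a keystore it silently loses the Kerberos authentication it used to perform. Since this commit also deletes the constants from `TransportConstants`, a check such as `if (configuration.containsKey("sslKrb5Config")) { /* log a warning: Kerberos TLS support was removed, this key is ignored */ }` at the top of `checkSSLConfiguration` (using whatever logger this class has; not visible here) would make the behaviour change loud for operators. Also, `loadJdkSslEngine` and `loadOpenSslEngine` now only call `createSSLEngine`/`newEngine`, which as far as I know declare no checked exceptions, so their `throws Exception` can be dropped and the callers' catch blocks narrowed accordingly.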
@ -1159,16 +1159,6 @@ amqp-sasl-gssapi {
|
||||||
};
|
};
|
||||||
```
|
```
|
||||||
|
|
||||||
##### TLS Kerberos Cipher Suites
|
|
||||||
|
|
||||||
The legacy [rfc2712](https://www.ietf.org/rfc/rfc2712.txt) defines TLS Kerberos
|
|
||||||
cipher suites that can be used by TLS to negotiate Kerberos authentication. The
|
|
||||||
cypher suites offered by rfc2712 are dated and insecure and rfc2712 has been
|
|
||||||
superseded by SASL GSSAPI. However, for clients that don't support SASL (core
|
|
||||||
client), using TLS can provide Kerberos authentication over an *unsecure*
|
|
||||||
channel.
|
|
||||||
|
|
||||||
|
|
||||||
### Role Mapping
|
### Role Mapping
|
||||||
|
|
||||||
On the server, a Kerberos or SCRAM-SHA JAAS authenticated Principal must be added to the
|
On the server, a Kerberos or SCRAM-SHA JAAS authenticated Principal must be added to the
|
||||||
|
|
|
@ -282,21 +282,6 @@ Krb5PlusLdapMemberOfNoRoleName {
|
||||||
;
|
;
|
||||||
};
|
};
|
||||||
|
|
||||||
core-tls-krb5-server {
|
|
||||||
com.sun.security.auth.module.Krb5LoginModule required
|
|
||||||
isInitiator=false
|
|
||||||
storeKey=true
|
|
||||||
useKeyTab=true
|
|
||||||
principal="host/sni.host"
|
|
||||||
debug=true;
|
|
||||||
};
|
|
||||||
|
|
||||||
core-tls-krb5-client {
|
|
||||||
com.sun.security.auth.module.Krb5LoginModule required
|
|
||||||
principal="client"
|
|
||||||
useKeyTab=true;
|
|
||||||
};
|
|
||||||
|
|
||||||
amqp-sasl-gssapi {
|
amqp-sasl-gssapi {
|
||||||
com.sun.security.auth.module.Krb5LoginModule required
|
com.sun.security.auth.module.Krb5LoginModule required
|
||||||
isInitiator=false
|
isInitiator=false
|
||||||
|
|