ARTEMIS-3038: unwind effect of defunct changes from ARTEMIS-1264
Follows earlier test removal in a3de3d4c75
This commit is contained in:
parent
15c2dbb1c3
commit
a5b5a504e0
|
@ -56,7 +56,6 @@ public class FederationDownstreamConfiguration extends FederationStreamConfigura
|
|||
//The federated server that creates the upstream back will rely on its config from the acceptor for TLS
|
||||
stripParam(params, TransportConstants.SSL_ENABLED_PROP_NAME);
|
||||
stripParam(params, TransportConstants.SSL_PROVIDER);
|
||||
stripParam(params, TransportConstants.SSL_KRB5_CONFIG_PROP_NAME);
|
||||
stripParam(params, TransportConstants.KEYSTORE_PATH_PROP_NAME);
|
||||
stripParam(params, TransportConstants.KEYSTORE_PASSWORD_PROP_NAME);
|
||||
stripParam(params, TransportConstants.KEYSTORE_PROVIDER_PROP_NAME);
|
||||
|
|
|
@ -20,8 +20,6 @@ import javax.net.ssl.SNIHostName;
|
|||
import javax.net.ssl.SSLContext;
|
||||
import javax.net.ssl.SSLEngine;
|
||||
import javax.net.ssl.SSLParameters;
|
||||
import javax.security.auth.Subject;
|
||||
import javax.security.auth.login.LoginContext;
|
||||
import java.io.IOException;
|
||||
import java.net.ConnectException;
|
||||
import java.net.InetAddress;
|
||||
|
@ -33,7 +31,6 @@ import java.net.UnknownHostException;
|
|||
import java.nio.charset.StandardCharsets;
|
||||
import java.security.MessageDigest;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
|
@ -265,8 +262,6 @@ public class NettyConnector extends AbstractConnector {
|
|||
|
||||
private String sniHost;
|
||||
|
||||
private String kerb5Config;
|
||||
|
||||
private boolean useDefaultSslContext;
|
||||
|
||||
private boolean tcpNoDelay;
|
||||
|
@ -433,8 +428,6 @@ public class NettyConnector extends AbstractConnector {
|
|||
|
||||
sniHost = ConfigurationHelper.getStringProperty(TransportConstants.SNIHOST_PROP_NAME, TransportConstants.DEFAULT_SNIHOST_CONFIG, configuration);
|
||||
|
||||
kerb5Config = ConfigurationHelper.getStringProperty(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, TransportConstants.DEFAULT_SSL_KRB5_CONFIG, configuration);
|
||||
|
||||
useDefaultSslContext = ConfigurationHelper.getBooleanProperty(TransportConstants.USE_DEFAULT_SSL_CONTEXT_PROP_NAME, TransportConstants.DEFAULT_USE_DEFAULT_SSL_CONTEXT, configuration);
|
||||
|
||||
trustManagerFactoryPlugin = ConfigurationHelper.getStringProperty(TransportConstants.TRUST_MANAGER_FACTORY_PLUGIN_PROP_NAME, TransportConstants.DEFAULT_TRUST_MANAGER_FACTORY_PLUGIN, configuration);
|
||||
|
@ -759,51 +752,23 @@ public class NettyConnector extends AbstractConnector {
|
|||
final SSLContext context = SSLContextFactoryProvider.getSSLContextFactory()
|
||||
.getSSLContext(sslContextConfig, configuration);
|
||||
|
||||
Subject subject = null;
|
||||
if (kerb5Config != null) {
|
||||
LoginContext loginContext = new LoginContext(kerb5Config);
|
||||
loginContext.login();
|
||||
subject = loginContext.getSubject();
|
||||
verifyHost = true;
|
||||
}
|
||||
|
||||
SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
|
||||
@Override
|
||||
public SSLEngine run() {
|
||||
if (host != null && port != -1) {
|
||||
return context.createSSLEngine(host, port);
|
||||
} else {
|
||||
return context.createSSLEngine();
|
||||
}
|
||||
}
|
||||
});
|
||||
return engine;
|
||||
}
|
||||
|
||||
private SSLEngine loadOpenSslEngine(final ByteBufAllocator alloc, final SSLContextConfig sslContextConfig) throws Exception {
|
||||
final SslContext context = OpenSSLContextFactoryProvider.getOpenSSLContextFactory()
|
||||
.getClientSslContext(sslContextConfig, configuration);
|
||||
|
||||
Subject subject = null;
|
||||
if (kerb5Config != null) {
|
||||
LoginContext loginContext = new LoginContext(kerb5Config);
|
||||
loginContext.login();
|
||||
subject = loginContext.getSubject();
|
||||
verifyHost = true;
|
||||
}
|
||||
|
||||
SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
|
||||
@Override
|
||||
public SSLEngine run() {
|
||||
if (host != null && port != -1) {
|
||||
return context.newEngine(alloc, host, port);
|
||||
} else {
|
||||
return context.newEngine(alloc);
|
||||
}
|
||||
}
|
||||
});
|
||||
return engine;
|
||||
}
|
||||
|
||||
@Override
|
||||
public synchronized void close() {
|
||||
|
|
|
@ -33,8 +33,6 @@ public class TransportConstants {
|
|||
|
||||
public static final String SSL_ENABLED_PROP_NAME = "sslEnabled";
|
||||
|
||||
public static final String SSL_KRB5_CONFIG_PROP_NAME = "sslKrb5Config";
|
||||
|
||||
public static final String HTTP_ENABLED_PROP_NAME = "httpEnabled";
|
||||
|
||||
public static final String HTTP_CLIENT_IDLE_PROP_NAME = "httpClientIdleTime";
|
||||
|
@ -196,8 +194,6 @@ public class TransportConstants {
|
|||
|
||||
public static final boolean DEFAULT_SSL_ENABLED = false;
|
||||
|
||||
public static final String DEFAULT_SSL_KRB5_CONFIG = null;
|
||||
|
||||
public static final String DEFAULT_SNIHOST_CONFIG = null;
|
||||
|
||||
public static final boolean DEFAULT_USE_GLOBAL_WORKER_POOL = true;
|
||||
|
|
|
@ -21,13 +21,10 @@ import javax.net.ssl.SSLContext;
|
|||
import javax.net.ssl.SSLEngine;
|
||||
import javax.net.ssl.SSLHandshakeException;
|
||||
import javax.net.ssl.SSLParameters;
|
||||
import javax.security.auth.Subject;
|
||||
import javax.security.auth.login.LoginContext;
|
||||
import java.net.InetSocketAddress;
|
||||
import java.net.SocketAddress;
|
||||
import java.security.AccessController;
|
||||
import java.security.PrivilegedAction;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.HashSet;
|
||||
|
@ -189,8 +186,6 @@ public class NettyAcceptor extends AbstractAcceptor {
|
|||
|
||||
private final String trustManagerFactoryPlugin;
|
||||
|
||||
private final String kerb5Config;
|
||||
|
||||
private String sniHost;
|
||||
|
||||
private final boolean tcpNoDelay;
|
||||
|
@ -269,8 +264,6 @@ public class NettyAcceptor extends AbstractAcceptor {
|
|||
|
||||
sslEnabled = ConfigurationHelper.getBooleanProperty(TransportConstants.SSL_ENABLED_PROP_NAME, TransportConstants.DEFAULT_SSL_ENABLED, configuration);
|
||||
|
||||
kerb5Config = ConfigurationHelper.getStringProperty(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, TransportConstants.DEFAULT_SSL_KRB5_CONFIG, configuration);
|
||||
|
||||
remotingThreads = ConfigurationHelper.getIntProperty(TransportConstants.NIO_REMOTING_THREADS_PROPNAME, -1, configuration);
|
||||
remotingThreads = ConfigurationHelper.getIntProperty(TransportConstants.REMOTING_THREADS_PROPNAME, remotingThreads, configuration);
|
||||
|
||||
|
@ -674,56 +667,32 @@ public class NettyAcceptor extends AbstractAcceptor {
|
|||
|
||||
private SSLEngine loadJdkSslEngine(String peerHost, int peerPort) throws Exception {
|
||||
final SSLContext context = (SSLContext) providerAgnosticSslContext;
|
||||
Subject subject = null;
|
||||
if (kerb5Config != null) {
|
||||
LoginContext loginContext = new LoginContext(kerb5Config);
|
||||
loginContext.login();
|
||||
subject = loginContext.getSubject();
|
||||
}
|
||||
|
||||
SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
|
||||
@Override
|
||||
public SSLEngine run() {
|
||||
if (peerHost != null && peerPort != 0) {
|
||||
return context.createSSLEngine(peerHost, peerPort);
|
||||
} else {
|
||||
return context.createSSLEngine();
|
||||
}
|
||||
}
|
||||
});
|
||||
return engine;
|
||||
}
|
||||
|
||||
private void checkSSLConfiguration() throws IllegalArgumentException {
|
||||
if (configuration.containsKey(TransportConstants.SSL_CONTEXT_PROP_NAME)) {
|
||||
return;
|
||||
}
|
||||
if (kerb5Config == null && keyStorePath == null && TransportConstants.DEFAULT_KEYSTORE_PROVIDER.equals(keyStoreProvider)) {
|
||||
if (keyStorePath == null && TransportConstants.DEFAULT_KEYSTORE_PROVIDER.equals(keyStoreProvider)) {
|
||||
throw new IllegalArgumentException("If \"" + TransportConstants.SSL_ENABLED_PROP_NAME + "\" is true then \"" + TransportConstants.KEYSTORE_PATH_PROP_NAME + "\" must be non-null unless an alternative \"" + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "\" has been specified.");
|
||||
}
|
||||
}
|
||||
|
||||
private SSLEngine loadOpenSslEngine(ByteBufAllocator alloc, String peerHost, int peerPort) throws Exception {
|
||||
final SslContext context = (SslContext) providerAgnosticSslContext;
|
||||
Subject subject = null;
|
||||
if (kerb5Config != null) {
|
||||
LoginContext loginContext = new LoginContext(kerb5Config);
|
||||
loginContext.login();
|
||||
subject = loginContext.getSubject();
|
||||
}
|
||||
|
||||
SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
|
||||
@Override
|
||||
public SSLEngine run() {
|
||||
if (peerHost != null && peerPort != 0) {
|
||||
return context.newEngine(alloc, peerHost, peerPort);
|
||||
} else {
|
||||
return context.newEngine(alloc);
|
||||
}
|
||||
}
|
||||
});
|
||||
return engine;
|
||||
}
|
||||
|
||||
private void startServerChannels() {
|
||||
String[] hosts = TransportConfiguration.splitHosts(host);
|
||||
|
|
|
@ -1159,16 +1159,6 @@ amqp-sasl-gssapi {
|
|||
};
|
||||
```
|
||||
|
||||
##### TLS Kerberos Cipher Suites
|
||||
|
||||
The legacy [rfc2712](https://www.ietf.org/rfc/rfc2712.txt) defines TLS Kerberos
|
||||
cipher suites that can be used by TLS to negotiate Kerberos authentication. The
|
||||
cypher suites offered by rfc2712 are dated and insecure and rfc2712 has been
|
||||
superseded by SASL GSSAPI. However, for clients that don't support SASL (core
|
||||
client), using TLS can provide Kerberos authentication over an *unsecure*
|
||||
channel.
|
||||
|
||||
|
||||
### Role Mapping
|
||||
|
||||
On the server, a Kerberos or SCRAM-SHA JAAS authenticated Principal must be added to the
|
||||
|
|
|
@ -282,21 +282,6 @@ Krb5PlusLdapMemberOfNoRoleName {
|
|||
;
|
||||
};
|
||||
|
||||
core-tls-krb5-server {
|
||||
com.sun.security.auth.module.Krb5LoginModule required
|
||||
isInitiator=false
|
||||
storeKey=true
|
||||
useKeyTab=true
|
||||
principal="host/sni.host"
|
||||
debug=true;
|
||||
};
|
||||
|
||||
core-tls-krb5-client {
|
||||
com.sun.security.auth.module.Krb5LoginModule required
|
||||
principal="client"
|
||||
useKeyTab=true;
|
||||
};
|
||||
|
||||
amqp-sasl-gssapi {
|
||||
com.sun.security.auth.module.Krb5LoginModule required
|
||||
isInitiator=false
|
||||
|
|
Loading…
Reference in New Issue