Apache
/
activemq-artemis
mirror of https://github.com/apache/activemq-artemis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[ARTEMIS-1310] require mechanism to be explicitly enabled

This commit is contained in:
gtully 2017-08-02 15:05:50 +01:00 committed by Clebert Suconic
parent 9fedb47c40
commit db62ed92f7
2 changed files with 16 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/sasl/MechanismFinder.java
View File

@ -19,7 +19,7 @@ package org.apache.activemq.artemis.protocol.amqp.sasl;
public class MechanismFinder {
public static String[] KNOWN_MECHANISMS = new String[]{PlainSASL.NAME, GSSAPIServerSASL.NAME, AnonymousServerSASL.NAME};
public static String[] KNOWN_MECHANISMS = new String[]{PlainSASL.NAME, AnonymousServerSASL.NAME};
public static String[] getKnownMechanisms() {
return KNOWN_MECHANISMS;

24
docs/user-manual/en/security.md
View File

@ -651,19 +651,25 @@ The simplest way to make the login configuration available to JAAS is to add the
### Kerberos Authentication
The [https://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html]
can be used with JAAS on both the client and server to authenticate with Kerberos.
The [Krb5LoginModule](https://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html)
can be used with JAAS to authenticate using the Kerberos protocol.
Using SASL over AMQP, Kerberos authentication is supported using the `GSSAPI` SASL mechanism. By default the server will use a
JAAS login configuration scope named `amqp-sasl-gssapi` to obtain it acceptor Kerberos credentials. The config scope can be
specified explicitly on the amqp acceptor url using the parameter: `saslLoginConfigScope=<some other scope>`.
Using SASL over [AMQP](using-AMQP.md), Kerberos authentication is supported using the `GSSAPI` SASL mechanism. With SASL doing Kerberos
authentication, TLS can be used to provide integrity and confidentially to the communications channel in the normal way.
The `GSSAPI` SASL mechanism must be enabled on the amqp acceptor by adding it to the `saslMechanisms` list url parameter:
`saslMechanisms="GSSAPI<,PLAIN, etc>`.
On the server, the Kerberos authenticated peer Principal can be extracted from the calling context as a UserPrincipal
using a dedicated login module:
By default the server will use a JAAS login configuration scope named `amqp-sasl-gssapi` to obtain acceptor Kerberos
credentials. An alternative configuration scope can be specified on the amqp acceptor url using the parameter: `saslLoginConfigScope=<some other scope>`.
org.apache.activemq.artemis.spi.core.security.jaas.Krb5LoginModule
On the server, the Kerberos authenticated Peer Principal can be associated with a JAAS Subject as an Apache ActiveMQ Artemis UserPrincipal
using the Apache ActiveMQ Artemis Krb5LoginModule login module. The [PropertiesLoginModule](#propertiesloginmodule) can be used to map
the peer principal to a role.
Note: the Kerberos Peer Principal does not exist as an Apache ActiveMQ Artemis user.
The legacy [http://www.ietf.org/rfc/rfc2712.txt] defines TLS Kerberos cipher suites that can be used by TLS to negotiate
org.apache.activemq.artemis.spi.core.security.jaas.Krb5LoginModule optional;
The legacy [rfc2712](http://www.ietf.org/rfc/rfc2712.txt) defines TLS Kerberos cipher suites that can be used by TLS to negotiate
Kerberos authentication. The cypher suites offered by rfc2712 are dated and insecure and rfc2712 has been superseded by
SASL GSSAPI. However, for clients that don't support SASL (core client), using TLS can provide Kerberos authentication
over an *unsecure* channel.