Commit Graph

62 Commits

Author SHA1 Message Date
Howard Gao 3ab5dcfc28 NO JIRA - fixing doc typo 2020-11-05 10:28:41 -05:00
Justin Bertram 75e12b5e1d ARTEMIS-2947 Implement SecurityManager that supports replication 2020-10-19 10:07:57 -04:00
Justin Bertram 9a90248f49 ARTEMIS-2889 better support for JMS topics with legacy LDAP plugin 2020-09-16 10:14:57 -04:00
gtully ec1c5a96c7 ARTEMIS-2895 - ensure propagated credentials are visible for bind and removed for subsequent mapping operations 2020-09-07 16:32:57 +01:00
Justin Bertram 90853409a0 ARTEMIS-2886 optimize security auth
Both authentication and authorization will hit the underlying security
repository (e.g. files, LDAP, etc.). For example, creating a JMS
connection and a consumer will result in 2 hits with the *same*
authentication request. This can cause unwanted (and unnecessary)
resource utilization, especially in the case of networked configuration
like LDAP.

There is already a rudimentary cache for authorization, but it is
cleared *totally* every 10 seconds by default (controlled via the
security-invalidation-interval setting), and it must be populated
initially which still results in duplicate auth requests.

This commit optimizes authentication and authorization via the following
changes:

 - Replace our home-grown cache with Google Guava's cache. This provides
simple caching with both time-based and size-based LRU eviction. See more
at https://github.com/google/guava/wiki/CachesExplained. I also thought
about using Caffeine, but we already have a dependency on Guava and the
cache implementations look to be negligibly different for this use-case.
 - Add caching for authentication. Both successful and unsuccessful
authentication attempts will be cached to spare the underlying security
repository as much as possible. Authenticated Subjects will be cached
and re-used whenever possible.
 - Authorization will use Subjects cached during authentication. If the
required Subject is not in the cache it will be fetched from the
underlying security repo.
 - Caching can be disabled by setting the security-invalidation-interval
to 0.
 - Cache sizes are configurable.
 - Management operations exist to inspect cache sizes at runtime.
2020-08-26 13:36:24 -05:00
Justin Bertram d86067a65b ARTEMIS-2872 support FQQN syntax for security-settings 2020-08-22 18:24:40 -05:00
Justin Bertram 6709883d0e ARTEMIS-2738 implement per-acceptor security domains 2020-04-28 21:45:38 -04:00
Justin Bertram fb60795b59 NO-JIRA fix user command parameter docs 2020-02-05 08:36:34 -06:00
Justin Bertram 1ad8b3c059 ARTEMIS-2590 support com.sun.jndi.ldap.read.timeout in LDAPLoginModule 2020-01-08 12:38:27 -05:00
Justin Bertram c06404406c ARTEMIS-2574 allow security manager config via XML
The test-suite has long used the broker's ability to configure the
security manager. This commit implements this functionality via XML
configuration.
2019-12-12 15:48:43 -05:00
Joshua Smith d7d11a0c6f ARTEMIS-2535 Add ignorePartialResultException option to LDAPLoginModule
Active Directory servers are unable to handle referrals automatically.
This causes a PartialResultException to be thrown if a referral is
encountered beneath the base search DN, even if the LDAPLoginModule is
set to ignore referrals.

This option may be set to 'true' to ignore these exceptions, allowing
login to proceed with the query results received before the exception
was encountered.

Note: there are no tests for this change as I could not reproduce the
issue with the ApacheDS test server. The issue is specific to directory
servers that don't support the ManageDsaIT control such as Active
Directory.
2019-10-30 13:47:50 -07:00
Sascha Dirbach 8043828e84 ARTEMIS-2521 add documentation for role-mapping 2019-10-16 18:18:04 +02:00
gtully b20c2593e9 ARTEMIS-2433 add ExternalCertificateLoginModule to surface a SASL EXTERNAL identity (subjectDN) to JAAS. 2019-08-25 23:57:20 -04:00
Justin Bertram d379cda374 ARTEMIS-2447 allow mapping admin to manage in LDAP plugin 2019-08-06 15:27:18 -05:00
Justin Bertram d125a78841 ARTEMIS-2396 improve password masking doc 2019-06-26 18:05:00 -04:00
Justin Bertram 4a1fc61fcc ARTEMIS-2243 user/role ops for PropertiesLoginModule via mgmnt 2019-02-07 10:16:01 -05:00
Ville Skyttä 3400c0d76e NO-JIRA Grammar and spelling fixes 2018-10-08 20:45:59 -04:00
Justin Bertram 7b4be5008d ARTEMIS-1974 document LDAP role expansion 2018-07-12 12:42:01 -04:00
gtully d54e5a7868 ARTEMIS-1971 Support connection pooling in LDAPLoginModule 2018-07-06 13:53:29 -05:00
Justin Bertram 2b5d8f3b80 ARTEMIS-1912 big doc refactor
- Split protocols into individual chapters
- Reorganize summary to flow more logically
- Fill in missing parameters in configuration index
- Normalize spaces for ordered and unordered lists
- Re-wrap lots of text for readability
- Fix incorrect XML snippets
- Normalize table formatting
- Improve internal links with anchors
- Update content to reflect new address model
- Resized architecture images to avoid excessive white-space
- Update some JavaDoc
- Update some schema elements
- Disambiguate AIO & ASYNCIO where necessary
- Use URIs instead of Objects in code examples
2018-06-07 11:26:36 -04:00
Lionel Cons 1e81361a88 ARTEMIS-1740: Add support for regex based certificate authentication 2018-04-12 12:55:20 -04:00
gtully 72ec6c8e0b [ARTEMIS-1758] support SASL EXTERNAL with TextCertLoginModule
- rework proton handler to use saslListener
2018-03-22 10:09:58 -04:00
Justin Bertram 86c9e7267b NO-JIRA review docs for content, style, & format 2018-03-08 22:47:10 -05:00
Justin Bertram 2123f85ea9 ARTEMIS-1717 create/delete address permissions ignored in broker.xml 2018-03-01 14:02:57 -06:00
Jiri Danek 472e429540 NO-JIRA fix warnings from w3c/link-checker in docs
also update URLs and `s/http/https` in docs wherever possible
2018-01-10 13:07:40 +01:00
Justin Bertram 84bedaf2e4 ARTEMIS-1547 support referrals in LDAP login module 2017-12-10 21:50:47 +00:00
Andy Taylor 804e12c7ce ARTEMIS-1491 - removed duplicate Jolokia instance
https://issues.apache.org/jira/browse/ARTEMIS-1491
2017-10-31 09:33:10 -05:00
gtully d402756e09 ARTEMIS-1373 - ensure roleName is in the doc config example 2017-09-07 16:14:55 +01:00
gtully 99b2e4c0fb ARTEMIS-1373 - support memberOf type query for role mapping and respect roleName attribute AMQ-3064 2017-09-07 14:11:48 +01:00
gtully 125bd41f9d ARTEMIS-1372 ARTEMIS-1373 documentation updates 2017-09-06 10:22:28 +01:00
Justin Bertram 714655a051 NO-JIRA improve password masking doc & code
Move password masking documentation into its own chapter and tweak it a
bit for clarity and comprehensiveness.
2017-09-05 16:40:38 -04:00
Justin Bertram bb7251ba08 ARTEMIS-1380 simplify docs with URL syntax 2017-08-31 12:04:08 -04:00
Justin Bertram 90b7f075d0 NO-JIRA clean up docs
Remove some outdated material, fix a few links, & clean up a few
random bits.
2017-08-28 21:38:03 -05:00
gtully 840ff8d237 [ARTEMIS-1310] addition of protocol to sample acceptor url to krb5 doc 2017-08-10 14:07:26 +01:00
gtully a4fc94880a [ARTEMIS-1310] addition of sample acceptor url to krb5 doc 2017-08-10 13:37:57 +01:00
gtully 5909a24cd3 [ARTEMIS-1310] addition of sample config scope to krb5 doc 2017-08-09 17:21:39 +01:00
gtully db62ed92f7 [ARTEMIS-1310] require mechanism to be explicitly enabled 2017-08-08 13:28:50 -04:00
gtully ca7197b5c3 [ARTEMIS-1310] add amqp sasl gssapi mechanism support
delegate to the jdk saslServer. Allow acceptor configuration of supported mechanisms; saslMechanisms=<a,b>
and allow login config scope for krb5 to be configured via saslLoginConfigScope=x
2017-08-08 13:28:50 -04:00
zhabba 58e79eb5e4 Update security.md
Actual number of permissions is eight, not seven.
2016-12-13 15:31:24 +01:00
Paul Gallagher e4d58ce596 Upgrade Jolokia version 2016-10-24 12:28:49 +01:00
Howard Gao 2fb8341f8d ARTEMIS-604 - Add checks for object messages in REST and AMQP
- Rest interface fix
  - Doc fixes (Rest->REST)
  - JSON management and AMQP outbound
2016-08-09 11:22:48 +01:00
Howard Gao 0535218cfc ARTEMIS-604 - Message Serialization Improvement
- JMS and RA fixes
2016-08-09 11:22:48 +01:00
jbertram e9db9c286d ARTEMIS-628 add BROWSE role 2016-07-12 16:21:57 -05:00
jbertram 765b225924 ARTEMIS-584 add validated user to msg
Implements a new feature to aid in security auditing by adding the name
of the validated user to the messages it sends.
2016-07-06 09:37:29 -05:00
Howard Gao 3522979bda More on ARTEMIS-594: support HTTPS access to hawtio
Remove the keystore.jks in distribution
  Add documentation
  Add cli options
2016-06-30 09:56:58 +08:00
jbertram e1b6393f70 ARTEMIS-579 document reload for JAAS modules 2016-06-20 13:41:09 -05:00
jbertram 7715b5ee12 ARTEMIS-529 support dual auth
A new feature whereby 2-way SSL connections can be authenticated differently
than non-SSL connections.
2016-06-17 11:07:03 -05:00
jbertram d94c044e90 ARTEMIS-349 LDAP plugin listener
This feature required a bit of refactoring to the plugin interface itself as
well as a restriction on the configuration so that either only one plugin could
be specified or an unlimited number of security-setting matches. This was done
to prevent messy situations where a plugin could update settings from the XML
or even another plugin if there were overlapping matches.
2016-01-19 09:45:52 -05:00
jbertram 9c0cc6085c fix security doc 2016-01-05 10:44:30 -05:00
jbertram 0c407922a8 ARTEMIS-261 cert-based auth 2015-11-04 15:56:33 -05:00