From 0d05af661405f9f765182c7570ddf6a518870f6b Mon Sep 17 00:00:00 2001 From: Bosanac Dejan Date: Mon, 17 May 2010 16:04:23 +0000 Subject: [PATCH] https://issues.apache.org/activemq/browse/AMQ-2456 - JaasDualAuthentcationPlugin/Broker git-svn-id: https://svn.apache.org/repos/asf/activemq/trunk@945227 13f79535-47bb-0310-9956-ffa450edef68 --- .../JaasDualAuthenticationBroker.java | 122 ++++++++++ .../JaasDualAuthenticationPlugin.java | 51 +++++ .../JaasDualAuthenticationBrokerTest.java | 209 ++++++++++++++++++ .../security/StubDualJaasConfiguration.java | 43 ++++ 4 files changed, 425 insertions(+) create mode 100644 activemq-core/src/main/java/org/apache/activemq/security/JaasDualAuthenticationBroker.java create mode 100644 activemq-core/src/main/java/org/apache/activemq/security/JaasDualAuthenticationPlugin.java create mode 100644 activemq-core/src/test/java/org/apache/activemq/security/JaasDualAuthenticationBrokerTest.java create mode 100644 activemq-core/src/test/java/org/apache/activemq/security/StubDualJaasConfiguration.java diff --git a/activemq-core/src/main/java/org/apache/activemq/security/JaasDualAuthenticationBroker.java b/activemq-core/src/main/java/org/apache/activemq/security/JaasDualAuthenticationBroker.java new file mode 100644 index 0000000000..b76879e6b2 --- /dev/null +++ b/activemq-core/src/main/java/org/apache/activemq/security/JaasDualAuthenticationBroker.java @@ -0,0 +1,122 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.activemq.security; + +import org.apache.activemq.broker.*; +import org.apache.activemq.broker.jmx.ManagedTransportConnector; +import org.apache.activemq.command.ConnectionInfo; + +import org.apache.activemq.transport.tcp.SslTransportServer; + +/** + * A JAAS Authentication Broker that uses different JAAS domain configurations + * depending if the connection is over an SSL enabled Connector or not. + * + * This allows you to, for instance, do DN based authentication for SSL connections + * and use a mixture of username/passwords and simple guest authentication for + * non-SSL connections. + *

+ * An example login.config to do do this is: + * 

+ * activemq-domain {
+ *   org.apache.activemq.jaas.PropertiesLoginModule sufficient
+ *       debug=true
+ *       org.apache.activemq.jaas.properties.user="users.properties"
+ *       org.apache.activemq.jaas.properties.group="groups.properties";
+ *   org.apache.activemq.jaas.GuestLoginModule sufficient
+ *       debug=true
+ *       org.apache.activemq.jaas.guest.user="guest"
+ *       org.apache.activemq.jaas.guest.group="guests";
+ * };
+ *
+ * activemq-ssl-domain {
+ *   org.apache.activemq.jaas.TextFileCertificateLoginModule required
+ *       debug=true
+ *       org.apache.activemq.jaas.textfiledn.user="dns.properties"
+ *       org.apache.activemq.jaas.textfiledn.group="groups.properties";
+ * };
+ *
+ */ +public class JaasDualAuthenticationBroker extends BrokerFilter { + private final JaasCertificateAuthenticationBroker sslBroker; + private final JaasAuthenticationBroker nonSslBroker; + + + /*** Simple constructor. Leaves everything to superclass. + * + * @param next The Broker that does the actual work for this Filter. + * @param jaasConfiguration The JAAS domain configuration name for + * non-SSL connections (refer to JAAS documentation). + * @param jaasSslConfiguration The JAAS domain configuration name for + * SSL connections (refer to JAAS documentation). + */ + public JaasDualAuthenticationBroker(Broker next, String jaasConfiguration, String jaasSslConfiguration) { + super(next); + + this.nonSslBroker = new JaasAuthenticationBroker(new EmptyBroker(), jaasConfiguration); + this.sslBroker = new JaasCertificateAuthenticationBroker(new EmptyBroker(), jaasSslConfiguration); + } + + /** + * Overridden to allow for authentication using different Jaas + * configurations depending on if the connection is SSL or not. + * + * @param context The context for the incoming Connection. + * @param info The ConnectionInfo Command representing the incoming + * connection. + */ + public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception { + if (context.getSecurityContext() == null) { + boolean isSSL; + Connector connector = context.getConnector(); + if (connector instanceof TransportConnector) { + TransportConnector transportConnector = (TransportConnector) connector; + isSSL = (transportConnector.getServer() instanceof SslTransportServer); + } else { + isSSL = false; + } + + if (isSSL) { + this.sslBroker.addConnection(context, info); + } else { + this.nonSslBroker.addConnection(context, info); + } + super.addConnection(context, info); + } + } + + /** + * Overriding removeConnection to make sure the security context is cleaned. + */ + public void removeConnection(ConnectionContext context, ConnectionInfo info, Throwable error) throws Exception { + boolean isSSL; + Connector connector = context.getConnector(); + if (connector instanceof ManagedTransportConnector) { + ManagedTransportConnector managedTransportConnector = (ManagedTransportConnector) connector; + isSSL = (managedTransportConnector.getServer() instanceof SslTransportServer); + } else { + isSSL = false; + } + if (isSSL) { + this.sslBroker.removeConnection(context, info, error); + } else { + this.nonSslBroker.removeConnection(context, info, error); + } + super.removeConnection(context, info, error); + } +} diff --git a/activemq-core/src/main/java/org/apache/activemq/security/JaasDualAuthenticationPlugin.java b/activemq-core/src/main/java/org/apache/activemq/security/JaasDualAuthenticationPlugin.java new file mode 100644 index 0000000000..b4c90f047b --- /dev/null +++ b/activemq-core/src/main/java/org/apache/activemq/security/JaasDualAuthenticationPlugin.java @@ -0,0 +1,51 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.activemq.security; + +import org.apache.activemq.broker.Broker; + +/** + * A JAAS based SSL certificate authentication plugin. + * + * @org.apache.xbean.XBean description="Provides a JAAS based authentication plugin + * which uses properties for non-SSL and certificates for SSL" + * + * @version $Revision: $ + */ +public class JaasDualAuthenticationPlugin extends JaasAuthenticationPlugin { + private String sslConfiguration = "activemq-ssl-domain"; + + public Broker installPlugin(Broker broker) { + initialiseJaas(); + return new JaasDualAuthenticationBroker(broker, configuration, sslConfiguration); + } + + // Properties + // ------------------------------------------------------------------------- + + /** + * Set the JAAS SSL configuration domain + */ + public void setSslConfiguration(String sslConfiguration) { + this.sslConfiguration = sslConfiguration; + } + + public String getSslConfiguration() { + return sslConfiguration; + } +} diff --git a/activemq-core/src/test/java/org/apache/activemq/security/JaasDualAuthenticationBrokerTest.java b/activemq-core/src/test/java/org/apache/activemq/security/JaasDualAuthenticationBrokerTest.java new file mode 100644 index 0000000000..f8b977e73b --- /dev/null +++ b/activemq-core/src/test/java/org/apache/activemq/security/JaasDualAuthenticationBrokerTest.java @@ -0,0 +1,209 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.activemq.security; + +import junit.framework.TestCase; +import org.apache.activemq.broker.ConnectionContext; +import org.apache.activemq.broker.Connector; +import org.apache.activemq.broker.StubBroker; +import org.apache.activemq.broker.TransportConnector; +import org.apache.activemq.command.ConnectionInfo; +import org.apache.activemq.jaas.GroupPrincipal; +import org.apache.activemq.jaas.UserPrincipal; +import org.apache.activemq.transport.tcp.*; + +import javax.net.ssl.SSLServerSocket; +import javax.security.auth.login.AppConfigurationEntry; +import javax.security.auth.login.Configuration; +import java.net.URI; +import java.security.Principal; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Iterator; +import java.util.Set; + +/** + * + */ +public class JaasDualAuthenticationBrokerTest extends TestCase { + + private static final String INSECURE_GROUP = "insecureGroup"; + private static final String INSECURE_USERNAME = "insecureUserName"; + private static final String DN_GROUP = "dnGroup"; + private static final String DN_USERNAME = "dnUserName"; + + StubBroker receiveBroker; + JaasDualAuthenticationBroker authBroker; + + ConnectionContext connectionContext; + ConnectionInfo connectionInfo; + + SslTransportServer sslTransportServer; + TcpTransportServer nonSslTransportServer; + + /** create a dual login config, for both SSL and non-SSL connections + * using the StubLoginModule + * + */ + void createLoginConfig() { + HashMap sslConfigOptions = new HashMap(); + HashMap configOptions = new HashMap(); + + sslConfigOptions.put(StubLoginModule.ALLOW_LOGIN_PROPERTY, "true"); + sslConfigOptions.put(StubLoginModule.USERS_PROPERTY, DN_USERNAME); + sslConfigOptions.put(StubLoginModule.GROUPS_PROPERTY, DN_GROUP); + AppConfigurationEntry sslConfigEntry = new AppConfigurationEntry("org.apache.activemq.security.StubLoginModule", + AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, sslConfigOptions); + + configOptions.put(StubLoginModule.ALLOW_LOGIN_PROPERTY, "true"); + configOptions.put(StubLoginModule.USERS_PROPERTY, INSECURE_USERNAME); + configOptions.put(StubLoginModule.GROUPS_PROPERTY, INSECURE_GROUP); + AppConfigurationEntry configEntry = new AppConfigurationEntry("org.apache.activemq.security.StubLoginModule", + AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, configOptions); + + StubDualJaasConfiguration jaasConfig = new StubDualJaasConfiguration(configEntry, sslConfigEntry); + + Configuration.setConfiguration(jaasConfig); + } + + protected void setUp() throws Exception { + receiveBroker = new StubBroker(); + + authBroker = new JaasDualAuthenticationBroker(receiveBroker, "activemq-domain", "activemq-ssl-domain"); + + connectionContext = new ConnectionContext(); + + SSLServerSocket sslServerSocket = new StubSSLServerSocket(); + StubSSLSocketFactory socketFactory = new StubSSLSocketFactory(sslServerSocket); + + try { + sslTransportServer = new SslTransportServer(null, new URI("ssl://localhost:61616?needClientAuth=true"), + socketFactory); + } catch (Exception e) { + fail("Unable to create SslTransportServer."); + } + sslTransportServer.setNeedClientAuth(true); + sslTransportServer.bind(); + + try { + nonSslTransportServer = new TcpTransportServer(null, new URI("tcp://localhost:61613"), socketFactory); + } catch (Exception e) { + fail("Unable to create TcpTransportServer."); + } + + + connectionInfo = new ConnectionInfo(); + + createLoginConfig(); + } + + protected void tearDown() throws Exception { + super.tearDown(); + } + + + public void testSecureConnector() { + Connector connector = new TransportConnector(sslTransportServer); + connectionContext.setConnector(connector); + connectionInfo.setTransportContext(new StubX509Certificate[] {}); + + try { + authBroker.addConnection(connectionContext, connectionInfo); + } catch (Exception e) { + fail("Call to addConnection failed: " + e.getMessage()); + } + + assertEquals("Number of addConnection calls to underlying Broker must match number of calls made to " + + "AuthenticationBroker.", 1, receiveBroker.addConnectionData.size()); + + ConnectionContext receivedContext = receiveBroker.addConnectionData.getFirst().connectionContext; + + assertEquals("The SecurityContext's userName must be set to that of the UserPrincipal.", + DN_USERNAME, receivedContext.getSecurityContext().getUserName()); + + Set receivedPrincipals = receivedContext.getSecurityContext().getPrincipals(); + + + assertEquals("2 Principals received", 2, receivedPrincipals.size()); + + for (Iterator iter = receivedPrincipals.iterator(); iter.hasNext();) { + Principal currentPrincipal = (Principal)iter.next(); + + if (currentPrincipal instanceof UserPrincipal) { + assertEquals("UserPrincipal is '" + DN_USERNAME + "'", DN_USERNAME, currentPrincipal.getName()); + } else if (currentPrincipal instanceof GroupPrincipal) { + assertEquals("GroupPrincipal is '" + DN_GROUP + "'", DN_GROUP, currentPrincipal.getName()); + } else { + fail("Unexpected Principal subclass found."); + } + } + + try { + authBroker.removeConnection(connectionContext, connectionInfo, null); + } catch (Exception e) { + fail("Call to removeConnection failed: " + e.getMessage()); + } + assertEquals("Number of removeConnection calls to underlying Broker must match number of calls made to " + + "AuthenticationBroker.", 1, receiveBroker.removeConnectionData.size()); + } + + public void testInsecureConnector() { + Connector connector = new TransportConnector(nonSslTransportServer); + connectionContext.setConnector(connector); + connectionInfo.setUserName(INSECURE_USERNAME); + + try { + authBroker.addConnection(connectionContext, connectionInfo); + } catch (Exception e) { + fail("Call to addConnection failed: " + e.getMessage()); + } + + assertEquals("Number of addConnection calls to underlying Broker must match number of calls made to " + + "AuthenticationBroker.", 1, receiveBroker.addConnectionData.size()); + + ConnectionContext receivedContext = receiveBroker.addConnectionData.getFirst().connectionContext; + + assertEquals("The SecurityContext's userName must be set to that of the UserPrincipal.", + INSECURE_USERNAME, receivedContext.getSecurityContext().getUserName()); + + Set receivedPrincipals = receivedContext.getSecurityContext().getPrincipals(); + + assertEquals("2 Principals received", 2, receivedPrincipals.size()); + for (Iterator iter = receivedPrincipals.iterator(); iter.hasNext();) { + Principal currentPrincipal = (Principal)iter.next(); + + if (currentPrincipal instanceof UserPrincipal) { + assertEquals("UserPrincipal is '" + INSECURE_USERNAME + "'", + INSECURE_USERNAME, currentPrincipal.getName()); + } else if (currentPrincipal instanceof GroupPrincipal) { + assertEquals("GroupPrincipal is '" + INSECURE_GROUP + "'", + INSECURE_GROUP, currentPrincipal.getName()); + } else { + fail("Unexpected Principal subclass found."); + } + } + + try { + authBroker.removeConnection(connectionContext, connectionInfo, null); + } catch (Exception e) { + fail("Call to removeConnection failed: " + e.getMessage()); + } + assertEquals("Number of removeConnection calls to underlying Broker must match number of calls made to " + + "AuthenticationBroker.", 1, receiveBroker.removeConnectionData.size()); + } +} diff --git a/activemq-core/src/test/java/org/apache/activemq/security/StubDualJaasConfiguration.java b/activemq-core/src/test/java/org/apache/activemq/security/StubDualJaasConfiguration.java new file mode 100644 index 0000000000..7cb9282982 --- /dev/null +++ b/activemq-core/src/test/java/org/apache/activemq/security/StubDualJaasConfiguration.java @@ -0,0 +1,43 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.activemq.security; + +import javax.security.auth.login.AppConfigurationEntry; +import javax.security.auth.login.Configuration; + +public class StubDualJaasConfiguration extends Configuration { + private AppConfigurationEntry nonSslConfigEntry; + private AppConfigurationEntry sslConfigEntry; + + public StubDualJaasConfiguration(AppConfigurationEntry nonSslConfigEntry, AppConfigurationEntry sslConfigEntry) { + this.nonSslConfigEntry = nonSslConfigEntry; + this.sslConfigEntry = sslConfigEntry; + } + + public AppConfigurationEntry[] getAppConfigurationEntry(String name) { + if ("activemq-domain".equals(name)) { + return new AppConfigurationEntry[] {nonSslConfigEntry}; + } else { + return new AppConfigurationEntry[] {sslConfigEntry}; + } + } + + public void refresh() { + } + +}