fix for: https://issues.apache.org/jira/browse/AMQ-3996

Updates TransportServer API so that JaasDualAuthenticationBroker can tell when its dealing with a TransportServer that will provide SSL connections and it can validate client certificate chains from ConnectionInfo.  Also updated the properties files to reflect the newly generated certificates. 

git-svn-id: https://svn.apache.org/repos/asf/activemq/trunk@1400155 13f79535-47bb-0310-9956-ffa450edef68

activemq-amqp/src/main/java/org/apache/activemq/transport/amqp/AmqpNioSslTransportFactory.java

@@ -16,6 +16,16 @@
  */
 package org.apache.activemq.transport.amqp;
 
+import java.io.IOException;
+import java.net.Socket;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.UnknownHostException;
+
+import javax.net.ServerSocketFactory;
+import javax.net.SocketFactory;
+import javax.net.ssl.SSLContext;
+
 import org.apache.activemq.broker.SslContext;
 import org.apache.activemq.transport.Transport;
 import org.apache.activemq.transport.TransportServer;
@@ -23,15 +33,6 @@ import org.apache.activemq.transport.tcp.TcpTransport;
 import org.apache.activemq.transport.tcp.TcpTransportServer;
 import org.apache.activemq.wireformat.WireFormat;
 
-import javax.net.ServerSocketFactory;
-import javax.net.SocketFactory;
-import javax.net.ssl.SSLContext;
-import java.io.IOException;
-import java.net.Socket;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.net.UnknownHostException;
-
 public class AmqpNioSslTransportFactory extends AmqpNioTransportFactory {
 
     SSLContext context;
@@ -46,6 +47,11 @@ public class AmqpNioSslTransportFactory extends AmqpNioTransportFactory {
                 }
                 return transport;
             }
+
+            @Override
+            public boolean isSslServer() {
+                return true;
+            }
         };
     }
 

activemq-core/src/main/java/org/apache/activemq/security/JaasDualAuthenticationBroker.java

@@ -17,10 +17,13 @@
 
 package org.apache.activemq.security;
 
-import org.apache.activemq.broker.*;
+import org.apache.activemq.broker.Broker;
-import org.apache.activemq.broker.jmx.ManagedTransportConnector;
+import org.apache.activemq.broker.BrokerFilter;
+import org.apache.activemq.broker.ConnectionContext;
+import org.apache.activemq.broker.Connector;
+import org.apache.activemq.broker.EmptyBroker;
+import org.apache.activemq.broker.TransportConnector;
 import org.apache.activemq.command.ConnectionInfo;
-
 import org.apache.activemq.transport.tcp.SslTransportServer;
 
 /**
@@ -86,7 +89,7 @@ public class JaasDualAuthenticationBroker extends BrokerFilter {
             Connector connector = context.getConnector();
             if (connector instanceof TransportConnector) {
                 TransportConnector transportConnector = (TransportConnector) connector;
-                isSSL = (transportConnector.getServer() instanceof SslTransportServer);
+                isSSL = transportConnector.getServer().isSslServer();
             } else {
                 isSSL = false;
             }

activemq-core/src/main/java/org/apache/activemq/transport/TransportServer.java

@@ -55,4 +55,14 @@ public interface TransportServer extends Service {
      */
     InetSocketAddress getSocketAddress();
 
+    /**
+     * For TransportServers that provide SSL connections to their connected peers they should
+     * return true here if and only if they populate the ConnectionInfo command presented to
+     * the Broker with the peers certificate chain so that the broker knows it can use that
+     * information to authenticate the connected peer.
+     *
+     * @return true if this transport server provides SSL level security over its
+     *          connections.
+     */
+    boolean isSslServer();
 }

activemq-core/src/main/java/org/apache/activemq/transport/TransportServerFilter.java

@@ -56,4 +56,7 @@ public class TransportServerFilter implements TransportServer {
         return next.getSocketAddress();
     }
 
+    public boolean isSslServer() {
+        return next.isSslServer();
+    }
 }

activemq-core/src/main/java/org/apache/activemq/transport/nio/NIOSSLTransportFactory.java

@@ -17,23 +17,6 @@
 
 package org.apache.activemq.transport.nio;
 
-import org.apache.activemq.broker.SslContext;
-import org.apache.activemq.transport.Transport;
-import org.apache.activemq.transport.TransportServer;
-import org.apache.activemq.transport.tcp.SslTransport;
-import org.apache.activemq.transport.tcp.SslTransportFactory;
-import org.apache.activemq.transport.tcp.TcpTransport;
-import org.apache.activemq.transport.tcp.TcpTransportServer;
-import org.apache.activemq.util.IOExceptionSupport;
-import org.apache.activemq.util.IntrospectionSupport;
-import org.apache.activemq.wireformat.WireFormat;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.net.ServerSocketFactory;
-import javax.net.SocketFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSocketFactory;
 import java.io.IOException;
 import java.net.Socket;
 import java.net.URI;
@@ -41,6 +24,22 @@ import java.net.URISyntaxException;
 import java.net.UnknownHostException;
 import java.util.Map;
 
+import javax.net.ServerSocketFactory;
+import javax.net.SocketFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+
+import org.apache.activemq.broker.SslContext;
+import org.apache.activemq.transport.Transport;
+import org.apache.activemq.transport.TransportServer;
+import org.apache.activemq.transport.tcp.SslTransport;
+import org.apache.activemq.transport.tcp.TcpTransportServer;
+import org.apache.activemq.util.IOExceptionSupport;
+import org.apache.activemq.util.IntrospectionSupport;
+import org.apache.activemq.wireformat.WireFormat;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 public class NIOSSLTransportFactory extends NIOTransportFactory {
     private static final Logger LOG = LoggerFactory.getLogger(NIOSSLTransportFactory.class);
      SSLContext context;
@@ -54,6 +53,11 @@ public class NIOSSLTransportFactory extends NIOTransportFactory {
                 }
                 return transport;
             }
+
+            @Override
+            public boolean isSslServer() {
+                return true;
+            }
         };
     }
 

activemq-core/src/main/java/org/apache/activemq/transport/stomp/StompNIOSSLTransportFactory.java

@@ -16,6 +16,16 @@
  */
 package org.apache.activemq.transport.stomp;
 
+import java.io.IOException;
+import java.net.Socket;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.UnknownHostException;
+
+import javax.net.ServerSocketFactory;
+import javax.net.SocketFactory;
+import javax.net.ssl.SSLContext;
+
 import org.apache.activemq.broker.SslContext;
 import org.apache.activemq.transport.Transport;
 import org.apache.activemq.transport.TransportServer;
@@ -23,15 +33,6 @@ import org.apache.activemq.transport.tcp.TcpTransport;
 import org.apache.activemq.transport.tcp.TcpTransportServer;
 import org.apache.activemq.wireformat.WireFormat;
 
-import javax.net.ServerSocketFactory;
-import javax.net.SocketFactory;
-import javax.net.ssl.SSLContext;
-import java.io.IOException;
-import java.net.Socket;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.net.UnknownHostException;
-
 public class StompNIOSSLTransportFactory extends StompNIOTransportFactory {
 
     SSLContext context;
@@ -46,6 +47,11 @@ public class StompNIOSSLTransportFactory extends StompNIOTransportFactory {
                 }
                 return transport;
             }
+
+            @Override
+            public boolean isSslServer() {
+                return false;
+            }
         };
     }
 

activemq-core/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java

@@ -45,7 +45,6 @@ public class SslTransportServer extends TcpTransportServer {
     // Specifies if sockets created from this server should wantClientAuth.
     private boolean wantClientAuth;
 
-    
     /**
      * Creates a ssl transport server for the specified url using the provided
      * serverSocketFactory
@@ -56,10 +55,7 @@ public class SslTransportServer extends TcpTransportServer {
      * @throws IOException passed up from TcpTransportFactory.
      * @throws URISyntaxException passed up from TcpTransportFactory.
      */
-    public SslTransportServer(
+    public SslTransportServer(SslTransportFactory transportFactory, URI location, SSLServerSocketFactory serverSocketFactory) throws IOException, URISyntaxException {
-            SslTransportFactory transportFactory,
-            URI location,
-            SSLServerSocketFactory serverSocketFactory) throws IOException, URISyntaxException {
         super(transportFactory, location, serverSocketFactory);
     }
 
@@ -126,4 +122,10 @@ public class SslTransportServer extends TcpTransportServer {
     protected Transport createTransport(Socket socket, WireFormat format) throws IOException {
         return new SslTransport(format, (SSLSocket)socket);
     }
+
+    @Override
+    public boolean isSslServer() {
+        return true;
+    }
+
 }

activemq-core/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java

@@ -119,7 +119,6 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
         super(location);
         this.transportFactory = transportFactory;
         this.serverSocketFactory = serverSocketFactory;
-        
     }
 
     public void bind() throws IOException {
@@ -130,10 +129,8 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
         InetAddress addr = InetAddress.getByName(host);
 
         try {
-
             this.serverSocket = serverSocketFactory.createServerSocket(bind.getPort(), backlog, addr);
             configureServerSocket(this.serverSocket);
-            
         } catch (IOException e) {
             throw IOExceptionSupport.create("Failed to bind to server socket: " + bind + " due to: " + e, e);
         }
@@ -235,7 +232,6 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
         return startLogging;
     }
 
-
     public void setStartLogging(boolean startLogging) {
         this.startLogging = startLogging;
     }
@@ -268,7 +264,6 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
         this.useQueueForAccept = useQueueForAccept;
     }
 
-
     /**
      * pull Sockets from the ServerSocket
      */
@@ -473,7 +468,6 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
         this.maximumConnections = maximumConnections;
     }
 
-    
     public void started(Service service) {
        this.currentTransportCount++;
     }
@@ -481,4 +475,9 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
     public void stopped(Service service) {
         this.currentTransportCount--;
     }
+
+    @Override
+    public boolean isSslServer() {
+        return false;
+    }
 }

activemq-core/src/main/java/org/apache/activemq/transport/udp/UdpTransportServer.java

@@ -34,7 +34,6 @@ import org.apache.activemq.transport.TransportServer;
 import org.apache.activemq.transport.TransportServerSupport;
 import org.apache.activemq.transport.reliable.ReliableTransport;
 import org.apache.activemq.transport.reliable.ReplayStrategy;
-import org.apache.activemq.transport.reliable.Replayer;
 import org.apache.activemq.util.ServiceStopper;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -175,4 +174,9 @@ public class UdpTransportServer extends TransportServerSupport {
     public InetSocketAddress getSocketAddress() {
         return serverTransport.getLocalSocketAddress();
     }
+
+    @Override
+    public boolean isSslServer() {
+        return false;
+    }
 }

activemq-core/src/main/java/org/apache/activemq/transport/vm/VMTransportServer.java

@@ -137,4 +137,9 @@ public class VMTransportServer implements TransportServer {
     public int getConnectionCount() {
         return connectionCount.intValue();
     }
+
+    @Override
+    public boolean isSslServer() {
+        return false;
+    }
 }

activemq-core/src/test/resources/org/apache/activemq/security/users1.properties

@@ -15,5 +15,5 @@
 ## limitations under the License.
 ## ---------------------------------------------------------------------------
 
-client=CN=client, OU=activemq, O=apache, L=Unknown, ST=Unknown, C=Unknown
+client=CN=client, OU=activemq, O=apache
-broker2=CN=broker2, OU=activemq, O=apache, L=Unknown, ST=Unknown, C=Unknown
+broker2=CN=broker2, OU=activemq, O=apache

activemq-core/src/test/resources/org/apache/activemq/security/users2.properties

@@ -15,5 +15,5 @@
 ## limitations under the License.
 ## ---------------------------------------------------------------------------
 
-client=CN=client, OU=activemq, O=apache, L=Unknown, ST=Unknown, C=Unknown
+client=CN=client, OU=activemq, O=apache
-broker1=CN=broker1, OU=activemq, O=apache, L=Unknown, ST=Unknown, C=Unknown
+broker1=CN=broker1, OU=activemq, O=apache

activemq-optional/src/main/java/org/apache/activemq/transport/http/HttpTransportServer.java

@@ -114,4 +114,9 @@ public class HttpTransportServer extends WebTransportServerSupport {
         socketConnectorFactory.setTransportOptions(transportOptions);
         super.setTransportOption(transportOptions);
     }
+
+    @Override
+    public boolean isSslServer() {
+        return false;
+    }
 }

activemq-optional/src/main/java/org/apache/activemq/transport/ws/WSTransportServer.java

@@ -100,4 +100,9 @@ public class WSTransportServer extends WebTransportServerSupport {
         super.setTransportOption(transportOptions);
     }
 
+    @Override
+    public boolean isSslServer() {
+        return false;
+    }
+
 }