From 1406d40ac34fedb0be2e5bc5998844a46ff15760 Mon Sep 17 00:00:00 2001
From: Robert Gemmell <robbie@apache.org>
Date: Mon, 23 Feb 2015 17:32:10 +0000
Subject: [PATCH] AMQ-5608: dont NPE during authentication attempt if no users
 were defined for the SimpleAuthenticationPlugin

https://issues.apache.org/jira/browse/AMQ-5608
---
 .../security/SimpleAuthenticationPlugin.java  |  8 +--
 ...SimpleAuthenticationPluginNoUsersTest.java | 59 ++++++++++++++++
 .../security/simple-auth-broker-no-users.xml  | 69 +++++++++++++++++++
 3 files changed, 132 insertions(+), 4 deletions(-)
 create mode 100644 activemq-unit-tests/src/test/java/org/apache/activemq/security/SimpleAuthenticationPluginNoUsersTest.java
 create mode 100644 activemq-unit-tests/src/test/resources/org/apache/activemq/security/simple-auth-broker-no-users.xml

diff --git a/activemq-broker/src/main/java/org/apache/activemq/security/SimpleAuthenticationPlugin.java b/activemq-broker/src/main/java/org/apache/activemq/security/SimpleAuthenticationPlugin.java
index a334a98c00..fb0d2e8731 100644
--- a/activemq-broker/src/main/java/org/apache/activemq/security/SimpleAuthenticationPlugin.java
+++ b/activemq-broker/src/main/java/org/apache/activemq/security/SimpleAuthenticationPlugin.java
@@ -40,8 +40,8 @@ import org.apache.activemq.jaas.GroupPrincipal;
  *
  */
 public class SimpleAuthenticationPlugin implements BrokerPlugin {
-    private Map<String, String> userPasswords;
-    private Map<String, Set<Principal>> userGroups;
+    private Map<String, String> userPasswords = new HashMap<String, String>();
+    private Map<String, Set<Principal>> userGroups = new HashMap<String, Set<Principal>>();
     private static final String DEFAULT_ANONYMOUS_USER = "anonymous";
     private static final String DEFAULT_ANONYMOUS_GROUP = "anonymous";
     private String anonymousUser = DEFAULT_ANONYMOUS_USER;
@@ -73,8 +73,8 @@ public class SimpleAuthenticationPlugin implements BrokerPlugin {
      * @org.apache.xbean.ElementType class="org.apache.activemq.security.AuthenticationUser"
      */
     public void setUsers(List<?> users) {
-        userPasswords = new HashMap<String, String>();
-        userGroups = new HashMap<String, Set<Principal>>();
+        userPasswords.clear();
+        userGroups.clear();
         for (Iterator<?> it = users.iterator(); it.hasNext();) {
             AuthenticationUser user = (AuthenticationUser)it.next();
             userPasswords.put(user.getUsername(), user.getPassword());
diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/security/SimpleAuthenticationPluginNoUsersTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/security/SimpleAuthenticationPluginNoUsersTest.java
new file mode 100644
index 0000000000..dc35cc1a77
--- /dev/null
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/security/SimpleAuthenticationPluginNoUsersTest.java
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import java.net.URI;
+
+import javax.jms.Connection;
+import javax.jms.JMSSecurityException;
+
+import org.apache.activemq.broker.BrokerFactory;
+import org.apache.activemq.broker.BrokerService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class SimpleAuthenticationPluginNoUsersTest extends SecurityTestSupport {
+
+    private static final Logger LOG = LoggerFactory.getLogger(SimpleAuthenticationPluginNoUsersTest.class);
+
+    @Override
+    protected void setUp() throws Exception {
+        setAutoFail(true);
+        super.setUp();
+    }
+
+    @Override
+    protected BrokerService createBroker() throws Exception {
+        return createBroker("org/apache/activemq/security/simple-auth-broker-no-users.xml");
+    }
+
+    protected BrokerService createBroker(String uri) throws Exception {
+        LOG.info("Loading broker configuration from the classpath with URI: " + uri);
+        return BrokerFactory.createBroker(new URI("xbean:" + uri));
+    }
+
+    public void testConnectionStartThrowsJMSSecurityException() throws Exception {
+
+        Connection connection = factory.createConnection("user", "password");
+        try {
+            connection.start();
+            fail("Should throw JMSSecurityException");
+        } catch (JMSSecurityException jmsEx) {
+            //expected
+        }
+    }
+}
diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/simple-auth-broker-no-users.xml b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/simple-auth-broker-no-users.xml
new file mode 100644
index 0000000000..b4485f0bc5
--- /dev/null
+++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/simple-auth-broker-no-users.xml
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+<!-- this file can only be parsed using the xbean-spring library -->
+<!-- START SNIPPET: example -->
+<beans
+  xmlns="http://www.springframework.org/schema/beans"
+  xmlns:amq="http://activemq.apache.org/schema/core"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+  http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
+
+  <bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
+      <property name="algorithm" value="PBEWithMD5AndDES"/>
+      <property name="password" value="activemq"/>
+  </bean>
+
+  <bean id="propertyConfigurer" class="org.jasypt.spring.properties.EncryptablePropertyPlaceholderConfigurer">
+      <constructor-arg ref="configurationEncryptor" />
+      <property name="location" value="classpath:credentials.properties"/>
+  </bean>
+
+  <broker useJmx="true" persistent="false" xmlns="http://activemq.apache.org/schema/core" populateJMSXUserID="true" schedulePeriodForDestinationPurge="2000">
+
+    <destinations>
+      <queue physicalName="TEST.Q" />
+    </destinations>
+
+    <!-- Use a non-default port in case the default port is in use -->
+    <managementContext>
+      <managementContext connectorPort="1199"/>
+    </managementContext>
+
+    <destinationPolicy>
+        <policyMap>
+          <policyEntries>
+            <policyEntry queue="USERS.PURGE.>" gcInactiveDestinations="true" inactiveTimoutBeforeGC="500" />
+          </policyEntries>
+        </policyMap>
+    </destinationPolicy>
+
+    <transportConnectors>
+      <transportConnector uri="tcp://0.0.0.0:0" />
+    </transportConnectors>
+
+    <plugins>
+        <!-- Defining a SimpleAuthenticationPlugin
+             with no nested 'users'. Should deny all
+             login attempts rather than NPE -->
+        <simpleAuthenticationPlugin />
+    </plugins>
+  </broker>
+
+</beans>