Thanks Kelly Campbell!

git-svn-id: https://svn.apache.org/repos/asf/incubator/activemq/trunk@464659 13f79535-47bb-0310-9956-ffa450edef68
Hiram R. Chirino 2006-10-16 20:54:24 +00:00
parent d78c1ff608
commit 6bae9594db
5 changed files with 94 additions and 26 deletions


@ -148,13 +148,20 @@ public class TransportConnector implements Connector {
connection.start();
}
catch (Exception e) {
String remoteHost = transport.getRemoteAddress();
ServiceSupport.dispose(transport);
onAcceptError(e);
onAcceptError(e, remoteHost);
}
}
public void onAcceptError(Exception error) {
log.error("Could not accept connection: " + error, error);
onAcceptError(error,null);
}
private void onAcceptError(Exception error, String remoteHost) {
log.error("Could not accept connection " +
(remoteHost == null ? "" : "from " + remoteHost)
+ ": " + error, error);
}
});
this.server.setBrokerInfo(brokerInfo);
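Review bot: `transport.getRemoteAddress()` on the new line is called before `ServiceSupport.dispose(transport)`, so if it throws — plausible when the underlying socket is null or already torn down, the very state the SslTransport constructor in this same commit now guards against — the catch block exits without disposing the transport and the accepted socket leaks. Fetching the address is purely diagnostic and should not be allowed to preempt cleanup: `String remoteHost = null; try { remoteHost = transport.getRemoteAddress(); } catch (RuntimeException ignored) { /* diagnostics only */ }`. Whether getRemoteAddress can throw is not visible in this hunk, so treat that as an assumption to confirm against TcpTransport. Separately, every failed accept is now logged at error level with a full stack trace, which an unauthenticated peer can trigger at will; consider warn level or rate limiting if log volume matters in your deployment. The enclosing method starts before this hunk.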


@ -96,11 +96,11 @@ public class JaasCertificateAuthenticationBroker extends BrokerFilter {
break;
}
}
SecurityContext s = new JaasSecurityContext(dnName, subject);
SecurityContext s = new JaasCertificateSecurityContext(
dnName, subject, (X509Certificate[])info.getTransportContext());
context.setSecurityContext(s);
} catch (Exception e) {
throw new SecurityException("User name or password is invalid.", e);
throw new SecurityException("User name or password is invalid: " + e.getMessage(), e);
}
} finally {
Thread.currentThread().setContextClassLoader(original);
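Review bot: The rewritten message on the last changed line appends `e.getMessage()` to a SecurityException that is delivered to the unauthenticated client, turning a deliberately generic "invalid credentials" response into an error oracle — a ClassCastException from the `(X509Certificate[])` cast, a JAAS LoginException text, or a missing-certificate NPE each tell a remote caller something different about the broker's configuration. The cause is already attached as the second constructor argument, so the detail is available server-side without sending it over the wire; keep the client-facing text fixed, `throw new SecurityException("User name or password is invalid.", e);`, and log `e` at debug/warn where the exception is handled. The unchecked cast on `info.getTransportContext()` is only meaningful when this broker sits behind an SSL transport; a null or non-certificate context is reported through the same generic path, which is the right outcome, but a one-line comment stating that precondition above the cast would help the next reader. The enclosing try/finally begins before this hunk.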


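--- /dev/null
+++ b/org/apache/activemq/security/JaasCertificateSecurityContext.java
@@ -0,0 +1,53 @@
+/**
+*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements. See the NOTICE file distributed with
+* this work for additional information regarding copyright ownership.
+* The ASF licenses this file to You under the Apache License, Version 2.0
+* (the "License"); you may not use this file except in compliance with
+* the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.activemq.security;
+import java.security.cert.X509Certificate;
+import java.util.Set;
+import javax.security.auth.Subject;
+/**
+* Extends the SecurityContext to provide a username which is the
+* Distinguished Name from the certificate.
+*
+*/
+public class JaasCertificateSecurityContext extends SecurityContext {
+private Subject subject;
+private X509Certificate[] certs;
+public JaasCertificateSecurityContext(String userName, Subject subject, X509Certificate[] certs) {
+super(userName);
+this.subject = subject;
+this.certs = certs;
+}
+public Set getPrincipals() {
+return subject.getPrincipals();
+}
+public String getUserName() {
+if (certs != null && certs.length > 0) {
+return certs[0].getSubjectDN().getName();
+}
+return super.getUserName();
+}
+}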
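Review bot: `getUserName()` derives the identity from `certs[0].getSubjectDN().getName()`, but `getSubjectDN()` is the legacy API whose string form is implementation-defined, so the same certificate can yield different names across JVM vendors and silently break any authorization map keyed on it; `certs[0].getSubjectX500Principal().getName()` returns the RFC 2253 form and should be used instead. The override also means the `userName` passed to the constructor is only a fallback when no certificate is present, which is easy to miss — worth a sentence in the class Javadoc, e.g. `* When a certificate chain is present the user name is the subject DN of certs[0] (the end-entity certificate); the constructor's userName is used only as a fallback.` The constructor stores the caller's array directly, so a later mutation of that array changes this context's identity; `this.certs = certs == null ? null : certs.clone();` is cheap insurance. `getPrincipals()` dereferences `subject` without a null check; if callers can pass a null Subject this should either reject it in the constructor or return an empty set.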


@ -18,21 +18,19 @@
package org.apache.activemq.transport.tcp;
import org.apache.activemq.wireformat.WireFormat;
import org.apache.activemq.command.Command;
import org.apache.activemq.command.ConnectionInfo;
import org.apache.activemq.util.IntrospectionSupport;
import org.apache.activemq.wireformat.WireFormat;
import java.io.IOException;
import java.net.URI;
import java.net.UnknownHostException;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.net.SocketFactory;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
/**
* A Transport class that uses SSL and client-side certificate authentication.
@ -44,7 +42,7 @@ import javax.net.ssl.SSLPeerUnverifiedException;
* set before the socket is connected. Otherwise, unexpected situations may occur.
*
*/
class SslTransport extends TcpTransport {
public class SslTransport extends TcpTransport {
/**
* Connect to a remote node such as a Broker.
*
@ -60,7 +58,9 @@ class SslTransport extends TcpTransport {
*/
public SslTransport(WireFormat wireFormat, SSLSocketFactory socketFactory, URI remoteLocation, URI localLocation, boolean needClientAuth) throws IOException {
super(wireFormat, socketFactory, remoteLocation, localLocation);
((SSLSocket)this.socket).setNeedClientAuth(needClientAuth);
if (this.socket != null) {
((SSLSocket)this.socket).setNeedClientAuth(needClientAuth);
}
}
/**
@ -106,5 +106,13 @@ class SslTransport extends TcpTransport {
super.doConsume(command);
}
/**
* @return pretty print of 'this'
*/
public String toString() {
return "ssl://"+socket.getInetAddress()+":"+socket.getPort();
}
}
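Review bot: The new `if (this.socket != null)` guard around `setNeedClientAuth` fails open: when the socket has not been created yet the requirement for a client certificate is silently dropped rather than deferred, so a transport that later gets its socket will accept peers without client auth even though the caller asked for it. Either remember the flag and apply it at the point the socket is created, or refuse to construct: `if (this.socket == null) throw new IOException("SSL socket not initialised; cannot apply needClientAuth=" + needClientAuth);`. How and when `socket` is assigned lives in TcpTransport, outside this diff, so the deferral option needs checking there. The added `toString()` at the end of the section dereferences `socket` unconditionally, so a transport in exactly the state the constructor now tolerates will throw NPE from logging code — guard it the same way, e.g. return `"ssl://<unconnected>"` when `socket` is null.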


@ -48,12 +48,12 @@ public class SslTransportServer extends TcpTransportServer {
/**
* Constructor.
* Creates a ssl transport server for the specified url using the provided
* serverSocketFactory
*
* @param transportFactory The factory used to create transports when connections arrive.
* @param location The location of the broker to bind to.
* @param serverSocketFactory The factory used to create this server.
* @param needClientAuth States if this server should needClientAuth.
* @throws IOException passed up from TcpTransportFactory.
* @throws URISyntaxException passed up from TcpTransportFactory.
*/
@ -65,34 +65,34 @@ public class SslTransportServer extends TcpTransportServer {
}
/**
* Setter for needClientAuth.
*
* When set to true, needClientAuth will set SSLSockets' needClientAuth to true forcing clients to provide
* client certificates.
* Sets whether client authentication should be required
* Must be called before {@link #bind()}
* Note: Calling this method clears the wantClientAuth flag
* in the underlying implementation.
*/
public void setNeedClientAuth(boolean needAuth) {
this.needClientAuth = needAuth;
}
/**
* Getter for needClientAuth.
* Returns whether client authentication should be required.
*/
public boolean getNeedClientAuth() {
return this.needClientAuth;
}
/**
* Getter for wantClientAuth.
* Returns whether client authentication should be requested.
*/
public boolean getWantClientAuth() {
return this.wantClientAuth;
}
/**
* Setter for wantClientAuth.
*
* When set to true, wantClientAuth will set SSLSockets' wantClientAuth to true forcing clients to provide
* client certificates.
* Sets whether client authentication should be requested.
* Must be called before {@link #bind()}
* Note: Calling this method clears the needClientAuth flag
* in the underlying implementation.
*/
public void setWantClientAuth(boolean wantAuth) {
this.wantClientAuth = wantAuth;