mirror of https://github.com/apache/activemq.git
Applying patch from https://issues.apache.org/activemq/browse/AMQ-960
Thanks Kelly Campbell! git-svn-id: https://svn.apache.org/repos/asf/incubator/activemq/trunk@464659 13f79535-47bb-0310-9956-ffa450edef68
parent
d78c1ff608
commit
6bae9594db
|
@ -148,13 +148,20 @@ public class TransportConnector implements Connector {
|
|||
connection.start();
|
||||
}
|
||||
catch (Exception e) {
|
||||
String remoteHost = transport.getRemoteAddress();
|
||||
ServiceSupport.dispose(transport);
|
||||
onAcceptError(e);
|
||||
onAcceptError(e, remoteHost);
|
||||
}
|
||||
}
|
||||
|
||||
public void onAcceptError(Exception error) {
|
||||
log.error("Could not accept connection: " + error, error);
|
||||
onAcceptError(error,null);
|
||||
}
|
||||
|
||||
private void onAcceptError(Exception error, String remoteHost) {
|
||||
log.error("Could not accept connection " +
|
||||
(remoteHost == null ? "" : "from " + remoteHost)
|
||||
+ ": " + error, error);
|
||||
}
|
||||
});
|
||||
this.server.setBrokerInfo(brokerInfo);
|
||||
|
|
|
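Review bot: The `log.error(..., error)` in the private `onAcceptError(Exception, String)` writes a full stack trace for every failed accept, and that path is reachable by any unauthenticated peer that opens a socket and fails the handshake, so a remote client can fill the log at error level; consider a one-line summary at warn with the stack trace at debug. Carrying `remoteHost` into the message is the right call, since it lets the entry be correlated with firewall or IDS logs. A minor wording issue: when `remoteHost` is null the message comes out as "Could not accept connection : …" with a stray space; `"Could not accept connection" + (remoteHost == null ? "" : " from " + remoteHost) + ": " + error` fixes it. The anonymous listener and the enclosing `TransportConnector` method begin before this hunk.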
@ -96,11 +96,11 @@ public class JaasCertificateAuthenticationBroker extends BrokerFilter {
|
|||
break;
|
||||
}
|
||||
}
|
||||
|
||||
SecurityContext s = new JaasSecurityContext(dnName, subject);
|
||||
SecurityContext s = new JaasCertificateSecurityContext(
|
||||
dnName, subject, (X509Certificate[])info.getTransportContext());
|
||||
context.setSecurityContext(s);
|
||||
} catch (Exception e) {
|
||||
throw new SecurityException("User name or password is invalid.", e);
|
||||
throw new SecurityException("User name or password is invalid: " + e.getMessage(), e);
|
||||
}
|
||||
} finally {
|
||||
Thread.currentThread().setContextClassLoader(original);
|
||||
|
|
|
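Review bot: The new `throw new SecurityException("User name or password is invalid: " + e.getMessage(), e)` forwards the underlying exception text outward, and if that message is ever returned to the connecting client it discloses internals (JAAS login-module errors, or a ClassCastException from the `(X509Certificate[]) info.getTransportContext()` cast when the transport context is not a certificate array) to an unauthenticated peer; keep the client-facing text generic and log the cause server-side, e.g. `throw new SecurityException("Certificate authentication failed", e);` with the detail logged at debug. The message also still says "User name or password" although this broker authenticates by certificate. Whether the SecurityException message reaches the client is not visible in this hunk and should be confirmed; the enclosing try block and method begin before the hunk.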
@ -0,0 +1,53 @@
|
|||
/**
|
||||
*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
* contributor license agreements. See the NOTICE file distributed with
|
||||
* this work for additional information regarding copyright ownership.
|
||||
* The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
* (the "License"); you may not use this file except in compliance with
|
||||
* the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.apache.activemq.security;
|
||||
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.security.auth.Subject;
|
||||
|
||||
/**
|
||||
* Extends the SecurityContext to provide a username which is the
|
||||
* Distinguished Name from the certificate.
|
||||
*
|
||||
*/
|
||||
public class JaasCertificateSecurityContext extends SecurityContext {
|
||||
|
||||
private Subject subject;
|
||||
private X509Certificate[] certs;
|
||||
|
||||
public JaasCertificateSecurityContext(String userName, Subject subject, X509Certificate[] certs) {
|
||||
super(userName);
|
||||
this.subject = subject;
|
||||
this.certs = certs;
|
||||
}
|
||||
|
||||
public Set getPrincipals() {
|
||||
return subject.getPrincipals();
|
||||
}
|
||||
|
||||
public String getUserName() {
|
||||
if (certs != null && certs.length > 0) {
|
||||
return certs[0].getSubjectDN().getName();
|
||||
}
|
||||
return super.getUserName();
|
||||
}
|
||||
|
||||
}
|
|
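Review bot: `JaasCertificateSecurityContext` stores the `certs` array by reference in its constructor and `getUserName()` re-reads `certs[0]` on every call, so whoever still holds the array that was passed in can change the effective identity after the context exists; copy it, `this.certs = certs == null ? null : (X509Certificate[]) certs.clone();`. `getUserName()` also silently overrides the `userName` given to the constructor with `certs[0].getSubjectDN().getName()`; if the caller's `dnName` was derived differently the two spellings can disagree, and `getSubjectDN()` is the denigrated API — `getSubjectX500Principal().getName()` yields a stable RFC 2253 form, though switching would change the string that authorization rules match on. Treating `certs[0]` as the peer identity is only correct if the array is in the order `SSLSession.getPeerCertificates()` returns (peer's own certificate first), which is not visible here and is worth stating in the class Javadoc. `getPrincipals()` throws NullPointerException when `subject` is null; either document that the Subject is required or guard it.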
@ -18,21 +18,19 @@
|
|||
|
||||
package org.apache.activemq.transport.tcp;
|
||||
|
||||
import org.apache.activemq.wireformat.WireFormat;
|
||||
import org.apache.activemq.command.Command;
|
||||
import org.apache.activemq.command.ConnectionInfo;
|
||||
import org.apache.activemq.util.IntrospectionSupport;
|
||||
import org.apache.activemq.wireformat.WireFormat;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.net.UnknownHostException;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.Map;
|
||||
|
||||
import javax.net.SocketFactory;
|
||||
import javax.net.ssl.SSLSocketFactory;
|
||||
import javax.net.ssl.SSLSocket;
|
||||
import javax.net.ssl.SSLSession;
|
||||
import javax.net.ssl.SSLPeerUnverifiedException;
|
||||
import javax.net.ssl.SSLSession;
|
||||
import javax.net.ssl.SSLSocket;
|
||||
import javax.net.ssl.SSLSocketFactory;
|
||||
|
||||
/**
|
||||
* A Transport class that uses SSL and client-side certificate authentication.
|
||||
|
@ -44,7 +42,7 @@ import javax.net.ssl.SSLPeerUnverifiedException;
|
|||
* set before the socket is connected. Otherwise, unexpected situations may occur.
|
||||
*
|
||||
*/
|
||||
class SslTransport extends TcpTransport {
|
||||
public class SslTransport extends TcpTransport {
|
||||
/**
|
||||
* Connect to a remote node such as a Broker.
|
||||
*
|
||||
|
@ -60,7 +58,9 @@ class SslTransport extends TcpTransport {
|
|||
*/
|
||||
public SslTransport(WireFormat wireFormat, SSLSocketFactory socketFactory, URI remoteLocation, URI localLocation, boolean needClientAuth) throws IOException {
|
||||
super(wireFormat, socketFactory, remoteLocation, localLocation);
|
||||
((SSLSocket)this.socket).setNeedClientAuth(needClientAuth);
|
||||
if (this.socket != null) {
|
||||
((SSLSocket)this.socket).setNeedClientAuth(needClientAuth);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -106,5 +106,13 @@ class SslTransport extends TcpTransport {
|
|||
|
||||
super.doConsume(command);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return pretty print of 'this'
|
||||
*/
|
||||
public String toString() {
|
||||
return "ssl://"+socket.getInetAddress()+":"+socket.getPort();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
|
|
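Review bot: The new `toString()` dereferences `socket` unconditionally in `socket.getInetAddress()`, while the constructor change in the same file guards `this.socket != null` before calling `setNeedClientAuth`, so a transport whose socket has not been created yet throws NullPointerException from `toString()` — exactly the call that ends up in log statements; `return "ssl://" + (socket == null ? "?" : socket.getInetAddress() + ":" + socket.getPort());` keeps it safe. More importantly, when `this.socket` is null the constructor now drops the `needClientAuth` setting silently; if `TcpTransport` creates the socket later (not visible here), the client-certificate requirement would never be applied to it, so the flag should be retained in a field and applied when the socket is created, or the null case should at least be logged. The `SslTransport` class body continues outside the hunk.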
@ -48,12 +48,12 @@ public class SslTransportServer extends TcpTransportServer {
|
|||
|
||||
|
||||
/**
|
||||
* Constructor.
|
||||
* Creates a ssl transport server for the specified url using the provided
|
||||
* serverSocketFactory
|
||||
*
|
||||
* @param transportFactory The factory used to create transports when connections arrive.
|
||||
* @param location The location of the broker to bind to.
|
||||
* @param serverSocketFactory The factory used to create this server.
|
||||
* @param needClientAuth States if this server should needClientAuth.
|
||||
* @throws IOException passed up from TcpTransportFactory.
|
||||
* @throws URISyntaxException passed up from TcpTransportFactory.
|
||||
*/
|
||||
|
@ -65,34 +65,34 @@ public class SslTransportServer extends TcpTransportServer {
|
|||
}
|
||||
|
||||
/**
|
||||
* Setter for needClientAuth.
|
||||
*
|
||||
* When set to true, needClientAuth will set SSLSockets' needClientAuth to true forcing clients to provide
|
||||
* client certificates.
|
||||
* Sets whether client authentication should be required
|
||||
* Must be called before {@link #bind()}
|
||||
* Note: Calling this method clears the wantClientAuth flag
|
||||
* in the underlying implementation.
|
||||
*/
|
||||
public void setNeedClientAuth(boolean needAuth) {
|
||||
this.needClientAuth = needAuth;
|
||||
}
|
||||
|
||||
/**
|
||||
* Getter for needClientAuth.
|
||||
* Returns whether client authentication should be required.
|
||||
*/
|
||||
public boolean getNeedClientAuth() {
|
||||
return this.needClientAuth;
|
||||
}
|
||||
|
||||
/**
|
||||
* Getter for wantClientAuth.
|
||||
* Returns whether client authentication should be requested.
|
||||
*/
|
||||
public boolean getWantClientAuth() {
|
||||
return this.wantClientAuth;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for wantClientAuth.
|
||||
*
|
||||
* When set to true, wantClientAuth will set SSLSockets' wantClientAuth to true forcing clients to provide
|
||||
* client certificates.
|
||||
* Sets whether client authentication should be requested.
|
||||
* Must be called before {@link #bind()}
|
||||
* Note: Calling this method clears the needClientAuth flag
|
||||
* in the underlying implementation.
|
||||
*/
|
||||
public void setWantClientAuth(boolean wantAuth) {
|
||||
this.wantClientAuth = wantAuth;
|
||||
|
|
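Review bot: The Javadoc added to `setNeedClientAuth` says calling it "clears the wantClientAuth flag in the underlying implementation", but the setter body only assigns `this.needClientAuth = needAuth;` — this class's `wantClientAuth` field is untouched, so any clearing can only happen when the flags are pushed to the SSLServerSocket (presumably in `bind()`, outside this hunk), and until then both getters can report true. Reword to make the timing explicit, e.g. `When the flags are applied to the server socket at {@link #bind()}, needClientAuth takes precedence over wantClientAuth in the underlying JSSE socket.`, with the mirror sentence on `setWantClientAuth`. The same Javadoc should spell out the security difference: with only `wantClientAuth` a client that presents no certificate still completes the handshake, so certificate-based authentication downstream must cope with a null peer-certificate chain. The closing brace of `setWantClientAuth` lies outside the hunk.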