From 6bae9594dbf3fd1bc88ca4bf5d60f3dfea1887f1 Mon Sep 17 00:00:00 2001 From: "Hiram R. Chirino" Date: Mon, 16 Oct 2006 20:54:24 +0000 Subject: [PATCH] Applying patch from https://issues.apache.org/activemq/browse/AMQ-960 Thanks Kelly Campbell! git-svn-id: https://svn.apache.org/repos/asf/incubator/activemq/trunk@464659 13f79535-47bb-0310-9956-ffa450edef68 --- .../activemq/broker/TransportConnector.java | 11 +++- .../JaasCertificateAuthenticationBroker.java | 6 +-- .../JaasCertificateSecurityContext.java | 53 +++++++++++++++++++ .../activemq/transport/tcp/SslTransport.java | 26 +++++---- .../transport/tcp/SslTransportServer.java | 24 ++++----- 5 files changed, 94 insertions(+), 26 deletions(-) create mode 100644 activemq-core/src/main/java/org/apache/activemq/security/JaasCertificateSecurityContext.java diff --git a/activemq-core/src/main/java/org/apache/activemq/broker/TransportConnector.java b/activemq-core/src/main/java/org/apache/activemq/broker/TransportConnector.java index f64812c416..811d5874be 100755 --- a/activemq-core/src/main/java/org/apache/activemq/broker/TransportConnector.java +++ b/activemq-core/src/main/java/org/apache/activemq/broker/TransportConnector.java @@ -148,13 +148,20 @@ public class TransportConnector implements Connector { connection.start(); } catch (Exception e) { + String remoteHost = transport.getRemoteAddress(); ServiceSupport.dispose(transport); - onAcceptError(e); + onAcceptError(e, remoteHost); } } public void onAcceptError(Exception error) { - log.error("Could not accept connection: " + error, error); + onAcceptError(error,null); + } + + private void onAcceptError(Exception error, String remoteHost) { + log.error("Could not accept connection " + + (remoteHost == null ? "" : "from " + remoteHost) + + ": " + error, error); } }); this.server.setBrokerInfo(brokerInfo); diff --git a/activemq-core/src/main/java/org/apache/activemq/security/JaasCertificateAuthenticationBroker.java b/activemq-core/src/main/java/org/apache/activemq/security/JaasCertificateAuthenticationBroker.java index 84e3e337d5..a302cd8c16 100644 --- a/activemq-core/src/main/java/org/apache/activemq/security/JaasCertificateAuthenticationBroker.java +++ b/activemq-core/src/main/java/org/apache/activemq/security/JaasCertificateAuthenticationBroker.java @@ -96,11 +96,11 @@ public class JaasCertificateAuthenticationBroker extends BrokerFilter { break; } } - - SecurityContext s = new JaasSecurityContext(dnName, subject); + SecurityContext s = new JaasCertificateSecurityContext( + dnName, subject, (X509Certificate[])info.getTransportContext()); context.setSecurityContext(s); } catch (Exception e) { - throw new SecurityException("User name or password is invalid.", e); + throw new SecurityException("User name or password is invalid: " + e.getMessage(), e); } } finally { Thread.currentThread().setContextClassLoader(original); diff --git a/activemq-core/src/main/java/org/apache/activemq/security/JaasCertificateSecurityContext.java b/activemq-core/src/main/java/org/apache/activemq/security/JaasCertificateSecurityContext.java new file mode 100644 index 0000000000..9b99cad0f0 --- /dev/null +++ b/activemq-core/src/main/java/org/apache/activemq/security/JaasCertificateSecurityContext.java @@ -0,0 +1,53 @@ +/** + * + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.activemq.security; + +import java.security.cert.X509Certificate; +import java.util.Set; + +import javax.security.auth.Subject; + +/** + * Extends the SecurityContext to provide a username which is the + * Distinguished Name from the certificate. + * + */ +public class JaasCertificateSecurityContext extends SecurityContext { + + private Subject subject; + private X509Certificate[] certs; + + public JaasCertificateSecurityContext(String userName, Subject subject, X509Certificate[] certs) { + super(userName); + this.subject = subject; + this.certs = certs; + } + + public Set getPrincipals() { + return subject.getPrincipals(); + } + + public String getUserName() { + if (certs != null && certs.length > 0) { + return certs[0].getSubjectDN().getName(); + } + return super.getUserName(); + } + +} diff --git a/activemq-core/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java b/activemq-core/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java index 306a1dfc7c..91c903ebab 100644 --- a/activemq-core/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java +++ b/activemq-core/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java @@ -18,21 +18,19 @@ package org.apache.activemq.transport.tcp; -import org.apache.activemq.wireformat.WireFormat; import org.apache.activemq.command.Command; import org.apache.activemq.command.ConnectionInfo; -import org.apache.activemq.util.IntrospectionSupport; +import org.apache.activemq.wireformat.WireFormat; import java.io.IOException; import java.net.URI; +import java.net.UnknownHostException; import java.security.cert.X509Certificate; -import java.util.Map; -import javax.net.SocketFactory; -import javax.net.ssl.SSLSocketFactory; -import javax.net.ssl.SSLSocket; -import javax.net.ssl.SSLSession; import javax.net.ssl.SSLPeerUnverifiedException; +import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.SSLSocketFactory; /** * A Transport class that uses SSL and client-side certificate authentication. @@ -44,7 +42,7 @@ import javax.net.ssl.SSLPeerUnverifiedException; * set before the socket is connected. Otherwise, unexpected situations may occur. * */ -class SslTransport extends TcpTransport { +public class SslTransport extends TcpTransport { /** * Connect to a remote node such as a Broker. * @@ -60,7 +58,9 @@ class SslTransport extends TcpTransport { */ public SslTransport(WireFormat wireFormat, SSLSocketFactory socketFactory, URI remoteLocation, URI localLocation, boolean needClientAuth) throws IOException { super(wireFormat, socketFactory, remoteLocation, localLocation); - ((SSLSocket)this.socket).setNeedClientAuth(needClientAuth); + if (this.socket != null) { + ((SSLSocket)this.socket).setNeedClientAuth(needClientAuth); + } } /** @@ -106,5 +106,13 @@ class SslTransport extends TcpTransport { super.doConsume(command); } + + /** + * @return pretty print of 'this' + */ + public String toString() { + return "ssl://"+socket.getInetAddress()+":"+socket.getPort(); + } + } diff --git a/activemq-core/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java b/activemq-core/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java index 167f50f59a..665aad1e42 100644 --- a/activemq-core/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java +++ b/activemq-core/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java @@ -48,12 +48,12 @@ public class SslTransportServer extends TcpTransportServer { /** - * Constructor. + * Creates a ssl transport server for the specified url using the provided + * serverSocketFactory * * @param transportFactory The factory used to create transports when connections arrive. * @param location The location of the broker to bind to. * @param serverSocketFactory The factory used to create this server. - * @param needClientAuth States if this server should needClientAuth. * @throws IOException passed up from TcpTransportFactory. * @throws URISyntaxException passed up from TcpTransportFactory. */ @@ -65,34 +65,34 @@ public class SslTransportServer extends TcpTransportServer { } /** - * Setter for needClientAuth. - * - * When set to true, needClientAuth will set SSLSockets' needClientAuth to true forcing clients to provide - * client certificates. + * Sets whether client authentication should be required + * Must be called before {@link #bind()} + * Note: Calling this method clears the wantClientAuth flag + * in the underlying implementation. */ public void setNeedClientAuth(boolean needAuth) { this.needClientAuth = needAuth; } /** - * Getter for needClientAuth. + * Returns whether client authentication should be required. */ public boolean getNeedClientAuth() { return this.needClientAuth; } /** - * Getter for wantClientAuth. + * Returns whether client authentication should be requested. */ public boolean getWantClientAuth() { return this.wantClientAuth; } /** - * Setter for wantClientAuth. - * - * When set to true, wantClientAuth will set SSLSockets' wantClientAuth to true forcing clients to provide - * client certificates. + * Sets whether client authentication should be requested. + * Must be called before {@link #bind()} + * Note: Calling this method clears the needClientAuth flag + * in the underlying implementation. */ public void setWantClientAuth(boolean wantAuth) { this.wantClientAuth = wantAuth;