From 73e291693d59a96c0054fc7e7e09c2c67b192911 Mon Sep 17 00:00:00 2001
From: gtully
Date: Mon, 7 Sep 2020 17:02:23 +0100
Subject: [PATCH] AMQ-8035 - ensure propagated credentials are visible for bind and removed for subsequent mapping operations
---
 .../apache/activemq/jaas/LDAPLoginModule.java | 3 +-
 .../activemq/jaas/LDAPLoginModuleTest.java | 48 +++++++++++++++++--
 activemq-jaas/src/test/resources/login.config | 19 ++++++++
 3 files changed, 66 insertions(+), 4 deletions(-)
diff --git a/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java b/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java
index aad8f5003c..e1dc703bed 100644
--- a/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java
+++ b/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java
@@ -440,6 +440,7 @@ public class LDAPLoginModule implements LoginModule {
 if (log.isDebugEnabled()) {
 log.debug("Binding the user.");
 }
+ context.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
 context.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
 context.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
 try {
@@ -465,7 +466,7 @@ public class LDAPLoginModule implements LoginModule {
 } else {
 context.removeFromEnvironment(Context.SECURITY_CREDENTIALS);
 }
-
+ context.addToEnvironment(Context.SECURITY_AUTHENTICATION, getLDAPPropertyValue(AUTHENTICATION));
 return isValid;
 }
diff --git a/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java b/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java
index ea2fb57ce2..208dba2fe9 100644
--- a/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java
+++ b/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java
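Review bot: Forcing `simple` authentication for the user bind at the added line makes the outcome depend entirely on `password` being non-empty, because a simple bind with a DN and an empty password is the LDAP "unauthenticated" mechanism (RFC 4513 §5.1.2) that many servers answer with success without checking anything. Whether an empty or null `password` is already rejected before the bind is not visible here (the enclosing method starts outside the hunk), so that guard should be confirmed and, if it is missing, added ahead of the environment changes, e.g. `if (password == null || password.isEmpty()) { return false; }`. A one-line comment on the new line would also help the next reader, since the reason is not obvious: `// the connection may have been opened with authentication=none; a credential check needs a simple bind`.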
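Review bot: The restore at the added line hands `getLDAPPropertyValue(AUTHENTICATION)` straight to `addToEnvironment`; if that lookup returns null for a configuration without an `authentication` entry (the accessor is not in the hunk, so this is inferred), a null value is rejected by the Hashtable that typically backs the JNDI environment, and the login would then fail after a successful bind. Guard the restore: `String auth = getLDAPPropertyValue(AUTHENTICATION); if (auth != null) { context.addToEnvironment(Context.SECURITY_AUTHENTICATION, auth); } else { context.removeFromEnvironment(Context.SECURITY_AUTHENTICATION); }`. The restore only takes effect if control reaches it from the `try` opened in the previous hunk on the failure path as well; that catch block is outside both hunks, and if it rethrows, a failed bind leaves the shared context in `simple` mode with the user's DN still set as principal for the following mapping operations, which is the state this commit is meant to avoid.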
@@ -18,7 +18,6 @@ package org.apache.activemq.jaas;
 import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
 import org.apache.directory.server.core.integ.FrameworkRunner;
-import org.apache.directory.server.integ.ServerIntegrationUtils;
 import org.apache.directory.server.ldap.LdapServer;
 import org.apache.directory.server.annotations.CreateLdapServer;
 import org.apache.directory.server.annotations.CreateTransport;
@@ -34,11 +33,11 @@ import javax.naming.NamingEnumeration;
 import javax.naming.directory.DirContext;
 import javax.naming.directory.InitialDirContext;
 import javax.security.auth.callback.*;
+import javax.security.auth.login.FailedLoginException;
 import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;
 import java.io.IOException;
-import java.net.URL;
 import java.util.HashSet;
 import java.util.Hashtable;
@@ -47,7 +46,7 @@ import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 @RunWith ( FrameworkRunner.class )
-@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port=1024)})
+@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port=1024)}, allowAnonymousAccess = true)
 @ApplyLdifFiles( "test.ldif" )
@@ -172,4 +171,47 @@ public class LDAPLoginModuleTest extends AbstractLdapTestUnit {
 }
+ @Test
+ public void testAuthenticatedViaBindOnAnonConnection() throws Exception {
+ LoginContext context = new LoginContext("AnonBindCheckUserLDAPLogin", new CallbackHandler() {
+ @Override
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof NameCallback) {
+ ((NameCallback) callbacks[i]).setName("first");
+ } else if (callbacks[i] instanceof PasswordCallback) {
+ ((PasswordCallback) callbacks[i]).setPassword("wrongSecret".toCharArray());
+ } else {
+ throw new UnsupportedCallbackException(callbacks[i]);
+ }
+ }
+ }
+ });
+ try {
+ context.login();
+ fail("Should have failed authenticating");
+ } catch (FailedLoginException expected) {
+ }
+ }
+
+ @Test
+ public void testAuthenticatedOkViaBindOnAnonConnection() throws Exception {
+ LoginContext context = new LoginContext("AnonBindCheckUserLDAPLogin", new CallbackHandler() {
+ @Override
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof NameCallback) {
+ ((NameCallback) callbacks[i]).setName("first");
+ } else if (callbacks[i] instanceof PasswordCallback) {
+ ((PasswordCallback) callbacks[i]).setPassword("secret".toCharArray());
+ } else {
+ throw new UnsupportedCallbackException(callbacks[i]);
+ }
+ }
+ }
+ });
+ context.login();
+ context.logout();
+ }
+
 }
diff --git a/activemq-jaas/src/test/resources/login.config b/activemq-jaas/src/test/resources/login.config
index aad35cfd68..b5e8cf82a1 100644
--- a/activemq-jaas/src/test/resources/login.config
+++ b/activemq-jaas/src/test/resources/login.config
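Review bot: The two new tests duplicate the whole anonymous `CallbackHandler` and differ only in the password literal, which makes the intent of each test (wrong password rejected, right password accepted over an anonymous connection) harder to see than it should be. A small fixture helper taking the name and password removes the duplication and leaves each test body as the login call plus its expectation; the empty `catch (FailedLoginException expected)` is acceptable in a test but deserves a short comment saying the exception is the expected outcome. The success test would also be more convincing of the commit's purpose if it asserted that the subject ends up with the expected principals after `login()` rather than only that it does not throw, though the existing assertions elsewhere in the class are outside this hunk.
```java
    /** Test fixture: answers name/password callbacks with fixed values and rejects any other callback type. */
    private static CallbackHandler handlerFor(final String name, final String password) {
        return new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(name);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password.toCharArray());
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
    }

    @Test
    public void testAuthenticatedViaBindOnAnonConnection() throws Exception {
        LoginContext context = new LoginContext("AnonBindCheckUserLDAPLogin", handlerFor("first", "wrongSecret"));
        // … unchanged: login() must throw FailedLoginException …
    }

    @Test
    public void testAuthenticatedOkViaBindOnAnonConnection() throws Exception {
        LoginContext context = new LoginContext("AnonBindCheckUserLDAPLogin", handlerFor("first", "secret"));
        // … unchanged: login() then logout() …
    }
```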
@@ -105,6 +105,25 @@ UnAuthenticatedLDAPLogin {
 ;
 };
+AnonBindCheckUserLDAPLogin {
+ org.apache.activemq.jaas.LDAPLoginModule required
+ debug=true
+ initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
+ connectionURL="ldap://localhost:1024"
+ connectionUsername=none
+ connectionPassword=none
+ connectionProtocol=s
+ authentication=none
+ userBase="ou=system"
+ userSearchMatching="(uid={0})"
+ userSearchSubtree=false
+ roleBase="ou=system"
+ roleName=cn
+ roleSearchMatching="(member=uid={1},ou=system)"
+ roleSearchSubtree=false
+ ;
+};
+
 ExpandedLDAPLogin {
 org.apache.activemq.jaas.LDAPLoginModule required
 debug=true
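Review bot: The new `AnonBindCheckUserLDAPLogin` entry carries no explanation of what distinguishes it from the neighbouring entries, and its combination of `authentication=none` with `connectionUsername=none` and `connectionPassword=none` reads ambiguously: either the literal `none` values are placeholders that the module never sends, or they are real (and meaningless) credentials for an anonymous connection. A comment line above the entry, in the `//` form the JAAS configuration syntax accepts, would settle that for the reader, for example `// anonymous directory connection; the user's own credentials are checked by a simple bind, then dropped before role lookup`. If the module does not treat `none` specially, dropping the two `connection*` credential lines from an entry that is explicitly anonymous would make the fixture self-describing.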