AMQ-8035 - ensure propagated credentials are visible for bind and removed for subsequent mapping operations
This commit is contained in:
parent
4450c17c1c
commit
73e291693d
|
@ -440,6 +440,7 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
if (log.isDebugEnabled()) {
|
if (log.isDebugEnabled()) {
|
||||||
log.debug("Binding the user.");
|
log.debug("Binding the user.");
|
||||||
}
|
}
|
||||||
|
context.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
|
||||||
context.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
|
context.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
|
||||||
context.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
|
context.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
|
||||||
try {
|
try {
|
||||||
|
@ -465,7 +466,7 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
} else {
|
} else {
|
||||||
context.removeFromEnvironment(Context.SECURITY_CREDENTIALS);
|
context.removeFromEnvironment(Context.SECURITY_CREDENTIALS);
|
||||||
}
|
}
|
||||||
|
context.addToEnvironment(Context.SECURITY_AUTHENTICATION, getLDAPPropertyValue(AUTHENTICATION));
|
||||||
return isValid;
|
return isValid;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
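Review bot: The environment restore on the new line `context.addToEnvironment(Context.SECURITY_AUTHENTICATION, getLDAPPropertyValue(AUTHENTICATION));` runs only on normal completion; anything that escapes the `try {` opened at the end of the first hunk leaves the shared context configured with `simple` authentication, the user's dn and the user's password for whatever operation touches that context next. The body of that try and its catch clauses lie outside the hunk, so I cannot tell which exceptions are handled there, but the restore, together with the principal/credential reset that the visible `} else {` branch belongs to, would be safer in a `finally` attached to that try so the context is returned to its configured state on every path. The enclosing method starts outside the hunk; only its tail (`return isValid;` and the closing brace) is visible here.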
@ -18,7 +18,6 @@ package org.apache.activemq.jaas;
|
||||||
|
|
||||||
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
|
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
|
||||||
import org.apache.directory.server.core.integ.FrameworkRunner;
|
import org.apache.directory.server.core.integ.FrameworkRunner;
|
||||||
import org.apache.directory.server.integ.ServerIntegrationUtils;
|
|
||||||
import org.apache.directory.server.ldap.LdapServer;
|
import org.apache.directory.server.ldap.LdapServer;
|
||||||
import org.apache.directory.server.annotations.CreateLdapServer;
|
import org.apache.directory.server.annotations.CreateLdapServer;
|
||||||
import org.apache.directory.server.annotations.CreateTransport;
|
import org.apache.directory.server.annotations.CreateTransport;
|
||||||
|
@ -34,11 +33,11 @@ import javax.naming.NamingEnumeration;
|
||||||
import javax.naming.directory.DirContext;
|
import javax.naming.directory.DirContext;
|
||||||
import javax.naming.directory.InitialDirContext;
|
import javax.naming.directory.InitialDirContext;
|
||||||
import javax.security.auth.callback.*;
|
import javax.security.auth.callback.*;
|
||||||
|
import javax.security.auth.login.FailedLoginException;
|
||||||
import javax.security.auth.login.LoginContext;
|
import javax.security.auth.login.LoginContext;
|
||||||
import javax.security.auth.login.LoginException;
|
import javax.security.auth.login.LoginException;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.net.URL;
|
|
||||||
import java.util.HashSet;
|
import java.util.HashSet;
|
||||||
import java.util.Hashtable;
|
import java.util.Hashtable;
|
||||||
|
|
||||||
|
@ -47,7 +46,7 @@ import static org.junit.Assert.assertTrue;
|
||||||
import static org.junit.Assert.fail;
|
import static org.junit.Assert.fail;
|
||||||
|
|
||||||
@RunWith ( FrameworkRunner.class )
|
@RunWith ( FrameworkRunner.class )
|
||||||
@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port=1024)})
|
@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port=1024)}, allowAnonymousAccess = true)
|
||||||
@ApplyLdifFiles(
|
@ApplyLdifFiles(
|
||||||
"test.ldif"
|
"test.ldif"
|
||||||
)
|
)
|
||||||
|
@ -172,4 +171,47 @@ public class LDAPLoginModuleTest extends AbstractLdapTestUnit {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testAuthenticatedViaBindOnAnonConnection() throws Exception {
|
||||||
|
LoginContext context = new LoginContext("AnonBindCheckUserLDAPLogin", new CallbackHandler() {
|
||||||
|
@Override
|
||||||
|
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
|
||||||
|
for (int i = 0; i < callbacks.length; i++) {
|
||||||
|
if (callbacks[i] instanceof NameCallback) {
|
||||||
|
((NameCallback) callbacks[i]).setName("first");
|
||||||
|
} else if (callbacks[i] instanceof PasswordCallback) {
|
||||||
|
((PasswordCallback) callbacks[i]).setPassword("wrongSecret".toCharArray());
|
||||||
|
} else {
|
||||||
|
throw new UnsupportedCallbackException(callbacks[i]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
});
|
||||||
|
try {
|
||||||
|
context.login();
|
||||||
|
fail("Should have failed authenticating");
|
||||||
|
} catch (FailedLoginException expected) {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testAuthenticatedOkViaBindOnAnonConnection() throws Exception {
|
||||||
|
LoginContext context = new LoginContext("AnonBindCheckUserLDAPLogin", new CallbackHandler() {
|
||||||
|
@Override
|
||||||
|
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
|
||||||
|
for (int i = 0; i < callbacks.length; i++) {
|
||||||
|
if (callbacks[i] instanceof NameCallback) {
|
||||||
|
((NameCallback) callbacks[i]).setName("first");
|
||||||
|
} else if (callbacks[i] instanceof PasswordCallback) {
|
||||||
|
((PasswordCallback) callbacks[i]).setPassword("secret".toCharArray());
|
||||||
|
} else {
|
||||||
|
throw new UnsupportedCallbackException(callbacks[i]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
});
|
||||||
|
context.login();
|
||||||
|
context.logout();
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
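Review bot: `testAuthenticatedOkViaBindOnAnonConnection` only checks that `login()` and `logout()` do not throw; it never inspects the subject, so it cannot show that the role mapping performed after the bind still works once the credentials are dropped again, which is the second half of what the commit message claims. Asserting on `context.getSubject().getPrincipals()` after `login()` (at least that it is non-empty, ideally the expected user and role principals) would pin that behaviour. The two anonymous `CallbackHandler` implementations differ only in the password string; a private helper taking the password would remove the duplication, and the empty `catch (FailedLoginException expected) { }` could carry a one-line comment such as `// a wrong password must be rejected by the user bind, not by the anonymous connection` so the intent survives. Note also that `allowAnonymousAccess = true` on the class-level `@CreateLdapServer` now applies to every test in this class, which changes what the pre-existing tests exercise against the embedded server.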
@ -105,6 +105,25 @@ UnAuthenticatedLDAPLogin {
|
||||||
;
|
;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
AnonBindCheckUserLDAPLogin {
|
||||||
|
org.apache.activemq.jaas.LDAPLoginModule required
|
||||||
|
debug=true
|
||||||
|
initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
|
||||||
|
connectionURL="ldap://localhost:1024"
|
||||||
|
connectionUsername=none
|
||||||
|
connectionPassword=none
|
||||||
|
connectionProtocol=s
|
||||||
|
authentication=none
|
||||||
|
userBase="ou=system"
|
||||||
|
userSearchMatching="(uid={0})"
|
||||||
|
userSearchSubtree=false
|
||||||
|
roleBase="ou=system"
|
||||||
|
roleName=cn
|
||||||
|
roleSearchMatching="(member=uid={1},ou=system)"
|
||||||
|
roleSearchSubtree=false
|
||||||
|
;
|
||||||
|
};
|
||||||
|
|
||||||
ExpandedLDAPLogin {
|
ExpandedLDAPLogin {
|
||||||
org.apache.activemq.jaas.LDAPLoginModule required
|
org.apache.activemq.jaas.LDAPLoginModule required
|
||||||
debug=true
|
debug=true
|
||||||
|
|
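Review bot: The new `AnonBindCheckUserLDAPLogin` entry sets `connectionUsername=none` and `connectionPassword=none` next to `authentication=none`; these are literal string values, and unless the login module treats the word `none` specially (nothing on this page shows that) they are presumably what is put back into `Context.SECURITY_PRINCIPAL` and `Context.SECURITY_CREDENTIALS` after the user bind. If the intent is an anonymous initial connection, leaving the two properties out states that more plainly, assuming the module's unset-property path removes them from the environment as the `removeFromEnvironment` branch in the other file suggests. A short comment above the entry, such as `# anonymous connection; users are authenticated only by binding with their own credentials`, would tell the next reader which scenario this configuration exists for.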