merging 831942: https://issues.apache.org/activemq/browse/AMQ-2474 - Enable broker-to-broker authentication and authorization using SSL certificates and jaasCertificateAuthenticationPlugin

git-svn-id: https://svn.apache.org/repos/asf/activemq/branches/activemq-5.3@831968 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Bosanac Dejan 2009-11-02 16:46:45 +00:00
parent cd96d29a93
commit 84d71fcb3c
14 changed files with 283 additions and 3 deletions


@ -18,6 +18,7 @@ package org.apache.activemq.network;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Properties;
@ -70,7 +71,9 @@ import org.apache.activemq.transport.FutureResponse;
import org.apache.activemq.transport.ResponseCallback;
import org.apache.activemq.transport.Transport;
import org.apache.activemq.transport.TransportDisposedIOException;
import org.apache.activemq.transport.TransportFilter;
import org.apache.activemq.transport.TransportListener;
import org.apache.activemq.transport.tcp.SslTransport;
import org.apache.activemq.util.IdGenerator;
import org.apache.activemq.util.IntrospectionSupport;
import org.apache.activemq.util.LongSequenceGenerator;
@ -285,6 +288,14 @@ public abstract class DemandForwardingBridgeSupport implements NetworkBridge, Br
localConnectionInfo.setClientId(localClientId);
localConnectionInfo.setUserName(configuration.getUserName());
localConnectionInfo.setPassword(configuration.getPassword());
Transport originalTransport = remoteBroker;
while (originalTransport instanceof TransportFilter) {
originalTransport = ((TransportFilter)originalTransport).getNext();
}
if (originalTransport instanceof SslTransport) {
X509Certificate[] peerCerts = ((SslTransport)originalTransport).getPeerCertificates();
localConnectionInfo.setTransportContext(peerCerts);
}
localBroker.oneway(localConnectionInfo);
localSessionInfo = new SessionInfo(localConnectionInfo, 1);
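Review bot: When the unwrapped transport is not an SslTransport (a network connector configured over plain tcp:// or nio://), the new `if (originalTransport instanceof SslTransport)` check falls through silently and the local connection is opened with only the configured userName/password, so a local broker running jaasCertificateAuthenticationPlugin will refuse the bridge with nothing in the bridge's own log explaining why no certificate was presented. An else branch with a debug line, e.g. `LOG.debug("Remote transport is not SSL; no peer certificates to present to the local broker");`, would make that failure diagnosable. `getPeerCertificates()` can presumably also return null when the remote side presented no chain; whether a null transport context is handled gracefully by the local broker is not visible here, and a one-line null check that logs would remove the doubt. The enclosing method continues outside the hunk.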


@ -0,0 +1,85 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.activemq.security;
import java.net.URI;
import javax.jms.Connection;
import javax.jms.MessageConsumer;
import javax.jms.MessageProducer;
import javax.jms.Session;
import javax.jms.TextMessage;
import junit.framework.TestCase;
import org.apache.activemq.ActiveMQConnectionFactory;
import org.apache.activemq.broker.BrokerFactory;
import org.apache.activemq.broker.BrokerService;
import org.apache.activemq.command.ActiveMQQueue;
public class JaasNetworkTest extends TestCase {
BrokerService broker1;
BrokerService broker2;
public void setUp() throws Exception {
System.setProperty("java.security.auth.login.config", "src/test/resources/login.config");
broker1 = BrokerFactory.createBroker(new URI("xbean:org/apache/activemq/security/broker1.xml"));
broker2 = BrokerFactory.createBroker(new URI("xbean:org/apache/activemq/security/broker2.xml"));
broker1.waitUntilStarted();
broker2.waitUntilStarted();
Thread.sleep(2000);
}
protected void tearDown() throws Exception {
super.tearDown();
broker1.stop();
broker1.waitUntilStopped();
broker2.stop();
broker2.waitUntilStopped();
}
public void testNetwork() throws Exception {
System.setProperty("javax.net.ssl.trustStore", "src/test/resources/org/apache/activemq/security/client.ts");
System.setProperty("javax.net.ssl.trustStorePassword", "password");
System.setProperty("javax.net.ssl.trustStoreType", "jks");
System.setProperty("javax.net.ssl.keyStore", "src/test/resources/org/apache/activemq/security/client.ks");
System.setProperty("javax.net.ssl.keyStorePassword", "password");
System.setProperty("javax.net.ssl.keyStoreType", "jks");
ActiveMQConnectionFactory producerFactory = new ActiveMQConnectionFactory("ssl://localhost:61617");
Connection producerConn = producerFactory.createConnection();
Session producerSess = producerConn.createSession(false, Session.AUTO_ACKNOWLEDGE);
MessageProducer producer = producerSess.createProducer(new ActiveMQQueue("test"));
producerConn.start();
TextMessage sentMessage = producerSess.createTextMessage("test");
producer.send(sentMessage);
ActiveMQConnectionFactory consumerFactory = new ActiveMQConnectionFactory("ssl://localhost:61618");
Connection consumerConn = consumerFactory.createConnection();
Session consumerSess = consumerConn.createSession(false, Session.AUTO_ACKNOWLEDGE);
consumerConn.start();
MessageConsumer consumer = consumerSess.createConsumer(new ActiveMQQueue("test"));
TextMessage receivedMessage = (TextMessage)consumer.receive(100);
assertEquals(sentMessage, receivedMessage);
}
}
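Review bot: testNetwork only covers the accepting path and never shows that a certificate whose DN is absent from users1.properties/users2.properties (or whose issuer is not in the trust store) is refused, so a regression that accepted any trusted certificate regardless of its DN would pass this test unchanged; a second test with a bridge or client using such a certificate, asserting that no message crosses, would pin the behaviour this commit adds. `consumer.receive(100)` is a tight window for a message that must be demand-forwarded across the bridge after the consumer appears, and on a slow machine the failure surfaces as `assertEquals(sentMessage, null)` rather than a clear timeout, so a few seconds would be safer. producerConn and consumerConn are never closed, and the javax.net.ssl.* properties set here and the java.security.auth.login.config property set in setUp are never cleared, so they leak into every test that runs later in the same JVM. A `finally` that closes both connections and a tearDown that clears the properties would keep the fixture self-contained.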


@ -29,3 +29,16 @@ cert-login {
};
broker1 {
org.apache.activemq.jaas.TextFileCertificateLoginModule required
debug=true
org.apache.activemq.jaas.textfiledn.user="org/apache/activemq/security/users1.properties"
org.apache.activemq.jaas.textfiledn.group="org/apache/activemq/security/groups.properties";
};
broker2 {
org.apache.activemq.jaas.TextFileCertificateLoginModule required
debug=true
org.apache.activemq.jaas.textfiledn.user="org/apache/activemq/security/users2.properties"
org.apache.activemq.jaas.textfiledn.group="org/apache/activemq/security/groups.properties";
};


@ -0,0 +1,71 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- START SNIPPET: example -->
<beans
xmlns="http://www.springframework.org/schema/beans"
xmlns:amq="http://activemq.apache.org/schema/core"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="broker1" useJmx="false" persistent="false">
<sslContext>
<sslContext keyStore="org/apache/activemq/security/broker1.ks"
keyStorePassword="password"
trustStore="org/apache/activemq/security/broker1.ts"
trustStorePassword="password"/>
</sslContext>
<!-- The transport connectors ActiveMQ will listen to -->
<transportConnectors>
<transportConnector name="ssl" uri="ssl://0.0.0.0:61617?transport.closeAsync=false&amp;wantClientAuth=true&amp;needClientAuth=true"/>
</transportConnectors>
<networkConnectors>
<networkConnector uri="static://(ssl://localhost:61618)"
name="tobackbone"
duplex="true"
prefetchSize="1"
networkTTL="10">
</networkConnector>
</networkConnectors>
<plugins>
<jaasCertificateAuthenticationPlugin configuration="broker1" />
<!-- lets configure a destination based authorization mechanism -->
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
<authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
<authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
</broker>
</beans>
<!-- END SNIPPET: example -->
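Review bot: The authorization map in broker1.xml grants the `admins` group read, write and admin on `>` for every queue and topic, and groups.properties in this commit places broker1 and broker2 in that group, so the bridge principal ends up with full administrative rights on both brokers; that is convenient for a test fixture, but both files are wrapped in START/END SNIPPET markers, which suggests they are pulled into documentation where readers may copy the pattern. A comment above `<authorizationEntries>` such as `<!-- test fixture: the bridge identity is in admins; in a deployment give the peer broker only the destinations it forwards -->` would keep the example from reading as a recommendation. The same applies to broker2.xml. Whether the networkConnector's outbound SSL transport picks up the broker-level sslContext for the client certificate it presents is not visible here; a one-line comment on `<networkConnector uri="static://(ssl://localhost:61618)"` naming the key store it uses would help.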


@ -0,0 +1,62 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- START SNIPPET: example -->
<beans
xmlns="http://www.springframework.org/schema/beans"
xmlns:amq="http://activemq.apache.org/schema/core"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="broker2" useJmx="false" persistent="false">
<sslContext>
<sslContext keyStore="org/apache/activemq/security/broker2.ks"
keyStorePassword="password"
trustStore="org/apache/activemq/security/broker2.ts"
trustStorePassword="password"/>
</sslContext>
<!-- The transport connectors ActiveMQ will listen to -->
<transportConnectors>
<transportConnector name="ssl" uri="ssl://0.0.0.0:61618?transport.closeAsync=false&amp;wantClientAuth=true&amp;needClientAuth=true"/>
</transportConnectors>
<plugins>
<jaasCertificateAuthenticationPlugin configuration="broker2" />
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
<authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
<authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
</broker>
</beans>
<!-- END SNIPPET: example -->


@ -15,7 +15,7 @@
## limitations under the License.
## ---------------------------------------------------------------------------
admins=system,sslclient
tempDestinationAdmins=system,user,sslclient
users=system,user,sslclient
admins=system,sslclient,client,broker1,broker2
tempDestinationAdmins=system,user,sslclient,client,broker1,broker2
users=system,user,sslclient,client,broker1,broker2
guests=guest


@ -0,0 +1,19 @@
## ---------------------------------------------------------------------------
## Licensed to the Apache Software Foundation (ASF) under one or more
## contributor license agreements. See the NOTICE file distributed with
## this work for additional information regarding copyright ownership.
## The ASF licenses this file to You under the Apache License, Version 2.0
## (the "License"); you may not use this file except in compliance with
## the License. You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
## ---------------------------------------------------------------------------
client=CN=client, OU=activemq, O=apache, L=Unknown, ST=Unknown, C=Unknown
broker2=CN=broker2, OU=activemq, O=apache, L=Unknown, ST=Unknown, C=Unknown
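Review bot: Nothing in users1.properties says what the right-hand side is matched against, and the same goes for users2.properties; as far as I recall TextFileCertificateLoginModule compares the certificate's subject DN as a string, so details such as the `, ` separator and attribute order have to match the DN exactly as the certificate prints it, or the login silently fails. A header line like `## <user>=<subject DN of the client certificate, exact string match>` would save the next person a debugging session. It is also worth stating that the DN alone is not the credential: any certificate with this subject issued by an issuer present in broker1.ts maps to the same user, so the trust store, not this file, is what bounds who can become `broker2`.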


@ -0,0 +1,19 @@
## ---------------------------------------------------------------------------
## Licensed to the Apache Software Foundation (ASF) under one or more
## contributor license agreements. See the NOTICE file distributed with
## this work for additional information regarding copyright ownership.
## The ASF licenses this file to You under the Apache License, Version 2.0
## (the "License"); you may not use this file except in compliance with
## the License. You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
## ---------------------------------------------------------------------------
client=CN=client, OU=activemq, O=apache, L=Unknown, ST=Unknown, C=Unknown
broker1=CN=broker1, OU=activemq, O=apache, L=Unknown, ST=Unknown, C=Unknown