mirror of https://github.com/apache/activemq.git
merging 831942: https://issues.apache.org/activemq/browse/AMQ-2474 - Enable broker-to-broker authentication and authorization using SSL certificates and jaasCertificateAuthenticationPlugin
git-svn-id: https://svn.apache.org/repos/asf/activemq/branches/activemq-5.3@831968 13f79535-47bb-0310-9956-ffa450edef68
parent
cd96d29a93
commit
84d71fcb3c
|
@ -18,6 +18,7 @@ package org.apache.activemq.network;
|
|||
|
||||
import java.io.IOException;
|
||||
import java.security.GeneralSecurityException;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
import java.util.Properties;
|
||||
|
@ -70,7 +71,9 @@ import org.apache.activemq.transport.FutureResponse;
|
|||
import org.apache.activemq.transport.ResponseCallback;
|
||||
import org.apache.activemq.transport.Transport;
|
||||
import org.apache.activemq.transport.TransportDisposedIOException;
|
||||
import org.apache.activemq.transport.TransportFilter;
|
||||
import org.apache.activemq.transport.TransportListener;
|
||||
import org.apache.activemq.transport.tcp.SslTransport;
|
||||
import org.apache.activemq.util.IdGenerator;
|
||||
import org.apache.activemq.util.IntrospectionSupport;
|
||||
import org.apache.activemq.util.LongSequenceGenerator;
|
||||
|
@ -285,6 +288,14 @@ public abstract class DemandForwardingBridgeSupport implements NetworkBridge, Br
|
|||
localConnectionInfo.setClientId(localClientId);
|
||||
localConnectionInfo.setUserName(configuration.getUserName());
|
||||
localConnectionInfo.setPassword(configuration.getPassword());
|
||||
Transport originalTransport = remoteBroker;
|
||||
while (originalTransport instanceof TransportFilter) {
|
||||
originalTransport = ((TransportFilter)originalTransport).getNext();
|
||||
}
|
||||
if (originalTransport instanceof SslTransport) {
|
||||
X509Certificate[] peerCerts = ((SslTransport)originalTransport).getPeerCertificates();
|
||||
localConnectionInfo.setTransportContext(peerCerts);
|
||||
}
|
||||
localBroker.oneway(localConnectionInfo);
|
||||
|
||||
localSessionInfo = new SessionInfo(localConnectionInfo, 1);
|
||||
|
|
|
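Review bot: The new block from `Transport originalTransport = remoteBroker;` through `localConnectionInfo.setTransportContext(peerCerts);` has no comment, and what it does is not obvious from the code: it unwraps the outbound transport's filter chain and, when the innermost transport is an SslTransport, hands the TLS peer certificate chain to the local broker as the connection's transport context, so that a certificate-based authentication plugin can identify this bridge by the remote broker's certificate rather than by the userName/password set two lines earlier. I would add above the `Transport originalTransport` line: `// Attach the remote broker's TLS peer certificate chain as the transport context so a` / `// certificate-based authentication plugin on the local broker can identify this bridge by DN.` When the chain does not end in an SslTransport, or (as far as I can tell from this hunk) when getPeerCertificates() yields null because the peer presented no chain, the context silently stays null and the local broker falls back to username/password only; a debug log in the non-SSL branch would make a misconfigured ssl:// bridge easier to diagnose. The enclosing method starts and ends outside this hunk.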
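--- /dev/null
+++ b/activemq-core/src/test/java/org/apache/activemq/security/JaasNetworkTest.java
@@ -0,0 +1,85 @@
+/**
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements. See the NOTICE file distributed with
+* this work for additional information regarding copyright ownership.
+* The ASF licenses this file to You under the Apache License, Version 2.0
+* (the "License"); you may not use this file except in compliance with
+* the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.activemq.security;
+
+import java.net.URI;
+
+import javax.jms.Connection;
+import javax.jms.MessageConsumer;
+import javax.jms.MessageProducer;
+import javax.jms.Session;
+import javax.jms.TextMessage;
+
+import junit.framework.TestCase;
+
+import org.apache.activemq.ActiveMQConnectionFactory;
+import org.apache.activemq.broker.BrokerFactory;
+import org.apache.activemq.broker.BrokerService;
+import org.apache.activemq.command.ActiveMQQueue;
+
+public class JaasNetworkTest extends TestCase {
+
+BrokerService broker1;
+BrokerService broker2;
+
+public void setUp() throws Exception {
+System.setProperty("java.security.auth.login.config", "src/test/resources/login.config");
+broker1 = BrokerFactory.createBroker(new URI("xbean:org/apache/activemq/security/broker1.xml"));
+broker2 = BrokerFactory.createBroker(new URI("xbean:org/apache/activemq/security/broker2.xml"));
+broker1.waitUntilStarted();
+broker2.waitUntilStarted();
+Thread.sleep(2000);
+}
+
+protected void tearDown() throws Exception {
+super.tearDown();
+broker1.stop();
+broker1.waitUntilStopped();
+broker2.stop();
+broker2.waitUntilStopped();
+}
+
+
+
+public void testNetwork() throws Exception {
+
+System.setProperty("javax.net.ssl.trustStore", "src/test/resources/org/apache/activemq/security/client.ts");
+System.setProperty("javax.net.ssl.trustStorePassword", "password");
+System.setProperty("javax.net.ssl.trustStoreType", "jks");
+System.setProperty("javax.net.ssl.keyStore", "src/test/resources/org/apache/activemq/security/client.ks");
+System.setProperty("javax.net.ssl.keyStorePassword", "password");
+System.setProperty("javax.net.ssl.keyStoreType", "jks");
+
+ActiveMQConnectionFactory producerFactory = new ActiveMQConnectionFactory("ssl://localhost:61617");
+Connection producerConn = producerFactory.createConnection();
+Session producerSess = producerConn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+MessageProducer producer = producerSess.createProducer(new ActiveMQQueue("test"));
+producerConn.start();
+TextMessage sentMessage = producerSess.createTextMessage("test");
+producer.send(sentMessage);
+
+ActiveMQConnectionFactory consumerFactory = new ActiveMQConnectionFactory("ssl://localhost:61618");
+Connection consumerConn = consumerFactory.createConnection();
+Session consumerSess = consumerConn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+consumerConn.start();
+MessageConsumer consumer = consumerSess.createConsumer(new ActiveMQQueue("test"));
+TextMessage receivedMessage = (TextMessage)consumer.receive(100);
+assertEquals(sentMessage, receivedMessage);
+
+}
+
+}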
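Review bot: `assertEquals(sentMessage, receivedMessage);` at the end of testNetwork compares two Message objects, which as far as I can tell depends on the Message implementation's equals rather than on the payload that actually crossed the bridge; `assertNotNull(receivedMessage); assertEquals("test", receivedMessage.getText());` states what the test means. The `consumer.receive(100)` window is also tight for a message that has to be forwarded over the bridge after the consumer's demand subscription propagates, so a larger bound such as `receive(5000)` would reduce flakiness without slowing a passing run. Since the purpose of the change is certificate-based authentication, the test only proves the accepted path; a second test that connects with a certificate whose DN is not listed in users1.properties and expects a JMSSecurityException would guard the DN mapping against regressions. producerConn and consumerConn are never closed, and the javax.net.ssl.* system properties set here leak into any test that runs afterwards in the same JVM.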
@ -29,3 +29,16 @@ cert-login {
|
|||
|
||||
};
|
||||
|
||||
broker1 {
|
||||
org.apache.activemq.jaas.TextFileCertificateLoginModule required
|
||||
debug=true
|
||||
org.apache.activemq.jaas.textfiledn.user="org/apache/activemq/security/users1.properties"
|
||||
org.apache.activemq.jaas.textfiledn.group="org/apache/activemq/security/groups.properties";
|
||||
};
|
||||
|
||||
broker2 {
|
||||
org.apache.activemq.jaas.TextFileCertificateLoginModule required
|
||||
debug=true
|
||||
org.apache.activemq.jaas.textfiledn.user="org/apache/activemq/security/users2.properties"
|
||||
org.apache.activemq.jaas.textfiledn.group="org/apache/activemq/security/groups.properties";
|
||||
};
|
Binary file not shown.
Binary file not shown.
|
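--- /dev/null
+++ b/activemq-core/src/test/resources/org/apache/activemq/security/broker1.xml
@@ -0,0 +1,71 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<!-- START SNIPPET: example -->
+<beans
+xmlns="http://www.springframework.org/schema/beans"
+xmlns:amq="http://activemq.apache.org/schema/core"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
+
+<broker xmlns="http://activemq.apache.org/schema/core" brokerName="broker1" useJmx="false" persistent="false">
+
+<sslContext>
+<sslContext keyStore="org/apache/activemq/security/broker1.ks"
+keyStorePassword="password"
+trustStore="org/apache/activemq/security/broker1.ts"
+trustStorePassword="password"/>
+</sslContext>
+
+
+<!-- The transport connectors ActiveMQ will listen to -->
+<transportConnectors>
+<transportConnector name="ssl" uri="ssl://0.0.0.0:61617?transport.closeAsync=false&wantClientAuth=true&needClientAuth=true"/>
+</transportConnectors>
+
+<networkConnectors>
+<networkConnector uri="static://(ssl://localhost:61618)"
+name="tobackbone"
+duplex="true"
+prefetchSize="1"
+networkTTL="10">
+</networkConnector>
+</networkConnectors>
+
+<plugins>
+<jaasCertificateAuthenticationPlugin configuration="broker1" />
+<!-- lets configure a destination based authorization mechanism -->
+
+<authorizationPlugin>
+<map>
+<authorizationMap>
+<authorizationEntries>
+<authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
+
+<authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
+
+<authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
+</authorizationEntries>
+
+</authorizationMap>
+</map>
+</authorizationPlugin>
+</plugins>
+</broker>
+
+</beans>
+<!-- END SNIPPET: example -->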
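Review bot: The authorization map grants `admins` read, write and admin on every destination (`queue=">"`, `topic=">"`), and the groups.properties change in this same commit puts `broker1`, `broker2` and `client` into `admins`, so the identities this file's jaasCertificateAuthenticationPlugin authenticates by certificate end up with full rights everywhere. That is fine for a test broker, but the file sits between `START SNIPPET: example` / `END SNIPPET` markers, which suggests it may be pulled into documentation as the reference configuration; I would put `<!-- test configuration: bridge and client identities are full admins on every destination; in a real deployment give the bridge identity its own group limited to the destinations it forwards -->` above the first authorizationEntry. Two smaller points on the transportConnector line: `wantClientAuth=true` is redundant once `needClientAuth=true` is set, since need already requires the client to present a certificate, and the bare `&` separators in the uri must be `&amp;` in the actual XML file — if they show unescaped here only because of the page rendering, ignore that.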
Binary file not shown.
Binary file not shown.
|
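--- /dev/null
+++ b/activemq-core/src/test/resources/org/apache/activemq/security/broker2.xml
@@ -0,0 +1,62 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<!-- START SNIPPET: example -->
+<beans
+xmlns="http://www.springframework.org/schema/beans"
+xmlns:amq="http://activemq.apache.org/schema/core"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
+
+<broker xmlns="http://activemq.apache.org/schema/core" brokerName="broker2" useJmx="false" persistent="false">
+
+<sslContext>
+<sslContext keyStore="org/apache/activemq/security/broker2.ks"
+keyStorePassword="password"
+trustStore="org/apache/activemq/security/broker2.ts"
+trustStorePassword="password"/>
+</sslContext>
+
+
+<!-- The transport connectors ActiveMQ will listen to -->
+<transportConnectors>
+<transportConnector name="ssl" uri="ssl://0.0.0.0:61618?transport.closeAsync=false&wantClientAuth=true&needClientAuth=true"/>
+</transportConnectors>
+
+<plugins>
+<jaasCertificateAuthenticationPlugin configuration="broker2" />
+
+<authorizationPlugin>
+<map>
+<authorizationMap>
+<authorizationEntries>
+<authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
+
+<authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
+
+<authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
+</authorizationEntries>
+
+</authorizationMap>
+</map>
+</authorizationPlugin>
+</plugins>
+
+</broker>
+
+</beans>
+<!-- END SNIPPET: example -->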
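Review bot: The transportConnector on port 61618 carries no comment explaining that `needClientAuth=true` is what makes the certificate-based setup work for the inbound side: broker2 has no networkConnector of its own, the duplex bridge from broker1 arrives on this connector, and the client certificate broker1 is forced to present is what the `broker2` JAAS entry maps via users2.properties. I would add `<!-- needClientAuth=true: the duplex bridge from broker1 and the test client are authenticated by the client certificate they present, mapped to a principal in users2.properties -->` above the transportConnector line. `wantClientAuth=true` on the same uri is redundant with `needClientAuth=true` and can be dropped.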
Binary file not shown.
Binary file not shown.
|
@ -15,7 +15,7 @@
|
|||
## limitations under the License.
|
||||
## ---------------------------------------------------------------------------
|
||||
|
||||
admins=system,sslclient
|
||||
tempDestinationAdmins=system,user,sslclient
|
||||
users=system,user,sslclient
|
||||
admins=system,sslclient,client,broker1,broker2
|
||||
tempDestinationAdmins=system,user,sslclient,client,broker1,broker2
|
||||
users=system,user,sslclient,client,broker1,broker2
|
||||
guests=guest
|
||||
|
|
|
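Review bot: The replaced `admins=` line adds `client`, `broker1` and `broker2` to the admins group, and because both broker XML files in this commit grant `admins` read/write/admin on `queue=">"` and `topic=">"`, the two bridge identities and the test client become administrators of every destination on both brokers. Forwarding over the bridge needs read/write on the forwarded destinations plus the advisory topics, not admin on everything; a dedicated `brokers=broker1,broker2` group referenced from the authorization maps would show the least-privilege shape and keep `admins` meaningful. This file already lists `system`, `user` and `sslclient`, so it appears to be shared with other security tests, and widening `admins` may change what those tests exercise — worth a quick check.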
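--- /dev/null
+++ b/activemq-core/src/test/resources/org/apache/activemq/security/users1.properties
@@ -0,0 +1,19 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements. See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License. You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+client=CN=client, OU=activemq, O=apache, L=Unknown, ST=Unknown, C=Unknown
+broker2=CN=broker2, OU=activemq, O=apache, L=Unknown, ST=Unknown, C=Unknown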
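Review bot: The two mapping lines carry no explanation of their role: the `broker1` entry in login.config points TextFileCertificateLoginModule at this file, and each line maps a principal name to the subject DN of the certificate a peer presents, which as far as I can tell has to match the presented subject as a whole string. A header comment such as `## principal=subject DN of the presenting certificate; the DN must match the certificate subject exactly, so update these lines whenever broker2.ks or client.ks are re-issued` would save the next person who rotates the test keystores from a puzzling authentication failure. The keystores added alongside this file are binary and not reviewable here, so I could not confirm the DNs against them.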
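--- /dev/null
+++ b/activemq-core/src/test/resources/org/apache/activemq/security/users2.properties
@@ -0,0 +1,19 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements. See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License. You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+client=CN=client, OU=activemq, O=apache, L=Unknown, ST=Unknown, C=Unknown
+broker1=CN=broker1, OU=activemq, O=apache, L=Unknown, ST=Unknown, C=Unknown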