From 8e0d7eb19e2f658439f0ccbc34137ee1ffa4c9ac Mon Sep 17 00:00:00 2001
From: charlie-aws
Date: Fri, 8 Jul 2022 10:20:27 -0700
Subject: [PATCH] AMQ-8987 EncryptableLDAPLoginModule support wider password encryption schemes

(cherry picked from commit 6e3b19bd5931a569abd3a9397438cef6d1301d60)
---
 .../jaas/EncryptableLDAPLoginModule.java | 5 +++++
 .../activemq/jaas/LDAPLoginModuleTest.java | 22 +++++++++++++++++++
 activemq-jaas/src/test/resources/login.config | 21 ++++++++++++++++++
 3 files changed, 48 insertions(+)

diff --git a/activemq-jaas/src/main/java/org/apache/activemq/jaas/EncryptableLDAPLoginModule.java b/activemq-jaas/src/main/java/org/apache/activemq/jaas/EncryptableLDAPLoginModule.java
index 78128b0827..f49d097f5b 100644
--- a/activemq-jaas/src/main/java/org/apache/activemq/jaas/EncryptableLDAPLoginModule.java
+++ b/activemq-jaas/src/main/java/org/apache/activemq/jaas/EncryptableLDAPLoginModule.java
@@ -23,6 +23,7 @@ import javax.security.auth.callback.CallbackHandler;
 
 import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
 import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
+import org.jasypt.iv.RandomIvGenerator;
 import org.jasypt.properties.EncryptableProperties;
 
 /**
@@ -50,6 +51,10 @@ public class EncryptableLDAPLoginModule extends LDAPLoginModule {
         EnvironmentStringPBEConfig envConfig = new EnvironmentStringPBEConfig();
         envConfig.setAlgorithm(passwordAlgorithm);
 
+        if (passwordAlgorithm.startsWith("PBE") && passwordAlgorithm.contains("AES")) {
+            envConfig.setIvGenerator(new RandomIvGenerator());
+        }
+
         //If the password was set, use it
         //else look up the password from the environment
         if (encryptionPassword == null) {
diff --git a/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java b/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java
index 208dba2fe9..1653355adb 100644
--- a/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java
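Review bot: The algorithm test on the added `if` line is case-sensitive although JCA algorithm names are not, so a configured `encryptionAlgorithm` such as `pbeWithHmacSHA256AndAES_256` is accepted by `setAlgorithm` one line earlier yet skips the IV generator, and jasypt will then most likely fail later, at decryption time, with a far less obvious error. Normalising first, `String alg = passwordAlgorithm.toUpperCase(Locale.ROOT);` and testing `alg.startsWith("PBE") && alg.contains("AES")`, keeps the heuristic and removes that trap (it needs `java.util.Locale`). The conditional also deserves a why-comment, since presumably the reason it is not unconditional is that an IV generator changes the ciphertext layout and would break values already encrypted with the legacy DES-based schemes, e.g. `// AES-based PBE schemes need an explicit IV; legacy schemes keep jasypt's default so existing ENC() values still decrypt`. The enclosing method starts outside the hunk, so whether `passwordAlgorithm` can be null here (which would throw NPE on `startsWith`) cannot be judged from this view.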
+++ b/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java
@@ -145,6 +145,28 @@ public class LDAPLoginModuleTest extends AbstractLdapTestUnit {
         context.logout();
     }
 
+    @Test
+    public void testAESEncryptedLogin() throws LoginException {
+
+        LoginContext context = new LoginContext("EncryptedAESLDAPLogin", new CallbackHandler() {
+            @Override
+            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+                for (int i = 0; i < callbacks.length; i++) {
+                    if (callbacks[i] instanceof NameCallback) {
+                        ((NameCallback) callbacks[i]).setName("first");
+                    } else if (callbacks[i] instanceof PasswordCallback) {
+                        ((PasswordCallback) callbacks[i]).setPassword("secret".toCharArray());
+                    } else {
+                        throw new UnsupportedCallbackException(callbacks[i]);
+                    }
+                }
+            }
+        });
+        context.login();
+        context.logout();
+    }
+
+
     @Test
     public void testUnauthenticated() throws LoginException {
         LoginContext context = new LoginContext("UnAuthenticatedLDAPLogin", new CallbackHandler() {
diff --git a/activemq-jaas/src/test/resources/login.config b/activemq-jaas/src/test/resources/login.config
index b5e8cf82a1..2dca7b45d6 100644
--- a/activemq-jaas/src/test/resources/login.config
+++ b/activemq-jaas/src/test/resources/login.config
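Review bot: The anonymous `CallbackHandler` in `testAESEncryptedLogin` is a verbatim copy of the one used by the neighbouring tests (the `testUnauthenticated` context line below opens the same construction), so the new test differs from them only in the JAAS entry name while adding a dozen lines of callback boilerplate. A private static helper that builds the handler from a user name and password, so the test reads `new LoginContext("EncryptedAESLDAPLogin", credentialsHandler("first", "secret"))`, would leave each test with its three meaningful lines and make the real difference between the entries obvious. The test also only shows that the `ENC(...)` value decrypts with the configured password; a companion case using a wrong `encryptionPassword` or a mismatched algorithm and asserting that `login()` throws `LoginException` would pin the failure mode of the new IV handling as well. The test class continues outside the hunk on both sides.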
@@ -86,6 +86,27 @@ EncryptedLDAPLogin {
     ;
 };
 
+EncryptedAESLDAPLogin {
+    org.apache.activemq.jaas.EncryptableLDAPLoginModule required
+    debug=true
+    initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
+    connectionURL="ldap://localhost:1024"
+    connectionUsername="uid=admin,ou=system"
+    connectionPassword="ENC(l3ZDKzR+ADzlmYr2Csd/CBXnFRd5Jk02JGKaraMHc7NRQp5amOxvHbuUCQNUQ0cE)"
+    connectionProtocol=s
+    authentication=simple
+    userBase="ou=system"
+    userSearchMatching="(uid={0})"
+    userSearchSubtree=false
+    roleBase="ou=system"
+    roleName=dummyRoleName
+    roleSearchMatching="(uid={1})"
+    roleSearchSubtree=false
+    encryptionAlgorithm=PBEWITHHMACSHA256ANDAES_256
+    encryptionPassword="activemq"
+    ;
+};
+
+
 UnAuthenticatedLDAPLogin {
     org.apache.activemq.jaas.LDAPLoginModule required
     debug=true