https://issues.apache.org/activemq/browse/AMQ-2474 - jaas certificate authentication plugin and network of brokers

git-svn-id: https://svn.apache.org/repos/asf/activemq/trunk@831942 13f79535-47bb-0310-9956-ffa450edef68

activemq-core/src/main/java/org/apache/activemq/network/DemandForwardingBridgeSupport.java

@@ -18,6 +18,7 @@ package org.apache.activemq.network;
 
 import java.io.IOException;
 import java.security.GeneralSecurityException;
+import java.security.cert.X509Certificate;
 import java.util.Collection;
 import java.util.List;
 import java.util.Properties;
@@ -70,7 +71,9 @@ import org.apache.activemq.transport.FutureResponse;
 import org.apache.activemq.transport.ResponseCallback;
 import org.apache.activemq.transport.Transport;
 import org.apache.activemq.transport.TransportDisposedIOException;
+import org.apache.activemq.transport.TransportFilter;
 import org.apache.activemq.transport.TransportListener;
+import org.apache.activemq.transport.tcp.SslTransport;
 import org.apache.activemq.util.IdGenerator;
 import org.apache.activemq.util.IntrospectionSupport;
 import org.apache.activemq.util.LongSequenceGenerator;
@@ -285,6 +288,14 @@ public abstract class DemandForwardingBridgeSupport implements NetworkBridge, Br
                 localConnectionInfo.setClientId(localClientId);
                 localConnectionInfo.setUserName(configuration.getUserName());
                 localConnectionInfo.setPassword(configuration.getPassword());
+                Transport originalTransport = remoteBroker;
+                while (originalTransport instanceof TransportFilter) {
+                    originalTransport = ((TransportFilter)originalTransport).getNext();
+                }
+                if (originalTransport instanceof SslTransport) {
+                    X509Certificate[] peerCerts = ((SslTransport)originalTransport).getPeerCertificates();
+                    localConnectionInfo.setTransportContext(peerCerts);
+                }
                 localBroker.oneway(localConnectionInfo);
 
                 localSessionInfo = new SessionInfo(localConnectionInfo, 1);

activemq-core/src/test/java/org/apache/activemq/security/JaasNetworkTest.java

@@ -0,0 +1,85 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import java.net.URI;
+
+import javax.jms.Connection;
+import javax.jms.MessageConsumer;
+import javax.jms.MessageProducer;
+import javax.jms.Session;
+import javax.jms.TextMessage;
+
+import junit.framework.TestCase;
+
+import org.apache.activemq.ActiveMQConnectionFactory;
+import org.apache.activemq.broker.BrokerFactory;
+import org.apache.activemq.broker.BrokerService;
+import org.apache.activemq.command.ActiveMQQueue;
+
+public class JaasNetworkTest extends TestCase {
+    
+    BrokerService broker1;
+    BrokerService broker2;
+    
+    public void setUp() throws Exception {
+        System.setProperty("java.security.auth.login.config", "src/test/resources/login.config");
+        broker1 = BrokerFactory.createBroker(new URI("xbean:org/apache/activemq/security/broker1.xml"));
+        broker2 = BrokerFactory.createBroker(new URI("xbean:org/apache/activemq/security/broker2.xml"));
+        broker1.waitUntilStarted();
+        broker2.waitUntilStarted();
+        Thread.sleep(2000);
+    }
+    
+    protected void tearDown() throws Exception {
+        super.tearDown();
+        broker1.stop();
+        broker1.waitUntilStopped();
+        broker2.stop();
+        broker2.waitUntilStopped();
+    }
+
+
+
+    public void testNetwork() throws Exception {
+        
+        System.setProperty("javax.net.ssl.trustStore", "src/test/resources/org/apache/activemq/security/client.ts");
+        System.setProperty("javax.net.ssl.trustStorePassword", "password");
+        System.setProperty("javax.net.ssl.trustStoreType", "jks");
+        System.setProperty("javax.net.ssl.keyStore", "src/test/resources/org/apache/activemq/security/client.ks");
+        System.setProperty("javax.net.ssl.keyStorePassword", "password");
+        System.setProperty("javax.net.ssl.keyStoreType", "jks");  
+        
+        ActiveMQConnectionFactory producerFactory  = new ActiveMQConnectionFactory("ssl://localhost:61617");
+        Connection producerConn = producerFactory.createConnection();
+        Session producerSess = producerConn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+        MessageProducer producer = producerSess.createProducer(new ActiveMQQueue("test"));
+        producerConn.start();
+        TextMessage sentMessage = producerSess.createTextMessage("test");
+        producer.send(sentMessage);
+        
+        ActiveMQConnectionFactory consumerFactory  = new ActiveMQConnectionFactory("ssl://localhost:61618");
+        Connection consumerConn = consumerFactory.createConnection();
+        Session consumerSess = consumerConn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+        consumerConn.start();
+        MessageConsumer consumer = consumerSess.createConsumer(new ActiveMQQueue("test"));
+        TextMessage receivedMessage = (TextMessage)consumer.receive(100);
+        assertEquals(sentMessage, receivedMessage);
+
+    }
+    
+}

activemq-core/src/test/resources/login.config

@@ -29,3 +29,16 @@ cert-login {
 
 };
 
+broker1 {
+    org.apache.activemq.jaas.TextFileCertificateLoginModule required
+        debug=true
+        org.apache.activemq.jaas.textfiledn.user="org/apache/activemq/security/users1.properties"
+        org.apache.activemq.jaas.textfiledn.group="org/apache/activemq/security/groups.properties";
+};
+
+broker2 {
+    org.apache.activemq.jaas.TextFileCertificateLoginModule required
+        debug=true
+        org.apache.activemq.jaas.textfiledn.user="org/apache/activemq/security/users2.properties"
+        org.apache.activemq.jaas.textfiledn.group="org/apache/activemq/security/groups.properties";
+};

activemq-core/src/test/resources/org/apache/activemq/security/broker1.xml

@@ -0,0 +1,71 @@
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+   
+    http://www.apache.org/licenses/LICENSE-2.0
+   
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<!-- START SNIPPET: example -->
+<beans
+  xmlns="http://www.springframework.org/schema/beans"
+  xmlns:amq="http://activemq.apache.org/schema/core"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+  http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
+  
+  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="broker1" useJmx="false" persistent="false">
+
+    <sslContext>
+        <sslContext keyStore="org/apache/activemq/security/broker1.ks"
+                    keyStorePassword="password"
+                    trustStore="org/apache/activemq/security/broker1.ts"
+                    trustStorePassword="password"/>
+    </sslContext>
+
+  
+    <!-- The transport connectors ActiveMQ will listen to -->
+    <transportConnectors>
+       <transportConnector name="ssl" uri="ssl://0.0.0.0:61617?transport.closeAsync=false&amp;wantClientAuth=true&amp;needClientAuth=true"/>
+    </transportConnectors>
+
+    <networkConnectors>
+      <networkConnector uri="static://(ssl://localhost:61618)"
+         name="tobackbone"
+         duplex="true"
+         prefetchSize="1"
+         networkTTL="10">
+   </networkConnector>
+    </networkConnectors>
+    
+ <plugins>
+      <jaasCertificateAuthenticationPlugin configuration="broker1" />
+      <!--  lets configure a destination based authorization mechanism -->
+
+      <authorizationPlugin>
+        <map>
+          <authorizationMap>
+            <authorizationEntries>
+              <authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
+
+              <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
+
+              <authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
+            </authorizationEntries>
+             
+          </authorizationMap>
+        </map>
+      </authorizationPlugin>
+    </plugins>
+  </broker>
+  
+</beans>
+<!-- END SNIPPET: example -->

activemq-core/src/test/resources/org/apache/activemq/security/broker2.xml

@@ -0,0 +1,62 @@
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+   
+    http://www.apache.org/licenses/LICENSE-2.0
+   
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<!-- START SNIPPET: example -->
+<beans
+  xmlns="http://www.springframework.org/schema/beans"
+  xmlns:amq="http://activemq.apache.org/schema/core"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+  http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
+  
+  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="broker2" useJmx="false" persistent="false">
+
+    <sslContext>
+        <sslContext keyStore="org/apache/activemq/security/broker2.ks"
+                    keyStorePassword="password"
+                    trustStore="org/apache/activemq/security/broker2.ts"
+                    trustStorePassword="password"/>
+    </sslContext>
+
+
+    <!-- The transport connectors ActiveMQ will listen to -->
+    <transportConnectors>
+       <transportConnector name="ssl"     uri="ssl://0.0.0.0:61618?transport.closeAsync=false&amp;wantClientAuth=true&amp;needClientAuth=true"/>
+    </transportConnectors>
+
+ <plugins>
+      <jaasCertificateAuthenticationPlugin configuration="broker2" />
+
+      <authorizationPlugin>
+        <map>
+          <authorizationMap>
+            <authorizationEntries>
+              <authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
+              
+              <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
+              
+              <authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
+            </authorizationEntries>
+            
+          </authorizationMap>
+        </map>
+      </authorizationPlugin>
+    </plugins>
+
+  </broker>
+  
+</beans>
+<!-- END SNIPPET: example -->

activemq-core/src/test/resources/org/apache/activemq/security/groups.properties

@@ -15,7 +15,7 @@
 ## limitations under the License.
 ## ---------------------------------------------------------------------------
 
-admins=system,sslclient
+admins=system,sslclient,client,broker1,broker2
-tempDestinationAdmins=system,user,sslclient
+tempDestinationAdmins=system,user,sslclient,client,broker1,broker2
-users=system,user,sslclient
+users=system,user,sslclient,client,broker1,broker2
 guests=guest

activemq-core/src/test/resources/org/apache/activemq/security/users1.properties

@@ -0,0 +1,19 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+## 
+## http://www.apache.org/licenses/LICENSE-2.0
+## 
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+client=CN=client, OU=activemq, O=apache, L=Unknown, ST=Unknown, C=Unknown
+broker2=CN=broker2, OU=activemq, O=apache, L=Unknown, ST=Unknown, C=Unknown

activemq-core/src/test/resources/org/apache/activemq/security/users2.properties

@@ -0,0 +1,19 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+## 
+## http://www.apache.org/licenses/LICENSE-2.0
+## 
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+client=CN=client, OU=activemq, O=apache, L=Unknown, ST=Unknown, C=Unknown
+broker1=CN=broker1, OU=activemq, O=apache, L=Unknown, ST=Unknown, C=Unknown