mirror of https://github.com/apache/activemq.git
AMQ-7457 - Support wider password encryption schemes
This commit is contained in:
parent
05c43fe347
commit
9599ad8d95
|
@ -19,6 +19,7 @@ package org.apache.activemq.console.command;
|
|||
import java.util.List;
|
||||
|
||||
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
|
||||
import org.jasypt.iv.RandomIvGenerator;
|
||||
|
||||
public class DecryptCommand extends EncryptCommand {
|
||||
|
||||
|
@ -30,6 +31,7 @@ public class DecryptCommand extends EncryptCommand {
|
|||
" --password <password> Password to be used by the encryptor. Defaults to",
|
||||
" the value in the ACTIVEMQ_ENCRYPTION_PASSWORD env variable.",
|
||||
" --input <input> Text to be encrypted.",
|
||||
" --algorithm <algorithm> Algorithm to use.",
|
||||
" --version Display the version information.",
|
||||
" -h,-?,--help Display the stop broker help information.",
|
||||
""
|
||||
|
@ -55,6 +57,13 @@ public class DecryptCommand extends EncryptCommand {
|
|||
return;
|
||||
}
|
||||
encryptor.setPassword(password);
|
||||
if (algorithm != null) {
|
||||
encryptor.setAlgorithm(algorithm);
|
||||
// From Jasypt: for PBE-AES-based algorithms, the IV generator is MANDATORY"
|
||||
if (algorithm.startsWith("PBE") && algorithm.contains("AES")) {
|
||||
encryptor.setIvGenerator(new RandomIvGenerator());
|
||||
}
|
||||
}
|
||||
try {
|
||||
context.print("Decrypted text: " + encryptor.decrypt(input));
|
||||
} catch (EncryptionOperationNotPossibleException e) {
|
||||
|
|
|
@ -19,6 +19,7 @@ package org.apache.activemq.console.command;
|
|||
import java.util.List;
|
||||
|
||||
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
|
||||
import org.jasypt.iv.RandomIvGenerator;
|
||||
|
||||
public class EncryptCommand extends AbstractCommand {
|
||||
|
||||
|
@ -30,6 +31,7 @@ public class EncryptCommand extends AbstractCommand {
|
|||
" --password <password> Password to be used by the encryptor. Defaults to",
|
||||
" the value in the ACTIVEMQ_ENCRYPTION_PASSWORD env variable.",
|
||||
" --input <input> Text to be encrypted.",
|
||||
" --algorithm <algorithm> Algorithm to use.",
|
||||
" --version Display the version information.",
|
||||
" -h,-?,--help Display the stop broker help information.",
|
||||
""
|
||||
|
@ -38,6 +40,7 @@ public class EncryptCommand extends AbstractCommand {
|
|||
StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
|
||||
String input;
|
||||
String password;
|
||||
String algorithm;
|
||||
|
||||
@Override
|
||||
public String getName() {
|
||||
|
@ -64,6 +67,13 @@ public class EncryptCommand extends AbstractCommand {
|
|||
return;
|
||||
}
|
||||
encryptor.setPassword(password);
|
||||
if (algorithm != null) {
|
||||
encryptor.setAlgorithm(algorithm);
|
||||
// From Jasypt: for PBE-AES-based algorithms, the IV generator is MANDATORY"
|
||||
if (algorithm.startsWith("PBE") && algorithm.contains("AES")) {
|
||||
encryptor.setIvGenerator(new RandomIvGenerator());
|
||||
}
|
||||
}
|
||||
context.print("Encrypted text: " + encryptor.encrypt(input));
|
||||
}
|
||||
|
||||
|
@ -83,6 +93,13 @@ public class EncryptCommand extends AbstractCommand {
|
|||
}
|
||||
|
||||
password=(String)tokens.remove(0);
|
||||
} else if (token.startsWith("--algorithm")) {
|
||||
if (tokens.isEmpty() || ((String)tokens.get(0)).startsWith("-")) {
|
||||
context.printException(new IllegalArgumentException("algorithm not specified"));
|
||||
return;
|
||||
}
|
||||
|
||||
algorithm=(String)tokens.remove(0);
|
||||
} else {
|
||||
super.handleOption(token, tokens);
|
||||
}
|
||||
|
|
|
@ -56,6 +56,9 @@
|
|||
</property>
|
||||
-->
|
||||
</systemProperties>
|
||||
<environmentVariables>
|
||||
<ACTIVEMQ_ENCRYPTION_PASSWORD>activemq</ACTIVEMQ_ENCRYPTION_PASSWORD>
|
||||
</environmentVariables>
|
||||
</configuration>
|
||||
</plugin>
|
||||
</plugins>
|
||||
|
|
|
@ -19,6 +19,7 @@ package org.apache.activemq.jaas;
|
|||
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
|
||||
import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
|
||||
import org.jasypt.properties.PropertyValueEncryptionUtils;
|
||||
import org.jasypt.iv.RandomIvGenerator;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Properties;
|
||||
|
@ -28,8 +29,8 @@ import java.util.Properties;
|
|||
*/
|
||||
public class EncryptionSupport {
|
||||
|
||||
static public void decrypt(Properties props) {
|
||||
StandardPBEStringEncryptor encryptor = createEncryptor();
|
||||
static public void decrypt(Properties props, String algorithm) {
|
||||
StandardPBEStringEncryptor encryptor = createEncryptor(algorithm);
|
||||
for (Object k : new ArrayList(props.keySet())) {
|
||||
String key = (String) k;
|
||||
String value = props.getProperty(key);
|
||||
|
@ -40,10 +41,16 @@ public class EncryptionSupport {
|
|||
}
|
||||
|
||||
}
|
||||
public static StandardPBEStringEncryptor createEncryptor() {
|
||||
public static StandardPBEStringEncryptor createEncryptor(String algorithm) {
|
||||
StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
|
||||
EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
|
||||
config.setAlgorithm("PBEWithMD5AndDES");
|
||||
if (algorithm != null) {
|
||||
encryptor.setAlgorithm(algorithm);
|
||||
// From Jasypt: for PBE-AES-based algorithms, the IV generator is MANDATORY"
|
||||
if (algorithm.startsWith("PBE") && algorithm.contains("AES")) {
|
||||
encryptor.setIvGenerator(new RandomIvGenerator());
|
||||
}
|
||||
}
|
||||
config.setPasswordEnvName("ACTIVEMQ_ENCRYPTION_PASSWORD");
|
||||
encryptor.setConfig(config);
|
||||
return encryptor;
|
||||
|
|
|
@ -53,12 +53,14 @@ public class PropertiesLoader {
|
|||
final boolean reload;
|
||||
private boolean decrypt;
|
||||
private boolean debug;
|
||||
private String algorithm;
|
||||
|
||||
public FileNameKey(String nameProperty, String fallbackName, Map options) {
|
||||
this.file = new File(baseDir(options), stringOption(nameProperty, fallbackName, options));
|
||||
absPath = file.getAbsolutePath();
|
||||
reload = booleanOption("reload", options);
|
||||
decrypt = booleanOption("decrypt", options);
|
||||
algorithm = stringOption("algorithm", "PBEWithMD5AndDES", options);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -87,6 +89,10 @@ public class PropertiesLoader {
|
|||
this.decrypt = decrypt;
|
||||
}
|
||||
|
||||
public String getAlgorithm() {
|
||||
return algorithm;
|
||||
}
|
||||
|
||||
private String stringOption(String key, String nameDefault, Map options) {
|
||||
Object result = options.get(key);
|
||||
return result != null ? result.toString() : nameDefault;
|
||||
|
|
|
@ -124,7 +124,7 @@ public class ReloadableProperties {
|
|||
props.load(in);
|
||||
if (key.isDecrypt()) {
|
||||
try {
|
||||
EncryptionSupport.decrypt(this.props);
|
||||
EncryptionSupport.decrypt(this.props, key.getAlgorithm());
|
||||
} catch (NoClassDefFoundError e) {
|
||||
// this Happens whe jasypt is not on the classpath..
|
||||
key.setDecrypt(false);
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
* contributor license agreements. See the NOTICE file distributed with
|
||||
* this work for additional information regarding copyright ownership.
|
||||
* The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
* (the "License"); you may not use this file except in compliance with
|
||||
* the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.apache.activemq.jaas;
|
||||
|
||||
public class EncryptedAESPropertiesLoginModuleTest extends EncryptedPropertiesLoginModuleTest {
|
||||
|
||||
@Override
|
||||
protected String getLoginModule() {
|
||||
return "EncryptedAESPropertiesLogin";
|
||||
}
|
||||
}
|
|
@ -0,0 +1,30 @@
|
|||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
* contributor license agreements. See the NOTICE file distributed with
|
||||
* this work for additional information regarding copyright ownership.
|
||||
* The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
* (the "License"); you may not use this file except in compliance with
|
||||
* the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.apache.activemq.jaas;
|
||||
|
||||
public class EncryptedPropertiesLoginModuleTest extends PropertiesLoginModuleTest {
|
||||
|
||||
@Override
|
||||
protected String getLoginModule() {
|
||||
return "EncryptedPropertiesLogin";
|
||||
}
|
||||
|
||||
@Override
|
||||
public void testLoginReload() throws Exception {
|
||||
// Ignore
|
||||
}
|
||||
}
|
|
@ -52,7 +52,7 @@ public class PropertiesLoginModuleTest extends TestCase {
|
|||
}
|
||||
|
||||
public void testLogin() throws LoginException {
|
||||
LoginContext context = new LoginContext("PropertiesLogin", new UserPassHandler("first", "secret"));
|
||||
LoginContext context = new LoginContext(getLoginModule(), new UserPassHandler("first", "secret"));
|
||||
context.login();
|
||||
|
||||
Subject subject = context.getSubject();
|
||||
|
@ -113,7 +113,7 @@ public class PropertiesLoginModuleTest extends TestCase {
|
|||
}
|
||||
|
||||
public void testBadUseridLogin() throws Exception {
|
||||
LoginContext context = new LoginContext("PropertiesLogin", new UserPassHandler("BAD", "secret"));
|
||||
LoginContext context = new LoginContext(getLoginModule(), new UserPassHandler("BAD", "secret"));
|
||||
|
||||
try {
|
||||
context.login();
|
||||
|
@ -124,7 +124,7 @@ public class PropertiesLoginModuleTest extends TestCase {
|
|||
}
|
||||
|
||||
public void testBadPWLogin() throws Exception {
|
||||
LoginContext context = new LoginContext("PropertiesLogin", new UserPassHandler("first", "BAD"));
|
||||
LoginContext context = new LoginContext(getLoginModule(), new UserPassHandler("first", "BAD"));
|
||||
|
||||
try {
|
||||
context.login();
|
||||
|
@ -157,4 +157,8 @@ public class PropertiesLoginModuleTest extends TestCase {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
protected String getLoginModule() {
|
||||
return "PropertiesLogin";
|
||||
}
|
||||
}
|
||||
|
|
|
@ -30,6 +30,23 @@ PropertiesLoginReload {
|
|||
org.apache.activemq.jaas.properties.group="groups.properties";
|
||||
};
|
||||
|
||||
EncryptedPropertiesLogin {
|
||||
org.apache.activemq.jaas.PropertiesLoginModule required
|
||||
debug=true
|
||||
org.apache.activemq.jaas.properties.user="users-encrypted.properties"
|
||||
org.apache.activemq.jaas.properties.group="groups.properties"
|
||||
decrypt=true;
|
||||
};
|
||||
|
||||
EncryptedAESPropertiesLogin {
|
||||
org.apache.activemq.jaas.PropertiesLoginModule required
|
||||
debug=true
|
||||
org.apache.activemq.jaas.properties.user="users-encrypted-aes.properties"
|
||||
org.apache.activemq.jaas.properties.group="groups.properties"
|
||||
algorithm=PBEWITHHMACSHA1ANDAES_128
|
||||
decrypt=true;
|
||||
};
|
||||
|
||||
LDAPLogin {
|
||||
org.apache.activemq.jaas.LDAPLoginModule required
|
||||
debug=true
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
## ---------------------------------------------------------------------------
|
||||
## Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
## contributor license agreements. See the NOTICE file distributed with
|
||||
## this work for additional information regarding copyright ownership.
|
||||
## The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
## (the "License"); you may not use this file except in compliance with
|
||||
## the License. You may obtain a copy of the License at
|
||||
##
|
||||
## http://www.apache.org/licenses/LICENSE-2.0
|
||||
##
|
||||
## Unless required by applicable law or agreed to in writing, software
|
||||
## distributed under the License is distributed on an "AS IS" BASIS,
|
||||
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
## See the License for the specific language governing permissions and
|
||||
## limitations under the License.
|
||||
## ---------------------------------------------------------------------------
|
||||
|
||||
first=ENC(Gk9Rdv1x9AybEf2w2OBIYALTFHbe97eVbOLRkG8btwIDdCtotcdBfnuGsDRmQpDx)
|
||||
second=ENC(/Z7qx1/BDlA14exodJiQKMaGJi70kJ7GIntyDYvVvVjpDW7j2piwJHEUFTtJ/HVG)
|
|
@ -0,0 +1,19 @@
|
|||
## ---------------------------------------------------------------------------
|
||||
## Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
## contributor license agreements. See the NOTICE file distributed with
|
||||
## this work for additional information regarding copyright ownership.
|
||||
## The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
## (the "License"); you may not use this file except in compliance with
|
||||
## the License. You may obtain a copy of the License at
|
||||
##
|
||||
## http://www.apache.org/licenses/LICENSE-2.0
|
||||
##
|
||||
## Unless required by applicable law or agreed to in writing, software
|
||||
## distributed under the License is distributed on an "AS IS" BASIS,
|
||||
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
## See the License for the specific language governing permissions and
|
||||
## limitations under the License.
|
||||
## ---------------------------------------------------------------------------
|
||||
|
||||
first=ENC(Z5ZVpKZrgHL8M58yqlVTWA==)
|
||||
second=ENC(4mCibprDoilo4CHjFkXOTdOOA1jXEx+X)
|
|
@ -222,7 +222,7 @@
|
|||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.jasypt</groupId>
|
||||
<artifactId>jasypt-spring31</artifactId>
|
||||
<artifactId>jasypt-spring4</artifactId>
|
||||
<version>${jasypt-version}</version>
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
|
|
|
@ -30,7 +30,7 @@
|
|||
<property name="password" value="activemq"/>
|
||||
</bean>
|
||||
|
||||
<bean id="propertyConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer">
|
||||
<bean id="propertyConfigurer" class="org.jasypt.spring4.properties.EncryptablePropertyPlaceholderConfigurer">
|
||||
<constructor-arg ref="configurationEncryptor" />
|
||||
<property name="location" value="classpath:credentials.properties"/>
|
||||
</bean>
|
||||
|
|
|
@ -30,7 +30,7 @@
|
|||
<property name="password" value="activemq"/>
|
||||
</bean>
|
||||
|
||||
<bean id="propertyConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer">
|
||||
<bean id="propertyConfigurer" class="org.jasypt.spring4.properties.EncryptablePropertyPlaceholderConfigurer">
|
||||
<constructor-arg ref="configurationEncryptor" />
|
||||
<property name="location" value="classpath:credentials.properties"/>
|
||||
</bean>
|
||||
|
|
|
@ -30,7 +30,7 @@
|
|||
<property name="password" value="activemq"/>
|
||||
</bean>
|
||||
|
||||
<bean id="propertyConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer">
|
||||
<bean id="propertyConfigurer" class="org.jasypt.spring4.properties.EncryptablePropertyPlaceholderConfigurer">
|
||||
<constructor-arg ref="configurationEncryptor" />
|
||||
<property name="location" value="classpath:credentials.properties"/>
|
||||
</bean>
|
||||
|
|
|
@ -400,7 +400,7 @@
|
|||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.jasypt</groupId>
|
||||
<artifactId>jasypt-spring31</artifactId>
|
||||
<artifactId>jasypt-spring4</artifactId>
|
||||
<version>${jasypt-version}</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
|
|
|
@ -207,7 +207,7 @@
|
|||
<include>org.apache.velocity:velocity-engine-core</include>
|
||||
<include>org.apache.servicemix.bundles:org.apache.servicemix.bundles.josql</include>
|
||||
<include>org.jasypt:jasypt</include>
|
||||
<include>org.jasypt:jasypt-spring31</include>
|
||||
<include>org.jasypt:jasypt-spring4</include>
|
||||
<include>javax.jmdns:jmdns</include>
|
||||
<include>org.apache.qpid:proton-j</include>
|
||||
<include>${pom.groupId}:activemq-runtime-config</include>
|
||||
|
|
|
@ -48,7 +48,7 @@
|
|||
<property name="config" ref="environmentVariablesConfiguration" />
|
||||
</bean>
|
||||
|
||||
<bean id="propertyConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer">
|
||||
<bean id="propertyConfigurer" class="org.jasypt.spring4.properties.EncryptablePropertyPlaceholderConfigurer">
|
||||
<constructor-arg ref="configurationEncryptor" />
|
||||
<property name="location" value="file:${activemq.conf}/credentials-enc.properties"/>
|
||||
</bean>
|
||||
|
|
Loading…
Reference in New Issue