Author: chirino
Date: Fri Jan 13 17:50:08 2012
New Revision: 1231207
URL: http://svn.apache.org/viewvc?rev=1231207&view=rev
Log:
Fixes APLO-125: Improve client authentication error messages
Modified:
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authenticator.scala
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/JaasAuthenticator.scala
activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala
activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala
activemq/activemq-apollo/trunk/apollo-web/src/main/scala/org/apache/activemq/apollo/web/resources/Support.scala
Modified:
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authenticator.scala
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authenticator.scala?rev=1231207&r1=1231206&r2=1231207&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authenticator.scala
(original)
+++
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authenticator.scala
Fri Jan 13 17:50:08 2012
@@ -29,9 +29,10 @@ trait Authenticator {
* If the authentication succeeds, then the subject and
* principles fields of the SecurityContext should be populated.
*
- * @returns true if the SecurityContext was authenticated.
+ * @returns null if the SecurityContext was authenticated. Otherwise
+ * returns an error message that can be given to a client.
*/
- def authenticate(ctx:SecurityContext):Boolean @suspendable
+ def authenticate(ctx:SecurityContext):String @suspendable
/**
* Extracts the user name of the logged in user.
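Review bot: Using `null` as the success value of `authenticate` makes the contract fail-open, because any implementation that returns null by mistake (for example by returning `x.getMessage` from an exception that carries no message) is treated as authenticated by every caller, including the `==null` test added in Support.scala. An `Option[String]` with `None` on success, or a small sealed result type, would let the compiler keep the two outcomes apart, e.g. `def authenticate(ctx:SecurityContext):Option[String] @suspendable`. If the String return is kept, the doc comment should state that implementations must never return null on a failure path. The scaladoc tag should be `@return` rather than `@returns`. The trait body continues outside the hunk.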
Modified:
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/JaasAuthenticator.scala
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/JaasAuthenticator.scala?rev=1231207&r1=1231206&r2=1231207&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/JaasAuthenticator.scala
(original)
+++
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/JaasAuthenticator.scala
Fri Jan 13 17:50:08 2012
@@ -16,7 +16,6 @@
*/
package org.apache.activemq.apollo.broker.security
-import javax.security.auth.login.LoginContext
import javax.security.auth.callback.Callback
import javax.security.auth.callback.CallbackHandler
@@ -30,6 +29,8 @@ import org.fusesource.hawtdispatch._
import org.apache.activemq.apollo.dto.AuthenticationDTO
import org.apache.activemq.apollo.util.Log
import collection.JavaConversions._
+import javax.security.auth.login._
+import javax.security.auth.message.AuthException
/**
* <p>
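Review bot: `import javax.security.auth.message.AuthException` is not used in any hunk visible in this commit, and that package belongs to the Java EE authentication SPI (JSR 196) rather than the JDK's JAAS classes, so it may pull in a compile-time dependency for no benefit. I would drop the line unless it is referenced in code outside the hunks. The wildcard `import javax.security.auth.login._` could also be narrowed to the exception types matched in `_authenticate`, plus `LoginContext` if it is still used.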
@@ -78,7 +79,7 @@ class JaasAuthenticator(val config: Auth
}
}
- def _authenticate(security_ctx: SecurityContext): Boolean = {
+ def _authenticate(security_ctx: SecurityContext): String = {
val original = Thread.currentThread().getContextClassLoader()
Thread.currentThread().setContextClassLoader(getClass.getClassLoader())
JaasAuthenticator._log.set(log)
@@ -103,12 +104,27 @@ class JaasAuthenticator(val config: Auth
security_ctx.login_context.login()
security_ctx.subject = security_ctx.login_context.getSubject()
- true
+ null
+
} catch {
case x: Exception =>
+ val (reported, actual) = x match {
+ case x:AccountLockedException =>
+ ("Account locked", "Account locked: "+x.getMessage)
+ case x:AccountExpiredException =>
+ ("Account expired", "Account expired: "+x.getMessage)
+ case x:CredentialExpiredException =>
+ ("Creditial expired", "Creditial expired: "+x.getMessage)
+ case x:FailedLoginException =>
+ ("Authentication failed", "Failed login: "+x.getMessage)
+ case x:AccountNotFoundException =>
+ ("Authentication failed", "Account not found: "+x.getMessage)
+ case _ =>
+ ("Authentication failed", x.getMessage)
+ }
security_ctx.login_context = null
- log.info("authentication failed: local:%s, remote:%s, reason:%s ",
security_ctx.local_address, security_ctx.remote_address, x.getMessage)
- false
+ log.info("authentication failed: local:%s, remote:%s, reason:%s ",
security_ctx.local_address, security_ctx.remote_address, actual)
+ reported
} finally {
JaasAuthenticator._log.remove
Thread.currentThread().setContextClassLoader(original)
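Review bot: The client-visible text for `CredentialExpiredException` is misspelled; it should read `("Credential expired", "Credential expired: "+x.getMessage)`. Beyond the typo, returning distinct "Account locked", "Account expired" and "Credential expired" strings to an unauthenticated peer discloses that the account exists and what state it is in, while the unknown-account and bad-password cases are merged into "Authentication failed". Depending on whether the configured login module raises these before it verifies the password, that may permit account enumeration, so consider making the detailed reasons opt-in by configuration and recording the decision in a comment above the `match`. In the default case `actual` is `x.getMessage`, which can be null, so the log line would print `reason:null`; `x.toString` would keep the exception class in the log. The `try` block and the method both start outside the hunk.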
Modified:
activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala?rev=1231207&r1=1231206&r2=1231207&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala
(original)
+++
activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala
Fri Jan 13 17:50:08 2012
@@ -430,8 +430,9 @@ class OpenwireProtocolHandler extends Pr
reset {
if( host.authenticator!=null && host.authorizer!=null ) {
suspend_read("authenticating and authorizing connect")
- if( !host.authenticator.authenticate(security_context) ) {
- async_die("Authentication failed.
Credentials="+security_context.credential_dump)
+ val auth_failure = host.authenticator.authenticate(security_context)
+ if( auth_failure!=null ) {
+ async_die(auth_failure+".
Credentials="+security_context.credential_dump)
noop // to make the cps compiler plugin happy.
} else if( !host.authorizer.can(security_context, "connect",
connection.connector) ) {
async_die("Not authorized to connect to connector '%s'.
Principals=".format(connection.connector.id, security_context.principal_dump))
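Review bot: The new `async_die` call still appends `security_context.credential_dump` to the failure text, and the same line is added in StompProtocolHandler.scala. What `credential_dump` contains, and whether `async_die` forwards its argument to the peer or only to the log, is not visible here; if the dump includes the submitted password it should be redacted or left out, e.g. `async_die(auth_failure)` with the dump logged separately. Since `authenticate` is now documented as returning a message that can be given to a client, keeping the client text and the diagnostic dump apart would make that boundary explicit. The unchanged authorizer branch below passes two arguments to a `format` string with a single `%s`, so `principal_dump` is never rendered. The enclosing `reset` block continues outside the hunk.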
Modified:
activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala?rev=1231207&r1=1231206&r2=1231207&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala
(original)
+++
activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala
Fri Jan 13 17:50:08 2012
@@ -916,8 +916,9 @@ class StompProtocolHandler extends Proto
connection_log = host.connection_log
if( host.authenticator!=null && host.authorizer!=null ) {
suspend_read("authenticating and authorizing connect")
- if( !host.authenticator.authenticate(security_context) ) {
- async_die("Authentication failed.
Credentials="+security_context.credential_dump)
+ var auth_failure = host.authenticator.authenticate(security_context)
+ if( auth_failure!=null ) {
+ async_die(auth_failure+".
Credentials="+security_context.credential_dump)
noop // to make the cps compiler plugin happy.
} else if( !host.authorizer.can(security_context, "connect",
connection.connector) ) {
async_die("Not authorized to connect to connector '%s'.
Principals=".format(connection.connector.id, security_context.principal_dump))
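Review bot: `auth_failure` is declared with `var` here, but it is never reassigned in the hunk and the matching OpenWire change uses `val`. Writing `val auth_failure = host.authenticator.authenticate(security_context)` keeps the two handlers consistent and rules out the authentication result being overwritten later in the block. The enclosing block continues outside the hunk.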
Modified:
activemq/activemq-apollo/trunk/apollo-web/src/main/scala/org/apache/activemq/apollo/web/resources/Support.scala
URL:
http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-web/src/main/scala/org/apache/activemq/apollo/web/resources/Support.scala?rev=1231207&r1=1231206&r2=1231207&view=diff
==============================================================================
---
activemq/activemq-apollo/trunk/apollo-web/src/main/scala/org/apache/activemq/apollo/web/resources/Support.scala
(original)
+++
activemq/activemq-apollo/trunk/apollo-web/src/main/scala/org/apache/activemq/apollo/web/resources/Support.scala
Fri Jan 13 17:50:08 2012
@@ -251,7 +251,7 @@ abstract class Resource(parent:Resource=
}
reset {
- if( authenticator.authenticate(security_context) ) {
+ if( authenticator.authenticate(security_context)==null ) {
call_func_with_security
} else {
func(null)