ARTEMIS-1102 cert-based auth impl for OpenWire
Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/004eda42 Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/004eda42 Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/004eda42 Branch: refs/heads/master Commit: 004eda42a292ab2a9f7900cf8ff657a4fecc5712 Parents: e81fb16 Author: Justin Bertram <[email protected]> Authored: Thu Apr 6 12:19:42 2017 -0500 Committer: Martyn Taylor <[email protected]> Committed: Fri Apr 28 10:11:25 2017 +0100 ---------------------------------------------------------------------- .../openwire/OpenWireProtocolManager.java | 26 +++++--------- .../integration/security/SecurityTest.java | 36 ++++++++++++++++++++ 2 files changed, 45 insertions(+), 17 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/004eda42/artemis-protocols/artemis-openwire-protocol/src/main/java/org/apache/activemq/artemis/core/protocol/openwire/OpenWireProtocolManager.java ----------------------------------------------------------------------
diff --git a/artemis-protocols/artemis-openwire-protocol/src/main/java/org/apache/activemq/artemis/core/protocol/openwire/OpenWireProtocolManager.java b/artemis-protocols/artemis-openwire-protocol/src/main/java/org/apache/activemq/artemis/core/protocol/openwire/OpenWireProtocolManager.java
index c0affb6..61eeb1c 100644
--- a/artemis-protocols/artemis-openwire-protocol/src/main/java/org/apache/activemq/artemis/core/protocol/openwire/OpenWireProtocolManager.java
+++ b/artemis-protocols/artemis-openwire-protocol/src/main/java/org/apache/activemq/artemis/core/protocol/openwire/OpenWireProtocolManager.java
@@ -17,6 +17,7 @@
 package org.apache.activemq.artemis.core.protocol.openwire;
 import javax.jms.InvalidClientIDException;
+import javax.security.cert.X509Certificate;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -42,6 +43,7 @@ import org.apache.activemq.artemis.api.core.client.TopologyMember;
 import org.apache.activemq.artemis.core.protocol.openwire.amq.AMQConnectionContext;
 import org.apache.activemq.artemis.core.protocol.openwire.amq.AMQProducerBrokerExchange;
 import org.apache.activemq.artemis.core.protocol.openwire.amq.AMQSession;
+import org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnection;
 import org.apache.activemq.artemis.core.remoting.impl.netty.NettyServerConnection;
 import org.apache.activemq.artemis.core.server.ActiveMQServer;
 import org.apache.activemq.artemis.core.server.ActiveMQServerLogger;
@@ -54,8 +56,7 @@ import org.apache.activemq.artemis.spi.core.protocol.ProtocolManagerFactory;
 import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;
 import org.apache.activemq.artemis.spi.core.remoting.Acceptor;
 import org.apache.activemq.artemis.spi.core.remoting.Connection;
-import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager;
-import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3;
+import org.apache.activemq.artemis.utils.CertificateUtil;
 import org.apache.activemq.artemis.utils.DataConstants;
 import org.apache.activemq.command.ActiveMQMessage;
 import org.apache.activemq.command.ActiveMQTopic;
@@ -288,9 +289,7 @@ public class OpenWireProtocolManager implements ProtocolManager<Interceptor>, Cl
 String username = info.getUserName();
 String password = info.getPassword();
- if (!this.validateUser(username, password)) {
- throw new SecurityException("User name [" + username + "] or password is invalid.");
- }
+ validateUser(username, password, connection);
 String clientId = info.getClientId();
 if (clientId == null) {
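Review bot: `validateUser(username, password, connection)` now lets whatever `server.getSecurityStore().authenticate(...)` throws propagate, whereas the removed lines raised a `SecurityException` with a fixed message that did not reveal whether the user or the password was wrong; the enclosing method starts and ends outside this hunk, so check there that the propagated exception is still mapped to the same client-visible failure for OpenWire clients and that its message is no more specific than before. If the store's message is more specific, wrapping the call as `try { validateUser(username, password, connection); } catch (Exception e) { throw new SecurityException("User name [" + username + "] or password is invalid.", e); }` keeps the old client-facing text while preserving the cause. The `sm != null && isSecurityEnabled()` short-circuit that used to live on this path is gone too; presumably the security store applies it internally, which deserves a note at the call such as `// authentication, including the security-enabled check and client-certificate handling, is delegated to the SecurityStore`.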
@@ -454,20 +453,13 @@ public class OpenWireProtocolManager implements ProtocolManager<Interceptor>, Cl
 return false;
 }
- public boolean validateUser(String login, String passcode) {
- boolean validated = true;
-
- ActiveMQSecurityManager sm = server.getSecurityManager();
-
- if (sm != null && server.getConfiguration().isSecurityEnabled()) {
- if (sm instanceof ActiveMQSecurityManager3) {
- validated = ((ActiveMQSecurityManager3) sm).validateUser(login, passcode, null) != null;
- } else {
- validated = sm.validateUser(login, passcode);
- }
+ public void validateUser(String login, String passcode, OpenWireConnection connection) throws Exception {
+ X509Certificate[] certificates = null;
+ if (connection.getTransportConnection() instanceof NettyConnection) {
+ certificates = CertificateUtil.getCertsFromChannel(((NettyConnection) connection.getTransportConnection()).getChannel());
 }
- return validated;
+ server.getSecurityStore().authenticate(login, passcode, certificates);
 }
 public void sendBrokerInfo(OpenWireConnection connection) throws Exception {
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/004eda42/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java ----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
index 30b2dbc..06cfc38 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
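Review bot: `certificates` stays null whenever the transport is not a `NettyConnection` (and presumably when `CertificateUtil.getCertsFromChannel` finds no TLS peer certificates), and that null goes straight into `authenticate`, so a CertLogin-only broker rejects a plain-TCP or no-client-auth OpenWire connection with whatever the security store reports rather than an explicit "no client certificate" reason — acceptable, but it belongs in the method's documentation. The method keeps the name `validateUser` although it no longer returns a boolean and now signals failure by exception, so a Javadoc along the lines of `/** Authenticates this connection through the broker SecurityStore. Client certificates are read from the Netty channel when the transport is Netty-based so a certificate login module can succeed without user/password; throws instead of returning false on failure. */` is needed for callers. `connection.getTransportConnection()` is evaluated twice; `Connection transport = connection.getTransportConnection();` (the spi `Connection` type is already imported in this file) followed by `if (transport instanceof NettyConnection) { certificates = CertificateUtil.getCertsFromChannel(((NettyConnection) transport).getChannel()); }` avoids assuming the getter returns the same object on both calls. `throws Exception` is also broader than callers who want to catch an authentication failure specifically would like; narrowing it to what `authenticate` declares would be cleaner, if that signature permits.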
@@ -16,6 +16,8 @@
 */
 package org.apache.activemq.artemis.tests.integration.security;
+import javax.jms.MessageProducer;
+import javax.jms.Session;
 import javax.security.cert.X509Certificate;
 import javax.transaction.xa.XAResource;
 import javax.transaction.xa.Xid;
@@ -26,6 +28,8 @@ import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
+import org.apache.activemq.ActiveMQConnection;
+import org.apache.activemq.ActiveMQSslConnectionFactory;
 import org.apache.activemq.artemis.api.core.ActiveMQException;
 import org.apache.activemq.artemis.api.core.ActiveMQExceptionType;
 import org.apache.activemq.artemis.api.core.ActiveMQSecurityException;
@@ -176,6 +180,38 @@ public class SecurityTest extends ActiveMQTestBase {
 }
 @Test
+ public void testJAASSecurityManagerAuthenticationWithCertsAndOpenWire() throws Exception {
+ ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("CertLogin");
+ ActiveMQServer server = addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true), ManagementFactory.getPlatformMBeanServer(), securityManager, false));
+
+ Map<String, Object> params = new HashMap<>();
+ params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
+
+ server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
+
+ server.start();
+
+ ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory("ssl://localhost:61616");
+ factory.setTrustStore("client-side-truststore.jks");
+ factory.setTrustStorePassword("secureexample");
+ factory.setKeyStore("client-side-keystore.jks");
+ factory.setKeyStorePassword("secureexample");
+
+ try (ActiveMQConnection connection = (ActiveMQConnection) factory.createConnection()) {
+ Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+ session.close();
+ } catch (Throwable e) {
+ e.printStackTrace();
+ Assert.fail("should not throw exception");
+ }
+ }
+
+ @Test
 public void testJAASSecurityManagerAuthenticationBadPassword() throws Exception {
 ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("PropertiesLogin");
 ActiveMQServer server =
addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true), ManagementFactory.getPlatformMBeanServer(), securityManager, false));
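Review bot: The new test exercises only the success path — a client presenting a trusted certificate to an acceptor with `NEED_CLIENT_AUTH_PROP_NAME` set — so a regression that passed null certificates into `authenticate`, or a store that accepted any connection, would still pass; a negative case where the OpenWire client omits its keystore and the connection is rejected is needed alongside it. Since `needClientAuth` makes the TLS handshake itself reject a client without a certificate, that negative case is more useful against an acceptor without the flag, so the rejection comes from the CertLogin authentication path rather than the handshake (the exact JMS exception the OpenWire client surfaces is not visible here, so the sketch below catches `JMSException`). The `catch (Throwable e) { e.printStackTrace(); Assert.fail("should not throw exception"); }` block adds nothing over letting the method's `throws Exception` propagate and hides the original failure from the JUnit report, so it can be dropped. The `javax.jms.MessageProducer` import added in this file's first hunk is not referenced by anything in the diff.
```java
// … unchanged: broker setup with CertLogin and the TLS acceptor (NEED_CLIENT_AUTH_PROP_NAME left unset for this case) …
ActiveMQSslConnectionFactory noCertFactory = new ActiveMQSslConnectionFactory("ssl://localhost:61616");
noCertFactory.setTrustStore("client-side-truststore.jks");
noCertFactory.setTrustStorePassword("secureexample");
// no keystore: the client presents no certificate, so the certificate login must reject it
try (ActiveMQConnection connection = (ActiveMQConnection) noCertFactory.createConnection()) {
   connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
   Assert.fail("connection without a client certificate should be rejected");
} catch (javax.jms.JMSException expected) {
   // rejected by the broker's authentication path
}
```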
