Author: rajith
Date: Fri Mar 19 15:45:16 2010
New Revision: 925288

URL: http://svn.apache.org/viewvc?rev=925288&view=rev
Log:
This is related to QPID-2444 and QPID-2445
If SASL EXTERNAL is used, the CN and DC components will be extracted from the
client's certificate to construct a user ID, which will then be set in the
outgoing messages.
This also contains support for verifying the server when using SSL. The
hostname is checked against the server certificate's CN.

Modified:
    
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java
    
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayer.java
    
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLReceiver.java
    
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLSender.java
    
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java

Modified: 
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java?rev=925288&r1=925287&r2=925288&view=diff
==============================================================================
--- 
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java
 (original)
+++ 
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java
 Fri Mar 19 15:45:16 2010
@@ -181,10 +181,25 @@ public class ClientDelegate extends Conn
     @Override public void connectionOpenOk(Connection conn, ConnectionOpenOk 
ok)
     {
         SaslClient sc = conn.getSaslClient();
-        if (sc != null && sc.getMechanismName().equals("GSSAPI") && 
getUserID() != null)
+        if (sc != null)
         {
-            conn.setUserID(getUserID());
+            if (sc.getMechanismName().equals("GSSAPI"))
+            {
+                String id = getKerberosUser();
+                if (id != null)
+                {
+                    conn.setUserID(id);
+                }
+            }
+            else if (sc.getMechanismName().equals("EXTERNAL"))
+            {
+                if (conn.getSecurityLayer() != null)
+                {
+                    conn.setUserID(conn.getSecurityLayer().getUserID());
+                }
+            }
         }
+        
         conn.setState(OPEN);
     }
 
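Review bot: The EXTERNAL branch passes `conn.getSecurityLayer().getUserID()` straight into `conn.setUserID(...)` without the null guard the GSSAPI branch keeps, so a security layer that cannot derive an identity (the SecurityLayer hunk returns whatever `SSLUtil.retriveIdentity(engine)` yields, whose body is not shown here) would overwrite the user ID with null, whereas the old code only ever set a non-null ID. Mirror the GSSAPI branch: `String id = conn.getSecurityLayer().getUserID(); if (id != null) { conn.setUserID(id); }`. Reading `sc.getMechanismName()` once into a local before the two `equals` comparisons would also make the dispatch easier to extend.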
@@ -245,7 +260,7 @@ public class ClientDelegate extends Conn
 
     }
 
-    private String getUserID()
+    private String getKerberosUser()
     {
         log.debug("Obtaining userID from kerberos");
         String service = conSettings.getSaslProtocol() + "@" + 
conSettings.getSaslServerName();

Modified: 
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayer.java
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayer.java?rev=925288&r1=925287&r2=925288&view=diff
==============================================================================
--- 
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayer.java
 (original)
+++ 
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayer.java
 Fri Mar 19 15:45:16 2010
@@ -156,7 +156,7 @@ public class SecurityLayer
         
         public String getUserID()
         {
-            return null;
+            return SSLUtil.retriveIdentity(engine);
         }
         
     }
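Review bot: `retriveIdentity` is a misspelling in a newly introduced helper name (its definition is not part of this diff); since this is its only caller so far, renaming it to `retrieveIdentity` now is cheap and avoids a permanent typo in SSLUtil's API. `getUserID()` also deserves a contract comment, as callers in ClientDelegate now act on its result: `/** Identity derived by SSLUtil from the certificate on this engine (CN/DC per the commit log); may be null when no certificate is available — confirm against SSLUtil. */`.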

Modified: 
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLReceiver.java
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLReceiver.java?rev=925288&r1=925287&r2=925288&view=diff
==============================================================================
--- 
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLReceiver.java
 (original)
+++ 
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLReceiver.java
 Fri Mar 19 15:45:16 2010
@@ -28,6 +28,7 @@ import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLEngineResult.HandshakeStatus;
 import javax.net.ssl.SSLEngineResult.Status;
 
+import org.apache.qpid.transport.ConnectionSettings;
 import org.apache.qpid.transport.Receiver;
 import org.apache.qpid.transport.TransportException;
 import org.apache.qpid.transport.util.Logger;
@@ -42,7 +43,8 @@ public class SSLReceiver implements Rece
     private ByteBuffer localBuffer;
     private boolean dataCached = false;
     private final Object notificationToken;
-
+    private ConnectionSettings settings;
+    
     private static final Logger log = Logger.get(SSLReceiver.class);
 
     public SSLReceiver(SSLEngine engine, Receiver<ByteBuffer> 
delegate,SSLSender sender)
@@ -56,6 +58,11 @@ public class SSLReceiver implements Rece
         notificationToken = sender.getNotificationToken();
     }
 
+    public void setConnectionSettings(ConnectionSettings settings)
+    {
+        this.settings = settings;
+    }
+    
     public void closed()
     {
        delegate.closed();
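Review bot: `setConnectionSettings` is an optional post-construction setter, and the FINISHED handling later in this file skips `SSLUtil.verifyHostname` whenever `settings` is null, so hostname verification is silently absent unless every construction site remembers to call it; SSLSender's identical setter further down has the same property. Prefer taking `ConnectionSettings` in the constructor, or at least `this.settings = Objects.requireNonNull(settings, "settings");` plus a Javadoc note such as `/** Must be called before the handshake completes; without it hostname verification is not performed. */`. The field is also plain non-final, non-volatile state written by whoever calls the setter and read from the receive path, so visibility across threads is presumably relied on without being guaranteed — worth confirming which thread calls it.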
@@ -159,8 +166,13 @@ public class SSLReceiver implements Rece
                         sender.doTasks();
                         handshakeStatus = engine.getHandshakeStatus();
 
-                    case NEED_WRAP:
                     case FINISHED:
+                        if (this.settings != null && 
this.settings.isVerifyHostname() )
+                        {
+                            SSLUtil.verifyHostname(engine, 
this.settings.getHost());
+                        }
+                            
+                    case NEED_WRAP:                        
                     case NOT_HANDSHAKING:
                         synchronized(notificationToken)
                         {
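Review bot: The `NEED_TASK` arm just above the new code ends with `handshakeStatus = engine.getHandshakeStatus();` and no `break`, so it falls into the new `case FINISHED:` block and `SSLUtil.verifyHostname` runs after every delegated task, before the handshake has actually completed — which is plausibly the "FINISHED twice, first time the peer certificate is unavailable" behaviour the SSLUtil hunk works around by logging and continuing. If the switch is on `handshakeStatus` (its declaration is outside the hunk), guarding on the refreshed value keeps the fall-through into the notification block while verifying only on a real completion: `if (handshakeStatus == HandshakeStatus.FINISHED && this.settings != null && this.settings.isVerifyHostname())`. The enclosing handshake loop starts and ends outside this hunk.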

Modified: 
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLSender.java
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLSender.java?rev=925288&r1=925287&r2=925288&view=diff
==============================================================================
--- 
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLSender.java
 (original)
+++ 
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLSender.java
 Fri Mar 19 15:45:16 2010
@@ -28,6 +28,7 @@ import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLEngineResult.HandshakeStatus;
 import javax.net.ssl.SSLEngineResult.Status;
 
+import org.apache.qpid.transport.ConnectionSettings;
 import org.apache.qpid.transport.Sender;
 import org.apache.qpid.transport.SenderException;
 import org.apache.qpid.transport.util.Logger;
@@ -39,7 +40,8 @@ public class SSLSender implements Sender
     private int sslBufSize;
     private ByteBuffer netData;
     private long timeout = 30000;
-
+    private ConnectionSettings settings;
+    
     private final Object engineState = new Object();
     private final AtomicBoolean closed = new AtomicBoolean(false);
 
@@ -53,6 +55,11 @@ public class SSLSender implements Sender
         netData = ByteBuffer.allocate(sslBufSize);
         timeout = Long.getLong("qpid.ssl_timeout", 60000);
     }
+    
+    public void setConnectionSettings(ConnectionSettings settings)
+    {
+        this.settings = settings;
+    }
 
     public void close()
     {
@@ -225,6 +232,11 @@ public class SSLSender implements Sender
                     break;
 
                 case FINISHED:
+                    if (this.settings != null && 
this.settings.isVerifyHostname() )
+                    {
+                        SSLUtil.verifyHostname(engine, 
this.settings.getHost());
+                    }
+                    
                 case NOT_HANDSHAKING:
                     break; //do  nothing
 
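Review bot: Hostname verification now runs from both this sender's wrap loop and SSLReceiver's unwrap loop for the same engine, while `verifyHostname` (SSLUtil hunk) logs and continues when the peer certificate is not yet available, so which attempt actually verifies depends on which side happens to observe FINISHED with the certificate in place. Consider verifying in one place only, or recording the outcome (for example a flag set once verification succeeds) so the second observation is a deliberate no-op rather than a second attempt whose failure is ignored; a short comment here explaining why both sides check would help the next reader either way.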

Modified: 
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java?rev=925288&r1=925287&r2=925288&view=diff
==============================================================================
--- 
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
 (original)
+++ 
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
 Fri Mar 19 15:45:16 2010
@@ -38,7 +38,7 @@ public class SSLUtil
               log.debug("Host Name obtained from DN : " + hostname);
           }
           
-          if (hostname != null && hostname.equalsIgnoreCase(hostnameExpected))
+          if (hostname != null && !hostname.equalsIgnoreCase(hostnameExpected))
           {
               throw new TransportException("SSL hostname verification failed." 
+
                                            " Expected : " + hostnameExpected +
@@ -50,7 +50,7 @@ public class SSLUtil
         {
             log.warn("Exception received while trying to verify hostname",e);
             // For some reason the SSL engine sets the handshake status to 
FINISH twice
-            // in succession. For some reason the first time the peer 
certificate 
+            // in succession. The first time the peer certificate 
             // info is not available. The second time it works !
             // Therefore have no choice but to ignore the exception here.
         }


