Author: rgodfrey
Date: Fri May 18 20:54:25 2012
New Revision: 1340248
URL: http://svn.apache.org/viewvc?rev=1340248&view=rev
Log:
QPID-4010 : [Java broker] Add LDAP authentication
Added:
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java
- copied, changed from r1340158,
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java
Modified:
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/plugins/PluginManager.java
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java
Modified:
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/plugins/PluginManager.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/plugins/PluginManager.java?rev=1340248&r1=1340247&r2=1340248&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/plugins/PluginManager.java
(original)
+++
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/plugins/PluginManager.java
Fri May 18 20:54:25 2012
@@ -24,6 +24,7 @@ import org.apache.felix.framework.util.S
import org.apache.log4j.Logger;
import
org.apache.qpid.server.security.auth.manager.AnonymousAuthenticationManager;
import
org.apache.qpid.server.security.auth.manager.KerberosAuthenticationManager;
+import
org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.BundleException;
@@ -160,7 +161,8 @@ public class PluginManager implements Cl
new SlowConsumerDetectionQueueConfigurationFactory(),
PrincipalDatabaseAuthenticationManager.PrincipalDatabaseAuthenticationManagerConfiguration.FACTORY,
AnonymousAuthenticationManager.AnonymousAuthenticationManagerConfiguration.FACTORY,
-
KerberosAuthenticationManager.KerberosAuthenticationManagerConfiguration.FACTORY))
+
KerberosAuthenticationManager.KerberosAuthenticationManagerConfiguration.FACTORY,
+
SimpleLDAPAuthenticationManager.SimpleLDAPAuthenticationManagerConfiguration.FACTORY))
{
_configPlugins.put(configFactory.getParentPaths(), configFactory);
}
@@ -177,7 +179,7 @@ public class PluginManager implements Cl
for (AuthenticationManagerPluginFactory<? extends Plugin>
pluginFactory : Arrays.asList(
PrincipalDatabaseAuthenticationManager.FACTORY,
AnonymousAuthenticationManager.FACTORY,
- KerberosAuthenticationManager.FACTORY))
+ KerberosAuthenticationManager.FACTORY,
SimpleLDAPAuthenticationManager.FACTORY))
{
_authenticationManagerPlugins.put(pluginFactory.getPluginName(),
pluginFactory);
}
Modified:
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java?rev=1340248&r1=1340247&r2=1340248&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java
(original)
+++
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java
Fri May 18 20:54:25 2012
@@ -132,7 +132,7 @@ public class KerberosAuthenticationManag
{
try
{
- return Sasl.createSaslServer(GSSAPI_MECHANISM, "AMQP", "scrumpy",
+ return Sasl.createSaslServer(GSSAPI_MECHANISM, "AMQP", localFQDN,
new HashMap<String, Object>(),
_callbackHandler);
}
catch (SaslException e)
Copied:
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java
(from r1340158,
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java)
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java?p2=qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java&p1=qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java&r1=1340158&r2=1340248&rev=1340248&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java
(original)
+++
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java
Fri May 18 20:54:25 2012
@@ -16,15 +16,25 @@
* specific language governing permissions and limitations
* under the License.
*/
+
package org.apache.qpid.server.security.auth.manager;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
+import java.util.Hashtable;
import java.util.List;
+import javax.naming.Context;
+import javax.naming.NamingEnumeration;
+import javax.naming.NamingException;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
+import javax.naming.directory.SearchControls;
+import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
@@ -37,15 +47,21 @@ import org.apache.qpid.server.configurat
import org.apache.qpid.server.configuration.plugins.ConfigurationPluginFactory;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
+import org.apache.qpid.server.security.auth.sasl.plain.PlainPasswordCallback;
-public class KerberosAuthenticationManager implements AuthenticationManager
+public class SimpleLDAPAuthenticationManager implements AuthenticationManager
{
- private static final Logger _logger =
Logger.getLogger(KerberosAuthenticationManager.class);
+ private static final Logger _logger =
Logger.getLogger(SimpleLDAPAuthenticationManager.class);
- private static final String GSSAPI_MECHANISM = "GSSAPI";
- private final CallbackHandler _callbackHandler = new
GssApiCallbackHandler();
+ private static final String PLAIN_MECHANISM = "PLAIN";
+ private static final String DEFAULT_LDAP_CONTEXT_FACTORY =
"com.sun.jndi.ldap.LdapCtxFactory";
+ private String _providerSearchURL;
+ private String _searchContext;
+ private String _searchFilter;
+ private String _providerAuthURL;
+ private String _ldapContextFactory;
- public static class KerberosAuthenticationManagerConfiguration extends
ConfigurationPlugin
+ public static class SimpleLDAPAuthenticationManagerConfiguration extends
ConfigurationPlugin
{
public static final ConfigurationPluginFactory FACTORY =
@@ -53,63 +69,101 @@ public class KerberosAuthenticationManag
{
public List<String> getParentPaths()
{
- return Arrays.asList("security.kerberos-auth-manager");
+ return
Arrays.asList("security.simple-ldap-auth-manager");
}
public ConfigurationPlugin newInstance(final String path,
final Configuration config) throws ConfigurationException
{
- final ConfigurationPlugin instance = new
KerberosAuthenticationManagerConfiguration();
+ final ConfigurationPlugin instance = new
SimpleLDAPAuthenticationManagerConfiguration();
instance.setConfiguration(path, config);
return instance;
}
};
+ private static final String PROVIDER_URL = "provider-url";
+ private static final String PROVIDER_SEARCH_URL =
"provider-search-url";
+ private static final String PROVIDER_AUTH_URL = "provider-auth-url";
+ private static final String SEARCH_CONTEXT = "search-context";
+ private static final String SEARCH_FILTER = "search-filter";
+ private static final String LDAP_CONTEXT_FACTORY =
"ldap-context-factory";
+
public String[] getElementsProcessed()
{
- return new String[0];
+ return new String[] {PROVIDER_URL, PROVIDER_SEARCH_URL,
PROVIDER_AUTH_URL, SEARCH_CONTEXT, SEARCH_FILTER,
+ LDAP_CONTEXT_FACTORY};
}
public void validateConfiguration() throws ConfigurationException
{
}
+ public String getLDAPContextFactory()
+ {
+ return getConfig().getString(LDAP_CONTEXT_FACTORY,
DEFAULT_LDAP_CONTEXT_FACTORY);
+ }
+
+
+ public String getProviderURL()
+ {
+ return getConfig().getString(PROVIDER_URL);
+ }
+
+ public String getProviderSearchURL()
+ {
+ return getConfig().getString(PROVIDER_SEARCH_URL,
getProviderURL());
+ }
+
+ public String getSearchContext()
+ {
+ return getConfig().getString(SEARCH_CONTEXT);
+ }
+
+ public String getSearchFilter()
+ {
+ return getConfig().getString(SEARCH_FILTER);
+ }
+
+ public String getProviderAuthURL()
+ {
+ return getConfig().getString(PROVIDER_AUTH_URL, getProviderURL());
+ }
}
- public static final
AuthenticationManagerPluginFactory<KerberosAuthenticationManager> FACTORY = new
AuthenticationManagerPluginFactory<KerberosAuthenticationManager>()
+ public static final
AuthenticationManagerPluginFactory<SimpleLDAPAuthenticationManager> FACTORY =
new AuthenticationManagerPluginFactory<SimpleLDAPAuthenticationManager>()
{
- public KerberosAuthenticationManager newInstance(final
ConfigurationPlugin config) throws ConfigurationException
+ public SimpleLDAPAuthenticationManager newInstance(final
ConfigurationPlugin config) throws ConfigurationException
{
- KerberosAuthenticationManagerConfiguration configuration =
+ SimpleLDAPAuthenticationManagerConfiguration configuration =
config == null
? null
- : (KerberosAuthenticationManagerConfiguration)
config.getConfiguration(KerberosAuthenticationManagerConfiguration.class.getName());
+ : (SimpleLDAPAuthenticationManagerConfiguration)
config.getConfiguration(SimpleLDAPAuthenticationManagerConfiguration.class.getName());
// If there is no configuration for this plugin then don't load it.
if (configuration == null)
{
- _logger.info("No authentication-manager configuration found
for AnonymousAuthenticationManager");
+ _logger.info("No authentication-manager configuration found
for SimpleLDAPAuthenticationManager");
return null;
}
- KerberosAuthenticationManager kerberosAuthenticationManager = new
KerberosAuthenticationManager();
- kerberosAuthenticationManager.configure(configuration);
- return kerberosAuthenticationManager;
+ SimpleLDAPAuthenticationManager simpleLDAPAuthenticationManager =
new SimpleLDAPAuthenticationManager();
+ simpleLDAPAuthenticationManager.configure(configuration);
+ return simpleLDAPAuthenticationManager;
}
- public Class<KerberosAuthenticationManager> getPluginClass()
+ public Class<SimpleLDAPAuthenticationManager> getPluginClass()
{
- return KerberosAuthenticationManager.class;
+ return SimpleLDAPAuthenticationManager.class;
}
public String getPluginName()
{
- return KerberosAuthenticationManager.class.getName();
+ return SimpleLDAPAuthenticationManager.class.getName();
}
};
- private KerberosAuthenticationManager()
+ private SimpleLDAPAuthenticationManager()
{
}
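Review bot: `validateConfiguration()` in the new configuration class is left empty, yet `provider-url`, `search-context` and `search-filter` have no defaults and the getters presumably return null when they are absent (the search and auth URLs fall back to `provider-url`, so it is the one element that must be present). A missing value would then surface later as a NullPointerException from `Hashtable.put` in `configure()` or `getNameFromId()` rather than as a ConfigurationException naming the element, so the required elements should be checked here. Worth documenting on the class as well that the `simple` bind performed against `provider-auth-url` carries the user's password in clear unless that URL is `ldaps://`, e.g. `// provider-auth-url should use ldaps:// — the simple bind sends the password in clear text`.
```java
public void validateConfiguration() throws ConfigurationException
{
    // provider-url is the fallback for both the search and auth URLs, and the search
    // context and filter have no default; report a missing element here instead of
    // letting it surface as a NullPointerException from Hashtable.put later on.
    if (getProviderURL() == null)
    {
        throw new ConfigurationException("provider-url must be specified for simple-ldap-auth-manager");
    }
    if (getSearchContext() == null || getSearchFilter() == null)
    {
        throw new ConfigurationException("search-context and search-filter must be specified for simple-ldap-auth-manager");
    }
}
```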
@@ -122,24 +176,17 @@ public class KerberosAuthenticationManag
@Override
public String getMechanisms()
{
- return GSSAPI_MECHANISM;
+ return PLAIN_MECHANISM;
}
@Override
public SaslServer createSaslServer(String mechanism, String localFQDN)
throws SaslException
{
- if(GSSAPI_MECHANISM.equals(mechanism))
+ if(PLAIN_MECHANISM.equals(mechanism))
{
- try
- {
- return Sasl.createSaslServer(GSSAPI_MECHANISM, "AMQP", "scrumpy",
- new HashMap<String, Object>(),
_callbackHandler);
- }
- catch (SaslException e)
- {
- e.printStackTrace(System.err);
- throw e;
- }
+ return Sasl.createSaslServer(PLAIN_MECHANISM, "AMQP", localFQDN,
+ new HashMap<String, Object>(), new
PlainCallbackHandler());
+
}
else
{
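Review bot: The manager now advertises only the PLAIN mechanism, so every client password crosses the AMQP connection in clear text unless the port is TLS-protected, and nothing in the hunk records that constraint for whoever enables this manager. A short comment next to `PLAIN_MECHANISM` or on `getMechanisms()` would save a deployment mistake, e.g. `// PLAIN sends the password in clear text; only expose this manager on SSL-enabled ports`. The `else` branch of `createSaslServer` continues outside the hunk.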
@@ -169,7 +216,6 @@ public class KerberosAuthenticationManag
}
catch (SaslException e)
{
- e.printStackTrace(System.err);
return new
AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
}
}
@@ -177,15 +223,42 @@ public class KerberosAuthenticationManag
@Override
public AuthenticationResult authenticate(String username, String password)
{
- return new
AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR);
+
+ try
+ {
+ return doLDAPNameAuthentication(getNameFromId(username), password);
+ }
+ catch (NamingException e)
+ {
+
+ return new
AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
+
+ }
+ }
+
+ private AuthenticationResult doLDAPNameAuthentication(String username,
String password) throws NamingException
+ {
+ Hashtable<Object,Object> env = new Hashtable<Object,Object>();
+ env.put(Context.INITIAL_CONTEXT_FACTORY, _ldapContextFactory);
+ env.put(Context.PROVIDER_URL, _providerAuthURL);
+
+ env.put(Context.SECURITY_AUTHENTICATION, "simple");
+
+ env.put(Context.SECURITY_PRINCIPAL, username);
+ env.put(Context.SECURITY_CREDENTIALS, password);
+ DirContext ctx = new InitialDirContext(env);
+ ctx.close();
+ final Subject subject = new Subject();
+ subject.getPrincipals().add(new UsernamePrincipal(username));
+ return new AuthenticationResult(subject);
}
@Override
public CallbackHandler getHandler(String mechanism)
{
- if(GSSAPI_MECHANISM.equals(mechanism))
+ if(PLAIN_MECHANISM.equals(mechanism))
{
- return _callbackHandler;
+ return new PlainCallbackHandler();
}
else
{
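Review bot: `doLDAPNameAuthentication` binds with whatever it is handed and neither it nor `authenticate` rejects an empty password or a null name; with the JDK LDAP provider a simple bind with empty credentials is sent as an unauthenticated (anonymous) bind, which most directories accept, so a valid username plus an empty password would yield a SUCCESS result and a populated Subject. A null name (the case where `getNameFromId` matches nothing) reaches `env.put(Context.SECURITY_PRINCIPAL, null)`, where Hashtable throws NullPointerException straight out of `authenticate` instead of the NamingException its catch block turns into an ERROR result. Both cases should be rejected before the InitialDirContext is created. Note also that the Subject's UsernamePrincipal is built from the DN returned by the search rather than the login name the client supplied, which is presumably not what ACL rules keyed on the username expect — worth confirming.
```java
private AuthenticationResult doLDAPNameAuthentication(String username, String password) throws NamingException
{
    // An empty password is sent as an unauthenticated (anonymous) bind, which most
    // directories accept; a null name means the search matched no entry.  Reject both.
    if (username == null || password == null || password.isEmpty())
    {
        return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR);
    }
    // … unchanged: env setup, InitialDirContext bind, Subject creation …
```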
@@ -201,19 +274,86 @@ public class KerberosAuthenticationManag
@Override
public void configure(ConfigurationPlugin config) throws
ConfigurationException
{
+ SimpleLDAPAuthenticationManagerConfiguration ldapConfig =
(SimpleLDAPAuthenticationManagerConfiguration) config;
+
+ _ldapContextFactory = ldapConfig.getLDAPContextFactory();
+ _providerSearchURL = ldapConfig.getProviderSearchURL();
+ _providerAuthURL = ldapConfig.getProviderAuthURL();
+ _searchContext = ldapConfig.getSearchContext();
+ _searchFilter = ldapConfig.getSearchFilter();
+
+ Hashtable<String,Object> env = new Hashtable<String, Object>();
+ env.put(Context.INITIAL_CONTEXT_FACTORY, _ldapContextFactory);
+ env.put(Context.PROVIDER_URL, _providerSearchURL);
+ env.put(Context.SECURITY_AUTHENTICATION, "none");
+
+ try
+ {
+ new InitialDirContext(env);
+ }
+ catch (NamingException e)
+ {
+ throw new ConfigurationException("Unable to establish anonymous
connection to the ldap server at " + _providerSearchURL, e);
+ }
}
- private static class GssApiCallbackHandler implements CallbackHandler
+ private class PlainCallbackHandler implements CallbackHandler
{
@Override
public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException
{
+ String name = null;
+ String password = null;
+ AuthenticationResult authenticated = null;
for(Callback callback : callbacks)
{
- if (callback instanceof AuthorizeCallback)
+ if (callback instanceof NameCallback)
+ {
+ String id = ((NameCallback) callback).getDefaultName();
+ try
+ {
+ name = getNameFromId(id);
+ }
+ catch (NamingException e)
+ {
+ _logger.info("SASL Authentication Error", e);
+ }
+ if(password != null)
+ {
+ try
+ {
+ authenticated = doLDAPNameAuthentication(name,
password);
+
+ }
+ catch (NamingException e)
+ {
+ authenticated = new
AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
+ }
+ }
+ }
+ else if (callback instanceof PlainPasswordCallback)
+ {
+ password =
((PlainPasswordCallback)callback).getPlainPassword();
+ if(name != null)
+ {
+ try
+ {
+ authenticated = doLDAPNameAuthentication(name,
password);
+ if(authenticated.getStatus()==
AuthenticationResult.AuthenticationStatus.SUCCESS)
+ {
+
((PlainPasswordCallback)callback).setAuthenticated(true);
+ }
+ }
+ catch (NamingException e)
+ {
+ authenticated = new
AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
+ }
+ }
+ }
+ else if (callback instanceof AuthorizeCallback)
{
- ((AuthorizeCallback) callback).setAuthorized(true);
+ ((AuthorizeCallback) callback).setAuthorized(authenticated
!= null && authenticated.getStatus() ==
AuthenticationResult.AuthenticationStatus.SUCCESS);
}
else
{
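Review bot: In `PlainCallbackHandler.handle`, the NameCallback branch guards only on `password != null` before calling `doLDAPNameAuthentication(name, password)`, so when `getNameFromId` threw (the exception is logged and swallowed just above) or returned null, `name` is null and `Hashtable.put(Context.SECURITY_PRINCIPAL, null)` throws a NullPointerException out of the callback handler; the guard should read `if(name != null && password != null)`, and the catch for `getNameFromId` should also record the failure, `authenticated = new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);`, so the later AuthorizeCallback reflects it rather than a bare log line. Separately, the anonymous probe in `configure()` creates an InitialDirContext that is never closed, leaving a connection to the directory open for the life of the broker; `new InitialDirContext(env).close();` releases it. The PLAIN password path has the same empty-password concern as `doLDAPNameAuthentication`, so the rejection belongs in that shared method. The handler's trailing `else` branch continues outside the hunk.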
@@ -222,4 +362,40 @@ public class KerberosAuthenticationManag
}
}
}
+
+ private String getNameFromId(String id) throws NamingException
+ {
+ Hashtable<Object,Object> env = new Hashtable<Object,Object>();
+ env.put(Context.INITIAL_CONTEXT_FACTORY, _ldapContextFactory);
+ env.put(Context.PROVIDER_URL, _providerSearchURL);
+
+
+ env.put(Context.SECURITY_AUTHENTICATION, "none");
+ DirContext ctx = null;
+
+ ctx = new InitialDirContext(env);
+
+ try
+ {
+ SearchControls searchControls = new SearchControls();
+ searchControls.setReturningAttributes(new String[] {});
+ searchControls.setCountLimit(1l);
+ searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
+ NamingEnumeration<?> namingEnum = null;
+ String name = null;
+
+ namingEnum = ctx.search(_searchContext, _searchFilter, new
String[] { id }, searchControls);
+ if(namingEnum.hasMore())
+ {
+ SearchResult result = (SearchResult) namingEnum.next();
+ name = result.getNameInNamespace();
+ }
+ return name;
+ }
+ finally
+ {
+ ctx.close();
+ }
+
+ }
}
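Review bot: `getNameFromId` asks the directory for at most one entry (`setCountLimit(1l)`) and binds as whichever DN the server happens to return first, so a filter that matches several entries silently picks an arbitrary account instead of failing; a lookup that is ambiguous should be rejected, which means requesting two results and treating a second one as an error. The `NamingEnumeration` is also never closed, and the lower-case `1l` literal reads as `11` at a glance — prefer `2L`. Passing the id through the `filterArgs` parameter rather than concatenating it into the filter is the right call and should stay as is.
```java
searchControls.setCountLimit(2L);   // two, so that an ambiguous match is detectable
searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
String name = null;

NamingEnumeration<SearchResult> namingEnum =
        ctx.search(_searchContext, _searchFilter, new String[] { id }, searchControls);
try
{
    if(namingEnum.hasMore())
    {
        name = namingEnum.next().getNameInNamespace();
        if(namingEnum.hasMore())
        {
            throw new NamingException("Search for '" + id + "' matched more than one entry");
        }
    }
}
finally
{
    namingEnum.close();
}
return name;
// … unchanged: outer finally closing ctx …
```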