Author: robbie
Date: Sun Sep 2 18:26:40 2012
New Revision: 1380016
URL: http://svn.apache.org/viewvc?rev=1380016&view=rev
Log:
QPID-4253: add configuration for basic-auth on http / https management and set
to disabled / enabled respectively by default
Added:
qpid/trunk/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/servlet/rest/BasicAuthRestTest.java
Modified:
qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java
qpid/trunk/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/GroupRestACLTest.java
qpid/trunk/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/UserRestACLTest.java
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java
Modified:
qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java?rev=1380016&r1=1380015&r2=1380016&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java
(original)
+++
qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java
Sun Sep 2 18:26:40 2012
@@ -255,17 +255,18 @@ public abstract class AbstractServlet ex
{
String header = request.getHeader("Authorization");
- /*
- * TODO - Should configure whether basic authentication is
allowed... and in particular whether it
- * should be allowed over non-ssl connections
- * */
-
if (header != null)
{
String[] tokens = header.split("\\s");
if(tokens.length >= 2
&& "BASIC".equalsIgnoreCase(tokens[0]))
{
+ if(!isBasicAuthSupported(request))
+ {
+ //TODO: write a return response indicating failure?
+ throw new IllegalArgumentException("BASIC
Authorization is not enabled.");
+ }
+
String[] credentials = (new
String(Base64.decodeBase64(tokens[1].getBytes()))).split(":",2);
if(credentials.length == 2)
{
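Review bot: The new guard at L41–L46 rejects a BASIC header on a connector where the scheme is disabled by throwing IllegalArgumentException, which the container surfaces as a 500 (the added BasicAuthRestTest pins SC_INTERNAL_SERVER_ERROR); a client that is merely not permitted to use this scheme should get a 401 or 403 with no `WWW-Authenticate: Basic` challenge, so it is not invited to resend the same credentials, and a 500 hides a deliberate policy decision behind a generic failure. If the servlet response is reachable from this method, `response.sendError(HttpServletResponse.SC_FORBIDDEN, "BASIC Authorization is not enabled.")` followed by returning the anonymous subject would replace the throw; otherwise a dedicated exception type the caller maps to that status is the next best option. Note also that by the time the check runs the base64 credentials have already crossed the wire, so this setting limits the broker's exposure to a login accepted over plaintext, not the leak itself; a comment such as `// Refuse rather than authenticate: the credentials have already been sent, but we must not honour a cleartext BASIC login` would stop a reader taking it for transport protection. The enclosing method begins before this hunk.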
@@ -299,6 +300,12 @@ public abstract class AbstractServlet ex
return subject;
}
+ private boolean isBasicAuthSupported(HttpServletRequest req)
+ {
+ return req.isSecure() ?
ApplicationRegistry.getInstance().getConfiguration().getHTTPSManagementBasicAuth()
+ :
ApplicationRegistry.getInstance().getConfiguration().getHTTPManagementBasicAuth();
+ }
+
private HttpManagementActor
getLogActorAndCacheInSession(HttpServletRequest req)
{
HttpSession session = req.getSession();
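Review bot: isBasicAuthSupported chooses the setting from `req.isSecure()`, which reflects the connector the container received the request on, not whether the client-side hop was encrypted; behind a TLS-terminating reverse proxy every request arrives as plain HTTP, so the HTTPS default of true never applies and BASIC is refused unless management.http.basic-auth is set, and if the container is configured to honour a forwarded-protocol header the decision then rests on trusting the proxy. That is a safe failure direction, but it deserves a Javadoc so operators understand the rule: `/** Whether BASIC credentials are accepted for this request: management.https.basic-auth applies when the container reports the connection as secure, management.http.basic-auth otherwise. */`. As a point of style, the two `ApplicationRegistry.getInstance().getConfiguration()` chains could be hoisted into one local (`ServerConfiguration config = ApplicationRegistry.getInstance().getConfiguration();`) before the ternary.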
Added:
qpid/trunk/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/servlet/rest/BasicAuthRestTest.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/servlet/rest/BasicAuthRestTest.java?rev=1380016&view=auto
==============================================================================
---
qpid/trunk/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/servlet/rest/BasicAuthRestTest.java
(added)
+++
qpid/trunk/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/servlet/rest/BasicAuthRestTest.java
Sun Sep 2 18:26:40 2012
@@ -0,0 +1,115 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.management.plugin.servlet.rest;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.configuration.ConfigurationException;
+
+public class BasicAuthRestTest extends QpidRestTestCase
+{
+ private static final String TRUSTSTORE =
"test-profiles/test_resources/ssl/java_client_truststore.jks";
+ private static final String TRUSTSTORE_PASSWORD = "password";
+ private static final String USERNAME = "admin";
+
+ @Override
+ public void setUp() throws Exception
+ {
+ setSystemProperty("javax.net.debug", "ssl");
+
+ //don't call super method, we will configure the broker in the test
before doing so
+ }
+
+ @Override
+ protected void customizeConfiguration() throws ConfigurationException,
IOException
+ {
+ //do nothing, we will configure this locally
+ }
+
+ private void configure(boolean useSsl) throws ConfigurationException,
IOException
+ {
+ getRestTestHelper().setUseSsl(useSsl);
+ setConfigurationProperty("management.http.enabled",
String.valueOf(!useSsl));
+ setConfigurationProperty("management.http.port",
Integer.toString(getRestTestHelper().getHttpPort()));
+ setConfigurationProperty("management.https.enabled",
String.valueOf(useSsl));
+ setConfigurationProperty("management.https.port",
Integer.toString(getRestTestHelper().getHttpPort()));
+ setConfigurationProperty("management.enabled", "false"); //JMX
+ }
+
+ private void verifyGetBrokerAttempt(int responseCode) throws IOException
+ {
+ HttpURLConnection conn =
getRestTestHelper().openManagementConnection("/rest/broker", "GET");
+ assertEquals(responseCode, conn.getResponseCode());
+ }
+
+ public void testDefaultEnabledWithHttps() throws Exception
+ {
+ configure(true);
+ super.setUp();
+ setSystemProperty("javax.net.ssl.trustStore", TRUSTSTORE);
+ setSystemProperty("javax.net.ssl.trustStorePassword",
TRUSTSTORE_PASSWORD);
+
+ // Try the attempt with authentication, it should succeed because
+ // BASIC auth is enabled by default on secure connections.
+ getRestTestHelper().setUsernameAndPassword(USERNAME, USERNAME);
+ verifyGetBrokerAttempt(HttpServletResponse.SC_OK);
+ }
+
+ public void testDefaultDisabledWithHttp() throws Exception
+ {
+ configure(false);
+ super.setUp();
+
+ // Try the attempt with authentication, it should fail because
+ // BASIC auth is disabled by default on non-secure connections.
+ getRestTestHelper().setUsernameAndPassword(USERNAME, USERNAME);
+ verifyGetBrokerAttempt(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ }
+
+ public void testEnablingForHttp() throws Exception
+ {
+ configure(false);
+ setConfigurationProperty("management.http.basic-auth", "true");
+ super.setUp();
+
+ // Try the attempt with authentication, it should succeed because
+ // BASIC auth is now enabled on non-secure connections.
+ getRestTestHelper().setUsernameAndPassword(USERNAME, USERNAME);
+ verifyGetBrokerAttempt(HttpServletResponse.SC_OK);
+ }
+
+ public void testDisablingForHttps() throws Exception
+ {
+ configure(true);
+ setConfigurationProperty("management.https.basic-auth", "false");
+ super.setUp();
+ setSystemProperty("javax.net.ssl.trustStore", TRUSTSTORE);
+ setSystemProperty("javax.net.ssl.trustStorePassword",
TRUSTSTORE_PASSWORD);
+
+ // Try the attempt with authentication, it should fail because
+ // BASIC auth is now disabled on secure connections.
+ getRestTestHelper().setUsernameAndPassword(USERNAME, USERNAME);
+ verifyGetBrokerAttempt(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ }
+}
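Review bot: The two negative tests (testDefaultDisabledWithHttp, testDisablingForHttps) assert SC_INTERNAL_SERVER_ERROR at L175 and L202, which freezes the servlet's TODO into the contract; once the servlet returns a 401/403 for a disallowed scheme these tests break, so either assert the code is not SC_OK or name the intended status once, e.g. `private static final int BASIC_DISABLED_RESPONSE_CODE = HttpServletResponse.SC_INTERNAL_SERVER_ERROR;`, so the change is a one-line edit. `setSystemProperty("javax.net.debug", "ssl")` in setUp dumps the full handshake to stdout for every test, which looks like leftover debugging and should be removed or gated. None of the tests sends a request without an Authorization header on either connector, so it is not shown that disabling BASIC leaves the anonymous path unchanged.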
Modified:
qpid/trunk/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/GroupRestACLTest.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/GroupRestACLTest.java?rev=1380016&r1=1380015&r2=1380016&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/GroupRestACLTest.java
(original)
+++
qpid/trunk/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/GroupRestACLTest.java
Sun Sep 2 18:26:40 2012
@@ -50,6 +50,7 @@ public class GroupRestACLTest extends Qp
{
_groupFile = createTemporaryGroupFile();
+ setConfigurationProperty("management.http.basic-auth", "true");
setConfigurationProperty("security.file-group-manager.attributes.attribute.name",
"groupFile");
setConfigurationProperty("security.file-group-manager.attributes.attribute.value",
_groupFile.getAbsolutePath());
Modified:
qpid/trunk/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/UserRestACLTest.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/UserRestACLTest.java?rev=1380016&r1=1380015&r2=1380016&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/UserRestACLTest.java
(original)
+++
qpid/trunk/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/UserRestACLTest.java
Sun Sep 2 18:26:40 2012
@@ -50,6 +50,7 @@ public class UserRestACLTest extends Qpi
{
_groupFile = createTemporaryGroupFile();
+ setConfigurationProperty("management.http.basic-auth", "true");
setConfigurationProperty("security.file-group-manager.attributes.attribute.name",
"groupFile");
setConfigurationProperty("security.file-group-manager.attributes.attribute.value",
_groupFile.getAbsolutePath());
Modified:
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java?rev=1380016&r1=1380015&r2=1380016&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java
(original)
+++
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java
Sun Sep 2 18:26:40 2012
@@ -585,6 +585,11 @@ public class ServerConfiguration extends
return getIntValue("management.http.port",
DEFAULT_HTTP_MANAGEMENT_PORT);
}
+ public boolean getHTTPManagementBasicAuth()
+ {
+ return getBooleanValue("management.http.basic-auth", false);
+ }
+
public boolean getHTTPSManagementEnabled()
{
return getBooleanValue("management.https.enabled", false);
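Review bot: getHTTPManagementBasicAuth introduces a security-relevant key and a secure-by-default value without any Javadoc; the reason for `false` is exactly what an operator flipping the switch needs to see. Proposed: `/** Whether HTTP BASIC authentication is accepted on the plain-HTTP management port (management.http.basic-auth). Defaults to false: BASIC sends the password base64-encoded, i.e. effectively in the clear, so it should only be enabled on plain HTTP when the network path is otherwise protected. */`.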
@@ -595,6 +600,11 @@ public class ServerConfiguration extends
return getIntValue("management.https.port",
DEFAULT_HTTPS_MANAGEMENT_PORT);
}
+ public boolean getHTTPSManagementBasicAuth()
+ {
+ return getBooleanValue("management.https.basic-auth", true);
+ }
+
public String[] getVirtualHosts()
{
return _virtualHosts.keySet().toArray(new
String[_virtualHosts.size()]);
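Review bot: getHTTPSManagementBasicAuth likewise lacks documentation of its key and its default, and since it is the only one of the pair that defaults to accepting credentials, the assumption behind that choice should be written down. Proposed: `/** Whether HTTP BASIC authentication is accepted on the HTTPS management port (management.https.basic-auth). Defaults to true on the assumption that TLS on this connector protects the credentials in transit. */`.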