Author: rgodfrey
Date: Thu Jul 24 11:27:03 2014
New Revision: 1613068
URL: http://svn.apache.org/r1613068
Log:
QPID-5922 : [Java Broker] restrict the use of PLAIN authentication to secure
channels
Added:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainAdapterSaslServer.java
- copied, changed from r1612109,
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java
Removed:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AuthenticationManager.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/amqplain/AmqPlainInitialiser.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/amqplain/AmqPlainSaslServer.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/amqplain/AmqPlainSaslServerFactory.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/sasl/amqplain/AMQPlainSaslServerTest.java
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/ExternalFileBasedAuthenticationManager.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/Transport.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/BrokerAdapter.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/AuthenticationResult.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/Base64MD5PasswordFilePrincipalDatabase.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PrincipalDatabase.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/jmx/JMXPasswordAuthenticator.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManager.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationManagerImpl.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/crammd5/CRAMMD5HexInitialiser.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/SubjectCreatorTest.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/jmx/JMXPasswordAuthenticatorTest.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManagerTest.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationManagerTest.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManagerTest.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/ScramSHA1AuthenticationManagerTest.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManagerTest.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/sasl/TestPrincipalDatabase.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/util/BrokerTestHelper.java
qpid/trunk/qpid/java/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ProtocolEngineCreator_0_10.java
qpid/trunk/qpid/java/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerConnectionDelegate.java
qpid/trunk/qpid/java/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQProtocolEngine.java
qpid/trunk/qpid/java/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/state/AMQStateManager.java
qpid/trunk/qpid/java/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ProtocolEngine_1_0_0_SASL.java
qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
qpid/trunk/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java
qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/ra/QpidRAConnectionTest.java
qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/ra/QpidRAXAResourceTest.java
qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/ra/admin/QpidConnectionFactoryProxyTest.java
qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/QpidRestTestCase.java
qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/SaslRestTest.java
qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/test/unit/client/connection/ConnectionTest.java
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/AuthenticationProvider.java
Thu Jul 24 11:27:03 2014
@@ -22,6 +22,7 @@ package org.apache.qpid.server.model;
import java.security.Principal;
import java.util.Collection;
+import java.util.List;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
@@ -39,8 +40,9 @@ public interface AuthenticationProvider<
* A temporary method to create SubjectCreator.
*
* TODO: move all the functionality from SubjectCreator into
AuthenticationProvider
+ * @param secure
*/
- SubjectCreator getSubjectCreator();
+ SubjectCreator getSubjectCreator(final boolean secure);
/**
* Returns the preferences provider associated with this authentication
provider
@@ -61,8 +63,12 @@ public interface AuthenticationProvider<
*
* @return SASL mechanism names, space separated.
*/
- String getMechanisms();
+ @DerivedAttribute
+ List<String> getMechanisms();
+
+ @ManagedAttribute( defaultValue = "[ \"PLAIN\" ]")
+ List<String> getSecureOnlyMechanisms();
/**
* Creates a SASL server for the specified mechanism name for the given
* fully qualified domain name.
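Review bot: `getMechanisms()` now returns `List<String>` but the Javadoc directly above it still says `@return SASL mechanism names, space separated.`; the same stale phrase survives on `SubjectCreator.getMechanisms()` and `PrincipalDatabase.getMechanisms()` in this commit, and should read e.g. `@return the names of the SASL mechanisms this provider supports`. The new `getSecureOnlyMechanisms()` has no Javadoc at all; suggest `Returns the SASL mechanisms that may only be offered over a secure transport; defaults to PLAIN.` The `@param secure` tag added to `getSubjectCreator` is empty (as is the one on `Broker.getSubjectCreator` in this commit); suggest `@param secure whether the connection is on a secure transport; secure-only mechanisms are withheld when false`. Whether an unset attribute yields the JSON default, an empty list or `null` is decided by the attribute framework and is not visible here, so it is worth stating on `getSecureOnlyMechanisms`, since `SubjectCreator` calls `removeAll` on the result.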
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java
Thu Jul 24 11:27:03 2014
@@ -170,8 +170,9 @@ public interface Broker<X extends Broker
* TODO: move the authentication related functionality into host aliases
and AuthenticationProviders
*
* @param localAddress The (listening) socket address for which the
AuthenticationManager is required
+ * @param secure
*/
- SubjectCreator getSubjectCreator(SocketAddress localAddress);
+ SubjectCreator getSubjectCreator(SocketAddress localAddress, final boolean
secure);
Collection<KeyStore<?>> getKeyStores();
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/ExternalFileBasedAuthenticationManager.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/ExternalFileBasedAuthenticationManager.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/ExternalFileBasedAuthenticationManager.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/ExternalFileBasedAuthenticationManager.java
Thu Jul 24 11:27:03 2014
@@ -26,4 +26,6 @@ public interface ExternalFileBasedAuthen
@ManagedAttribute( mandatory = true, description = "File location")
public String getPath();
+
+
}
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/Transport.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/Transport.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/Transport.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/Transport.java
Thu Jul 24 11:27:03 2014
@@ -24,12 +24,30 @@ import java.util.EnumSet;
public enum Transport
{
+
TCP,
- SSL,
+ SSL(true),
WS,
- WSS,
+ WSS(true),
SCTP;
+ Transport()
+ {
+ this(false);
+ }
+
+ Transport(boolean secure)
+ {
+ _secure = secure;
+ }
+
+ private boolean _secure;
+
+ public final boolean isSecure()
+ {
+ return _secure;
+ }
+
public static Transport valueOfObject(Object transportObject)
{
Transport transport;
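Review bot: `_secure` is declared `private boolean _secure;` but is only ever assigned in the constructor; since it is the flag that decides whether PLAIN and other secure-only mechanisms are offered on a connection, it should be `private final boolean _secure;` so no later code path can flip it. The field declaration also sits between the constructors and `isSecure()`; placing it with the other members at the top of the enum would match the usual layout. `valueOfObject`, which starts at the end of this hunk, continues outside it.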
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/BrokerAdapter.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/BrokerAdapter.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/BrokerAdapter.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/BrokerAdapter.java
Thu Jul 24 11:27:03 2014
@@ -848,7 +848,7 @@ public class BrokerAdapter extends Abstr
}
@Override
- public SubjectCreator getSubjectCreator(SocketAddress localAddress)
+ public SubjectCreator getSubjectCreator(SocketAddress localAddress, final
boolean secure)
{
AuthenticationProvider provider =
getAuthenticationProvider(localAddress);
@@ -857,7 +857,7 @@ public class BrokerAdapter extends Abstr
throw new IllegalConfigurationException("Unable to determine
authentication provider for address: " + localAddress);
}
- return provider.getSubjectCreator();
+ return provider.getSubjectCreator(secure);
}
@Override
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java
Thu Jul 24 11:27:03 2014
@@ -21,45 +21,47 @@
package org.apache.qpid.server.security;
import java.security.Principal;
+import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
+import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
+import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.GroupProvider;
-import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import
org.apache.qpid.server.security.auth.AuthenticationResult.AuthenticationStatus;
import org.apache.qpid.server.security.auth.SubjectAuthenticationResult;
-import
org.apache.qpid.server.security.auth.manager.AnonymousAuthenticationManager;
-import org.apache.qpid.server.security.auth.manager.AuthenticationManager;
-import
org.apache.qpid.server.security.auth.manager.ExternalAuthenticationManager;
/**
* Creates a {@link Subject} formed by the {@link Principal}'s returned from:
* <ol>
- * <li>Authenticating using an {@link AuthenticationManager}</li>
- * <li>A {@link GroupPrincipalAccessor}</li>
+ * <li>Authenticating using an {@link AuthenticationProvider}</li>
* </ol>
*
* <p>
- * SubjectCreator is a facade to the {@link AuthenticationManager}, and is
intended to be
+ * SubjectCreator is a facade to the {@link AuthenticationProvider}, and is
intended to be
* the single place that {@link Subject}'s are created in the broker.
* </p>
*/
public class SubjectCreator
{
- private AuthenticationManager _authenticationManager;
+ private final boolean _secure;
+ private AuthenticationProvider<?> _authenticationProvider;
private Collection<GroupProvider> _groupProviders;
- public SubjectCreator(AuthenticationManager authenticationManager,
Collection<GroupProvider> groupProviders)
+ public SubjectCreator(AuthenticationProvider<?> authenticationProvider,
+ Collection<GroupProvider> groupProviders,
+ final boolean secure)
{
- _authenticationManager = authenticationManager;
+ _authenticationProvider = authenticationProvider;
_groupProviders = groupProviders;
+ _secure = secure;
}
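Review bot: The class Javadoc drops the `<li>` for group principals, yet the constructor still takes `Collection<GroupProvider> groupProviders` and `getGroupPrincipals` (later hunk) still adds them to the Subject, so the list now describes only half of what the Subject is built from; keep a second item such as `<li>Group principals obtained from the configured {@link GroupProvider}s</li>`. The new `secure` constructor parameter is undocumented; a constructor Javadoc with `@param secure whether the connection is secure; when false, mechanisms in {@link AuthenticationProvider#getSecureOnlyMechanisms()} are withheld` would explain why the flag exists. `_authenticationProvider` and `_groupProviders` are assigned only here and could be `final` like `_secure`.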
/**
@@ -67,17 +69,27 @@ public class SubjectCreator
*
* @return SASL mechanism names, space separated.
*/
- public String getMechanisms()
+ public List<String> getMechanisms()
{
- return _authenticationManager.getMechanisms();
+ List<String> mechanisms = _authenticationProvider.getMechanisms();
+ if(!_secure)
+ {
+ mechanisms = new ArrayList<>(mechanisms);
+
mechanisms.removeAll(_authenticationProvider.getSecureOnlyMechanisms());
+ }
+ return mechanisms;
}
/**
- * @see AuthenticationManager#createSaslServer(String, String, Principal)
+ * @see AuthenticationProvider#createSaslServer(String, String, Principal)
*/
public SaslServer createSaslServer(String mechanism, String localFQDN,
Principal externalPrincipal) throws SaslException
{
- return _authenticationManager.createSaslServer(mechanism, localFQDN,
externalPrincipal);
+ if(!getMechanisms().contains(mechanism))
+ {
+ throw new SaslException("Unsupported mechanism: " + mechanism +
".\nSupported mechanisms: " + getMechanisms());
+ }
+ return _authenticationProvider.createSaslServer(mechanism, localFQDN,
externalPrincipal);
}
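Review bot: In the `!_secure` branch of `getMechanisms()`, `mechanisms.removeAll(_authenticationProvider.getSecureOnlyMechanisms())` throws `NullPointerException` if a provider returns `null` for the attribute, which would fail the whole connection rather than just withhold PLAIN; treating `null` as an empty list is a one-line guard. In the secure case the provider's own list is returned as-is, so if callers must never mutate it, wrap it with `Collections.unmodifiableList(mechanisms)` (already imported). The `contains` check in `createSaslServer` is the actual enforcement point for the secure-only rule, so it deserves a comment such as `// Enforce the secure-only restriction here as well as in getMechanisms(): a client may request a mechanism that was not advertised`.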
/**
@@ -88,7 +100,7 @@ public class SubjectCreator
*/
public SubjectAuthenticationResult authenticate(SaslServer server, byte[]
response)
{
- AuthenticationResult authenticationResult =
_authenticationManager.authenticate(server, response);
+ AuthenticationResult authenticationResult =
_authenticationProvider.authenticate(server, response);
if(server.isComplete())
{
String username = server.getAuthorizationID();
@@ -106,7 +118,7 @@ public class SubjectCreator
*/
public SubjectAuthenticationResult authenticate(String username, String
password)
{
- final AuthenticationResult authenticationResult =
_authenticationManager.authenticate(username, password);
+ final AuthenticationResult authenticationResult =
_authenticationProvider.authenticate(username, password);
return createResultWithGroups(username, authenticationResult);
}
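Review bot: `authenticate(String username, String password)` does not consult `_secure`, so a plaintext-credential login through this path succeeds on a non-secure connection even though the SASL path now withholds PLAIN there; the callers in this change set (JMX and HTTP management) are the ones that send such credentials, and whether they check transport security before reaching here is not visible in this diff. If the intent is that only the SASL handshake is restricted, a Javadoc line on this method, `Note: this path is not subject to the secure-only mechanism restriction applied by {@link #getMechanisms()}; callers decide whether plaintext credentials may be accepted on their transport`, makes that explicit for future callers.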
@@ -141,18 +153,7 @@ public class SubjectCreator
return authenticationSubject;
}
- public Subject createSubjectWithGroups(String username)
- {
- Subject authenticationSubject = new Subject();
-
- authenticationSubject.getPrincipals().add(new
AuthenticatedPrincipal(username));
-
authenticationSubject.getPrincipals().addAll(getGroupPrincipals(username));
- authenticationSubject.setReadOnly();
-
- return authenticationSubject;
- }
-
- public Set<Principal> getGroupPrincipals(String username)
+ Set<Principal> getGroupPrincipals(String username)
{
Set<Principal> principals = new HashSet<Principal>();
for (GroupProvider groupProvider : _groupProviders)
@@ -167,13 +168,4 @@ public class SubjectCreator
return Collections.unmodifiableSet(principals);
}
- public boolean isAnonymousAuthenticationAllowed()
- {
- return _authenticationManager instanceof
AnonymousAuthenticationManager;
- }
-
- public boolean isExternalAuthenticationAllowed()
- {
- return _authenticationManager instanceof ExternalAuthenticationManager;
- }
}
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/AuthenticationResult.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/AuthenticationResult.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/AuthenticationResult.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/AuthenticationResult.java
Thu Jul 24 11:27:03 2014
@@ -25,10 +25,9 @@ import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
-import org.apache.qpid.server.security.auth.manager.AuthenticationManager;
/**
- * Encapsulates the result of an attempt to authenticate using an {@link
AuthenticationManager}.
+ * Encapsulates the result of an attempt to authenticate using an {@link
org.apache.qpid.server.model.AuthenticationProvider}.
* <p>
* The authentication status describes the overall outcome.
* <p>
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/Base64MD5PasswordFilePrincipalDatabase.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/Base64MD5PasswordFilePrincipalDatabase.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/Base64MD5PasswordFilePrincipalDatabase.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/Base64MD5PasswordFilePrincipalDatabase.java
Thu Jul 24 11:27:03 2014
@@ -21,7 +21,10 @@
package org.apache.qpid.server.security.auth.database;
import java.security.Principal;
+import java.util.Arrays;
+import java.util.Collections;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
import javax.security.auth.callback.CallbackHandler;
@@ -30,10 +33,13 @@ import javax.security.sasl.SaslException
import javax.security.sasl.SaslServer;
import org.apache.log4j.Logger;
+
import
org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5HashedInitialiser;
import
org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5HashedSaslServer;
import org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5HexInitialiser;
import org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5HexSaslServer;
+import org.apache.qpid.server.security.auth.sasl.plain.PlainAdapterSaslServer;
+import org.apache.qpid.server.security.auth.sasl.plain.PlainSaslServer;
/**
* Represents a user database where the account information is stored in a
simple flat file.
@@ -45,7 +51,9 @@ import org.apache.qpid.server.security.a
public class Base64MD5PasswordFilePrincipalDatabase extends
AbstractPasswordFilePrincipalDatabase<HashedUser>
{
private final Logger _logger =
Logger.getLogger(Base64MD5PasswordFilePrincipalDatabase.class);
- private String _mechanismsString;
+ private List<String> _mechanisms =
Collections.unmodifiableList(Arrays.asList(CRAMMD5HashedSaslServer.MECHANISM,
+
CRAMMD5HexSaslServer.MECHANISM,
+
PlainSaslServer.MECHANISM));
private final Map<String, CallbackHandler> _callbackHandlerMap = new
HashMap<String, CallbackHandler>();
public Base64MD5PasswordFilePrincipalDatabase()
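Review bot: `_mechanisms` is initialised inline and never reassigned, yet is declared `private List<String> _mechanisms` while the equivalent field added to `PlainPasswordFilePrincipalDatabase` in this commit is `private final List<String> _mechanisms`; make it `final` here too. Adding `PlainSaslServer.MECHANISM` means PLAIN is now advertised for this hashed-password database as well, which relies on the secure-only filter in `SubjectCreator` to keep it off non-TLS connections; a comment on the field, `// PLAIN is listed here but only offered on secure transports (see AuthenticationProvider#getSecureOnlyMechanisms)`, saves the next reader a trip through the filter.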
@@ -58,7 +66,6 @@ public class Base64MD5PasswordFilePrinci
crammd5HexInitialiser.initialise(this);
_callbackHandlerMap.put(CRAMMD5HexSaslServer.MECHANISM,
crammd5HexInitialiser.getCallbackHandler());
- _mechanismsString = CRAMMD5HashedSaslServer.MECHANISM + " " +
CRAMMD5HexSaslServer.MECHANISM;
}
@@ -127,9 +134,9 @@ public class Base64MD5PasswordFilePrinci
}
@Override
- public String getMechanisms()
+ public List<String> getMechanisms()
{
- return _mechanismsString;
+ return _mechanisms;
}
@Override
@@ -150,6 +157,24 @@ public class Base64MD5PasswordFilePrinci
{
return new CRAMMD5HexSaslServer(mechanism, "AMQP", localFQDN,
null, callbackHandler);
}
+ else if(PlainSaslServer.MECHANISM.equals(mechanism))
+ {
+ return new PlainAdapterSaslServer(new
PlainAdapterSaslServer.PasswordValidator()
+ {
+ @Override
+ public boolean validatePassword(final String user, final
String password)
+ {
+ try
+ {
+ return verifyPassword(user, password.toCharArray());
+ }
+ catch (AccountNotFoundException e)
+ {
+ return false;
+ }
+ }
+ });
+ }
throw new SaslException("Unsupported mechanism: " + mechanism);
}
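Review bot: In the new `PlainSaslServer.MECHANISM` branch the validator converts the password with `password.toCharArray()` and hands the array to `verifyPassword` but never clears it, so the plaintext lingers in a second heap array after verification; since `java.util.Arrays` is now imported, zeroing it in a `finally` costs one line. The `String` itself still lives until collected, so this only shortens exposure of the array, but it matches the `char[]` convention `verifyPassword` already uses. Mapping `AccountNotFoundException` to `false` is the right choice, since unknown user and wrong password then look the same to the client. `createSaslServer` begins before this hunk.
```java
                @Override
                public boolean validatePassword(final String user, final String password)
                {
                    final char[] chars = password.toCharArray();
                    try
                    {
                        return verifyPassword(user, chars);
                    }
                    catch (AccountNotFoundException e)
                    {
                        return false;
                    }
                    finally
                    {
                        // do not leave a second plaintext copy behind once verified
                        Arrays.fill(chars, '\0');
                    }
                }
```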
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
Thu Jul 24 11:27:03 2014
@@ -21,7 +21,10 @@
package org.apache.qpid.server.security.auth.database;
import java.security.Principal;
+import java.util.Arrays;
+import java.util.Collections;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
import javax.security.auth.callback.CallbackHandler;
@@ -31,8 +34,7 @@ import javax.security.sasl.SaslException
import javax.security.sasl.SaslServer;
import org.apache.log4j.Logger;
-import org.apache.qpid.server.security.auth.sasl.amqplain.AmqPlainInitialiser;
-import org.apache.qpid.server.security.auth.sasl.amqplain.AmqPlainSaslServer;
+
import org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5Initialiser;
import org.apache.qpid.server.security.auth.sasl.plain.PlainInitialiser;
import org.apache.qpid.server.security.auth.sasl.plain.PlainSaslServer;
@@ -49,14 +51,11 @@ public class PlainPasswordFilePrincipalD
private final Logger _logger =
Logger.getLogger(PlainPasswordFilePrincipalDatabase.class);
private final Map<String, CallbackHandler> _callbackHandlerMap = new
HashMap<String, CallbackHandler>();
- private String _mechanismsString;
+ private final List<String> _mechanisms =
Collections.unmodifiableList(Arrays.asList(PlainSaslServer.MECHANISM,
+
CRAMMD5Initialiser.MECHANISM));
public PlainPasswordFilePrincipalDatabase()
{
- AmqPlainInitialiser amqPlainInitialiser = new AmqPlainInitialiser();
- amqPlainInitialiser.initialise(this);
- _callbackHandlerMap.put(AmqPlainSaslServer.MECHANISM,
amqPlainInitialiser.getCallbackHandler());
-
PlainInitialiser plainInitialiser = new PlainInitialiser();
plainInitialiser.initialise(this);
_callbackHandlerMap.put(PlainSaslServer.MECHANISM,
plainInitialiser.getCallbackHandler());
@@ -65,7 +64,6 @@ public class PlainPasswordFilePrincipalD
crammd5Initialiser.initialise(this);
_callbackHandlerMap.put(CRAMMD5Initialiser.MECHANISM,
crammd5Initialiser.getCallbackHandler());
- _mechanismsString = AmqPlainSaslServer.MECHANISM + " " +
PlainSaslServer.MECHANISM + " " + CRAMMD5Initialiser.MECHANISM;
}
@@ -113,9 +111,9 @@ public class PlainPasswordFilePrincipalD
@Override
- public String getMechanisms()
+ public List<String> getMechanisms()
{
- return _mechanismsString;
+ return _mechanisms;
}
@Override
@@ -136,10 +134,6 @@ public class PlainPasswordFilePrincipalD
{
return new PlainSaslServer(callbackHandler);
}
- else if(AmqPlainSaslServer.MECHANISM.equals(mechanism))
- {
- return new AmqPlainSaslServer(callbackHandler);
- }
throw new SaslException("Unsupported mechanism: " + mechanism);
}
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PrincipalDatabase.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PrincipalDatabase.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PrincipalDatabase.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PrincipalDatabase.java
Thu Jul 24 11:27:03 2014
@@ -20,19 +20,16 @@
*/
package org.apache.qpid.server.security.auth.database;
-import
org.apache.qpid.server.security.auth.sasl.AuthenticationProviderInitialiser;
+import java.io.File;
+import java.io.IOException;
+import java.security.Principal;
+import java.util.List;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
-import java.io.File;
-import java.io.IOException;
-import java.security.Principal;
-import java.util.List;
-import java.util.Map;
-
/** Represents a "user database" which is really a way of storing principals
(i.e. usernames) and passwords. */
public interface PrincipalDatabase
{
@@ -108,7 +105,7 @@ public interface PrincipalDatabase
* Get the list of mechanisms supported for use with the PrincipalDatabase
* @return space separated list of supported Sasl mechanisms
*/
- public String getMechanisms();
+ public List<String> getMechanisms();
public SaslServer createSaslServer(String mechanism, String localFQDN,
Principal externalPrincipal) throws SaslException;
}
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/jmx/JMXPasswordAuthenticator.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/jmx/JMXPasswordAuthenticator.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/jmx/JMXPasswordAuthenticator.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/jmx/JMXPasswordAuthenticator.java
Thu Jul 24 11:27:03 2014
@@ -25,14 +25,14 @@ import java.rmi.server.RemoteServer;
import java.rmi.server.ServerNotActiveException;
import java.security.PrivilegedAction;
+import javax.management.remote.JMXAuthenticator;
+import javax.security.auth.Subject;
+
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.security.SubjectCreator;
import
org.apache.qpid.server.security.auth.AuthenticationResult.AuthenticationStatus;
import org.apache.qpid.server.security.auth.SubjectAuthenticationResult;
-import javax.management.remote.JMXAuthenticator;
-import javax.security.auth.Subject;
-
public class JMXPasswordAuthenticator implements JMXAuthenticator
{
static final String UNABLE_TO_LOOKUP = "The broker was unable to lookup
the user details";
@@ -45,11 +45,13 @@ public class JMXPasswordAuthenticator im
private final Broker _broker;
private final SocketAddress _address;
+ private final boolean _secure;
- public JMXPasswordAuthenticator(Broker broker, SocketAddress address)
+ public JMXPasswordAuthenticator(Broker broker, SocketAddress address,
final boolean secure)
{
_broker = broker;
_address = address;
+ _secure = secure;
}
public Subject authenticate(Object credentials) throws SecurityException
@@ -95,7 +97,7 @@ public class JMXPasswordAuthenticator im
throw new SecurityException(SHOULD_BE_NON_NULL);
}
- SubjectCreator subjectCreator = _broker.getSubjectCreator(_address);
+ SubjectCreator subjectCreator = _broker.getSubjectCreator(_address,
_secure);
if (subjectCreator == null)
{
throw new SecurityException("Can't get subject creator for " +
_address);
@@ -149,4 +151,4 @@ public class JMXPasswordAuthenticator im
}
-}
\ No newline at end of file
+}
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java
Thu Jul 24 11:27:03 2014
@@ -24,6 +24,7 @@ import java.security.AccessControlExcept
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
@@ -36,6 +37,7 @@ import org.apache.qpid.server.model.Auth
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.IntegrityViolationException;
+import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.PreferencesProvider;
import org.apache.qpid.server.model.State;
@@ -48,7 +50,7 @@ import org.apache.qpid.server.security.a
public abstract class AbstractAuthenticationManager<T extends
AbstractAuthenticationManager<T>>
extends AbstractConfiguredObject<T>
- implements AuthenticationProvider<T>, AuthenticationManager
+ implements AuthenticationProvider<T>
{
private static final Logger LOGGER =
Logger.getLogger(AbstractAuthenticationManager.class);
@@ -56,6 +58,9 @@ public abstract class AbstractAuthentica
private PreferencesProvider _preferencesProvider;
private AtomicReference<State> _state = new
AtomicReference<State>(State.UNINITIALIZED);
+ @ManagedAttributeField
+ private List<String> _secureOnlyMechanisms;
+
protected AbstractAuthenticationManager(final Map<String, Object>
attributes, final Broker broker)
{
super(parentsMap(broker), attributes);
@@ -111,9 +116,9 @@ public abstract class AbstractAuthentica
}
@Override
- public SubjectCreator getSubjectCreator()
+ public SubjectCreator getSubjectCreator(final boolean secure)
{
- return new SubjectCreator(this, _broker.getGroupProviders());
+ return new SubjectCreator(this, _broker.getGroupProviders(), secure);
}
@Override
@@ -248,4 +253,10 @@ public abstract class AbstractAuthentica
}
return super.getAttribute(name);
}
+
+ @Override
+ public final List<String> getSecureOnlyMechanisms()
+ {
+ return _secureOnlyMechanisms;
+ }
}
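Review bot: `getSecureOnlyMechanisms()` returns the internal `_secureOnlyMechanisms` list itself, so any caller can mutate security-relevant configuration without going through an attribute change, and if the attribute was never set the method returns null, which every consumer added by this commit (SubjectCreator is not visible here) must guard against. Prefer a defensive view: `return _secureOnlyMechanisms == null ? Collections.<String>emptyList() : Collections.unmodifiableList(_secureOnlyMechanisms);` (needs `java.util.Collections`). Whether null is reachable depends on the default declared on the AuthenticationProvider attribute, which is outside this view; confirm that default is non-null and contains PLAIN, otherwise an unset attribute fails open.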
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
Thu Jul 24 11:27:03 2014
@@ -29,6 +29,7 @@ import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
@@ -49,6 +50,7 @@ import org.apache.qpid.server.model.User
import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.UsernamePrincipal;
+import org.apache.qpid.server.security.auth.sasl.plain.PlainAdapterSaslServer;
import org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServer;
public abstract class AbstractScramAuthenticationManager<X extends
AbstractScramAuthenticationManager<X>>
@@ -57,6 +59,7 @@ public abstract class AbstractScramAuthe
{
static final Charset ASCII = Charset.forName("ASCII");
+ public static final String PLAIN = "PLAIN";
private final SecureRandom _random = new SecureRandom();
private int _iterationCount = 4096;
@@ -70,15 +73,9 @@ public abstract class AbstractScramAuthe
}
@Override
- public void initialise()
+ public List<String> getMechanisms()
{
-
- }
-
- @Override
- public String getMechanisms()
- {
- return getMechanismName();
+ return Collections.unmodifiableList(Arrays.asList(getMechanismName(),
PLAIN));
}
protected abstract String getMechanismName();
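Review bot: A SCRAM provider now advertises PLAIN unconditionally; nothing in this class consults the transport, so the only thing preventing a cleartext password from crossing plain TCP is the `secureOnlyMechanisms` filter applied downstream (the ScramSHA1AuthenticationManagerTest in this commit exercises it through SubjectCreator). If an administrator empties that attribute, the provider quietly degrades to accepting cleartext passwords, defeating the reason for choosing SCRAM. That dependency deserves a comment on the method, e.g. `// PLAIN is offered for clients without SCRAM support; it must only be reachable on TLS connections, which is enforced via secureOnlyMechanisms in SubjectCreator rather than here.`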
@@ -89,7 +86,18 @@ public abstract class AbstractScramAuthe
final Principal externalPrincipal)
throws SaslException
{
- return new ScramSaslServer(this, getMechanismName(), getHmacName(),
getDigestName());
+ if(getMechanismName().equals(mechanism))
+ {
+ return new ScramSaslServer(this, getMechanismName(),
getHmacName(), getDigestName());
+ }
+ else if(PLAIN.equals(mechanism))
+ {
+ return new PlainAdapterSaslServer(this);
+ }
+ else
+ {
+ throw new SaslException("Unknown mechanism: " + mechanism);
+ }
}
protected abstract String getDigestName();
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManager.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManager.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManager.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManager.java
Thu Jul 24 11:27:03 2014
@@ -21,6 +21,8 @@
package org.apache.qpid.server.security.auth.manager;
import java.security.Principal;
+import java.util.Collections;
+import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
@@ -59,15 +61,9 @@ public class AnonymousAuthenticationMana
}
@Override
- public void initialise()
+ public List<String> getMechanisms()
{
-
- }
-
- @Override
- public String getMechanisms()
- {
- return ANONYMOUS;
+ return Collections.singletonList(ANONYMOUS);
}
@Override
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationManagerImpl.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationManagerImpl.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationManagerImpl.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationManagerImpl.java
Thu Jul 24 11:27:03 2014
@@ -19,6 +19,8 @@
package org.apache.qpid.server.security.auth.manager;
import java.security.Principal;
+import java.util.Collections;
+import java.util.List;
import java.util.Map;
import javax.security.sasl.SaslException;
@@ -45,13 +47,6 @@ public class ExternalAuthenticationManag
super(attributes, broker);
}
-
- @Override
- public void initialise()
- {
-
- }
-
@Override
public boolean getUseFullDN()
{
@@ -59,9 +54,9 @@ public class ExternalAuthenticationManag
}
@Override
- public String getMechanisms()
+ public List<String> getMechanisms()
{
- return EXTERNAL;
+ return Collections.singletonList(EXTERNAL);
}
@Override
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java
Thu Jul 24 11:27:03 2014
@@ -20,7 +20,9 @@ package org.apache.qpid.server.security.
import java.io.IOException;
import java.security.Principal;
+import java.util.Collections;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
import javax.security.auth.callback.Callback;
@@ -50,17 +52,10 @@ public class KerberosAuthenticationManag
super(attributes, broker);
}
-
- @Override
- public void initialise()
- {
-
- }
-
@Override
- public String getMechanisms()
+ public List<String> getMechanisms()
{
- return GSSAPI_MECHANISM;
+ return Collections.singletonList(GSSAPI_MECHANISM);
}
@Override
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java
Thu Jul 24 11:27:03 2014
@@ -147,7 +147,7 @@ public abstract class PrincipalDatabaseA
}
}
- public String getMechanisms()
+ public List<String> getMechanisms()
{
return _principalDatabase.getMechanisms();
}
@@ -158,7 +158,7 @@ public abstract class PrincipalDatabaseA
}
/**
- * @see
org.apache.qpid.server.security.auth.manager.AuthenticationManager#authenticate(SaslServer,
byte[])
+ * @see
org.apache.qpid.server.model.AuthenticationProvider#authenticate(SaslServer,
byte[])
*/
public AuthenticationResult authenticate(SaslServer server, byte[]
response)
{
@@ -184,7 +184,7 @@ public abstract class PrincipalDatabaseA
}
/**
- * @see
org.apache.qpid.server.security.auth.manager.AuthenticationManager#authenticate(String,
String)
+ * @see
org.apache.qpid.server.model.AuthenticationProvider#authenticate(String, String)
*/
public AuthenticationResult authenticate(final String username, final
String password)
{
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java
Thu Jul 24 11:27:03 2014
@@ -21,8 +21,10 @@ package org.apache.qpid.server.security.
import java.io.IOException;
import java.security.Principal;
+import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
import javax.security.auth.callback.Callback;
@@ -66,14 +68,9 @@ public class SimpleAuthenticationManager
}
@Override
- public void initialise()
+ public List<String> getMechanisms()
{
- }
-
- @Override
- public String getMechanisms()
- {
- return PLAIN_MECHANISM + " " + CRAM_MD5_MECHANISM;
+ return Collections.unmodifiableList(Arrays.asList(PLAIN_MECHANISM,
CRAM_MD5_MECHANISM));
}
@Override
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java
Thu Jul 24 11:27:03 2014
@@ -24,7 +24,9 @@ import java.security.GeneralSecurityExce
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
+import java.util.Collections;
import java.util.Hashtable;
+import java.util.List;
import java.util.Map;
import javax.naming.AuthenticationException;
@@ -111,11 +113,13 @@ public class SimpleLDAPAuthenticationMan
@Override
- public void initialise()
+ protected void onOpen()
{
+ super.onOpen();
+
_sslSocketFactoryOverrideClass = createSslSocketFactoryOverrideClass();
- validateInitialDirContext();
+ // validateInitialDirContext();
}
@Override
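Review bot: `validateInitialDirContext()` has been commented out in `onOpen()` with no explanation, so the broker no longer verifies at start-up that it can bind to the configured LDAP server, and by extension that the socket-factory override assigned on the preceding line actually works. A broken LDAP or TLS configuration now surfaces only on the first client authentication attempt, and the old call is left behind as dead code. Either restore the call or delete it and leave a tracked marker such as `// TODO QPID-5922: start-up validation of the LDAP bind disabled because ...; re-enable once ...` so the omission is visible to the next maintainer. The enclosing class continues outside the hunk.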
@@ -168,9 +172,9 @@ public class SimpleLDAPAuthenticationMan
@Override
- public String getMechanisms()
+ public List<String> getMechanisms()
{
- return PlainSaslServer.MECHANISM;
+ return Collections.singletonList(PlainSaslServer.MECHANISM);
}
@Override
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/crammd5/CRAMMD5HexInitialiser.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/crammd5/CRAMMD5HexInitialiser.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/crammd5/CRAMMD5HexInitialiser.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/crammd5/CRAMMD5HexInitialiser.java
Thu Jul 24 11:27:03 2014
@@ -133,7 +133,7 @@ public class CRAMMD5HexInitialiser exten
}
@Override
- public String getMechanisms()
+ public List<String> getMechanisms()
{
return _realPrincipalDatabase.getMechanisms();
}
Copied:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainAdapterSaslServer.java
(from r1612109,
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java)
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainAdapterSaslServer.java?p2=qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainAdapterSaslServer.java&p1=qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java&r1=1612109&r2=1613068&rev=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainAdapterSaslServer.java
Thu Jul 24 11:27:03 2014
@@ -20,28 +20,47 @@
*/
package org.apache.qpid.server.security.auth.sasl.plain;
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.NameCallback;
-import javax.security.auth.callback.UnsupportedCallbackException;
+import java.io.IOException;
+
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
-import java.io.IOException;
-public class PlainSaslServer implements SaslServer
+import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.security.auth.AuthenticationResult;
+
+public class PlainAdapterSaslServer implements SaslServer
{
- public static final String MECHANISM = "PLAIN";
+ public static interface PasswordValidator
+ {
+ boolean validatePassword(String user, String password);
+ }
+
- private CallbackHandler _cbh;
+
+ public static final String MECHANISM = "PLAIN";
+ private final PasswordValidator _passwordValidator;
private String _authorizationId;
private boolean _complete = false;
- public PlainSaslServer(CallbackHandler cbh)
+ public PlainAdapterSaslServer(final PasswordValidator passwordValidator)
{
- _cbh = cbh;
+ _passwordValidator = passwordValidator;
+ }
+
+ public PlainAdapterSaslServer(final AuthenticationProvider authProvider)
+ {
+ this(new PasswordValidator()
+ {
+ @Override
+ public boolean validatePassword(final String user, final
String password)
+ {
+ AuthenticationResult authenticationResult =
authProvider.authenticate(user, password);
+ return authenticationResult != null &&
authenticationResult.getStatus() ==
AuthenticationResult.AuthenticationStatus.SUCCESS;
+ }
+ });
}
public String getMechanismName()
@@ -74,13 +93,18 @@ public class PlainSaslServer implements
int passwordLen = response.length - authcidNullPosition - 1;
String pwd = new String(response, authcidNullPosition + 1,
passwordLen, "utf8");
- // we do not care about the prompt but it throws if null
- NameCallback nameCb = new NameCallback("prompt", authzid);
- passwordCb = new PlainPasswordCallback("prompt", false, pwd);
- authzCb = new AuthorizeCallback(authzid, authzid);
- Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb};
- _cbh.handle(callbacks);
+ if(_passwordValidator.validatePassword(authzid, pwd))
+ {
+ _authorizationId = authzid;
+ _complete = true;
+ }
+ else
+ {
+ throw new SaslException("Authentication failed");
+ }
+
+ return null;
}
catch (IOException e)
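Review bot: The password check and the resulting authorization identity both use `authzid`: `_passwordValidator.validatePassword(authzid, pwd)` followed by `_authorizationId = authzid`. In SASL PLAIN the message is `authzid NUL authcid NUL passwd`, and the parsing above this hunk (not visible) evidently locates an `authcidNullPosition`, so if a distinct authcid is extracted there it is never checked — a client could present one identity's password while asserting a different authorization id. The previous code also passed `AuthorizeCallback(authzid, authzid)`, so this is a pre-existing gap rather than a regression, but the rewrite is the moment to close it: validate the authcid's password and add `if(!authzid.isEmpty() && !authzid.equals(authcid)) throw new SaslException("Authentication failed");` before marking the exchange complete, keeping the generic message so failures are indistinguishable to the client. evaluateResponse starts outside the hunk.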
@@ -91,25 +115,8 @@ public class PlainSaslServer implements
}
throw new SaslException("Error processing data: " + e, e);
}
- catch (UnsupportedCallbackException e)
- {
- throw new SaslException("Unable to obtain data from callback
handler: " + e, e);
- }
- if (passwordCb.isAuthenticated())
- {
- _complete = true;
- }
- if (authzCb.isAuthorized() && _complete)
- {
- _authorizationId = authzCb.getAuthenticationID();
- return null;
- }
- else
- {
- throw new SaslException("Authentication failed");
- }
}
@@ -155,7 +162,6 @@ public class PlainSaslServer implements
public void dispose() throws SaslException
{
- _cbh = null;
}
}
Modified:
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/SubjectCreatorTest.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/SubjectCreatorTest.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/SubjectCreatorTest.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/SubjectCreatorTest.java
Thu Jul 24 11:27:03 2014
@@ -32,19 +32,19 @@ import javax.security.sasl.SaslServer;
import junit.framework.TestCase;
+import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.GroupProvider;
import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import
org.apache.qpid.server.security.auth.AuthenticationResult.AuthenticationStatus;
import org.apache.qpid.server.security.auth.SubjectAuthenticationResult;
-import org.apache.qpid.server.security.auth.manager.AuthenticationManager;
public class SubjectCreatorTest extends TestCase
{
private static final String USERNAME = "username";
private static final String PASSWORD = "password";
- private AuthenticationManager _authenticationManager =
mock(AuthenticationManager.class);
+ private AuthenticationProvider _authenticationProvider =
mock(AuthenticationProvider.class);
private GroupProvider _groupManager1 = mock(GroupProvider.class);
private GroupProvider _groupManager2 = mock(GroupProvider.class);
@@ -64,9 +64,10 @@ public class SubjectCreatorTest extends
when(_groupManager1.getGroupPrincipalsForUser(USERNAME)).thenReturn(Collections.singleton(_group1));
when(_groupManager2.getGroupPrincipalsForUser(USERNAME)).thenReturn(Collections.singleton(_group2));
- _subjectCreator = new SubjectCreator(_authenticationManager, new
HashSet<GroupProvider>(Arrays.asList(_groupManager1, _groupManager2)));
+ _subjectCreator = new SubjectCreator(_authenticationProvider, new
HashSet<GroupProvider>(Arrays.asList(_groupManager1, _groupManager2)),
+ false);
_authenticationResult = new AuthenticationResult(_userPrincipal);
- when(_authenticationManager.authenticate(USERNAME,
PASSWORD)).thenReturn(_authenticationResult);
+ when(_authenticationProvider.authenticate(USERNAME,
PASSWORD)).thenReturn(_authenticationResult);
}
public void
testAuthenticateUsernameAndPasswordReturnsSubjectWithUserAndGroupPrincipals()
@@ -88,7 +89,7 @@ public class SubjectCreatorTest extends
public void
testSaslAuthenticationSuccessReturnsSubjectWithUserAndGroupPrincipals() throws
Exception
{
- when(_authenticationManager.authenticate(_testSaslServer,
_saslResponseBytes)).thenReturn(_authenticationResult);
+ when(_authenticationProvider.authenticate(_testSaslServer,
_saslResponseBytes)).thenReturn(_authenticationResult);
when(_testSaslServer.isComplete()).thenReturn(true);
when(_testSaslServer.getAuthorizationID()).thenReturn(USERNAME);
@@ -114,7 +115,7 @@ public class SubjectCreatorTest extends
{
AuthenticationResult failedAuthenticationResult = new
AuthenticationResult(expectedStatus);
- when(_authenticationManager.authenticate(USERNAME,
PASSWORD)).thenReturn(failedAuthenticationResult);
+ when(_authenticationProvider.authenticate(USERNAME,
PASSWORD)).thenReturn(failedAuthenticationResult);
SubjectAuthenticationResult subjectAuthenticationResult =
_subjectCreator.authenticate(USERNAME, PASSWORD);
@@ -132,7 +133,8 @@ public class SubjectCreatorTest extends
{
AuthenticationResult failedAuthenticationResult = new
AuthenticationResult(expectedStatus);
- when(_authenticationManager.authenticate(_testSaslServer,
_saslResponseBytes)).thenReturn(failedAuthenticationResult);
+ when(_authenticationProvider.authenticate(_testSaslServer,
_saslResponseBytes)).thenReturn(
+ failedAuthenticationResult);
when(_testSaslServer.isComplete()).thenReturn(false);
SubjectAuthenticationResult subjectAuthenticationResult =
_subjectCreator.authenticate(_testSaslServer, _saslResponseBytes);
Modified:
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/jmx/JMXPasswordAuthenticatorTest.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/jmx/JMXPasswordAuthenticatorTest.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/jmx/JMXPasswordAuthenticatorTest.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/jmx/JMXPasswordAuthenticatorTest.java
Thu Jul 24 11:27:03 2014
@@ -20,6 +20,7 @@
*/
package org.apache.qpid.server.security.auth.jmx;
+import static org.mockito.Matchers.anyBoolean;
import static org.mockito.Matchers.anyString;
import static org.mockito.Matchers.any;
import static org.mockito.Mockito.doThrow;
@@ -66,7 +67,7 @@ public class JMXPasswordAuthenticatorTes
protected void setUp() throws Exception
{
when(_broker.getSecurityManager()).thenReturn(_securityManager);
- _rmipa = new JMXPasswordAuthenticator(_broker, new
InetSocketAddress(8999));
+ _rmipa = new JMXPasswordAuthenticator(_broker, new
InetSocketAddress(8999), false);
}
/**
@@ -74,7 +75,7 @@ public class JMXPasswordAuthenticatorTes
*/
public void testAuthenticationSuccess()
{
-
when(_broker.getSubjectCreator(any(SocketAddress.class))).thenReturn(_usernamePasswordOkaySubjectCreator);
+ when(_broker.getSubjectCreator(any(SocketAddress.class),
anyBoolean())).thenReturn(_usernamePasswordOkaySubjectCreator);
Subject newSubject = _rmipa.authenticate(_credentials);
assertSame("Subject must be unchanged", _loginSubject, newSubject);
@@ -85,7 +86,7 @@ public class JMXPasswordAuthenticatorTes
*/
public void testUsernameOrPasswordInvalid()
{
-
when(_broker.getSubjectCreator(any(SocketAddress.class))).thenReturn(_badPasswordSubjectCreator);
+ when(_broker.getSubjectCreator(any(SocketAddress.class),
anyBoolean())).thenReturn(_badPasswordSubjectCreator);
try
{
@@ -101,7 +102,7 @@ public class JMXPasswordAuthenticatorTes
public void testAuthorisationFailure()
{
-
when(_broker.getSubjectCreator(any(SocketAddress.class))).thenReturn(_usernamePasswordOkaySubjectCreator);
+ when(_broker.getSubjectCreator(any(SocketAddress.class),
anyBoolean())).thenReturn(_usernamePasswordOkaySubjectCreator);
doThrow(new
AccessControlException(USER_NOT_AUTHORISED_FOR_MANAGEMENT)).when(_securityManager).accessManagement();
try
@@ -120,7 +121,7 @@ public class JMXPasswordAuthenticatorTes
{
final Exception mockAuthException = new Exception("Mock Auth system
failure");
SubjectCreator subjectCreator = createMockSubjectCreator(false,
mockAuthException);
-
when(_broker.getSubjectCreator(any(SocketAddress.class))).thenReturn(subjectCreator);
+ when(_broker.getSubjectCreator(any(SocketAddress.class),
anyBoolean())).thenReturn(subjectCreator);
try
{
@@ -138,7 +139,7 @@ public class JMXPasswordAuthenticatorTes
*/
public void testNullSubjectCreator() throws Exception
{
-
when(_broker.getSubjectCreator(any(SocketAddress.class))).thenReturn(null);
+ when(_broker.getSubjectCreator(any(SocketAddress.class),
anyBoolean())).thenReturn(null);
try
{
Modified:
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManagerTest.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManagerTest.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManagerTest.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManagerTest.java
Thu Jul 24 11:27:03 2014
@@ -22,6 +22,7 @@ package org.apache.qpid.server.security.
import static
org.apache.qpid.server.security.auth.AuthenticatedPrincipalTestHelper.assertOnlyContainsWrapped;
+import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
@@ -36,7 +37,7 @@ import org.apache.qpid.test.utils.QpidTe
public class AnonymousAuthenticationManagerTest extends QpidTestCase
{
- private AuthenticationManager _manager;
+ private AuthenticationProvider _manager;
@Override
public void setUp() throws Exception
@@ -59,7 +60,7 @@ public class AnonymousAuthenticationMana
public void testGetMechanisms() throws Exception
{
- assertEquals("ANONYMOUS", _manager.getMechanisms());
+ assertEquals(Collections.singletonList("ANONYMOUS"),
_manager.getMechanisms());
}
public void testCreateSaslServer() throws Exception
Modified:
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationManagerTest.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationManagerTest.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationManagerTest.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/ExternalAuthenticationManagerTest.java
Thu Jul 24 11:27:03 2014
@@ -20,6 +20,7 @@ package org.apache.qpid.server.security.
import static
org.apache.qpid.server.security.auth.AuthenticatedPrincipalTestHelper.assertOnlyContainsWrapped;
+import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
@@ -60,7 +61,7 @@ public class ExternalAuthenticationManag
public void testGetMechanisms() throws Exception
{
- assertEquals("EXTERNAL", _manager.getMechanisms());
+ assertEquals(Collections.singletonList("EXTERNAL"),
_manager.getMechanisms());
}
public void testCreateSaslServer() throws Exception
Modified:
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManagerTest.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManagerTest.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManagerTest.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManagerTest.java
Thu Jul 24 11:27:03 2014
@@ -28,6 +28,7 @@ import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.security.Principal;
+import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -91,7 +92,7 @@ public class PrincipalDatabaseAuthentica
{
_principalDatabase = mock(PrincipalDatabase.class);
- when(_principalDatabase.getMechanisms()).thenReturn(MOCK_MECH_NAME);
+
when(_principalDatabase.getMechanisms()).thenReturn(Collections.singletonList(MOCK_MECH_NAME));
when(_principalDatabase.createSaslServer(MOCK_MECH_NAME, LOCALHOST,
null)).thenReturn(new MySaslServer(false, true));
setupManager(false);
Modified:
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/ScramSHA1AuthenticationManagerTest.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/ScramSHA1AuthenticationManagerTest.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/ScramSHA1AuthenticationManagerTest.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/ScramSHA1AuthenticationManagerTest.java
Thu Jul 24 11:27:03 2014
@@ -29,6 +29,8 @@ import java.util.Map;
import java.util.UUID;
import javax.security.auth.login.AccountNotFoundException;
+import javax.security.sasl.SaslException;
+import javax.security.sasl.SaslServer;
import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor;
import org.apache.qpid.server.configuration.updater.TaskExecutor;
@@ -36,6 +38,7 @@ import org.apache.qpid.server.model.Auth
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.User;
import org.apache.qpid.server.security.SecurityManager;
+import org.apache.qpid.server.security.SubjectCreator;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.util.BrokerTestHelper;
import org.apache.qpid.test.utils.QpidTestCase;
@@ -61,6 +64,7 @@ public class ScramSHA1AuthenticationMana
attributesMap.put(AuthenticationProvider.NAME, getTestName());
attributesMap.put(AuthenticationProvider.ID, UUID.randomUUID());
_authManager = new ScramSHA1AuthenticationManager(attributesMap,
_broker);
+ _authManager.open();
}
@Override
@@ -70,6 +74,35 @@ public class ScramSHA1AuthenticationMana
super.tearDown();
}
+ public void testMechanisms()
+ {
+ SubjectCreator insecureCreator = _authManager.getSubjectCreator(false);
+ assertFalse("PLAIN authentication should not be available on an
insecure connection", insecureCreator.getMechanisms().contains("PLAIN"));
+ SubjectCreator secureCreator = _authManager.getSubjectCreator(true);
+ assertTrue("PLAIN authentication should be available on a secure
connection", secureCreator.getMechanisms().contains("PLAIN"));
+
+ try
+ {
+ SaslServer saslServer = secureCreator.createSaslServer("PLAIN",
"127.0.0.1", null);
+ assertNotNull(saslServer);
+ }
+ catch (SaslException e)
+ {
+ fail("Unable to create a SaslServer for PLAIN authentication on a
secure connection" + e.getMessage());
+ }
+
+ try
+ {
+ SaslServer saslServer = insecureCreator.createSaslServer("PLAIN",
"127.0.0.1", null);
+ fail("Erroneously created a SaslServer for PLAIN authentication on
an insecure connection");
+ }
+ catch (SaslException e)
+ {
+ // Pass
+ }
+
+ }
+
public void testAddChildAndThenDelete()
{
// No children should be present before the test starts
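Review bot: In the insecure branch of `testMechanisms` the `saslServer` local is assigned and never read, and the failure message in the secure branch concatenates `e.getMessage()` with no separator. More importantly the test stops at mechanism advertisement and server creation; it never drives a PLAIN exchange through the adapter, so a regression in `PlainAdapterSaslServer` that accepted a wrong password would still pass. Drop the unused local (`insecureCreator.createSaslServer("PLAIN", "127.0.0.1", null);`), fix the message (`"... on a secure connection: " + e.getMessage()`), and add a case that creates a user with whatever helper the sibling tests use, feeds the bytes of `"\0user\0password"` to `saslServer.evaluateResponse` and asserts `isComplete()`, plus a wrong-password case expecting `SaslException`.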
Modified:
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManagerTest.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManagerTest.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManagerTest.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManagerTest.java
Thu Jul 24 11:27:03 2014
@@ -22,6 +22,7 @@ package org.apache.qpid.server.security.
import java.security.Principal;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
@@ -41,7 +42,7 @@ public class SimpleAuthenticationManager
{
private static final String TEST_USER = "testUser";
private static final String TEST_PASSWORD = "testPassword";
- private AuthenticationManager _authenticationManager;
+ private AuthenticationProvider _authenticationManager;
public void setUp() throws Exception
{
@@ -58,7 +59,10 @@ public class SimpleAuthenticationManager
public void testGetMechanisms()
{
- assertEquals("Unexpected mechanisms", "PLAIN CRAM-MD5",
_authenticationManager.getMechanisms());
+ List<String> mechanisms = _authenticationManager.getMechanisms();
+ assertEquals("Unexpected number of mechanisms", 2, mechanisms.size());
+ assertTrue("PLAIN was not present", mechanisms.contains("PLAIN"));
+ assertTrue("CRAM-MD5 was not present",
mechanisms.contains("CRAM-MD5"));
}
public void testCreateSaslServerForUnsupportedMechanisms() throws Exception
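Review bot: `testGetMechanisms` still asserts only on the provider-wide list, so it passes whether or not the secure-channel restriction this commit introduces applies to `SimpleAuthenticationManager`. If that manager is meant to gate PLAIN the same way, add `assertFalse("PLAIN offered on an insecure channel", _authenticationManager.getSubjectCreator(false).getMechanisms().contains("PLAIN"));` next to the existing assertions. If it is intentionally exempt, a one-line comment saying so would save the next reader the question.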
Modified:
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/sasl/TestPrincipalDatabase.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/sasl/TestPrincipalDatabase.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/sasl/TestPrincipalDatabase.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/auth/sasl/TestPrincipalDatabase.java
Thu Jul 24 11:27:03 2014
@@ -90,7 +90,7 @@ public class TestPrincipalDatabase imple
}
@Override
- public String getMechanisms()
+ public List<String> getMechanisms()
{
// TODO Auto-generated method stub
return null;
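Review bot: With the return type now `List<String>`, `return null;` is a worse stub than it was for a `String`: callers elsewhere in this commit iterate the result directly (the for-each in `AMQProtocolEngine`), so any test that reaches this method through that path would fail with a NullPointerException rather than a clear assertion. Prefer `return java.util.Collections.emptyList();` (or the unqualified form if `Collections` is already imported in this file, which is not visible here).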
Modified:
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/util/BrokerTestHelper.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/util/BrokerTestHelper.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/util/BrokerTestHelper.java
(original)
+++
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/util/BrokerTestHelper.java
Thu Jul 24 11:27:03 2014
@@ -21,11 +21,13 @@
package org.apache.qpid.server.util;
import static org.mockito.Matchers.any;
+import static org.mockito.Matchers.anyBoolean;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import java.net.SocketAddress;
import java.security.PrivilegedAction;
+import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
@@ -78,13 +80,13 @@ public class BrokerTestHelper
when(systemContext.getCategoryClass()).thenReturn(SystemContext.class);
SubjectCreator subjectCreator = mock(SubjectCreator.class);
- when(subjectCreator.getMechanisms()).thenReturn("");
+
when(subjectCreator.getMechanisms()).thenReturn(Collections.<String>emptyList());
Broker broker = mock(Broker.class);
when(broker.getConnection_sessionCountLimit()).thenReturn(1);
when(broker.getConnection_closeWhenNoRoute()).thenReturn(false);
when(broker.getId()).thenReturn(UUID.randomUUID());
-
when(broker.getSubjectCreator(any(SocketAddress.class))).thenReturn(subjectCreator);
+ when(broker.getSubjectCreator(any(SocketAddress.class),
anyBoolean())).thenReturn(subjectCreator);
when(broker.getSecurityManager()).thenReturn(new
SecurityManager(broker, false));
when(broker.getObjectFactory()).thenReturn(objectFactory);
when(broker.getModel()).thenReturn(objectFactory.getModel());
Modified:
qpid/trunk/qpid/java/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ProtocolEngineCreator_0_10.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ProtocolEngineCreator_0_10.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ProtocolEngineCreator_0_10.java
(original)
+++
qpid/trunk/qpid/java/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ProtocolEngineCreator_0_10.java
Thu Jul 24 11:27:03 2014
@@ -77,7 +77,8 @@ public class ProtocolEngineCreator_0_10
fqdn = ((InetSocketAddress) address).getHostName();
}
final ConnectionDelegate connDelegate = new
ServerConnectionDelegate(broker,
- fqdn, broker.getSubjectCreator(address));
+ fqdn, broker.getSubjectCreator(address, transport.isSecure())
+ );
ServerConnection conn = new ServerConnection(id,broker);
Modified:
qpid/trunk/qpid/java/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerConnectionDelegate.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerConnectionDelegate.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerConnectionDelegate.java
(original)
+++
qpid/trunk/qpid/java/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerConnectionDelegate.java
Thu Jul 24 11:27:03 2014
@@ -31,7 +31,6 @@ import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
-import java.util.StringTokenizer;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
@@ -84,12 +83,12 @@ public class ServerConnectionDelegate ex
}
private ServerConnectionDelegate(Map<String, Object> properties,
- List<Object> locales,
- Broker broker,
- String localFQDN,
- SubjectCreator subjectCreator)
+ List<Object> locales,
+ Broker broker,
+ String localFQDN,
+ SubjectCreator subjectCreator)
{
- super(properties, parseToList(subjectCreator.getMechanisms()),
locales);
+ super(properties, (List) subjectCreator.getMechanisms(), locales);
_broker = broker;
_localFQDN = localFQDN;
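Review bot: The raw-type cast `(List) subjectCreator.getMechanisms()` on the `super(...)` line only exists to coerce a `List<String>` into the `List<Object>` parameter and will produce an unchecked warning; it also hands the superclass whatever list instance the creator returns, which may be unmodifiable or shared. `super(properties, new ArrayList<Object>(subjectCreator.getMechanisms()), locales);` avoids the raw type and the aliasing at the cost of one copy. The removed `parseToList` used `ArrayList` and the visible import hunk drops only `StringTokenizer`, so the import should still be present — worth confirming. The constructor body continues outside the hunk.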
@@ -128,17 +127,6 @@ public class ServerConnectionDelegate ex
return map;
}
- private static List<Object> parseToList(String mechanisms)
- {
- List<Object> list = new ArrayList<Object>();
- StringTokenizer tokenizer = new StringTokenizer(mechanisms, " ");
- while(tokenizer.hasMoreTokens())
- {
- list.add(tokenizer.nextToken());
- }
- return list;
- }
-
public ServerSession getSession(Connection conn, SessionAttach atc)
{
SessionDelegate serverSessionDelegate = new ServerSessionDelegate();
Modified:
qpid/trunk/qpid/java/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQProtocolEngine.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQProtocolEngine.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQProtocolEngine.java
(original)
+++
qpid/trunk/qpid/java/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQProtocolEngine.java
Thu Jul 24 11:27:03 2014
@@ -496,7 +496,16 @@ public class AMQProtocolEngine implement
// This sets the protocol version (and hence framing classes) for
this session.
setProtocolVersion(pv);
- String mechanisms =
_broker.getSubjectCreator(getLocalAddress()).getMechanisms();
+ StringBuilder mechanismBuilder = new StringBuilder();
+ for(String mechanismName :
_broker.getSubjectCreator(getLocalAddress(),
_transport.isSecure()).getMechanisms())
+ {
+ if(mechanismBuilder.length() != 0)
+ {
+ mechanismBuilder.append(' ');
+ }
+ mechanismBuilder.append(mechanismName);
+ }
+ String mechanisms = mechanismBuilder.toString();
String locales = "en_US";
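Review bot: The space-join loop is inlined into a method whose job is protocol setup, and the same list-to-wire conversion is repeated in the 0-10 and 1-0 engines and in `SaslServlet`. A small `private static String joinMechanisms(List<String> mechanisms)` helper (same `StringBuilder` body) would keep this method readable and give the 0-8 framing rule a single place to be documented: `// Connection.Start carries mechanisms as a single space-separated string`. The enclosing method starts and ends outside the hunk.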
Modified:
qpid/trunk/qpid/java/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/state/AMQStateManager.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/state/AMQStateManager.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/state/AMQStateManager.java
(original)
+++
qpid/trunk/qpid/java/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/state/AMQStateManager.java
Thu Jul 24 11:27:03 2014
@@ -20,6 +20,11 @@
*/
package org.apache.qpid.server.protocol.v0_8.state;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+
+import javax.security.auth.Subject;
+
import org.apache.log4j.Logger;
import org.apache.qpid.AMQException;
@@ -37,11 +42,6 @@ import org.apache.qpid.server.protocol.v
import org.apache.qpid.server.security.SubjectCreator;
import org.apache.qpid.server.util.ServerScopedRuntimeException;
-import javax.security.auth.Subject;
-
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-
/**
* The state manager is responsible for managing the state of the protocol
session. <p/> For each AMQProtocolHandler
* there is a separate state manager.
@@ -147,6 +147,6 @@ public class AMQStateManager implements
public SubjectCreator getSubjectCreator()
{
- return
_broker.getSubjectCreator(getProtocolSession().getLocalAddress());
+ return
_broker.getSubjectCreator(getProtocolSession().getLocalAddress(),
getProtocolSession().getTransport().isSecure());
}
}
Modified:
qpid/trunk/qpid/java/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ProtocolEngine_1_0_0_SASL.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ProtocolEngine_1_0_0_SASL.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ProtocolEngine_1_0_0_SASL.java
(original)
+++
qpid/trunk/qpid/java/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ProtocolEngine_1_0_0_SASL.java
Thu Jul 24 11:27:03 2014
@@ -27,6 +27,7 @@ import java.nio.ByteBuffer;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.LinkedHashMap;
+import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
@@ -184,7 +185,7 @@ public class ProtocolEngine_1_0_0_SASL i
Container container = new Container(_broker.getId().toString());
- SubjectCreator subjectCreator =
_broker.getSubjectCreator(getLocalAddress());
+ SubjectCreator subjectCreator =
_broker.getSubjectCreator(getLocalAddress(), _transport.isSecure());
_endpoint = new ConnectionEndpoint(container,
asSaslServerProvider(subjectCreator));
_endpoint.setLogger(new ConnectionEndpoint.FrameReceiptLogger()
{
@@ -236,7 +237,8 @@ public class ProtocolEngine_1_0_0_SASL i
_sender.send(HEADER.duplicate());
_sender.flush();
- _endpoint.initiateSASL(subjectCreator.getMechanisms().split(" "));
+ List<String> mechanisms = subjectCreator.getMechanisms();
+ _endpoint.initiateSASL(mechanisms.toArray(new
String[mechanisms.size()]));
}
Modified:
qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
(original)
+++
qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
Thu Jul 24 11:27:03 2014
@@ -45,6 +45,7 @@ import org.apache.qpid.server.security.a
import
org.apache.qpid.server.security.auth.AuthenticationResult.AuthenticationStatus;
import org.apache.qpid.server.security.auth.SubjectAuthenticationResult;
import org.apache.qpid.server.security.auth.UsernamePrincipal;
+import
org.apache.qpid.server.security.auth.manager.AnonymousAuthenticationManager;
import
org.apache.qpid.server.security.auth.manager.ExternalAuthenticationManager;
import org.apache.qpid.transport.network.security.ssl.SSLUtil;
@@ -146,14 +147,14 @@ public class HttpManagementUtil
Subject subject = null;
SocketAddress localAddress = getSocketAddress(request);
final AuthenticationProvider authenticationProvider =
managementConfig.getAuthenticationProvider(localAddress);
- SubjectCreator subjectCreator =
authenticationProvider.getSubjectCreator();
+ SubjectCreator subjectCreator =
authenticationProvider.getSubjectCreator(request.isSecure());
String remoteUser = request.getRemoteUser();
- if (remoteUser != null ||
subjectCreator.isAnonymousAuthenticationAllowed())
+ if (remoteUser != null || authenticationProvider instanceof
AnonymousAuthenticationManager)
{
subject = authenticateUser(subjectCreator, remoteUser, null);
}
- else if(subjectCreator.isExternalAuthenticationAllowed()
+ else if(authenticationProvider instanceof ExternalAuthenticationManager
&&
Collections.list(request.getAttributeNames()).contains("javax.servlet.request.X509Certificate"))
{
Principal principal = null;
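Review bot: Replacing the `isAnonymousAuthenticationAllowed()` / `isExternalAuthenticationAllowed()` queries with `instanceof AnonymousAuthenticationManager` and `instanceof ExternalAuthenticationManager` ties this servlet to two concrete classes; a subclass or a decorating provider that forwards to one of them would silently fall through to the SASL path. If the capability queries were removed from `SubjectCreator` deliberately, exposing them on `AuthenticationProvider` would keep the extension point. Separately, the new `getSubjectCreator(request.isSecure())` call (here and in `SaslServlet.getSubjectCreator`) makes PLAIN availability depend on the servlet container's view of the connection: behind a TLS-terminating proxy `isSecure()` is false and PLAIN disappears, while a connector configured to report proxied requests as secure offers PLAIN over the plaintext hop — worth a sentence in the management plugin documentation. The enclosing method starts outside the hunk.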
Modified:
qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java?rev=1613068&r1=1613067&r2=1613068&view=diff
==============================================================================
---
qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
(original)
+++
qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
Thu Jul 24 11:27:03 2014
@@ -20,34 +20,36 @@
*/
package org.apache.qpid.server.management.plugin.servlet.rest;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.net.SocketAddress;
+import java.security.Principal;
+import java.security.SecureRandom;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Random;
+
+import javax.security.auth.Subject;
+import javax.security.sasl.SaslException;
+import javax.security.sasl.SaslServer;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
import org.apache.commons.codec.binary.Base64;
-import
org.apache.qpid.server.management.plugin.servlet.ServletConnectionPrincipal;
-import org.apache.qpid.server.util.ConnectionScopedRuntimeException;
+import org.apache.log4j.Logger;
import org.codehaus.jackson.map.ObjectMapper;
import org.codehaus.jackson.map.SerializationConfig;
-import org.apache.log4j.Logger;
import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
import org.apache.qpid.server.management.plugin.HttpManagementUtil;
+import
org.apache.qpid.server.management.plugin.servlet.ServletConnectionPrincipal;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.security.SubjectCreator;
import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
-
-import javax.security.auth.Subject;
-import javax.security.sasl.SaslException;
-import javax.security.sasl.SaslServer;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.net.SocketAddress;
-import java.security.Principal;
-import java.security.SecureRandom;
-import java.util.LinkedHashMap;
-import java.util.Map;
-import java.util.Random;
+import org.apache.qpid.server.util.ConnectionScopedRuntimeException;
public class SaslServlet extends AbstractServlet
{
@@ -81,7 +83,8 @@ public class SaslServlet extends Abstrac
getRandom(session);
SubjectCreator subjectCreator = getSubjectCreator(request);
- String[] mechanisms = subjectCreator.getMechanisms().split(" ");
+ List<String> mechanismsList = subjectCreator.getMechanisms();
+ String[] mechanisms = mechanismsList.toArray(new
String[mechanismsList.size()]);
Map<String, Object> outputObject = new LinkedHashMap<String, Object>();
final Subject subject = getAuthorisedSubject(request);
@@ -237,7 +240,7 @@ public class SaslServlet extends Abstrac
if(saslServer.isComplete())
{
- Subject originalSubject =
subjectCreator.createSubjectWithGroups(saslServer.getAuthorizationID());
+ Subject originalSubject =
subjectCreator.createSubjectWithGroups(new
AuthenticatedPrincipal(saslServer.getAuthorizationID()));
Subject subject = new Subject(false,
originalSubject.getPrincipals(),
originalSubject.getPublicCredentials(),
@@ -298,7 +301,8 @@ public class SaslServlet extends Abstrac
private SubjectCreator getSubjectCreator(HttpServletRequest request)
{
SocketAddress localAddress =
HttpManagementUtil.getSocketAddress(request);
- return
HttpManagementUtil.getManagementConfiguration(getServletContext()).getAuthenticationProvider(localAddress).getSubjectCreator();
+ return
HttpManagementUtil.getManagementConfiguration(getServletContext()).getAuthenticationProvider(localAddress).getSubjectCreator(
+ request.isSecure());
}
@Override
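Review bot: The new return expression chains four calls across a wrapped line, which makes the secure flag — the one thing this change adds — easy to miss on reading. Naming the intermediate step reads better: `HttpManagementConfiguration config = HttpManagementUtil.getManagementConfiguration(getServletContext());` followed by `return config.getAuthenticationProvider(localAddress).getSubjectCreator(request.isSecure());`.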