[qpid-broker-j] branch master updated: QPID-8403: [Broker-J][WMC] Add interactive authenticator for certificate based authentication

Tue, 28 Jan 2020 08:46:53 -0800 

This is an automated email from the ASF dual-hosted git repository.

orudyy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git


The following commit(s) were added to refs/heads/master by this push:
     new ee4bcd4  QPID-8403: [Broker-J][WMC] Add interactive authenticator for 
certificate based authentication
ee4bcd4 is described below

commit ee4bcd43c110bfd5ac8bc110a55dd2a3f549c925
Author: Alex Rudyy <[email protected]>
AuthorDate: Tue Jan 28 16:46:07 2020 +0000

    QPID-8403: [Broker-J][WMC] Add interactive authenticator for certificate 
based authentication
---
 .../SSLClientCertInteractiveAuthenticator.java     | 78 ++++++++++++++++++++++
 .../PreemptiveAuthenticationTest.java              | 26 +++++++-
 2 files changed, 102 insertions(+), 2 deletions(-)

diff --git 
a/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/SSLClientCertInteractiveAuthenticator.java
 
b/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/SSLClientCertInteractiveAuthenticator.java
new file mode 100644
index 0000000..a2ebde0
--- /dev/null
+++ 
b/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/SSLClientCertInteractiveAuthenticator.java
@@ -0,0 +1,78 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.qpid.server.management.plugin.auth;
+import javax.security.auth.Subject;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.qpid.server.management.plugin.HttpManagement;
+import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
+import org.apache.qpid.server.management.plugin.HttpManagementUtil;
+import 
org.apache.qpid.server.management.plugin.HttpRequestInteractiveAuthenticator;
+import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.plugin.PluggableService;
+import 
org.apache.qpid.server.security.auth.manager.ExternalAuthenticationManager;
+
+@PluggableService
+public class SSLClientCertInteractiveAuthenticator implements 
HttpRequestInteractiveAuthenticator
+{
+    private static final LogoutHandler LOGOUT_HANDLER =
+            response -> 
response.sendRedirect(HttpManagement.DEFAULT_LOGOUT_URL);
+
+    private SSLClientCertPreemptiveAuthenticator _preemptiveAuthenticator = 
new SSLClientCertPreemptiveAuthenticator();
+
+    @Override
+    public AuthenticationHandler getAuthenticationHandler(final 
HttpServletRequest request,
+                                                          final 
HttpManagementConfiguration configuration)
+    {
+        final AuthenticationProvider authenticationProvider = 
configuration.getAuthenticationProvider(request);
+        if (authenticationProvider instanceof ExternalAuthenticationManager)
+        {
+            return response -> {
+                final Subject subject = 
_preemptiveAuthenticator.attemptAuthentication(request, configuration);
+                if (subject != null)
+                {
+                    final Subject servletSubject = 
HttpManagementUtil.createServletConnectionSubject(request, subject);
+                    HttpManagementUtil.assertManagementAccess((Broker) 
authenticationProvider.getParent(), servletSubject);
+                    HttpManagementUtil.saveAuthorisedSubject(request, 
servletSubject);
+                    response.sendRedirect("/");
+                }
+                else
+                {
+                    response.sendError(401);
+                }
+            };
+        }
+        return null;
+    }
+
+    @Override
+    public LogoutHandler getLogoutHandler(final HttpServletRequest request,
+                                          final HttpManagementConfiguration 
configuration)
+    {
+        return LOGOUT_HANDLER;
+    }
+
+    @Override
+    public String getType()
+    {
+        return "SSLClientAuth";
+    }
+}
diff --git 
a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/authentication/PreemptiveAuthenticationTest.java
 
b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/authentication/PreemptiveAuthenticationTest.java
index 466e2da..ded03df 100644
--- 
a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/authentication/PreemptiveAuthenticationTest.java
+++ 
b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/authentication/PreemptiveAuthenticationTest.java
@@ -40,18 +40,17 @@ import java.io.ByteArrayOutputStream;
 import java.net.HttpURLConnection;
 import java.net.InetAddress;
 import java.net.SocketException;
+import java.net.URL;
 import java.security.KeyStore;
 import java.security.cert.Certificate;
 import java.time.Duration;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.ArrayDeque;
-import java.util.Arrays;
 import java.util.Base64;
 import java.util.Collections;
 import java.util.Deque;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.Map;
 
 import javax.net.ssl.SSLException;
@@ -120,6 +119,29 @@ public class PreemptiveAuthenticationTest extends 
HttpTestBase
     }
 
     @Test
+    public void clientAuthenticationWebManagementConsole() throws Exception
+    {
+        assumeThat(canGenerateCerts(), is(true));
+        HttpTestHelper helper = configForClientAuth("CN=foo");
+
+        HttpURLConnection authenticateConnection = 
helper.openManagementConnection("/index.html", "GET");
+        authenticateConnection.setInstanceFollowRedirects(false);
+
+        int status = authenticateConnection.getResponseCode();
+        final String cookies = 
authenticateConnection.getHeaderField("Set-Cookie");
+        authenticateConnection.disconnect();
+
+        assertThat(status, is(equalTo(HttpURLConnection.HTTP_MOVED_TEMP)));
+
+        authenticateConnection = 
helper.openManagementConnection("/index.html", "GET");
+        authenticateConnection.setRequestProperty("Cookie", cookies);
+        status = authenticateConnection.getResponseCode();
+        authenticateConnection.disconnect();
+
+        assertThat(status, is(equalTo(HttpURLConnection.HTTP_OK)));
+    }
+
+    @Test
     public void clientAuthUnrecognisedCert() throws Exception
     {
         assumeThat(canGenerateCerts(), is(true));


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to