This is an automated email from the ASF dual-hosted git repository. orudyy pushed a commit to branch 7.1.x in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git
commit 14b5537017b3123570d4830b3227bf7f74678b72
Author: Alex Rudyy <[email protected]>
AuthorDate: Tue Jan 28 16:46:07 2020 +0000

    QPID-8403: [Broker-J][WMC] Add interactive authenticator for certificate based authentication

    (cherry picked from commit ee4bcd43c110bfd5ac8bc110a55dd2a3f549c925)
---
 .../SSLClientCertInteractiveAuthenticator.java | 78 ++++++++++++++++++++++
 .../PreemptiveAuthenticationTest.java          | 26 +++++++-
 2 files changed, 102 insertions(+), 2 deletions(-)

diff --git a/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/SSLClientCertInteractiveAuthenticator.java b/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/SSLClientCertInteractiveAuthenticator.java
new file mode 100644
index 0000000..a2ebde0
--- /dev/null
+++ b/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/SSLClientCertInteractiveAuthenticator.java
@@ -0,0 +1,78 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.qpid.server.management.plugin.auth;
+import javax.security.auth.Subject;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.qpid.server.management.plugin.HttpManagement;
+import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
+import org.apache.qpid.server.management.plugin.HttpManagementUtil;
+import org.apache.qpid.server.management.plugin.HttpRequestInteractiveAuthenticator;
+import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.plugin.PluggableService;
+import org.apache.qpid.server.security.auth.manager.ExternalAuthenticationManager;
+
+@PluggableService
+public class SSLClientCertInteractiveAuthenticator implements HttpRequestInteractiveAuthenticator
+{
+    private static final LogoutHandler LOGOUT_HANDLER =
+            response -> response.sendRedirect(HttpManagement.DEFAULT_LOGOUT_URL);
+
+    private SSLClientCertPreemptiveAuthenticator _preemptiveAuthenticator = new SSLClientCertPreemptiveAuthenticator();
+
+    @Override
+    public AuthenticationHandler getAuthenticationHandler(final HttpServletRequest request,
+                                                          final HttpManagementConfiguration configuration)
+    {
+        final AuthenticationProvider authenticationProvider = configuration.getAuthenticationProvider(request);
+        if (authenticationProvider instanceof ExternalAuthenticationManager)
+        {
+            return response -> {
+                final Subject subject = _preemptiveAuthenticator.attemptAuthentication(request, configuration);
+                if (subject != null)
+                {
+                    final Subject servletSubject = HttpManagementUtil.createServletConnectionSubject(request, subject);
+                    HttpManagementUtil.assertManagementAccess((Broker) authenticationProvider.getParent(), servletSubject);
+                    HttpManagementUtil.saveAuthorisedSubject(request, servletSubject);
+                    response.sendRedirect("/");
+                }
+                else
+                {
+                    response.sendError(401);
+                }
+            };
+        }
+        return null;
+    }
+
+    @Override
+    public LogoutHandler getLogoutHandler(final HttpServletRequest request,
+                                          final HttpManagementConfiguration configuration)
+    {
+        return LOGOUT_HANDLER;
+    }
+
+    @Override
+    public String getType()
+    {
+        return "SSLClientAuth";
+    }
+}
diff --git a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/authentication/PreemptiveAuthenticationTest.java b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/authentication/PreemptiveAuthenticationTest.java
index 466e2da..ded03df 100644
--- a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/authentication/PreemptiveAuthenticationTest.java
+++ b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/authentication/PreemptiveAuthenticationTest.java
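Review bot: In the success branch of the handler returned by getAuthenticationHandler, saveAuthorisedSubject stores the authenticated subject into the request's existing session without the session id being changed first, so a session created before the certificate handshake keeps its id across login unless saveAuthorisedSubject itself rotates it (not visible here); if it does not, `request.changeSessionId();` immediately before `HttpManagementUtil.saveAuthorisedSubject(request, servletSubject);` closes that fixation window, assuming a Servlet 3.1+ API. The failure branch answers `response.sendError(401)` without a WWW-Authenticate challenge; since the client has nothing further to present on this path, 403 may describe the outcome better, but it should match what the other interactive authenticators return. `_preemptiveAuthenticator` is never reassigned and could be `private final`. A class-level Javadoc stating that a handler is only offered when the configured provider is an ExternalAuthenticationManager, and what the caller should expect from assertManagementAccess when the subject lacks management rights (its result is not used here), would document the contract; the hunk covers the whole file.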
@@ -40,18 +40,17 @@ import java.io.ByteArrayOutputStream;
 import java.net.HttpURLConnection;
 import java.net.InetAddress;
 import java.net.SocketException;
+import java.net.URL;
 import java.security.KeyStore;
 import java.security.cert.Certificate;
 import java.time.Duration;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.ArrayDeque;
-import java.util.Arrays;
 import java.util.Base64;
 import java.util.Collections;
 import java.util.Deque;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.Map;
 
 import javax.net.ssl.SSLException;
@@ -120,6 +119,29 @@ public class PreemptiveAuthenticationTest extends HttpTestBase
     }
 
     @Test
+    public void clientAuthenticationWebManagementConsole() throws Exception
+    {
+        assumeThat(canGenerateCerts(), is(true));
+        HttpTestHelper helper = configForClientAuth("CN=foo");
+
+        HttpURLConnection authenticateConnection = helper.openManagementConnection("/index.html", "GET");
+        authenticateConnection.setInstanceFollowRedirects(false);
+
+        int status = authenticateConnection.getResponseCode();
+        final String cookies = authenticateConnection.getHeaderField("Set-Cookie");
+        authenticateConnection.disconnect();
+
+        assertThat(status, is(equalTo(HttpURLConnection.HTTP_MOVED_TEMP)));
+
+        authenticateConnection = helper.openManagementConnection("/index.html", "GET");
+        authenticateConnection.setRequestProperty("Cookie", cookies);
+        status = authenticateConnection.getResponseCode();
+        authenticateConnection.disconnect();
+
+        assertThat(status, is(equalTo(HttpURLConnection.HTTP_OK)));
+    }
+
+    @Test
     public void clientAuthUnrecognisedCert() throws Exception
     {
         assumeThat(canGenerateCerts(), is(true));
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
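Review bot: `import java.net.URL;` is added in this hunk, but nothing in the test added in the next hunk refers to URL, and the diffstat (26 lines for this file) is fully accounted for by these two hunks, so the import appears unused unless some pre-existing code in the file already depended on it; if it is a leftover from the cherry-pick, dropping it keeps the test class free of an unused-import warning. The removal of Arrays and HashSet looks like matching cleanup.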
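Review bot: clientAuthenticationWebManagementConsole exercises only the success path of the new interactive authenticator; the branch that answers 401 when no subject is obtained is not reached from the console path. A companion case that configures a certificate the provider does not recognise and asserts `HttpURLConnection.HTTP_UNAUTHORIZED` on `/index.html` with redirects disabled would pin that branch. The first request reads the session cookie with `getHeaderField("Set-Cookie")`, which returns only the last header of that name, and replays the whole value, attributes included, as the Cookie header; that holds while the broker sets exactly one cookie on this response, and a one-line comment saying so would save the next reader a guess. The redirect target is not asserted either; checking that the `Location` header of the 302 ends with `/` would tie the test to the authenticator's `sendRedirect("/")`.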
