[ https://issues.apache.org/jira/browse/QPIDJMS-303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16096445#comment-16096445 ]
ASF GitHub Bot commented on QPIDJMS-303: ---------------------------------------- Github user gtully commented on a diff in the pull request: https://github.com/apache/qpid-jms/pull/10#discussion_r128803960 --- Diff: qpid-jms-client/src/test/java/org/apache/qpid/jms/test/testpeer/TestAmqpPeer.java --- 
@@ -495,6 +512,169 @@ public void run()
         }
     }
+    public void expectGSSAPIFail(Symbol mech) throws Exception {
+        SaslMechanismsFrame saslMechanismsFrame = new SaslMechanismsFrame().setSaslServerMechanisms(mech);
+
+        addHandler(new HeaderHandlerImpl(AmqpHeader.SASL_HEADER, AmqpHeader.SASL_HEADER,
+                new FrameSender(
+                        this, FrameType.SASL, 0,
+                        saslMechanismsFrame, null)));
+
+        addHandler(new SaslInitMatcher().withMechanism(equalTo(mech)));
+
+    }
+
+    public void expectGSSAPI(Symbol mech, String serviceName) throws Exception {
+
+        SaslMechanismsFrame saslMechanismsFrame = new SaslMechanismsFrame().setSaslServerMechanisms(mech);
+
+        addHandler(new HeaderHandlerImpl(AmqpHeader.SASL_HEADER, AmqpHeader.SASL_HEADER,
+                new FrameSender(
+                        this, FrameType.SASL, 0,
+                        saslMechanismsFrame, null)));
+
+        // setup server gss context
+        LoginContext loginContext = new LoginContext("", null, null,
+                kerb5InlineConfig(serviceName, false));
+        loginContext.login();
+        final Subject serverSubject =loginContext.getSubject();
+
+        LOGGER.info("saslServer subject:" + serverSubject.getPrivateCredentials());
+
+        Map<String, ?> config = new HashMap();
+        final CallbackHandler handler = new CallbackHandler() {
+            @Override
+            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+                LOGGER.info("Here with: " + Arrays.asList(callbacks));
+                for (Callback callback :callbacks) {
+                    if (callback instanceof AuthorizeCallback) {
+                        AuthorizeCallback authorizeCallback = (AuthorizeCallback) callback;
+                        authorizeCallback.setAuthorized(authorizeCallback.getAuthenticationID().equals(authorizeCallback.getAuthorizationID()));
+                    }
+                }
+            }
+        };
+        final SaslServer saslServer = Subject.doAs(serverSubject, new PrivilegedExceptionAction<SaslServer>() {
+            @Override
+            public SaslServer run() throws Exception {
+                return Sasl.createSaslServer(mech.toString(), null, null, config, handler);
+            }
+        });
+
+        final SaslChallengeFrame challengeFrame = new SaslChallengeFrame();
+
+        SaslInitMatcher saslInitMatcher = new SaslInitMatcher()
+                .withMechanism(equalTo(mech))
+                .withInitialResponse(new BaseMatcher<Binary>() {
+
+                    @Override
+                    public void describeTo(Description description) {}
+
+                    @Override
+                    public boolean matches(Object o) {
+                        if (o == null) {
+                            LOGGER.error("Got null initial response!");
+                            return false;
+                        }
+                        final Binary binary = (Binary) o;
+                        // validate via sasl
+                        byte[] token = null;
+                        try {
+                            token = Subject.doAs(serverSubject, new PrivilegedExceptionAction<byte[]>() {
+                                @Override
+                                public byte[] run() throws Exception {
+                                    LOGGER.info("Evaluate Response.. size:" + binary.getLength());
+                                    return saslServer.evaluateResponse(binary.getArray());
+                                }
+                            });
+                        } catch (PrivilegedActionException e) {
+                            e.printStackTrace();
+                        }
+                        LOGGER.info("Complete:" + saslServer.isComplete());
+
+                        if (token != null) {
+                            // fling it back in on complete
+                            challengeFrame.setChallenge(new Binary(token));
+                        }
+                        return true;
+                    }
+                }).onCompletion(new AmqpPeerRunnable() {
+                    @Override
+                    public void run() {
+                        TestAmqpPeer.this.sendFrame(
+                                FrameType.SASL, 0,
+                                challengeFrame,
+                                null,
+                                false, 0);
+                    }
+                });
+
+        AtomicBoolean response = new AtomicBoolean(false);
+        SaslResponseMatcher challengeMatcher = new SaslResponseMatcher().withResponse(new BaseMatcher<Binary>() {
+
+            @Override
+            public void describeTo(Description description) {}
+
+            @Override
+            public boolean matches(Object o) {
+                final Binary binary = (Binary) o;
+                if (!saslServer.isComplete()) {
+                    // validate via sasl
+                    byte[] token = null;
+                    try {
+                        token = Subject.doAs(serverSubject, new PrivilegedExceptionAction<byte[]>() {
+                            @Override
+                            public byte[] run() throws Exception {
+                                LOGGER.info("Evaluate challenge response.. size:" + binary.getLength());
+                                return saslServer.evaluateResponse(binary.getArray());
+                            }
+                        });
+                    } catch (PrivilegedActionException e) {
+                        e.printStackTrace();
+                    }
+                    LOGGER.info("Complete:" + saslServer.isComplete());
+                    if (token != null) {
+                        // fling it back
+                        challengeFrame.setChallenge(new Binary(token));
+                        response.set(true);
+                    }
+                    return true;
+                }
+
+                return false;
+            }
+        }).onCompletion(new AmqpPeerRunnable() {
+            @Override
+            public void run() {
+                if (response.get()) {
+                    TestAmqpPeer.this.sendFrame(
+                            FrameType.SASL, 0,
+                            challengeFrame,
+                            null,
+                            false, 0);
+                }
+
+                if (saslServer.isComplete()) {
--- End diff -- the response is gated on a boolean, I think it is ok, the outcome goes on its own. > Add support for SASL GSSAPI Kerberos mechanism > ---------------------------------------------- > > Key: QPIDJMS-303 > URL: https://issues.apache.org/jira/browse/QPIDJMS-303 > Project: Qpid JMS > Issue Type: Bug > Components: qpid-jms-client > Reporter: Gary Tully > > It would be great to be able to authenticate using kerberos credentials using > the SASL GSSAPI mechanism. > Authentication would be sufficient leaving TLS to do encryption of the > channel if that is necessary. -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org
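Review bot: In the initial-response `matches`, a `PrivilegedActionException` from `saslServer.evaluateResponse` is only printed and the matcher still returns `true`, so a token the server-side GSS context rejects is not reported where it happens and the `onCompletion` runnable goes on to send `challengeFrame` with no challenge set; the challenge-response matcher has the same catch and likewise returns `true`. Returning from the catch in both places — `} catch (PrivilegedActionException e) { LOGGER.error("evaluateResponse failed", e); return false; }` — fails the expectation at the point of the mismatch and replaces `printStackTrace` with the class logger. Separately, `LOGGER.info("saslServer subject:" + serverSubject.getPrivateCredentials())` writes the acceptor's private credentials to the log, which for a Kerberos login typically means ticket and key material; `LOGGER.info("saslServer subject:" + serverSubject.getPrincipals())` gives the same diagnostic value without it. `expectGSSAPI` continues past the end of the quoted hunk, so the body of the final `isComplete()` branch is not visible here.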