[jira] [Commented] (ARTEMIS-1740) Add support for regex based certificate authentication

Thu, 12 Apr 2018 01:15:23 -0700 

    [ 
https://issues.apache.org/jira/browse/ARTEMIS-1740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16435132#comment-16435132
 ] 

ASF GitHub Bot commented on ARTEMIS-1740:
-----------------------------------------

Github user franz1981 commented on a diff in the pull request:

    https://github.com/apache/activemq-artemis/pull/2011#discussion_r180998219
  
    --- Diff: 
artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/TextFileCertificateLoginModule.java
 ---
    @@ -71,8 +79,12 @@ protected String getUserNameForCertificates(final 
X509Certificate[] certs) throw
           if (certs == null) {
              throw new LoginException("Client certificates not found. Cannot 
authenticate.");
           }
    -
    -      return usersByDn.get(getDistinguishedName(certs));
    +      String dn = getDistinguishedName(certs);
    +      String name = usersByDn.get(dn);
    +      if (name == null && regexpByUser != null) {
    +         name = getUserByRegexp(dn);
    --- End diff --
    
    `getUserByRegexp` is synchronized but there are uses of `usersByDn` and 
`regexpByUser`, like these ones, that are not: what is the reason to have 
`String getUserByRegexp(String dn)` synchronized?


> Add support for regex based certificate authentication
> ------------------------------------------------------
>
>                 Key: ARTEMIS-1740
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-1740
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>            Reporter: Lionel Cons
>            Priority: Major
>
> The current certificate authentication module 
> ({{TextFileCertificateLoginModule}}) uses a file mapping user names to DNs.
> In some cases, the list of known DNs can be large and dynamic. This is the 
> case for instance when using host certificates.
> Host certificates could be very dynamic (when new virtual machines get 
> created) while keeping a fixed structure such as {{CN=hostxyz.acme.org, 
> OU=computers, DC=acme, DC=org}}. It is impractical to generate all the 
> possible DNs and feed this to Artemis.
> It would be very useful to have regular expression based certificate 
> authentication. With the example above, we could have a single line:
> {quote}
> acme.computers=/^CN=\w+\.acme\.org, OU=computers, DC=acme, DC=org$/
> {quote}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to