[ https://issues.apache.org/jira/browse/ARTEMIS-6037?focusedWorklogId=1018111&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1018111 ]
ASF GitHub Bot logged work on ARTEMIS-6037:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 30/Apr/26 13:49
Start Date: 30/Apr/26 13:49
Worklog Time Spent: 10m
Work Description: clebertsuconic commented on code in PR #6396:
URL: https://github.com/apache/artemis/pull/6396#discussion_r3168388988
##########
artemis-server/src/main/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.java:
##########
@@ -384,6 +375,38 @@ public boolean hasPermission(final SimpleString address,
}
}
+ private String handleClusterAuthentication(String user, String password,
RemotingConnection connection) throws ActiveMQSecurityException {
+ ClusterCredentialsCheckResult checkResult =
checkClusterCredentials(user, password);
+
+ if (checkResult == ClusterCredentialsCheckResult.VALID) {
+ AUTHENTICATION_SUCCESS_COUNT_UPDATER.incrementAndGet(this);
+ return user;
+ } else if (checkResult == ClusterCredentialsCheckResult.INVALID) {
+ AUTHENTICATION_FAILURE_COUNT_UPDATER.incrementAndGet(this);
+ throw ActiveMQMessageBundle.BUNDLE.unableToValidateUser(connection ==
null ? "null" : connection.getRemoteAddress(), user, null);
+ } else {
+ return null;
+ }
+ }
+
+ private ClusterCredentialsCheckResult checkClusterCredentials(String user,
String password) {
+ if ((getDefaultClusterUser().equals(user) &&
getDefaultClusterPassword().equals(password)) ||
+ (managementClusterUser.equals(user) &&
!managementClusterPassword.equals(password))) {
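Review bot: the condition that closes this hunk ORs two different rejection reasons into a single INVALID result: the shipped default cluster user/password pair being presented at all, and the management cluster user being presented with a password that does not match. Because handleClusterAuthentication maps both to the same AUTHENTICATION_FAILURE_COUNT_UPDATER increment and the same unableToValidateUser exception, an operator looking at the failure cannot tell whether a peer broker is still running with the default credentials (the case ARTEMIS-6037 sets out to reject) or simply has a mismatched management password. Consider splitting the clauses into separate branches, e.g. `if (getDefaultClusterUser().equals(user) && getDefaultClusterPassword().equals(password))` returning INVALID with its own log line stating that default cluster credentials were rejected, followed by a second branch for the management-user password mismatch; that keeps each rejection reason visible and auditable on its own, and the constant-receives-equals ordering that makes the checks null-safe stays explicit in each branch.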
Review Comment:
I would make this a separate branch on the if... I think it would be clearer
Issue Time Tracking
-------------------
Worklog Id: (was: 1018111)
Time Spent: 1h (was: 50m)
> Refactor handling of cluster credentials
> ----------------------------------------
>
> Key: ARTEMIS-6037
> URL: https://issues.apache.org/jira/browse/ARTEMIS-6037
> Project: Artemis
> Issue Type: Task
> Reporter: Justin Bertram
> Assignee: Justin Bertram
> Priority: Major
> Labels: pull-request-available
> Time Spent: 1h
> Remaining Estimate: 0h
>
> To strengthen broker security out-of-the-box we should reject any connection
> using the default cluster credentials. We already force users to explicitly
> select a custom username and password when a non-clustered broker instance is
> created. Additionally, we force them to explicitly select custom cluster
> credentials when creating a clustered broker instance. However, there are
> still default values for cluster credentials that we should categorically
> reject.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)