ARTEMIS-1547 support referrals in LDAP login module

Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/84bedaf2
Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/84bedaf2
Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/84bedaf2

Branch: refs/heads/master
Commit: 84bedaf2e4e6cea95d21c15e97254ede5bfc4b66
Parents: 5817dad
Author: Justin Bertram <jbert...@apache.org>
Authored: Fri Dec 8 14:06:09 2017 -0600
Committer: Michael Pearce <michael.andre.pea...@me.com>
Committed: Sun Dec 10 21:50:47 2017 +0000

----------------------------------------------------------------------
 .../spi/core/security/jaas/LDAPLoginModule.java      | 15 ++++++++++++++-
 docs/user-manual/en/security.md                      |  2 ++
 2 files changed, 16 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/84bedaf2/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
----------------------------------------------------------------------
diff --git 
a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
 
b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
index ee2c980..a1ba4e7 100644
--- 
a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
+++ 
b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
@@ -82,6 +82,7 @@ public class LDAPLoginModule implements LoginModule {
    private static final String EXPAND_ROLES_MATCHING = "expandRolesMatching";
    private static final String SASL_LOGIN_CONFIG_SCOPE = 
"saslLoginConfigScope";
    private static final String AUTHENTICATE_USER = "authenticateUser";
+   private static final String REFERRAL = "referral";
 
    protected DirContext context;
 
@@ -104,7 +105,7 @@ public class LDAPLoginModule implements LoginModule {
       this.subject = subject;
       this.handler = callbackHandler;
 
-      config = new LDAPLoginProperty[]{new 
LDAPLoginProperty(INITIAL_CONTEXT_FACTORY, (String) 
options.get(INITIAL_CONTEXT_FACTORY)), new LDAPLoginProperty(CONNECTION_URL, 
(String) options.get(CONNECTION_URL)), new 
LDAPLoginProperty(CONNECTION_USERNAME, (String) 
options.get(CONNECTION_USERNAME)), new LDAPLoginProperty(CONNECTION_PASSWORD, 
(String) options.get(CONNECTION_PASSWORD)), new 
LDAPLoginProperty(CONNECTION_PROTOCOL, (String) 
options.get(CONNECTION_PROTOCOL)), new LDAPLoginProperty(AUTHENTICATION, 
(String) options.get(AUTHENTICATION)), new LDAPLoginProperty(USER_BASE, 
(String) options.get(USER_BASE)), new LDAPLoginProperty(USER_SEARCH_MATCHING, 
(String) options.get(USER_SEARCH_MATCHING)), new 
LDAPLoginProperty(USER_SEARCH_SUBTREE, (String) 
options.get(USER_SEARCH_SUBTREE)), new LDAPLoginProperty(ROLE_BASE, (String) 
options.get(ROLE_BASE)), new LDAPLoginProperty(ROLE_NAME, (String) 
options.get(ROLE_NAME)), new LDAPLoginProperty(ROLE_SEARCH_MATCHING, (String) 
options.get(ROLE_S
 EARCH_MATCHING)), new LDAPLoginProperty(ROLE_SEARCH_SUBTREE, (String) 
options.get(ROLE_SEARCH_SUBTREE)), new LDAPLoginProperty(USER_ROLE_NAME, 
(String) options.get(USER_ROLE_NAME)), new LDAPLoginProperty(EXPAND_ROLES, 
(String) options.get(EXPAND_ROLES)), new 
LDAPLoginProperty(EXPAND_ROLES_MATCHING, (String) 
options.get(EXPAND_ROLES_MATCHING)), new 
LDAPLoginProperty(SASL_LOGIN_CONFIG_SCOPE, (String) 
options.get(SASL_LOGIN_CONFIG_SCOPE)), new LDAPLoginProperty(AUTHENTICATE_USER, 
(String) options.get(AUTHENTICATE_USER))};
+      config = new LDAPLoginProperty[]{new 
LDAPLoginProperty(INITIAL_CONTEXT_FACTORY, (String) 
options.get(INITIAL_CONTEXT_FACTORY)), new LDAPLoginProperty(CONNECTION_URL, 
(String) options.get(CONNECTION_URL)), new 
LDAPLoginProperty(CONNECTION_USERNAME, (String) 
options.get(CONNECTION_USERNAME)), new LDAPLoginProperty(CONNECTION_PASSWORD, 
(String) options.get(CONNECTION_PASSWORD)), new 
LDAPLoginProperty(CONNECTION_PROTOCOL, (String) 
options.get(CONNECTION_PROTOCOL)), new LDAPLoginProperty(AUTHENTICATION, 
(String) options.get(AUTHENTICATION)), new LDAPLoginProperty(USER_BASE, 
(String) options.get(USER_BASE)), new LDAPLoginProperty(USER_SEARCH_MATCHING, 
(String) options.get(USER_SEARCH_MATCHING)), new 
LDAPLoginProperty(USER_SEARCH_SUBTREE, (String) 
options.get(USER_SEARCH_SUBTREE)), new LDAPLoginProperty(ROLE_BASE, (String) 
options.get(ROLE_BASE)), new LDAPLoginProperty(ROLE_NAME, (String) 
options.get(ROLE_NAME)), new LDAPLoginProperty(ROLE_SEARCH_MATCHING, (String) 
options.get(ROLE_S
 EARCH_MATCHING)), new LDAPLoginProperty(ROLE_SEARCH_SUBTREE, (String) 
options.get(ROLE_SEARCH_SUBTREE)), new LDAPLoginProperty(USER_ROLE_NAME, 
(String) options.get(USER_ROLE_NAME)), new LDAPLoginProperty(EXPAND_ROLES, 
(String) options.get(EXPAND_ROLES)), new 
LDAPLoginProperty(EXPAND_ROLES_MATCHING, (String) 
options.get(EXPAND_ROLES_MATCHING)), new LDAPLoginProperty(REFERRAL, (String) 
options.get(REFERRAL))};
       if (isLoginPropertySet(AUTHENTICATE_USER)) {
          authenticateUser = 
Boolean.valueOf(getLDAPPropertyValue(AUTHENTICATE_USER));
       }
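Review bot: The rebuilt `config` array on the added line ends with `new LDAPLoginProperty(REFERRAL, ...)` and no longer contains the `SASL_LOGIN_CONFIG_SCOPE` and `AUTHENTICATE_USER` entries that the removed line carried. The statement right after it calls `isLoginPropertySet(AUTHENTICATE_USER)`, and the GSSAPI branch in the later hunk reads `SASL_LOGIN_CONFIG_SCOPE`. If those helpers look options up in `config` (their bodies are outside this hunk), an operator's `authenticateUser` or `saslLoginConfigScope` setting would now be silently ignored and the module would fall back to its defaults. Keep both entries and append the new one: `new LDAPLoginProperty(SASL_LOGIN_CONFIG_SCOPE, (String) options.get(SASL_LOGIN_CONFIG_SCOPE)), new LDAPLoginProperty(AUTHENTICATE_USER, (String) options.get(AUTHENTICATE_USER)), new LDAPLoginProperty(REFERRAL, (String) options.get(REFERRAL))};`. Writing one entry per line would also make a dropped option visible in review.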
@@ -539,6 +540,18 @@ public class LDAPLoginModule implements LoginModule {
             env.put(Context.PROVIDER_URL, 
getLDAPPropertyValue(CONNECTION_URL));
             env.put(Context.SECURITY_AUTHENTICATION, 
getLDAPPropertyValue(AUTHENTICATION));
 
+            // handle LDAP referrals
+            // valid values are "throw", "ignore" and "follow"
+            String referral = "ignore";
+            if (getLDAPPropertyValue(REFERRAL) != null) {
+               referral = getLDAPPropertyValue(REFERRAL);
+            }
+
+            env.put(Context.REFERRAL, referral);
+            if (logger.isDebugEnabled()) {
+               logger.debug("Referral handling: " + referral);
+            }
+
             if 
("GSSAPI".equalsIgnoreCase(getLDAPPropertyValue(AUTHENTICATION))) {
 
                final String configScope = 
isLoginPropertySet(SASL_LOGIN_CONFIG_SCOPE) ? 
getLDAPPropertyValue(SASL_LOGIN_CONFIG_SCOPE) : "broker-sasl-gssapi";
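Review bot: `referral` is passed to `env.put(Context.REFERRAL, referral)` without being checked against the three values the comment lists, so a typo in the JAAS options only surfaces when the JNDI provider handles it at connection time. A guard such as `if (!"ignore".equals(referral) && !"follow".equals(referral) && !"throw".equals(referral))` that rejects the configuration with a message naming the option would fail earlier and more clearly. The comment should also record why `ignore` is the default: with `follow` the broker connects to whichever servers the directory names in a referral, and JNDI by default reuses the original environment, bind credentials included, for the referred context. I would extend it to `// "follow" re-binds to referred servers with the connection credentials; enable only when those servers are trusted`, and carry the same caveat into the `referral` entry in security.md. The enclosing method starts and ends outside this hunk, so the exception type to use for the rejection needs checking against its signature.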

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/84bedaf2/docs/user-manual/en/security.md
----------------------------------------------------------------------
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index b14aee6..5a7f63a 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@@ -543,6 +543,8 @@ managed using the X.500 system. It is implemented by 
`org.apache.activemq.artemi
 -   `authenticateUser` - boolean flag to disable authentication. Useful as an 
optimisation when this module is used just for
     role mapping of a Subject's existing authenticated principals; default is 
`false`.
 
+-   `referral` - specify how to handle referrals; valid values: `ignore`, 
`follow`, `throw`; default is `ignore`.
+
 -   `debug` - boolean flag; if `true`, enable debugging; this is used only for 
testing or debugging; normally, it
     should be set to `false`, or omitted; default is `false`
 
