Repository: activemq-artemis Updated Branches: refs/heads/master c8982d775 -> 125bd41f9
ARTEMIS-1372 ARTEMIS-1373 documentation updates Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/125bd41f Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/125bd41f Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/125bd41f Branch: refs/heads/master Commit: 125bd41f9ddcd7fda64a3833597387d9ee5cfbf2 Parents: c8982d7 Author: gtully <gary.tu...@gmail.com> Authored: Wed Sep 6 10:22:08 2017 +0100 Committer: gtully <gary.tu...@gmail.com> Committed: Wed Sep 6 10:22:28 2017 +0100 ---------------------------------------------------------------------- .../spi/core/security/jaas/LDAPLoginModule.java | 6 +++--- docs/user-manual/en/security.md | 13 ++++++++++--- .../tests/integration/amqp/JMSSaslGssapiTest.java | 14 ++++++++++++++ .../integration-tests/src/test/resources/login.config | 2 +- 4 files changed, 28 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/125bd41f/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java ----------------------------------------------------------------------
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
index 65dc5ad..7338e19 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
@@ -78,7 +78,7 @@ public class LDAPLoginModule implements LoginModule {
 private static final String USER_ROLE_NAME = "userRoleName";
 private static final String EXPAND_ROLES = "expandRoles";
 private static final String EXPAND_ROLES_MATCHING = "expandRolesMatching";
- private static final String LOGIN_CONFIG_SCOPE = "loginConfigScope";
+ private static final String SASL_LOGIN_CONFIG_SCOPE = "saslLoginConfigScope";
 private static final String AUTHENTICATE_USER = "authenticateUser";
 protected DirContext context;
@@ -100,7 +100,7 @@ public class LDAPLoginModule implements LoginModule {
 this.subject = subject;
 this.handler = callbackHandler;
- config = new LDAPLoginProperty[]{new LDAPLoginProperty(INITIAL_CONTEXT_FACTORY, (String) options.get(INITIAL_CONTEXT_FACTORY)), new LDAPLoginProperty(CONNECTION_URL, (String) options.get(CONNECTION_URL)), new LDAPLoginProperty(CONNECTION_USERNAME, (String) options.get(CONNECTION_USERNAME)), new LDAPLoginProperty(CONNECTION_PASSWORD, (String) options.get(CONNECTION_PASSWORD)), new LDAPLoginProperty(CONNECTION_PROTOCOL, (String) options.get(CONNECTION_PROTOCOL)), new LDAPLoginProperty(AUTHENTICATION, (String) options.get(AUTHENTICATION)), new LDAPLoginProperty(USER_BASE, (String) options.get(USER_BASE)), new LDAPLoginProperty(USER_SEARCH_MATCHING, (String) options.get(USER_SEARCH_MATCHING)), new LDAPLoginProperty(USER_SEARCH_SUBTREE, (String) options.get(USER_SEARCH_SUBTREE)), new LDAPLoginProperty(ROLE_BASE, (String) options.get(ROLE_BASE)), new LDAPLoginProperty(ROLE_NAME, (String) options.get(ROLE_NAME)), new LDAPLoginProperty(ROLE_SEARCH_MATCHING, (String) options.get(ROLE_S EARCH_MATCHING)), new LDAPLoginProperty(ROLE_SEARCH_SUBTREE, (String) options.get(ROLE_SEARCH_SUBTREE)), new LDAPLoginProperty(USER_ROLE_NAME, (String) options.get(USER_ROLE_NAME)), new LDAPLoginProperty(EXPAND_ROLES, (String) options.get(EXPAND_ROLES)), new LDAPLoginProperty(EXPAND_ROLES_MATCHING, (String) options.get(EXPAND_ROLES_MATCHING)), new LDAPLoginProperty(LOGIN_CONFIG_SCOPE, (String) options.get(LOGIN_CONFIG_SCOPE)), new LDAPLoginProperty(AUTHENTICATE_USER, (String) options.get(AUTHENTICATE_USER))};
+ config = new LDAPLoginProperty[]{new LDAPLoginProperty(INITIAL_CONTEXT_FACTORY, (String) options.get(INITIAL_CONTEXT_FACTORY)), new LDAPLoginProperty(CONNECTION_URL, (String) options.get(CONNECTION_URL)), new LDAPLoginProperty(CONNECTION_USERNAME, (String) options.get(CONNECTION_USERNAME)), new LDAPLoginProperty(CONNECTION_PASSWORD, (String) options.get(CONNECTION_PASSWORD)), new LDAPLoginProperty(CONNECTION_PROTOCOL, (String) options.get(CONNECTION_PROTOCOL)), new LDAPLoginProperty(AUTHENTICATION, (String) options.get(AUTHENTICATION)), new LDAPLoginProperty(USER_BASE, (String) options.get(USER_BASE)), new LDAPLoginProperty(USER_SEARCH_MATCHING, (String) options.get(USER_SEARCH_MATCHING)), new LDAPLoginProperty(USER_SEARCH_SUBTREE, (String) options.get(USER_SEARCH_SUBTREE)), new LDAPLoginProperty(ROLE_BASE, (String) options.get(ROLE_BASE)), new LDAPLoginProperty(ROLE_NAME, (String) options.get(ROLE_NAME)), new LDAPLoginProperty(ROLE_SEARCH_MATCHING, (String) options.get(ROLE_S EARCH_MATCHING)), new LDAPLoginProperty(ROLE_SEARCH_SUBTREE, (String) options.get(ROLE_SEARCH_SUBTREE)), new LDAPLoginProperty(USER_ROLE_NAME, (String) options.get(USER_ROLE_NAME)), new LDAPLoginProperty(EXPAND_ROLES, (String) options.get(EXPAND_ROLES)), new LDAPLoginProperty(EXPAND_ROLES_MATCHING, (String) options.get(EXPAND_ROLES_MATCHING)), new LDAPLoginProperty(SASL_LOGIN_CONFIG_SCOPE, (String) options.get(SASL_LOGIN_CONFIG_SCOPE)), new LDAPLoginProperty(AUTHENTICATE_USER, (String) options.get(AUTHENTICATE_USER))};
 if (isLoginPropertySet(AUTHENTICATE_USER)) {
 authenticateUser = Boolean.valueOf(getLDAPPropertyValue(AUTHENTICATE_USER));
 }
@@ -526,7 +526,7 @@ public class LDAPLoginModule implements LoginModule {
 if ("GSSAPI".equalsIgnoreCase(getLDAPPropertyValue(AUTHENTICATION))) {
- final String configScope = isLoginPropertySet(LOGIN_CONFIG_SCOPE) ? getLDAPPropertyValue(LOGIN_CONFIG_SCOPE) : "broker-sasl-gssapi";
+ final String configScope = isLoginPropertySet(SASL_LOGIN_CONFIG_SCOPE) ? getLDAPPropertyValue(SASL_LOGIN_CONFIG_SCOPE) : "broker-sasl-gssapi";
 try {
 LoginContext loginContext = new LoginContext(configScope);
 loginContext.login();
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/125bd41f/docs/user-manual/en/security.md ----------------------------------------------------------------------
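Review bot: The fallback scope name `"broker-sasl-gssapi"` in the `configScope` ternary of the hunk at line 526 is now a documented public default (security.md in this commit) but remains an inline literal; hoisting it beside the option keys, `private static final String DEFAULT_SASL_LOGIN_CONFIG_SCOPE = "broker-sasl-gssapi";`, and using it in the ternary keeps code and documentation from drifting. Because options are read by key, a login.config that still uses the old `loginConfigScope` key is now silently ignored and the GSSAPI bind falls back to the default scope rather than failing; a log line when the default is selected would make that misconfiguration visible without exposing credentials. The method enclosing this ternary starts and ends outside the hunk. Separately, the context in the hunk at line 100 only overrides `authenticateUser` when the option is present, so its effective default comes from the field initializer outside the hunk; the new security.md bullet says `default is false`, and if the initializer is in fact `true` that sentence inverts the meaning and should read that authentication is performed unless the flag is explicitly set to `false`.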
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md index 91a3d33..1d7f314 100644 --- a/docs/user-manual/en/security.md +++ b/docs/user-manual/en/security.md @@ -459,7 +459,7 @@ managed using the X.500 system. It is implemented by `org.apache.activemq.artemi tree. For example, ldap://ldapserver:10389/ou=system. - `authentication` - specifies the authentication method used when binding to the LDAP server. Can take either of - the values, `simple` (username and password) or `none` (anonymous). + the values, `simple` (username and password), `GSSAPI` (Kerberos SASL) or `none` (anonymous). - `connectionUsername` - the DN of the user that opens the connection to the directory server. For example, `uid=admin,ou=system`. Directory servers generally require clients to present username/password credentials in order @@ -468,6 +468,9 @@ managed using the X.500 system. It is implemented by `org.apache.activemq.artemi - `connectionPassword` - the password that matches the DN from `connectionUsername`. In the directory server, in the DIT, the password is normally stored as a `userPassword` attribute in the corresponding directory entry. +- `saslLoginConfigScope` - the scope in JAAS configuration (login.config) to use to obtain Kerberos initiator credentials + when the `authentication` method is SASL `GSSAPI`. The default value is `broker-sasl-gssapi`. + - `connectionProtocol` - currently, the only supported value is a blank string. In future, this option will allow you to select the Secure Socket Layer (SSL) for the connection to the directory server. This option must be set explicitly to an empty string, because it has no default value. 
@@ -536,6 +539,9 @@ managed using the X.500 system. It is implemented by `org.apache.activemq.artemi - `true` â try to match any entry belonging to the subtree of the roleBase node (maps to `javax.naming.directory.SearchControls.SUBTREE_SCOPE`). +- `authenticateUser` - boolean flag to disable authentication. Useful as an optimisation when this module is used just for + role mapping of a Subject's existing authenticated principals; default is `false`. + - `debug` - boolean flag; if `true`, enable debugging; this is used only for testing or debugging; normally, it should be set to `false`, or omitted; default is `false` @@ -694,8 +700,9 @@ An example configuration scope for `login.config` that will pick up a Kerberos k #### Role Mapping On the server, the Kerberos authenticated Peer Principal can be added to the Subject's principal set as an Apache ActiveMQ Artemis UserPrincipal -using the Apache ActiveMQ Artemis `Krb5LoginModule` login module. The [PropertiesLoginModule](#propertiesloginmodule) can then be used to map -the authenticated Kerberos Peer Principal to a [Role](#role-based-security-for-addresses). +using the Apache ActiveMQ Artemis `Krb5LoginModule` login module. The [PropertiesLoginModule](#propertiesloginmodule) or + [LDAPLoginModule](#ldaploginmodule) can then be used to map +the authenticated Kerberos Peer Principal to an Apache ActiveMQ Artemis [Role](#role-based-security-for-addresses). Note: the Kerberos Peer Principal does not exist as an Apache ActiveMQ Artemis user. http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/125bd41f/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java ---------------------------------------------------------------------- 
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java
index 2a47e1f..d66c83d 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java
@@ -17,6 +17,7 @@ package org.apache.activemq.artemis.tests.integration.amqp;
 import javax.jms.Connection;
+import javax.jms.JMSSecurityException;
 import javax.jms.MessageConsumer;
 import javax.jms.MessageProducer;
 import javax.jms.Session;
@@ -33,6 +34,7 @@ import org.apache.activemq.artemis.core.server.ActiveMQServer;
 import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
 import org.apache.activemq.artemis.utils.RandomUtil;
 import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.qpid.jms.JmsConnectionFactory;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
@@ -150,4 +152,16 @@ public class JMSSaslGssapiTest extends JMSClientTestSupport {
 connection.close();
 }
 }
+
+ @Test(timeout = 600000)
+ public void testSaslPlainConnectionDenied() throws Exception {
+
+ JmsConnectionFactory factory = new JmsConnectionFactory(new URI("amqp://localhost:" + AMQP_PORT + "?amqp.saslMechanisms=PLAIN"));
+ try {
+ factory.createConnection("plain", "secret");
+ fail("Expect sasl failure");
+ } catch (JMSSecurityException expected) {
+ assertTrue(expected.getMessage().contains("SASL"));
+ }
+ }
 }
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/125bd41f/tests/integration-tests/src/test/resources/login.config ----------------------------------------------------------------------
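Review bot: `assertTrue(expected.getMessage().contains("SASL"))` in the new `testSaslPlainConnectionDenied` dereferences `getMessage()` without a null check, so a `JMSSecurityException` raised with no message would surface as a NullPointerException rather than a readable assertion failure; `assertNotNull(expected.getMessage()); assertTrue(expected.getMessage().contains("SASL"));` reports the actual problem. If `createConnection` unexpectedly succeeds, the returned connection is discarded before `fail(...)` and never closed, which can leak a broker connection into later tests in the class; assigning it to a local and closing it in a `finally` (or try-with-resources, if the client's `Connection` is `AutoCloseable`) avoids that. A one-line comment above the factory construction stating why PLAIN is expected to be refused here would also help, since the broker-side mechanism configuration that makes this a negative test lives outside this file.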
diff --git a/tests/integration-tests/src/test/resources/login.config b/tests/integration-tests/src/test/resources/login.config
index f8e48ba..1fceada 100644
--- a/tests/integration-tests/src/test/resources/login.config
+++ b/tests/integration-tests/src/test/resources/login.config
@@ -159,7 +159,7 @@ Krb5PlusLdap {
 initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
 connectionURL="ldap://localhost:1024"
 authentication=GSSAPI
- loginConfigScope=broker-sasl-gssapi
+ saslLoginConfigScope=broker-sasl-gssapi
 connectionProtocol=s
 userBase="ou=users,dc=example,dc=com"
 userSearchMatching="(krb5PrincipalName={0})"