[ARTEMIS-1310] [ARTEMIS-1264] consolidate configuration to require login configuration scope
Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/9fedb47c Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/9fedb47c Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/9fedb47c Branch: refs/heads/master Commit: 9fedb47c400b9a00dec08b8f3bc280fe674ad915 Parents: ca7197b Author: gtully <gary.tu...@gmail.com> Authored: Wed Aug 2 12:19:07 2017 +0100 Committer: Clebert Suconic <clebertsuco...@apache.org> Committed: Tue Aug 8 13:28:50 2017 -0400 ---------------------------------------------------------------------- .../impl/TransportConfigurationUtil.java | 29 +------------------- .../remoting/impl/netty/NettyConnector.java | 15 ++-------- .../core/remoting/impl/netty/NettyAcceptor.java | 13 ++------- .../integration/amqp/JMSSaslGssapiTest.java | 20 +++++++------- .../ssl/CoreClientOverOneWaySSLKerb5Test.java | 6 ++-- .../src/test/resources/login.config | 17 +++++++++++- 6 files changed, 34 insertions(+), 66 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/9fedb47c/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/TransportConfigurationUtil.java ---------------------------------------------------------------------- diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/TransportConfigurationUtil.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/TransportConfigurationUtil.java index 97a4bd2..c6d8a5f 100644 --- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/TransportConfigurationUtil.java +++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/TransportConfigurationUtil.java 
@@ -27,9 +27,6 @@ import org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnectorFactor import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants; import org.apache.activemq.artemis.utils.ClassloadingUtil; -import javax.security.auth.login.AppConfigurationEntry; -import javax.security.auth.login.Configuration; - /** * Stores static mappings of class names to ConnectorFactory instances to act as a central repo for ConnectorFactory * objects. @@ -99,28 +96,4 @@ public class TransportConfigurationUtil { return false; } - public static Configuration kerb5Config(String principal, boolean initiator) { - final Map<String, String> krb5LoginModuleOptions = new HashMap<>(); - krb5LoginModuleOptions.put("isInitiator", String.valueOf(initiator)); - krb5LoginModuleOptions.put("principal", principal); - krb5LoginModuleOptions.put("useKeyTab", "true"); - krb5LoginModuleOptions.put("storeKey", "true"); - krb5LoginModuleOptions.put("doNotPrompt", "true"); - krb5LoginModuleOptions.put("renewTGT", "true"); - krb5LoginModuleOptions.put("refreshKrb5Config", "true"); - krb5LoginModuleOptions.put("useTicketCache", "true"); - String ticketCache = System.getenv("KRB5CCNAME"); - if (ticketCache != null) { - krb5LoginModuleOptions.put("ticketCache", ticketCache); - } - return new Configuration() { - @Override - public AppConfigurationEntry[] getAppConfigurationEntry(String name) { - return new AppConfigurationEntry[]{ - new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", - AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, - krb5LoginModuleOptions)}; - } - }; - } -} +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/9fedb47c/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java ---------------------------------------------------------------------- 
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java index 1882490..8e48cf9 100644 --- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java +++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java @@ -98,7 +98,6 @@ import org.apache.activemq.artemis.api.core.ActiveMQException; import org.apache.activemq.artemis.core.client.ActiveMQClientLogger; import org.apache.activemq.artemis.core.client.ActiveMQClientMessageBundle; import org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQClientProtocolManager; -import org.apache.activemq.artemis.core.remoting.impl.TransportConfigurationUtil; import org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport; import org.apache.activemq.artemis.core.server.ActiveMQComponent; import org.apache.activemq.artemis.spi.core.remoting.AbstractConnector; 
@@ -523,18 +522,8 @@ public class NettyConnector extends AbstractConnector { if (sslEnabled && !useServlet) { Subject subject = null; - if (kerb5Config != null && kerb5Config.length() > 0) { - - LoginContext loginContext = null; - if (Character.isUpperCase(kerb5Config.charAt(0))) { - // use as login.config scope - loginContext = new LoginContext(kerb5Config); - } else { - // inline keytab config using kerb5Config as principal - loginContext = new LoginContext("", null, null, - TransportConfigurationUtil.kerb5Config(kerb5Config, true)); - } - + if (kerb5Config != null) { + LoginContext loginContext = new LoginContext(kerb5Config); loginContext.login(); subject = loginContext.getSubject(); verifyHost = true; http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/9fedb47c/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java ---------------------------------------------------------------------- diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java index d626fad..b41fc70 100644 --- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java 
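Review bot: The new guard `if (kerb5Config != null)` drops the old `length() > 0` test, so an empty `sslKerb5Config` value now reaches `new LoginContext("")` instead of being treated as "not configured"; the NettyAcceptor hunk at -442 has the same guard. JAAS resolves a name with no matching entry by falling back to the `other` scope when the login configuration defines one, so a blank or mistyped scope name may quietly authenticate under an unrelated configuration rather than failing; `if (kerb5Config != null && !kerb5Config.isEmpty())` restores the old handling of blanks, and a debug-level log of the scope name actually passed to LoginContext would make such a fallback visible. `loginContext.login()` can throw LoginException; how that is handled is not visible here, as the enclosing method starts and ends outside the hunk.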
@@ -71,7 +71,6 @@ import org.apache.activemq.artemis.api.core.management.CoreNotificationType; import org.apache.activemq.artemis.core.client.impl.ClientSessionFactoryImpl; import org.apache.activemq.artemis.core.protocol.ProtocolHandler; import org.apache.activemq.artemis.core.remoting.impl.AbstractAcceptor; -import org.apache.activemq.artemis.core.remoting.impl.TransportConfigurationUtil; import org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport; import org.apache.activemq.artemis.core.security.ActiveMQPrincipal; import org.apache.activemq.artemis.core.server.ActiveMQComponent; @@ -442,17 +441,9 @@ public class NettyAcceptor extends AbstractAcceptor { throw ise; } Subject subject = null; - if (kerb5Config != null && kerb5Config.length() > 0) { - LoginContext loginContext = null; - if (Character.isUpperCase(kerb5Config.charAt(0))) { - // use as login.config scope - loginContext = new LoginContext(kerb5Config); - } else { - loginContext = new LoginContext("", null, null, - TransportConfigurationUtil.kerb5Config(kerb5Config, false)); - } + if (kerb5Config != null) { + LoginContext loginContext = new LoginContext(kerb5Config); loginContext.login(); - subject = loginContext.getSubject(); } http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/9fedb47c/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java ---------------------------------------------------------------------- diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java index a4f9476..17d70a5 100644 --- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java +++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslGssapiTest.java 
@@ -16,15 +16,6 @@ */ package org.apache.activemq.artemis.tests.integration.amqp; -import org.apache.activemq.artemis.core.security.Role; -import org.apache.activemq.artemis.core.server.ActiveMQServer; -import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager; -import org.apache.activemq.artemis.utils.RandomUtil; -import org.apache.hadoop.minikdc.MiniKdc; -import org.junit.After; -import org.junit.Before; -import org.junit.Test; - import javax.jms.Connection; import javax.jms.MessageConsumer; import javax.jms.MessageProducer; @@ -37,6 +28,15 @@ import java.util.HashSet; import java.util.Map; import java.util.Set; +import org.apache.activemq.artemis.core.security.Role; +import org.apache.activemq.artemis.core.server.ActiveMQServer; +import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager; +import org.apache.activemq.artemis.utils.RandomUtil; +import org.apache.hadoop.minikdc.MiniKdc; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; + public class JMSSaslGssapiTest extends JMSClientTestSupport { static { @@ -85,7 +85,7 @@ public class JMSSaslGssapiTest extends JMSClientTestSupport { protected void configureBrokerSecurity(ActiveMQServer server) { server.getConfiguration().setSecurityEnabled(isSecurityEnabled()); ActiveMQJAASSecurityManager securityManager = (ActiveMQJAASSecurityManager) server.getSecurityManager(); - securityManager.setConfigurationName("Krb5SslPlus"); + securityManager.setConfigurationName("Krb5Plus"); securityManager.setConfiguration(null); final String roleName = "ALLOW_ALL"; http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/9fedb47c/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLKerb5Test.java ---------------------------------------------------------------------- 
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLKerb5Test.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLKerb5Test.java index 1dd238f..a9f5c88 100644 --- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLKerb5Test.java +++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLKerb5Test.java @@ -88,7 +88,7 @@ public class CoreClientOverOneWaySSLKerb5Test extends ActiveMQTestBase { tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true); tc.getParams().put(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME, getSuitableCipherSuite()); tc.getParams().put(TransportConstants.SNIHOST_PROP_NAME, SNI_HOST); // static service name rather than dynamic machine name - tc.getParams().put(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, "client"); // lower case used as principal with default keytab + tc.getParams().put(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, "core-tls-krb5-client"); final ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc)); ClientSessionFactory sf = null; @@ -171,7 +171,7 @@ public class CoreClientOverOneWaySSLKerb5Test extends ActiveMQTestBase { params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true); params.put(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME, getSuitableCipherSuite()); - params.put(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, SERVICE_PRINCIPAL); + params.put(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, "core-tls-krb5-server"); ConfigurationImpl config = createBasicConfig().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params, "nettySSL")); config.setPopulateValidatedUser(true); // so we can verify the kerb5 id is present 
@@ -179,7 +179,7 @@ public class CoreClientOverOneWaySSLKerb5Test extends ActiveMQTestBase { config.addAcceptorConfiguration(new TransportConfiguration(INVM_ACCEPTOR_FACTORY)); - ActiveMQSecurityManager securityManager = new ActiveMQJAASSecurityManager("Krb5SslPlus"); + ActiveMQSecurityManager securityManager = new ActiveMQJAASSecurityManager("Krb5Plus"); server = addServer(ActiveMQServers.newActiveMQServer(config, ManagementFactory.getPlatformMBeanServer(), securityManager, false)); HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository(); http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/9fedb47c/tests/integration-tests/src/test/resources/login.config ---------------------------------------------------------------------- diff --git a/tests/integration-tests/src/test/resources/login.config b/tests/integration-tests/src/test/resources/login.config index 5c0e2eb..a834627 100644 --- a/tests/integration-tests/src/test/resources/login.config +++ b/tests/integration-tests/src/test/resources/login.config @@ -138,7 +138,7 @@ DualAuthenticationPropertiesLogin { org.apache.activemq.jaas.properties.role="dual-authentication-roles.properties"; }; -Krb5SslPlus { +Krb5Plus { org.apache.activemq.artemis.spi.core.security.jaas.Krb5LoginModule optional debug=true; @@ -149,6 +149,21 @@ Krb5SslPlus { org.apache.activemq.jaas.properties.role="dual-authentication-roles.properties"; }; +core-tls-krb5-server { + com.sun.security.auth.module.Krb5LoginModule required + isInitiator=false + storeKey=true + useKeyTab=true + principal="host/sni.host" + debug=true; +}; + +core-tls-krb5-client { + com.sun.security.auth.module.Krb5LoginModule required + principal="client" + useKeyTab=true; +}; + amqp-sasl-gssapi { com.sun.security.auth.module.Krb5LoginModule required isInitiator=false
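Review bot: The new `core-tls-krb5-client` scope sets only `principal` and `useKeyTab`, and neither new scope sets `doNotPrompt=true`; if the keytab lookup fails, Krb5LoginModule falls back to prompting for a password through a CallbackHandler that `new LoginContext(name)` does not supply, which surfaces as a callback error rather than a clear keytab failure. The `kerb5Config` helper this config replaces set `doNotPrompt`, `storeKey`, `refreshKrb5Config` and `useTicketCache` on both sides, so the new scopes are a narrower contract than before; adding `doNotPrompt=true` to both entries keeps the non-interactive behaviour explicit. `debug=true` on the server scope is reasonable for a test resource, but Krb5LoginModule debug output can include keytab key material in at least some JDK versions, so the entry should not be copied into a production login.config as is.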