QPID-1511 : Adds authentication and ssl encryption capabilities to the RMI based JMXConnectorServer in use, enforces use of the custom MBeanInvocationhandlerImp when using the RMI based JMX, and implements a customised RMI registry to prevent external changes being possible. Updated Management console accordingly.

Patch from Robbert Gemmell <gemmellr@dcs.gla.ac.uk>

git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@744113 13f79535-47bb-0310-9956-ffa450edef68

4 files changed, 95 insertions, 2 deletions

diff --git a/java/management/eclipse-plugin/src/main/java/org/apache/qpid/management/ui/actions/AbstractAction.java b/java/management/eclipse-plugin/src/main/java/org/apache/qpid/management/ui/actions/AbstractAction.java
index 202c6ea650..474e31cd8f 100644
--- a/java/management/eclipse-plugin/src/main/java/org/apache/qpid/management/ui/actions/AbstractAction.java
+++ b/java/management/eclipse-plugin/src/main/java/org/apache/qpid/management/ui/actions/AbstractAction.java
@@ -24,6 +24,11 @@ import static org.apache.qpid.management.ui.Constants.ERROR_SERVER_CONNECTION;
 
 import java.io.IOException;
 
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.SSLKeyException;
+import javax.net.ssl.SSLPeerUnverifiedException;
+
 import org.apache.qpid.management.ui.ApplicationRegistry;
 import org.apache.qpid.management.ui.ApplicationWorkbenchAdvisor;
 import org.apache.qpid.management.ui.Constants;
@@ -47,6 +52,10 @@ public class AbstractAction
     public static final String SERVER_UNAVAILABLE = "Unable to connect to the specified Qpid JMX server";
     public static final String INVALID_PERSPECTIVE = "Invalid Perspective";
     public static final String CHANGE_PERSPECTIVE = "Please use the Qpid Management Perspective";
+    
+    private static final String SSL_EMPTY_TRUSTANCHORS = "the trustAnchors parameter must be non-empty";
+    private static final String SSL_UNABLE_TO_FIND_CERTPATH = "sun.security.provider.certpath.SunCertPathBuilderException: " +
+    		                                    "unable to find valid certification path to requested target";
       
     /**
      * We will cache window object in order to
@@ -93,9 +102,59 @@ public class AbstractAction
         //determine the error message to display
         if (msg == null)
         {
-            if (ex instanceof IOException)
+            if (ex instanceof SSLException)
+            {
+                if (ex instanceof SSLKeyException)
+                {
+                    msg = "SSL key was invalid, please check the certificate configuration.";
+                    //Display error dialogue and return
+                    displayErrorDialogue(msg, title);
+                    return;
+                }
+                else if (ex instanceof SSLPeerUnverifiedException)
+                {
+                    msg = "SSL peer identity could not be verified, please ensure valid certificate configuration.";
+                    //Display error dialogue and return
+                    displayErrorDialogue(msg, title);
+                    return;
+                }
+                else if (ex instanceof SSLHandshakeException)
+                {
+                    if (ex.getMessage().contains(SSL_UNABLE_TO_FIND_CERTPATH))
+                    {
+                        msg = "Unable to certify the provided SSL certificate using the current SSL trust store.";
+                    }
+                    else
+                    {
+                        //cause unknown, provide a trace too
+                        MBeanUtility.printStackTrace(ex);
+                        msg = "SSL handhshake error.";
+                    }
+                    //Display error dialogue and return
+                    displayErrorDialogue(msg, title);
+                    return;
+                }
+                else
+                {
+                    //general SSL Exception.
+                    if (ex.getMessage().contains(SSL_EMPTY_TRUSTANCHORS))
+                    {
+                        msg = "Unable to locate the specified SSL certificate trust store, please check the configuration.";
+                    }
+                    else
+                    {
+                        //cause unknown, print stack trace
+                        MBeanUtility.printStackTrace(ex);
+                        msg = "SSL connection error.";
+                    }
+                    //Display error dialogue and return
+                    displayErrorDialogue(msg, title);
+                    return;
+                }
+            }
+            else if (ex instanceof IOException)
             {
-                //IOException, eg when trying to connect to a server/port with no JMX server running
+                //uncaught IOException, eg when trying to connect to a server/port with no JMX server running
                 msg = SERVER_UNAVAILABLE;
                 //Display error dialogue and return
                 displayErrorDialogue(msg, title);
diff --git a/java/management/eclipse-plugin/src/main/resources/linux-gtk-x86/qpidmc.ini b/java/management/eclipse-plugin/src/main/resources/linux-gtk-x86/qpidmc.ini
index 8fd70ba19f..19ceb6f717 100644
--- a/java/management/eclipse-plugin/src/main/resources/linux-gtk-x86/qpidmc.ini
+++ b/java/management/eclipse-plugin/src/main/resources/linux-gtk-x86/qpidmc.ini
@@ -23,3 +23,15 @@
 -XX:MaxPermSize=256m
 -Dosgi.requiredJavaVersion=1.5
 -Declipse.consoleLog=true
+
+#===============================================
+# SSL trust store configuration options.
+#===============================================
+
+# Uncomment lines below to specify custom truststore for server SSL
+# certificate verification, eg when using self-signed server certs.
+#
+#-Djavax.net.ssl.trustStore=<path.to.truststore>
+#-Djavax.net.ssl.trustStorePassword=<truststore.password>
+
+
diff --git a/java/management/eclipse-plugin/src/main/resources/macosx/Contents/MacOS/qpidmc.ini b/java/management/eclipse-plugin/src/main/resources/macosx/Contents/MacOS/qpidmc.ini
index 231adf2d8b..2a31b9b2c7 100644
--- a/java/management/eclipse-plugin/src/main/resources/macosx/Contents/MacOS/qpidmc.ini
+++ b/java/management/eclipse-plugin/src/main/resources/macosx/Contents/MacOS/qpidmc.ini
@@ -29,3 +29,14 @@
 -Dosgi.requiredJavaVersion=1.5
 -Declipse.consoleLog=true
 -Dorg.eclipse.swt.internal.carbon.smallFonts
+
+#===============================================
+# SSL trust store configuration options.
+#===============================================
+
+# Uncomment lines below to specify custom truststore for server SSL
+# certificate verification, eg when using self-signed server certs.
+#
+#-Djavax.net.ssl.trustStore=<path.to.truststore>
+#-Djavax.net.ssl.trustStorePassword=<truststore.password>
+
diff --git a/java/management/eclipse-plugin/src/main/resources/win32-win32-x86/qpidmc.ini b/java/management/eclipse-plugin/src/main/resources/win32-win32-x86/qpidmc.ini
index 9f3ad202ad..9e3de042d5 100644
--- a/java/management/eclipse-plugin/src/main/resources/win32-win32-x86/qpidmc.ini
+++ b/java/management/eclipse-plugin/src/main/resources/win32-win32-x86/qpidmc.ini
@@ -23,3 +23,14 @@
 -XX:MaxPermSize=256m

 -Dosgi.requiredJavaVersion=1.5

 -Declipse.consoleLog=true

+
+#===============================================
+# SSL trust store configuration options.
+#===============================================
+
+# Uncomment lines below to specify custom truststore for server SSL
+# certificate verification, eg when using self-signed server certs.
+#
+#-Djavax.net.ssl.trustStore=<path.to.truststore>
+#-Djavax.net.ssl.trustStorePassword=<truststore.password>
+