| author | Robert Godfrey <rgodfrey@apache.org> | 2014-07-24 11:27:03 +0000 |
|---|---|---|
| committer | Robert Godfrey <rgodfrey@apache.org> | 2014-07-24 11:27:03 +0000 |
| commit | 79c88e13948c79d85aa84dd241f4dcdc7a0ced6b (patch) | |
| tree | b6ffe0198e102c3b33e01778df0ed584357e7760 /qpid/java/broker-plugins | |
| parent | 38f6dea5a16eda38a50489d500de234b34916df3 (diff) | |
| download | qpid-python-79c88e13948c79d85aa84dd241f4dcdc7a0ced6b.tar.gz | |
QPID-5922 : [Java Broker] restrict the use of PLAIN authentication to secure channels
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1613068 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/broker-plugins')
8 files changed, 81 insertions, 75 deletions
diff --git a/qpid/java/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ProtocolEngineCreator_0_10.java b/qpid/java/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ProtocolEngineCreator_0_10.java
index b1d9fbf676..40c94075a1 100644
--- a/qpid/java/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ProtocolEngineCreator_0_10.java
+++ b/qpid/java/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ProtocolEngineCreator_0_10.java
@@ -77,7 +77,8 @@ public class ProtocolEngineCreator_0_10 implements ProtocolEngineCreator
 fqdn = ((InetSocketAddress) address).getHostName();
 }
 final ConnectionDelegate connDelegate = new ServerConnectionDelegate(broker,
- fqdn, broker.getSubjectCreator(address));
+ fqdn, broker.getSubjectCreator(address, transport.isSecure())
+ );
 ServerConnection conn = new ServerConnection(id,broker);
diff --git a/qpid/java/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerConnectionDelegate.java b/qpid/java/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerConnectionDelegate.java
index 793150f9bb..390d7a8c46 100644
--- a/qpid/java/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerConnectionDelegate.java
+++ b/qpid/java/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerConnectionDelegate.java
@@ -31,7 +31,6 @@ import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
-import java.util.StringTokenizer;
 import javax.security.sasl.SaslException;
 import javax.security.sasl.SaslServer;
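Review bot: The closing parenthesis placed on its own line (`+ );`) after the new `broker.getSubjectCreator(address, transport.isSecure())` argument is a layout the surrounding code does not use; folding it back keeps the constructor call in one shape: `fqdn, broker.getSubjectCreator(address, transport.isSecure()));`. `transport` is not declared inside the hunk, so I take it to be a parameter or field of the enclosing method, which starts and ends outside the hunk.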
@@ -84,12 +83,12 @@ public class ServerConnectionDelegate extends ServerDelegate
 }
 private ServerConnectionDelegate(Map<String, Object> properties,
- List<Object> locales,
- Broker broker,
- String localFQDN,
- SubjectCreator subjectCreator)
+ List<Object> locales,
+ Broker broker,
+ String localFQDN,
+ SubjectCreator subjectCreator)
 {
- super(properties, parseToList(subjectCreator.getMechanisms()), locales);
+ super(properties, (List) subjectCreator.getMechanisms(), locales);
 _broker = broker;
 _localFQDN = localFQDN;
@@ -128,17 +127,6 @@ public class ServerConnectionDelegate extends ServerDelegate
 return map;
 }
- private static List<Object> parseToList(String mechanisms)
- {
- List<Object> list = new ArrayList<Object>();
- StringTokenizer tokenizer = new StringTokenizer(mechanisms, " ");
- while(tokenizer.hasMoreTokens())
- {
- list.add(tokenizer.nextToken());
- }
- return list;
- }
-
 public ServerSession getSession(Connection conn, SessionAttach atc)
 {
 SessionDelegate serverSessionDelegate = new ServerSessionDelegate();
diff --git a/qpid/java/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQProtocolEngine.java b/qpid/java/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQProtocolEngine.java
index b28e9bc23c..0db0f9339c 100644
--- a/qpid/java/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQProtocolEngine.java
+++ b/qpid/java/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQProtocolEngine.java
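Review bot: The raw cast `(List) subjectCreator.getMechanisms()` in the constructor's `super(...)` call introduces an unchecked conversion and also drops the copy the deleted `parseToList` used to make, so the delegate now hands the superclass the very list object the SubjectCreator returned; if either side later mutates it (the superclass is outside this hunk, so I cannot tell), the advertised mechanism set changes under the other. Copying keeps both the old isolation and the generic types honest: `super(properties, new ArrayList<Object>(subjectCreator.getMechanisms()), locales);`. The file imported `java.util.ArrayList` for the helper this commit removes; confirm that import survived the cleanup (the import hunk above only drops `StringTokenizer`). The constructor body continues past the end of the hunk.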
@@ -496,7 +496,16 @@ public class AMQProtocolEngine implements ServerProtocolEngine, AMQProtocolSessi
 // This sets the protocol version (and hence framing classes) for this session.
 setProtocolVersion(pv);
- String mechanisms = _broker.getSubjectCreator(getLocalAddress()).getMechanisms();
+ StringBuilder mechanismBuilder = new StringBuilder();
+ for(String mechanismName : _broker.getSubjectCreator(getLocalAddress(), _transport.isSecure()).getMechanisms())
+ {
+ if(mechanismBuilder.length() != 0)
+ {
+ mechanismBuilder.append(' ');
+ }
+ mechanismBuilder.append(mechanismName);
+ }
+ String mechanisms = mechanismBuilder.toString();
 String locales = "en_US";
diff --git a/qpid/java/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/state/AMQStateManager.java b/qpid/java/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/state/AMQStateManager.java
index af2ceeca7f..328064b6dc 100644
--- a/qpid/java/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/state/AMQStateManager.java
+++ b/qpid/java/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/state/AMQStateManager.java
@@ -20,6 +20,11 @@
 */
 package org.apache.qpid.server.protocol.v0_8.state;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+
+import javax.security.auth.Subject;
+
 import org.apache.log4j.Logger;
 import org.apache.qpid.AMQException;
@@ -37,11 +42,6 @@ import org.apache.qpid.server.protocol.v0_8.AMQProtocolSession;
 import org.apache.qpid.server.security.SubjectCreator;
 import org.apache.qpid.server.util.ServerScopedRuntimeException;
-import javax.security.auth.Subject;
-
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-
 /**
 * The state manager is responsible for managing the state of the protocol session. <p/> For each AMQProtocolHandler
 * there is a separate state manager.
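Review bot: The ten-line mechanism-joining loop dropped into the middle of the protocol-initiation path would read better as a private helper, e.g. `private static String joinMechanisms(List<String> names)` holding the StringBuilder loop, leaving `String mechanisms = joinMechanisms(_broker.getSubjectCreator(getLocalAddress(), _transport.isSecure()).getMechanisms());` at the call site. The helper deserves a one-line comment on why the join exists at all: the wire field this string feeds appears to carry the mechanism list as a single space-separated string (the `.split(" ")` calls this commit removes elsewhere point the same way), so an empty list yields an empty field rather than an error here. The enclosing method starts and ends outside the hunk.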
@@ -147,6 +147,6 @@ public class AMQStateManager implements AMQMethodListener
 public SubjectCreator getSubjectCreator()
 {
- return _broker.getSubjectCreator(getProtocolSession().getLocalAddress());
+ return _broker.getSubjectCreator(getProtocolSession().getLocalAddress(), getProtocolSession().getTransport().isSecure());
 }
 }
diff --git a/qpid/java/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ProtocolEngine_1_0_0_SASL.java b/qpid/java/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ProtocolEngine_1_0_0_SASL.java
index 0d6861d80c..550355216e 100644
--- a/qpid/java/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ProtocolEngine_1_0_0_SASL.java
+++ b/qpid/java/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/ProtocolEngine_1_0_0_SASL.java
@@ -27,6 +27,7 @@ import java.nio.ByteBuffer;
 import java.security.Principal;
 import java.security.PrivilegedAction;
 import java.util.LinkedHashMap;
+import java.util.List;
 import java.util.Map;
 import javax.security.auth.Subject;
@@ -184,7 +185,7 @@ public class ProtocolEngine_1_0_0_SASL implements ServerProtocolEngine, FrameOut
 Container container = new Container(_broker.getId().toString());
- SubjectCreator subjectCreator = _broker.getSubjectCreator(getLocalAddress());
+ SubjectCreator subjectCreator = _broker.getSubjectCreator(getLocalAddress(), _transport.isSecure());
 _endpoint = new ConnectionEndpoint(container, asSaslServerProvider(subjectCreator));
 _endpoint.setLogger(new ConnectionEndpoint.FrameReceiptLogger()
 {
@@ -236,7 +237,8 @@ public class ProtocolEngine_1_0_0_SASL implements ServerProtocolEngine, FrameOut
 _sender.send(HEADER.duplicate());
 _sender.flush();
- _endpoint.initiateSASL(subjectCreator.getMechanisms().split(" "));
+ List<String> mechanisms = subjectCreator.getMechanisms();
+ _endpoint.initiateSASL(mechanisms.toArray(new String[mechanisms.size()]));
 }
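Review bot: `getSubjectCreator()` now calls `getProtocolSession()` twice on one line, so the address and the secure-transport flag are read from two separate lookups; hoisting the session into a local makes the decision come from one object and keeps the line readable: `AMQProtocolSession session = getProtocolSession(); return _broker.getSubjectCreator(session.getLocalAddress(), session.getTransport().isSecure());` (`AMQProtocolSession` is already imported, as the import hunk above shows). The method also lacks Javadoc although it is now the place where the channel's security determines the offered mechanisms; a line such as `/** SubjectCreator for this session's port; whether the transport is secure decides which SASL mechanisms it may offer (QPID-5922). */` would record that. Whether `getTransport()` can return null here is not visible in the hunk and is worth a glance, since this runs on the authentication path.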
diff --git a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
index 1937ee8744..ef0a68a42b 100644
--- a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
+++ b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
@@ -45,6 +45,7 @@ import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
 import org.apache.qpid.server.security.auth.AuthenticationResult.AuthenticationStatus;
 import org.apache.qpid.server.security.auth.SubjectAuthenticationResult;
 import org.apache.qpid.server.security.auth.UsernamePrincipal;
+import org.apache.qpid.server.security.auth.manager.AnonymousAuthenticationManager;
 import org.apache.qpid.server.security.auth.manager.ExternalAuthenticationManager;
 import org.apache.qpid.transport.network.security.ssl.SSLUtil;
@@ -146,14 +147,14 @@ public class HttpManagementUtil
 Subject subject = null;
 SocketAddress localAddress = getSocketAddress(request);
 final AuthenticationProvider authenticationProvider = managementConfig.getAuthenticationProvider(localAddress);
- SubjectCreator subjectCreator = authenticationProvider.getSubjectCreator();
+ SubjectCreator subjectCreator = authenticationProvider.getSubjectCreator(request.isSecure());
 String remoteUser = request.getRemoteUser();
- if (remoteUser != null || subjectCreator.isAnonymousAuthenticationAllowed())
+ if (remoteUser != null || authenticationProvider instanceof AnonymousAuthenticationManager)
 {
 subject = authenticateUser(subjectCreator, remoteUser, null);
 }
- else if(subjectCreator.isExternalAuthenticationAllowed()
+ else if(authenticationProvider instanceof ExternalAuthenticationManager
 && Collections.list(request.getAttributeNames()).contains("javax.servlet.request.X509Certificate"))
 {
 Principal principal = null;
diff --git a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
index af3973c7b3..81d67caf96 100644
--- a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
+++ b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
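Review bot: `request.isSecure()` on the new `getSubjectCreator(request.isSecure())` line reports only whether this servlet container received the request over TLS, so a deployment that terminates TLS at a proxy and forwards plain HTTP to the broker will see false and have the secure-channel-only mechanisms withheld even though the client's hop is encrypted; the same call makes the same decision in `SaslServlet.getSubjectCreator` further down. A comment at this call site would save the next operator a puzzle: `// isSecure() reflects TLS at this container only; a TLS-terminating proxy must propagate the scheme (and the container must trust it) or the mechanisms reserved for secure channels are not offered.` Separately, replacing the `SubjectCreator` queries with `instanceof AnonymousAuthenticationManager` / `instanceof ExternalAuthenticationManager` ties the branch to the provider's concrete class, so a provider that wraps or delegates to one of those managers without being one loses anonymous or certificate handling silently; whether such providers exist is not visible from this hunk. The enclosing method starts and ends outside the hunk.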
@@ -20,34 +20,36 @@
 */
 package org.apache.qpid.server.management.plugin.servlet.rest;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.net.SocketAddress;
+import java.security.Principal;
+import java.security.SecureRandom;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Random;
+
+import javax.security.auth.Subject;
+import javax.security.sasl.SaslException;
+import javax.security.sasl.SaslServer;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
 import org.apache.commons.codec.binary.Base64;
-import org.apache.qpid.server.management.plugin.servlet.ServletConnectionPrincipal;
-import org.apache.qpid.server.util.ConnectionScopedRuntimeException;
+import org.apache.log4j.Logger;
 import org.codehaus.jackson.map.ObjectMapper;
 import org.codehaus.jackson.map.SerializationConfig;
-import org.apache.log4j.Logger;
 import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
 import org.apache.qpid.server.management.plugin.HttpManagementUtil;
+import org.apache.qpid.server.management.plugin.servlet.ServletConnectionPrincipal;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.security.SubjectCreator;
 import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
-
-import javax.security.auth.Subject;
-import javax.security.sasl.SaslException;
-import javax.security.sasl.SaslServer;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.net.SocketAddress;
-import java.security.Principal;
-import java.security.SecureRandom;
-import java.util.LinkedHashMap;
-import java.util.Map;
-import java.util.Random;
+import org.apache.qpid.server.util.ConnectionScopedRuntimeException;
 public class SaslServlet extends AbstractServlet
 {
@@ -81,7 +83,8 @@ public class SaslServlet extends AbstractServlet
 getRandom(session);
 SubjectCreator subjectCreator = getSubjectCreator(request);
- String[] mechanisms = subjectCreator.getMechanisms().split(" ");
+ List<String> mechanismsList = subjectCreator.getMechanisms();
+ String[] mechanisms = mechanismsList.toArray(new String[mechanismsList.size()]);
 Map<String, Object> outputObject = new LinkedHashMap<String, Object>();
 final Subject subject = getAuthorisedSubject(request);
@@ -237,7 +240,7 @@ public class SaslServlet extends AbstractServlet
 if(saslServer.isComplete())
 {
- Subject originalSubject = subjectCreator.createSubjectWithGroups(saslServer.getAuthorizationID());
+ Subject originalSubject = subjectCreator.createSubjectWithGroups(new AuthenticatedPrincipal(saslServer.getAuthorizationID()));
 Subject subject = new Subject(false, originalSubject.getPrincipals(),
 originalSubject.getPublicCredentials(),
@@ -298,7 +301,8 @@ public class SaslServlet extends AbstractServlet
 private SubjectCreator getSubjectCreator(HttpServletRequest request)
 {
 SocketAddress localAddress = HttpManagementUtil.getSocketAddress(request);
- return HttpManagementUtil.getManagementConfiguration(getServletContext()).getAuthenticationProvider(localAddress).getSubjectCreator();
+ return HttpManagementUtil.getManagementConfiguration(getServletContext()).getAuthenticationProvider(localAddress).getSubjectCreator(
+ request.isSecure());
 }
 @Override
diff --git a/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java b/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java
index f27a9126ea..78eba66158 100644
--- a/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java
+++ b/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java
@@ -20,28 +20,6 @@
 */
 package org.apache.qpid.server.jmx;
-import org.apache.log4j.Logger;
-import org.apache.qpid.server.configuration.BrokerProperties;
-import org.apache.qpid.server.logging.EventLogger;
-import org.apache.qpid.server.logging.messages.ManagementConsoleMessages;
-import org.apache.qpid.server.model.Broker;
-import org.apache.qpid.server.model.KeyStore;
-import org.apache.qpid.server.model.Port;
-import org.apache.qpid.server.model.Transport;
-
-import org.apache.qpid.server.security.auth.jmx.JMXPasswordAuthenticator;
-import org.apache.qpid.server.util.ServerScopedRuntimeException;
-
-import javax.management.JMException;
-import javax.management.MBeanServer;
-import javax.management.MBeanServerFactory;
-import javax.management.ObjectName;
-import javax.management.remote.JMXConnectorServer;
-import javax.management.remote.JMXServiceURL;
-import javax.management.remote.MBeanServerForwarder;
-import javax.management.remote.rmi.RMIConnectorServer;
-import javax.net.ssl.SSLContext;
-import javax.rmi.ssl.SslRMIClientSocketFactory;
 import java.io.IOException;
 import java.lang.management.ManagementFactory;
 import java.net.InetAddress;
@@ -59,6 +37,29 @@ import java.rmi.server.UnicastRemoteObject;
 import java.security.GeneralSecurityException;
 import java.util.HashMap;
+import javax.management.JMException;
+import javax.management.MBeanServer;
+import javax.management.MBeanServerFactory;
+import javax.management.ObjectName;
+import javax.management.remote.JMXConnectorServer;
+import javax.management.remote.JMXServiceURL;
+import javax.management.remote.MBeanServerForwarder;
+import javax.management.remote.rmi.RMIConnectorServer;
+import javax.net.ssl.SSLContext;
+import javax.rmi.ssl.SslRMIClientSocketFactory;
+
+import org.apache.log4j.Logger;
+
+import org.apache.qpid.server.configuration.BrokerProperties;
+import org.apache.qpid.server.logging.EventLogger;
+import org.apache.qpid.server.logging.messages.ManagementConsoleMessages;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.KeyStore;
+import org.apache.qpid.server.model.Port;
+import org.apache.qpid.server.model.Transport;
+import org.apache.qpid.server.security.auth.jmx.JMXPasswordAuthenticator;
+import org.apache.qpid.server.util.ServerScopedRuntimeException;
+
 /**
 * This class starts up an MBeanserver. If out of the box agent has been enabled then there are no
 * security features implemented like user authentication and authorisation.
@@ -157,7 +158,7 @@ public class JMXManagedObjectRegistry implements ManagedObjectRegistry
 int jmxPortConnectorServer = _connectorPort.getPort();
 //add a JMXAuthenticator implementation the env map to authenticate the RMI based JMX connector server
- JMXPasswordAuthenticator rmipa = new JMXPasswordAuthenticator(_broker, new InetSocketAddress(jmxPortConnectorServer));
+ JMXPasswordAuthenticator rmipa = new JMXPasswordAuthenticator(_broker, new InetSocketAddress(jmxPortConnectorServer), connectorSslEnabled);
 HashMap<String,Object> connectorEnv = new HashMap<String,Object>();
 connectorEnv.put(JMXConnectorServer.AUTHENTICATOR, rmipa); |
