authorRobert Gemmell <robbie@apache.org>2012-09-02 18:26:40 +0000
committerRobert Gemmell <robbie@apache.org>2012-09-02 18:26:40 +0000
commit698e26ae1e8414d8945ab91af62e92a615d127b1 (patch)
tree4b12c3655a7b0fe58870b9737416194773ecac4a /qpid/java
parent4a1dc8b1a772545b9854f6bf5c7a7d2514c24cde (diff)
QPID-4253: add configuration for basic-auth on http / https management and set to disabled / enabled respectively by default
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1380016 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java')
-rw-r--r--qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java17
-rw-r--r--qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/servlet/rest/BasicAuthRestTest.java115
-rw-r--r--qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/GroupRestACLTest.java1
-rw-r--r--qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/UserRestACLTest.java1
-rw-r--r--qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java10
5 files changed, 139 insertions, 5 deletions
diff --git a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java
index 1469808565..843ba9816a 100644
--- a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java
+++ b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java
@@ -255,17 +255,18 @@ public abstract class AbstractServlet extends HttpServlet
{
String header = request.getHeader("Authorization");
- /*
- * TODO - Should configure whether basic authentication is allowed... and in particular whether it
- * should be allowed over non-ssl connections
- * */
-
if (header != null)
{
String[] tokens = header.split("\\s");
if(tokens.length >= 2
&& "BASIC".equalsIgnoreCase(tokens[0]))
{
+ if(!isBasicAuthSupported(request))
+ {
+ //TODO: write a return response indicating failure?
+ throw new IllegalArgumentException("BASIC Authorization is not enabled.");
+ }
+
String[] credentials = (new String(Base64.decodeBase64(tokens[1].getBytes()))).split(":",2);
if(credentials.length == 2)
{
@@ -299,6 +300,12 @@ public abstract class AbstractServlet extends HttpServlet
return subject;
}
+ private boolean isBasicAuthSupported(HttpServletRequest req)
+ {
+ return req.isSecure() ? ApplicationRegistry.getInstance().getConfiguration().getHTTPSManagementBasicAuth()
+ : ApplicationRegistry.getInstance().getConfiguration().getHTTPManagementBasicAuth();
+ }
+
private HttpManagementActor getLogActorAndCacheInSession(HttpServletRequest req)
{
HttpSession session = req.getSession();
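Review bot: isBasicAuthSupported decides on `req.isSecure()`, which reflects whether the connector that received the request used TLS, so behind a TLS-terminating proxy a request arrives plain and is governed by the HTTP setting even though the client sent it over HTTPS; that is reasonable but belongs in a Javadoc so operators know the setting is per-listener, e.g. `/** Whether BASIC credentials may be accepted for this request, chosen per listener (HTTPS vs HTTP) from the broker configuration. */`. The two `ApplicationRegistry.getInstance().getConfiguration()` lookups can be hoisted into one local before the ternary, which also makes the two-way decision read as a single expression. getLogActorAndCacheInSession continues beyond the hunk.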
diff --git a/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/servlet/rest/BasicAuthRestTest.java b/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/servlet/rest/BasicAuthRestTest.java
new file mode 100644
index 0000000000..f372fd4f3a
--- /dev/null
+++ b/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/servlet/rest/BasicAuthRestTest.java
@@ -0,0 +1,115 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.management.plugin.servlet.rest;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.configuration.ConfigurationException;
+
+public class BasicAuthRestTest extends QpidRestTestCase
+{
+ private static final String TRUSTSTORE = "test-profiles/test_resources/ssl/java_client_truststore.jks";
+ private static final String TRUSTSTORE_PASSWORD = "password";
+ private static final String USERNAME = "admin";
+
+ @Override
+ public void setUp() throws Exception
+ {
+ setSystemProperty("javax.net.debug", "ssl");
+
+ //don't call super method, we will configure the broker in the test before doing so
+ }
+
+ @Override
+ protected void customizeConfiguration() throws ConfigurationException, IOException
+ {
+ //do nothing, we will configure this locally
+ }
+
+ private void configure(boolean useSsl) throws ConfigurationException, IOException
+ {
+ getRestTestHelper().setUseSsl(useSsl);
+ setConfigurationProperty("management.http.enabled", String.valueOf(!useSsl));
+ setConfigurationProperty("management.http.port", Integer.toString(getRestTestHelper().getHttpPort()));
+ setConfigurationProperty("management.https.enabled", String.valueOf(useSsl));
+ setConfigurationProperty("management.https.port", Integer.toString(getRestTestHelper().getHttpPort()));
+ setConfigurationProperty("management.enabled", "false"); //JMX
+ }
+
+ private void verifyGetBrokerAttempt(int responseCode) throws IOException
+ {
+ HttpURLConnection conn = getRestTestHelper().openManagementConnection("/rest/broker", "GET");
+ assertEquals(responseCode, conn.getResponseCode());
+ }
+
+ public void testDefaultEnabledWithHttps() throws Exception
+ {
+ configure(true);
+ super.setUp();
+ setSystemProperty("javax.net.ssl.trustStore", TRUSTSTORE);
+ setSystemProperty("javax.net.ssl.trustStorePassword", TRUSTSTORE_PASSWORD);
+
+ // Try the attempt with authentication, it should succeed because
+ // BASIC auth is enabled by default on secure connections.
+ getRestTestHelper().setUsernameAndPassword(USERNAME, USERNAME);
+ verifyGetBrokerAttempt(HttpServletResponse.SC_OK);
+ }
+
+ public void testDefaultDisabledWithHttp() throws Exception
+ {
+ configure(false);
+ super.setUp();
+
+ // Try the attempt with authentication, it should fail because
+ // BASIC auth is disabled by default on non-secure connections.
+ getRestTestHelper().setUsernameAndPassword(USERNAME, USERNAME);
+ verifyGetBrokerAttempt(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ }
+
+ public void testEnablingForHttp() throws Exception
+ {
+ configure(false);
+ setConfigurationProperty("management.http.basic-auth", "true");
+ super.setUp();
+
+ // Try the attempt with authentication, it should succeed because
+ // BASIC auth is now enabled on non-secure connections.
+ getRestTestHelper().setUsernameAndPassword(USERNAME, USERNAME);
+ verifyGetBrokerAttempt(HttpServletResponse.SC_OK);
+ }
+
+ public void testDisablingForHttps() throws Exception
+ {
+ configure(true);
+ setConfigurationProperty("management.https.basic-auth", "false");
+ super.setUp();
+ setSystemProperty("javax.net.ssl.trustStore", TRUSTSTORE);
+ setSystemProperty("javax.net.ssl.trustStorePassword", TRUSTSTORE_PASSWORD);
+
+ // Try the attempt with authentication, it should fail because
+ // BASIC auth is now disabled on secure connections.
+ getRestTestHelper().setUsernameAndPassword(USERNAME, USERNAME);
+ verifyGetBrokerAttempt(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ }
+}
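Review bot: setUp() sets `javax.net.debug` to `ssl` for every test in this class, which makes the JSSE layer dump handshake and record details to stdout; that reads like a leftover from debugging and should be removed, or at least confined to the two HTTPS tests that need a truststore. The two "disabled" tests assert `SC_INTERNAL_SERVER_ERROR`, which pins the IllegalArgumentException-to-500 behaviour of AbstractServlet rather than the intended refusal; asserting a 4xx would describe the policy and survive a later fix to the servlet's response. Every test sends credentials, so a companion case with no Authorization header on the HTTP listener would show that disabling BASIC does not merely break the authenticated path. verifyGetBrokerAttempt never releases the connection; add `conn.disconnect();` after the assertion or in a finally.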
diff --git a/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/GroupRestACLTest.java b/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/GroupRestACLTest.java
index f9f9fbfef0..3d21f95f0c 100644
--- a/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/GroupRestACLTest.java
+++ b/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/GroupRestACLTest.java
@@ -50,6 +50,7 @@ public class GroupRestACLTest extends QpidRestTestCase
{
_groupFile = createTemporaryGroupFile();
+ setConfigurationProperty("management.http.basic-auth", "true");
setConfigurationProperty("security.file-group-manager.attributes.attribute.name", "groupFile");
setConfigurationProperty("security.file-group-manager.attributes.attribute.value", _groupFile.getAbsolutePath());
diff --git a/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/UserRestACLTest.java b/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/UserRestACLTest.java
index 514d1bd781..31286fb70b 100644
--- a/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/UserRestACLTest.java
+++ b/qpid/java/broker-plugins/management-http/src/test/java/org/apache/qpid/systest/rest/acl/UserRestACLTest.java
@@ -50,6 +50,7 @@ public class UserRestACLTest extends QpidRestTestCase
{
_groupFile = createTemporaryGroupFile();
+ setConfigurationProperty("management.http.basic-auth", "true");
setConfigurationProperty("security.file-group-manager.attributes.attribute.name", "groupFile");
setConfigurationProperty("security.file-group-manager.attributes.attribute.value", _groupFile.getAbsolutePath());
diff --git a/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java b/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java
index f9e2d93cff..968f29a6e6 100644
--- a/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java
+++ b/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java
@@ -585,6 +585,11 @@ public class ServerConfiguration extends ConfigurationPlugin
return getIntValue("management.http.port", DEFAULT_HTTP_MANAGEMENT_PORT);
}
+ public boolean getHTTPManagementBasicAuth()
+ {
+ return getBooleanValue("management.http.basic-auth", false);
+ }
+
public boolean getHTTPSManagementEnabled()
{
return getBooleanValue("management.https.enabled", false);
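Review bot: getHTTPManagementBasicAuth has no Javadoc, and its default of false deliberately differs from the true default of getHTTPSManagementBasicAuth in the second hunk (@@ -595,6 +600,11 @@); that asymmetry is the security decision of this commit and should be stated at the getter so nobody later "harmonises" the two, e.g. `/** Whether BASIC authentication is accepted on the plain-HTTP management listener; off by default because the credentials would cross the wire unencrypted. */` with the mirror comment on the HTTPS getter. The neighbouring getters express their defaults through named constants such as `DEFAULT_HTTP_MANAGEMENT_PORT`; introducing `DEFAULT_HTTP_MANAGEMENT_BASIC_AUTH` and `DEFAULT_HTTPS_MANAGEMENT_BASIC_AUTH` would follow that pattern and keep the defaults in one place. The same note applies to the second hunk.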
@@ -595,6 +600,11 @@ public class ServerConfiguration extends ConfigurationPlugin
return getIntValue("management.https.port", DEFAULT_HTTPS_MANAGEMENT_PORT);
}
+ public boolean getHTTPSManagementBasicAuth()
+ {
+ return getBooleanValue("management.https.basic-auth", true);
+ }
+
public String[] getVirtualHosts()
{
return _virtualHosts.keySet().toArray(new String[_virtualHosts.size()]);