Diffstat (limited to 'java')
9 files changed, 56 insertions, 150 deletions
diff --git a/java/broker/etc/config.xml b/java/broker/etc/config.xml
index da0d13b72f..3789e6fcb6 100644
--- a/java/broker/etc/config.xml
+++ b/java/broker/etc/config.xml
@@ -50,33 +50,35 @@
 <compressBufferOnQueue>false</compressBufferOnQueue>
 </advanced>
- <principal-databases>
- <principal-database>
- <name>passwordfile</name>
- <class>org.apache.qpid.server.security.auth.database.PlainPasswordVhostFilePrincipalDatabase</class>
- <attributes>
- <attribute>
- <name>passwordFile</name>
- <value>${conf}/passwdVhost</value>
- </attribute>
- </attributes>
- </principal-database>
+ <security>
+ <principal-databases>
+ <principal-database>
+ <name>passwordfile</name>
+ <class>org.apache.qpid.server.security.auth.database.PlainPasswordVhostFilePrincipalDatabase</class>
+ <attributes>
+ <attribute>
+ <name>passwordFile</name>
+ <value>${conf}/passwdVhost</value>
+ </attribute>
+ </attributes>
+ </principal-database>
- <principal-database>
- <name>md5passwordfile</name>
- <class>org.apache.qpid.server.security.auth.database.MD5PasswordFilePrincipalDatabase</class>
- <attributes>
- <attribute>
- <name>passwordFile</name>
- <value>${conf}/md5passwd</value>
- </attribute>
- </attributes>
- </principal-database>
- </principal-databases>
+ <!--principal-database>
+ <name>md5passwordfile</name>
+ <class>org.apache.qpid.server.security.auth.database.MD5PasswordFilePrincipalDatabase</class>
+ <attributes>
+ <attribute>
+ <name>passwordFile</name>
+ <value>${conf}/md5passwd</value>
+ </attribute>
+ </attributes>
+ </principal-database-->
+ </principal-databases>
- <access>
- <class>org.apache.qpid.server.security.access.AllowAll</class>
- </access>
+ <access>
+ <class>org.apache.qpid.server.security.access.AllowAll</class>
+ </access>
+ </security>
 <virtualhosts>
 <virtualhost>
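Review bot: The `md5passwordfile` database is disabled by wrapping it in an XML comment, but nothing says why, and the disabled block is easy to mistake for live configuration; a line above it such as `<!-- md5passwordfile disabled: <reason> -->` would make the intent explicit. The new broker-level `<security>` element shares its name with the per-virtualhost `<security>` visible in the next hunk, and the Java changes in this commit look keys up under `security.principal-databases...` and `security.access...`, so a comment stating that those paths refer to this top-level element would help readers. The shipped `<access>` class stays `org.apache.qpid.server.security.access.AllowAll`, which the same comment could note so this file is not read as a hardened default.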
@@ -89,7 +91,7 @@
 </store>
 <security>
- <!-- Need protocol changes to allow this-->
+ <!-- Need protocol changes to allow this-->
 <authentication>
 <name>passwordfile</name>
 <!-- Currently this can't be used as Vhost isn't specified at connection start only connection open -->
@@ -161,3 +163,5 @@
 <virtualhosts>${conf}/virtualhosts.xml</virtualhosts>
 </broker>
+
+
diff --git a/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionStartOkMethodHandler.java b/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionStartOkMethodHandler.java
index d8a20071b9..6c14aae7ed 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionStartOkMethodHandler.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionStartOkMethodHandler.java
@@ -75,9 +75,10 @@ public class ConnectionStartOkMethodHandler implements StateAwareMethodListener<
 if (ss == null)
 {
- throw body.getConnectionException(AMQConstant.RESOURCE_ERROR, "Unable to create SASL Server");
+ throw body.getConnectionException(AMQConstant.RESOURCE_ERROR, "Unable to create SASL Server:" + body.mechanism
+ );
 }
-
+
 session.setSaslServer(ss);
 AuthenticationResult authResult = authMgr.authenticate(ss, body.response);
@@ -152,3 +153,4 @@ public class ConnectionStartOkMethodHandler implements StateAwareMethodListener<
 }
+
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManagerImpl.java b/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManagerImpl.java
index 0b022aa8f7..0feb2791da 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManagerImpl.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessManagerImpl.java
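Review bot: The new exception message splices `body.mechanism` directly after the colon with no separator and leaves `);` dangling on its own line; `"Unable to create SASL Server: " + body.mechanism);` on one line reads better. `body.mechanism` is the mechanism name the client sent in Connection.StartOk, so the reply now echoes client input back to the client, which is acceptable for a name, but nothing in this hunk records the failed attempt server-side, and an unsupported-mechanism request is a useful detection signal — log it at the same point if the handler has a logger (the rest of the method is outside the hunk). `RESOURCE_ERROR` also reads oddly for a mechanism the broker does not support, which is a client-side error; a short comment on why that code was chosen, or a not-implemented code if `AMQConstant` defines one, would help.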
@@ -74,7 +74,7 @@ public class AccessManagerImpl implements AccessManager
 private void initialiseAccessControl(AccessManager accessManager, Configuration config) throws ConfigurationException
 {
- String baseName = "access.attributes.attribute.";
+ String baseName = "security.access.attributes.attribute.";
 List<String> argumentNames = config.getList(baseName + "name");
 List<String> argumentValues = config.getList(baseName + "value");
 for (int i = 0; i < argumentNames.size(); i++)
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalDatabaseAccessManager.java b/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalDatabaseAccessManager.java
index d41e5dfb94..0e447b5744 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalDatabaseAccessManager.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalDatabaseAccessManager.java
@@ -33,7 +33,7 @@ public class PrincipalDatabaseAccessManager implements AccessManager
 public PrincipalDatabaseAccessManager()
 {
- _default = ApplicationRegistry.getInstance().getAccessManager();
+ _default = null;
 }
 public void setDefaultAccessManager(String defaultAM)
@@ -64,7 +64,14 @@ public class PrincipalDatabaseAccessManager implements AccessManager
 if (_database == null)
 {
- result = _default.isAuthorized(accessObject, username);
+ if (_default != null)
+ {
+ result = _default.isAuthorized(accessObject, username);
+ }
+ else
+ {
+ throw new RuntimeException("Principal Database and default Access Manager are both null unable to perform Access Control");
+ }
 }
 else
 {
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/ConfigurationFilePrincipalDatabaseManager.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/ConfigurationFilePrincipalDatabaseManager.java
index dde4ce7c4d..0c35206dd3 100644
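Review bot: The loop that follows the changed key prefix is bounded by `argumentNames.size()` while `argumentValues` is read from a separate list (the loop body is outside the hunk, but the two lists are presumably indexed in parallel), so a configuration with an `attribute` that has a `name` but no `value` under the new `security.access.attributes.attribute.` prefix would fail with an index error instead of a configuration error. Add `if (argumentNames.size() != argumentValues.size()) { throw new ConfigurationException("access attribute name/value count mismatch"); }` before the `for`; the method already declares `ConfigurationException`, so no signature change is needed. A comment on `baseName` noting that the prefix is relative to the broker-level `security` element would also help, since config.xml has a per-virtualhost `security` element of the same name.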
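Review bot: `isAuthorized` now throws a bare `RuntimeException` from inside the authorization check when neither a principal database nor a default manager is set; failing closed is the right outcome, but it surfaces on every request instead of at start-up, and a generic `RuntimeException` is hard for callers to tell apart from an unexpected fault. Use `IllegalStateException` here and reject the misconfiguration once, when the database or default manager is set (both setters are outside the hunk), so a broker with no usable access manager does not start. In the constructor hunk `_default = null;` only restates the field default; since the `ApplicationRegistry` lookup was removed deliberately, a comment such as `// no registry fallback: a default manager must be configured explicitly` would explain the intent better than the assignment.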
--- a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/ConfigurationFilePrincipalDatabaseManager.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/ConfigurationFilePrincipalDatabaseManager.java
@@ -38,7 +38,7 @@ public class ConfigurationFilePrincipalDatabaseManager implements PrincipalDatab
 {
 private static final Logger _logger = Logger.getLogger(ConfigurationFilePrincipalDatabaseManager.class);
- private static final String _base = "principal-databases.principal-database";
+ private static final String _base = "security.principal-databases.principal-database";
 Map<String, PrincipalDatabase> _databases;
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/MD5PasswordFilePrincipalDatabase.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/MD5PasswordFilePrincipalDatabase.java
index 98fca99aa3..c24a5f21e9 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/MD5PasswordFilePrincipalDatabase.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/MD5PasswordFilePrincipalDatabase.java
@@ -21,7 +21,6 @@ package org.apache.qpid.server.security.auth.database;
 import org.apache.log4j.Logger;
-import org.apache.qpid.server.security.auth.database.PrincipalDatabase;
 import org.apache.qpid.server.security.auth.sasl.AuthenticationProviderInitialiser;
 import org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5Initialiser;
 import org.apache.qpid.server.security.auth.sasl.plain.PlainInitialiser;
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
index 6770baaece..3abdd9a7ff 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
@@ -23,6 +23,7 @@ package org.apache.qpid.server.security.auth.database;
 import org.apache.log4j.Logger;
 import org.apache.qpid.server.security.auth.database.PrincipalDatabase;
 import org.apache.qpid.server.security.auth.sasl.AuthenticationProviderInitialiser;
+import org.apache.qpid.server.security.auth.sasl.amqplain.AmqPlainInitialiser;
 import org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5Initialiser;
 import org.apache.qpid.server.security.auth.sasl.plain.PlainInitialiser;
@@ -49,11 +50,11 @@ public class PlainPasswordFilePrincipalDatabase implements PrincipalDatabase
 {
 private static final Logger _logger = Logger.getLogger(PlainPasswordFilePrincipalDatabase.class);
- private File _passwordFile;
+ protected File _passwordFile;
- private Pattern _regexp = Pattern.compile(":");
+ protected Pattern _regexp = Pattern.compile(":");
- private Map<String, AuthenticationProviderInitialiser> _saslServers;
+ protected Map<String, AuthenticationProviderInitialiser> _saslServers;
 public PlainPasswordFilePrincipalDatabase()
 {
@@ -63,6 +64,10 @@ public class PlainPasswordFilePrincipalDatabase implements PrincipalDatabase
 * Create Authenticators for Plain Password file.
 */
+ // Accept AMQPlain incomming and compare it to the file.
+ AmqPlainInitialiser amqplain = new AmqPlainInitialiser();
+ amqplain.initialise(this);
+
 // Accept Plain incomming and compare it to the file.
 PlainInitialiser plain = new PlainInitialiser();
 plain.initialise(this);
@@ -71,6 +76,7 @@ public class PlainPasswordFilePrincipalDatabase implements PrincipalDatabase
 CRAMMD5Initialiser cram = new CRAMMD5Initialiser();
 cram.initialise(this);
+ _saslServers.put(amqplain.getMechanismName(), amqplain);
 _saslServers.put(plain.getMechanismName(), plain);
 _saslServers.put(cram.getMechanismName(), cram);
 }
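Review bot: `_passwordFile`, `_regexp` and `_saslServers` are widened from `private` to `protected` in the second hunk so the subclass can read them, but that also lets any subclass reassign them; `_regexp` never changes after initialisation and could be `protected static final Pattern _regexp = Pattern.compile(":");`, while the other two would be safer kept `private` with protected getters. The constructor hunk registers AMQPLAIN next to PLAIN, so every database of this type — and, since the Vhost subclass now inherits this constructor, that one too — offers a second mechanism that carries the password in the clear; a comment such as `// AMQPLAIN sends the password in cleartext like PLAIN; relies on transport protection` would document that for operators reading the mechanism list. The new comment also copies the existing "incomming" typo.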
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordVhostFilePrincipalDatabase.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordVhostFilePrincipalDatabase.java
index 37d883769a..c8318d6e64 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordVhostFilePrincipalDatabase.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordVhostFilePrincipalDatabase.java
@@ -49,122 +49,10 @@ import java.security.Principal;
 *
 * where a carriage return separates each username/password pair. Passwords are assumed to be in plain text.
 */
-public class PlainPasswordVhostFilePrincipalDatabase implements PrincipalDatabase, AccessManager
+public class PlainPasswordVhostFilePrincipalDatabase extends PlainPasswordFilePrincipalDatabase implements AccessManager
 {
 private static final Logger _logger = Logger.getLogger(PlainPasswordVhostFilePrincipalDatabase.class);
- private File _passwordFile;
-
- private Pattern _regexp = Pattern.compile(":");
-
- private Map<String, AuthenticationProviderInitialiser> _saslServers;
-
- public PlainPasswordVhostFilePrincipalDatabase()
- {
- _saslServers = new HashMap<String, AuthenticationProviderInitialiser>();
-
- /**
- * Create Authenticators for Plain Password file.
- */
-
- // Accept Plain incomming and compare it to the file.
- PlainInitialiser plain = new PlainInitialiser();
- plain.initialise(this);
-
- // Accept MD5 incomming and Hash file value for comparison
- CRAMMD5Initialiser cram = new CRAMMD5Initialiser();
- cram.initialise(this);
-
- _saslServers.put(plain.getMechanismName(), plain);
- _saslServers.put(cram.getMechanismName(), cram);
- }
-
- public void setPasswordFile(String passwordFile) throws FileNotFoundException
- {
- File f = new File(passwordFile);
- _logger.info("PlainPasswordFile using file " + f.getAbsolutePath());
- _passwordFile = f;
- if (!f.exists())
- {
- throw new FileNotFoundException("Cannot find password file " + f);
- }
- if (!f.canRead())
- {
- throw new FileNotFoundException("Cannot read password file " + f +
- ". 
Check permissions.");
- }
- }
-
- public void setPassword(Principal principal, PasswordCallback callback) throws IOException,
- AccountNotFoundException
- {
- if (_passwordFile == null)
- {
- throw new AccountNotFoundException("Unable to locate principal since no password file was specified during initialisation");
- }
- if (principal == null)
- {
- throw new IllegalArgumentException("principal must not be null");
- }
- char[] pwd = lookupPassword(principal.getName());
- if (pwd != null)
- {
- callback.setPassword(pwd);
- }
- else
- {
- throw new AccountNotFoundException("No account found for principal " + principal);
- }
- }
-
- public Map<String, AuthenticationProviderInitialiser> getMechanisms()
- {
- return _saslServers;
- }
-
-
- /**
- * Looks up the password for a specified user in the password file. Note this code is <b>not</b> secure since it
- * creates strings of passwords. It should be modified to create only char arrays which get nulled out.
- *
- * @param name
- *
- * @return
- *
- * @throws java.io.IOException
- */
- private char[] lookupPassword(String name) throws IOException
- {
- BufferedReader reader = null;
- try
- {
- reader = new BufferedReader(new FileReader(_passwordFile));
- String line;
-
- while ((line = reader.readLine()) != null)
- {
- String[] result = _regexp.split(line);
- if (result == null || result.length < 2)
- {
- continue;
- }
-
- if (name.equals(result[0]))
- {
- return result[1].toCharArray();
- }
- }
- return null;
- }
- finally
- {
- if (reader != null)
- {
- reader.close();
- }
- }
- }
-
 /**
 * Looks up the virtual hosts for a specified user in the password file.
 *
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java
index d0862fbb63..0546bbb81e 100644
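Review bot: With its own constructor removed, this class now inherits the parent constructor, which in the same commit also registers AMQPLAIN, so the mechanism set advertised by the Vhost database changes without anything in this file showing it; a class-level Javadoc line such as `SASL mechanisms are those registered by PlainPasswordFilePrincipalDatabase (PLAIN, AMQPLAIN, CRAM-MD5)` would make that visible. The virtual-host lookup whose Javadoc closes the hunk lies outside it and presumably now reads the inherited protected `_passwordFile`/`_regexp`, which is worth stating in a comment since those fields are no longer declared here. The import block above the hunk is not shown but likely still carries imports that only the removed code used (BufferedReader, FileReader, HashMap, PasswordCallback, PlainInitialiser, CRAMMD5Initialiser); trimming them would keep the file's dependencies honest. The removed Javadoc warning that password lookup builds Strings rather than char arrays should survive in the parent, since the behaviour it describes did not go away.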
--- a/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java
@@ -62,7 +62,7 @@ public class PrincipalDatabaseAuthenticationManager implements AuthenticationMan
 public PrincipalDatabaseAuthenticationManager(String name, Configuration hostConfig) throws Exception
 {
- _logger.info("Initialising " + (name == null ? " Default" : "'" + name + "'")
+ _logger.info("Initialising " + (name == null ? "Default" : "'" + name + "'")
 + " PrincipleDatabase authentication manager.");
 // Fixme This should be done per Vhost but allowing global hack isn't right but ...
|
