All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.activemq.security.JaasDualAuthenticationBroker Maven / Gradle / Ivy

There is a newer version: 6.1.4
Show newest version
/**
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.activemq.security;

import java.security.cert.X509Certificate;

import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;
import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.broker.Connector;
import org.apache.activemq.broker.EmptyBroker;
import org.apache.activemq.broker.TransportConnector;
import org.apache.activemq.command.ActiveMQDestination;
import org.apache.activemq.command.ConnectionInfo;

/**
 * A JAAS Authentication Broker that uses different JAAS domain configurations
 * depending if the connection is over an SSL enabled Connector or not.
 *
 * This allows you to, for instance, do DN based authentication for SSL connections
 * and use a mixture of username/passwords and simple guest authentication for
 * non-SSL connections.
 * 

* An example login.config to do do this is: *

 * activemq-domain {
 *   org.apache.activemq.jaas.PropertiesLoginModule sufficient
 *       debug=true
 *       org.apache.activemq.jaas.properties.user="users.properties"
 *       org.apache.activemq.jaas.properties.group="groups.properties";
 *   org.apache.activemq.jaas.GuestLoginModule sufficient
 *       debug=true
 *       org.apache.activemq.jaas.guest.user="guest"
 *       org.apache.activemq.jaas.guest.group="guests";
 * };
 *
 * activemq-ssl-domain {
 *   org.apache.activemq.jaas.TextFileCertificateLoginModule required
 *       debug=true
 *       org.apache.activemq.jaas.textfiledn.user="dns.properties"
 *       org.apache.activemq.jaas.textfiledn.group="groups.properties";
 * };
 * 
*/ public class JaasDualAuthenticationBroker extends BrokerFilter implements AuthenticationBroker { private final JaasCertificateAuthenticationBroker sslBroker; private final JaasAuthenticationBroker nonSslBroker; /*** Simple constructor. Leaves everything to superclass. * * @param next The Broker that does the actual work for this Filter. * @param jaasConfiguration The JAAS domain configuration name for * non-SSL connections (refer to JAAS documentation). * @param jaasSslConfiguration The JAAS domain configuration name for * SSL connections (refer to JAAS documentation). */ public JaasDualAuthenticationBroker(Broker next, String jaasConfiguration, String jaasSslConfiguration) { super(next); this.nonSslBroker = new JaasAuthenticationBroker(new EmptyBroker(), jaasConfiguration); this.sslBroker = new JaasCertificateAuthenticationBroker(new EmptyBroker(), jaasSslConfiguration); } /** * Overridden to allow for authentication using different Jaas * configurations depending on if the connection is SSL or not. * * @param context The context for the incoming Connection. * @param info The ConnectionInfo Command representing the incoming * connection. */ @Override public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception { if (context.getSecurityContext() == null) { if (isSSL(context, info)) { this.sslBroker.addConnection(context, info); } else { this.nonSslBroker.addConnection(context, info); } super.addConnection(context, info); } } /** * Overriding removeConnection to make sure the security context is cleaned. */ @Override public void removeConnection(ConnectionContext context, ConnectionInfo info, Throwable error) throws Exception { super.removeConnection(context, info, error); if (isSSL(context, info)) { this.sslBroker.removeConnection(context, info, error); } else { this.nonSslBroker.removeConnection(context, info, error); } } private boolean isSSL(ConnectionContext context, ConnectionInfo info) throws Exception { boolean sslCapable = false; Connector connector = context.getConnector(); if (connector instanceof TransportConnector) { TransportConnector transportConnector = (TransportConnector) connector; sslCapable = transportConnector.getServer().isSslServer(); } // AMQ-5943, also check if transport context carries X509 cert if (!sslCapable && info.getTransportContext() instanceof X509Certificate[]) { sslCapable = true; } return sslCapable; } @Override public void removeDestination(ConnectionContext context, ActiveMQDestination destination, long timeout) throws Exception { // Give both a chance to clear out their contexts this.sslBroker.removeDestination(context, destination, timeout); this.nonSslBroker.removeDestination(context, destination, timeout); super.removeDestination(context, destination, timeout); } @Override public SecurityContext authenticate(String username, String password, X509Certificate[] peerCertificates) throws SecurityException { if (peerCertificates != null) { return this.sslBroker.authenticate(username, password, peerCertificates); } else { return this.nonSslBroker.authenticate(username, password, peerCertificates); } } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy