From gtu...@apache.org
Subject [activemq-artemis] branch master updated: ARTEMIS-2895 - ensure propagated credentials are visible for bind and removed for subsequent mapping operations
Date Mon, 07 Sep 2020 15:33:32 GMT
This is an automated email from the ASF dual-hosted git repository.

gtully pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git


The following commit(s) were added to refs/heads/master by this push:
     new ec1c5a9  ARTEMIS-2895 - ensure propagated credentials are visible for bind and removed
for subsequent mapping operations
ec1c5a9 is described below

commit ec1c5a96c74b24f2c9a6f0919a1a180721c5c6b9
Author: gtully <gary.tully@gmail.com>
AuthorDate: Mon Sep 7 16:32:57 2020 +0100

    ARTEMIS-2895 - ensure propagated credentials are visible for bind and removed for subsequent
mapping operations
---
 .../spi/core/security/jaas/LDAPLoginModule.java    |  2 +
 .../core/security/jaas/LDAPLoginModuleTest.java    | 48 +++++++++++++++++++++-
 artemis-server/src/test/resources/login.config     | 20 +++++++++
 docs/user-manual/en/security.md                    |  2 +-
 4 files changed, 70 insertions(+), 2 deletions(-)

diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
index 8def766..392fdc7 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
@@ -587,6 +587,7 @@ public class LDAPLoginModule implements AuditLoginModule {
       if (logger.isDebugEnabled()) {
          logger.debug("Binding the user.");
       }
+      context.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
       context.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
       context.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
       try {
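Review bot: Forcing `simple` on the line before the principal/credentials are set is only safe if `password` is guaranteed non-empty at this point; under a simple bind, a DN combined with an empty credential is treated by directory servers as an unauthenticated bind that succeeds, so an empty password would be accepted as a valid login. If the caller does not already reject that case (the earlier checks are outside the hunk), add a guard before the `addToEnvironment` calls, e.g. `if (password == null || password.isEmpty()) { return false; }` (adjust for the actual type of `password`). A why-comment on the new line would also help future readers: `// force a simple bind so the user's own DN/password are actually sent, even when the shared connection is configured with authentication=none`. The enclosing method starts before and ends after this hunk.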
@@ -612,6 +613,7 @@ public class LDAPLoginModule implements AuditLoginModule {
       } else {
          context.removeFromEnvironment(Context.SECURITY_CREDENTIALS);
       }
+      context.addToEnvironment(Context.SECURITY_AUTHENTICATION, getLDAPPropertyValue(AUTHENTICATION));
 
       return isValid;
    }
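Review bot: The `addToEnvironment(Context.SECURITY_AUTHENTICATION, getLDAPPropertyValue(AUTHENTICATION))` restore sits after the `try`/`else` block, so it only runs when control reaches `return isValid`; if the `try` around the bind (which starts in the previous hunk) can return early or rethrow, the context is left in `simple` mode with the user's credentials still present, which a `finally` block holding the credential removal and this reset would avoid. In the visible `else` branch only `SECURITY_CREDENTIALS` is removed while `SECURITY_PRINCIPAL` keeps the user's DN; unless the `if` branch above the hunk resets it, `context.removeFromEnvironment(Context.SECURITY_PRINCIPAL);` next to the credentials removal keeps the shared context from carrying a stale principal into the subsequent mapping operations the commit message describes. The enclosing method starts before this hunk.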
diff --git a/artemis-server/src/test/java/org/apache/activemq/artemis/core/security/jaas/LDAPLoginModuleTest.java
b/artemis-server/src/test/java/org/apache/activemq/artemis/core/security/jaas/LDAPLoginModuleTest.java
index b52a717..3842dbf 100644
--- a/artemis-server/src/test/java/org/apache/activemq/artemis/core/security/jaas/LDAPLoginModuleTest.java
+++ b/artemis-server/src/test/java/org/apache/activemq/artemis/core/security/jaas/LDAPLoginModuleTest.java
@@ -62,7 +62,7 @@ import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
 @RunWith(FrameworkRunner.class)
-@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port = 1024)})
+@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port = 1024)}, allowAnonymousAccess
= true)
 @ApplyLdifFiles("test.ldif")
 public class LDAPLoginModuleTest extends AbstractLdapTestUnit {
 
@@ -230,6 +230,52 @@ public class LDAPLoginModuleTest extends AbstractLdapTestUnit {
       assertTrue("sessions still active after logout", waitFor(() -> ldapServer.getLdapSessionManager().getSessions().length
== 0));
    }
 
+
+   @Test
+   public void testAuthenticatedViaBindOnAnonConnection() throws Exception {
+      LoginContext context = new LoginContext("AnonBindCheckUserLDAPLogin", new CallbackHandler()
{
+         @Override
+         public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
+            for (int i = 0; i < callbacks.length; i++) {
+               if (callbacks[i] instanceof NameCallback) {
+                  ((NameCallback) callbacks[i]).setName("first");
+               } else if (callbacks[i] instanceof PasswordCallback) {
+                  ((PasswordCallback) callbacks[i]).setPassword("wrongSecret".toCharArray());
+               } else {
+                  throw new UnsupportedCallbackException(callbacks[i]);
+               }
+            }
+         }
+      });
+      try {
+         context.login();
+         fail("Should have failed authenticating");
+      } catch (FailedLoginException expected) {
+      }
+      assertTrue("sessions still active after logout", waitFor(() -> ldapServer.getLdapSessionManager().getSessions().length
== 0));
+   }
+
+   @Test
+   public void testAuthenticatedOkViaBindOnAnonConnection() throws Exception {
+      LoginContext context = new LoginContext("AnonBindCheckUserLDAPLogin", new CallbackHandler()
{
+         @Override
+         public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
+            for (int i = 0; i < callbacks.length; i++) {
+               if (callbacks[i] instanceof NameCallback) {
+                  ((NameCallback) callbacks[i]).setName("first");
+               } else if (callbacks[i] instanceof PasswordCallback) {
+                  ((PasswordCallback) callbacks[i]).setPassword("secret".toCharArray());
+               } else {
+                  throw new UnsupportedCallbackException(callbacks[i]);
+               }
+            }
+         }
+      });
+      context.login();
+      context.logout();
+      assertTrue("sessions still active after logout", waitFor(() -> ldapServer.getLdapSessionManager().getSessions().length
== 0));
+   }
+
    @Test
    public void testCommitOnFailedLogin() throws LoginException {
       LoginModule loginModule = new LDAPLoginModule();
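Review bot: `testAuthenticatedViaBindOnAnonConnection` and its assertion message do not describe what it checks — the test expects a `FailedLoginException` for a wrong password and never calls `logout()`, so the name reads as a success case and "sessions still active after logout" is misleading on failure; rename it to something like `testAuthenticationFailsViaBindOnAnonConnection` and use `"sessions still active after failed login"`. The two anonymous `CallbackHandler`s differ only in the password string; a private helper such as `CallbackHandler handlerFor(String name, String password)` would remove the duplication and make the wrong-vs-right password contrast the only visible difference between the tests. The empty `catch (FailedLoginException expected) { }` is fine as the expected path but deserves a one-line comment, e.g. `// wrong password must be rejected by the forced simple bind`.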
diff --git a/artemis-server/src/test/resources/login.config b/artemis-server/src/test/resources/login.config
index 26791d9..3de9f51 100644
--- a/artemis-server/src/test/resources/login.config
+++ b/artemis-server/src/test/resources/login.config
@@ -89,6 +89,26 @@ UnAuthenticatedLDAPLogin {
         ;
 };
 
+AnonBindCheckUserLDAPLogin {
+    org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
+        debug=true
+        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
+        connectionURL="ldap://localhost:1024"
+        connectionUsername=none
+        connectionPassword=none
+        connectionProtocol=s
+        authentication=none
+        authenticateUser=true
+        userBase="ou=system"
+        userSearchMatching="(uid={0})"
+        userSearchSubtree=false
+        roleBase="ou=system"
+        roleName=cn
+        roleSearchMatching="(member=uid={1},ou=system)"
+        roleSearchSubtree=false
+        ;
+};
+
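Review bot: In the new `AnonBindCheckUserLDAPLogin` entry the values `connectionUsername=none` and `connectionPassword=none` are easy to misread as being related to `authentication=none`; they are ordinary strings that the module presumably ignores once the connection authentication is `none`, but that is not visible here. Either drop the two keys if the module tolerates their absence, or add a comment above the entry, e.g. `# connection credentials are placeholders: authentication=none makes the shared connection anonymous, user credentials are only sent via the per-user bind`, so the next reader does not assume the test relies on a literal "none" account.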
 ExpandedLDAPLogin {
     org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
         debug=true
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index 7ba7da8..41fb770 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@@ -769,7 +769,7 @@ system. It is implemented by
 
 - `authenticateUser` - boolean flag to disable authentication. Useful as an
   optimisation when this module is used just for role mapping of a Subject's
-  existing authenticated principals; default is `false`.
+  existing authenticated principals; default is `true`.
 
 - `referral` - specify how to handle referrals; valid values: `ignore`,
   `follow`, `throw`; default is `ignore`.

