activemq-users mailing list archives

From "Hiram Chirino" <hi...@hiramchirino.com>
Subject Re: SSL with client authentication?
Date Thu, 20 Apr 2006 15:04:09 GMT
Hi Mike,

Thanks for the info!  So all the real magic is in:
((SSLSocket)socket).setNeedClientAuth(needClientAuth) and
((SSLSocket)socket).setWantClientAuth(wantClientAuth);

I'm going to apply a patch so you can do this and also set any other
properties on the socket.  First off, when binding a tcp transport,
you will be able to use "transport." prefix on properties to configure
the options on the transports the connector creates.  Secondly, you
will be able to configure options on the transport's socket using the
"socket." prefix on the transport options.

So if you need clientAuth on the sockets created by ssl transport
connector, you would use:
ssl://localhost:616167?transport.socket.needClientAuth=true

If this is OK with you, I'll go ahead and commit the change.

On 4/20/06, Gerdes, Mike <Mike.Gerdes@airbus.com> wrote:
>
> hi,
>
> I have implemented mutual authentication for AMQ by using needClientAuth and wantClientAuth.
> It can be set in the transportconnector as additional parameters e.g.
>
> <transportConnectors>
>        <transportConnector uri="ssl://localhost:61616?needClientAuth=true" discoveryUri="multicast://default"/>
>     </transportConnectors>
>
> I needed to modify two classes for this: TransportFactory and TcpTransportServer.
>
> To this mail I have attached the .diff files. It would be nice to see this feature in the next AMQ.
>
> I hope this helps.
>
> cya
>
> mike
>
> p.s. other ssl options can also be implemented in this way. It should be really easy to do so.
>
> --- D:\esb\TransportFactory.java        2006-04-03 00:21:14.000000000 +0200
> +++ D:\ActiveMQ\org\apache\activemq\transport\TransportFactory.java     2006-04-20 14:27:29.812412800
+0200
> @@ -111,6 +111,8 @@
>      public Transport doConnect(URI location) throws Exception {
>          try {
>              Map options = new HashMap(URISupport.parseParamters(location));
> +            IntrospectionSupport.extractProperties(options, "needClientAuth");
> +            IntrospectionSupport.extractProperties(options, "wantClientAuth");
>              WireFormat wf = createWireFormat(options);
>              Transport transport = createTransport(location, wf);
>              Transport rc = configure(transport, wf, options);
>
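Review bot: the return value of IntrospectionSupport.extractProperties is discarded on both added lines, so their only effect is to strip needClientAuth and wantClientAuth from options before createWireFormat and configure see them; a one-line comment stating that intent (the values themselves are consumed in TcpTransportServer, not in doConnect) would save the next reader from wondering whether something was forgotten here.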
> --- D:\esb\TcpTransportServer.java      2006-04-03 00:21:38.000000000 +0200
> +++ D:\ActiveMQ\org\apache\activemq\transport\tcp\TcpTransportServer.java       2006-04-20
15:00:31.001222400 +0200
> @@ -26,6 +26,12 @@
>  import java.net.URISyntaxException;
>  import java.net.UnknownHostException;
>  import java.util.HashMap;
> +import javax.net.ssl.SSLServerSocket;
> +import javax.net.ssl.SSLSocket;
> +
> +import org.apache.activemq.util.IntrospectionSupport;
> +import org.apache.activemq.util.URISupport;
> +import java.util.Map;
>
>  import org.apache.activeio.command.WireFormat;
>  import org.apache.activeio.command.WireFormatFactory;
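Review bot: the new `import java.util.Map;` lands after the org.apache.activemq imports and a stray empty `+` line, separated from the `import java.util.HashMap;` it belongs next to; move it up with the other java.* imports and drop the blank line so the import block keeps the grouping the file already uses.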
> @@ -55,10 +61,14 @@
>      private long maxInactivityDuration = 30000;
>      private int minmumWireFormatVersion;
>      private boolean trace;
> +    private boolean needClientAuth;
> +    private boolean wantClientAuth;
>
>      public TcpTransportServer(URI location, ServerSocketFactory serverSocketFactory)
throws IOException, URISyntaxException {
>          super(location);
>          serverSocket = createServerSocket(location, serverSocketFactory);
> +        Map options = new HashMap(URISupport.parseParamters(location));
> +        IntrospectionSupport.setProperties(this, options);
>          serverSocket.setSoTimeout(2000);
>          updatePhysicalUri(location);
>      }
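Review bot: nothing inspects what remains in options after `IntrospectionSupport.setProperties(this, options);`, so a misspelled key (needclientauth instead of needClientAuth) is silently ignored and client authentication quietly stays off; suggest failing, or at least logging, when options is non-empty afterwards so the broker fails closed on an unrecognised SSL option. Also worth a comment that setProperties runs after createServerSocket, so these options can only affect state read later in run(), which is fine for the two flags added here.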
> @@ -111,14 +121,43 @@
>          this.trace = trace;
>      }
>
> -    /**
> +    public boolean isNeedClientAuth() {
> +               return needClientAuth;
> +       }
> +
> +       public void setNeedClientAuth(boolean needClientAuth) {
> +               this.needClientAuth = needClientAuth;
> +       }
> +
> +       public boolean isWantClientAuth() {
> +               return wantClientAuth;
> +       }
> +
> +       public void setWantClientAuth(boolean wantClientAuth) {
> +               this.wantClientAuth = wantClientAuth;
> +       }
> +
> +       /**
>       * pull Sockets from the ServerSocket
>       */
>      public void run() {
>          while (!isStopped()) {
> -            Socket socket = null;
> +
> +            Socket socket = null;
> +
>              try {
> -                socket = serverSocket.accept();
> +
> +               if (serverSocket instanceof SSLServerSocket){
> +                       socket = serverSocket.accept();
> +                       if (needClientAuth) {
> +                               ((SSLSocket)socket).setNeedClientAuth(needClientAuth);
> +                       } else {
> +                               ((SSLSocket)socket).setWantClientAuth(wantClientAuth);
> +                       }
> +               } else {
> +                       socket = serverSocket.accept();
> +               }
> +
>                  if (socket != null) {
>                      if (isStopped() || getAcceptListener() == null) {
>                          socket.close();
>
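Review bot: the per-accept branch casts every accepted socket and sets the flags on it, but javax.net.ssl.SSLServerSocket (already imported by this patch) has the same setNeedClientAuth/setWantClientAuth setters, so applying them once to serverSocket when it is created makes every accepted socket inherit the setting and lets run() keep the single `socket = serverSocket.accept();` line instead of duplicating it in both branches. Two smaller points: the else branch calls setWantClientAuth(wantClientAuth) even when wantClientAuth is false, which is harmless but reads as though a certificate is always requested; and the added methods use tab indentation while the surrounding file uses four spaces, which is why the unchanged `/**` javadoc line shows up as a -/+ pair. Finally, wantClientAuth only requests a certificate; with needClientAuth=false the handshake still succeeds for a client that presents none, so anything relying on wantClientAuth for authentication must still check the session's peer certificates.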


--
Regards,
Hiram
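The prefix scheme Hiram describes (transport. for the transport, then socket. for its socket), as an added example that is not ActiveMQ's own code: a hypothetical SslOptionRouting class peels off both prefixes, applies the socket options to an SSLSocket, and rejects unknown keys rather than ignoring them.

```java
import java.net.URI;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
// Hypothetical helper, not ActiveMQ code: routes "transport.socket.*" URI options onto an SSLSocket.
public class SslOptionRouting {
    // Parse the query part of a transport URI (assumed present) into key/value pairs.
    static Map<String, String> parseQuery(URI uri) {
        Map<String, String> options = new HashMap<>();
        for (String pair : uri.getRawQuery().split("&")) {
            int eq = pair.indexOf('=');
            options.put(pair.substring(0, eq), pair.substring(eq + 1));
        }
        return options;
    }
    // Remove the entries under a prefix and return them with the prefix stripped.
    static Map<String, String> extract(Map<String, String> options, String prefix) {
        Map<String, String> out = new HashMap<>();
        options.entrySet().removeIf(e -> {
            if (!e.getKey().startsWith(prefix)) return false;
            out.put(e.getKey().substring(prefix.length()), e.getValue());
            return true;
        });
        return out;
    }
    // Apply socket.* options; an unknown key is an error rather than silently ignored,
    // so a misspelled needClientAuth cannot leave client authentication off unnoticed.
    static void applySocketOptions(SSLSocket socket, Map<String, String> socketOptions) {
        for (Map.Entry<String, String> e : socketOptions.entrySet()) {
            boolean value = Boolean.parseBoolean(e.getValue());
            switch (e.getKey()) {
                case "needClientAuth": socket.setNeedClientAuth(value); break;
                case "wantClientAuth": socket.setWantClientAuth(value); break;
                default: throw new IllegalArgumentException("unknown socket option: " + e.getKey());
            }
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample URI using the two-level prefix scheme from the reply above.
        URI uri = new URI("ssl://localhost:61616?transport.socket.needClientAuth=true&transport.trace=true");
        Map<String, String> transportOptions = extract(parseQuery(uri), "transport.");
        Map<String, String> socketOptions = extract(transportOptions, "socket.");
        // An unconnected SSLSocket is enough to exercise the setters: no keystore or network needed.
        SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket();
        applySocketOptions(socket, socketOptions);
        // JSSE: setNeedClientAuth(true) also clears wantClientAuth, so "need" wins over "want".
        System.out.println("needClientAuth=" + socket.getNeedClientAuth() + " wantClientAuth=" + socket.getWantClientAuth());
        System.out.println("options left for the transport itself: " + transportOptions);
    }
}
```

After the two extract calls, transportOptions holds only trace=true, which is what the transport itself would consume.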
