qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Domen Vrankar <domen.vran...@gmail.com>
Subject qpid cpp 0.34 get sender user Id on receiver side when using SSL authentication
Date Mon, 07 Mar 2016 13:20:13 GMT

I'm using qpid C++ 0.34 both for broker and client.
For authentication I'm using SSL without encryption.

What I'm trying to do is to set user Id on every sent message:
Reason for this is that I'd like to know on the receiver side who put
the message in the exchange on the sending side.
So now I have a few questions:

First of I was experimenting with different nicknames for nss database
and inside the certificate. Clients expect QPID_SSL_CERT_NAME to be
set to nss database nickname while user Id in message has to be set to
nickname inside of certificate (ACL file also has to contain the
nickname that is located inside of the certificate). Is there a way to
map/change the functionality so that nss database nickname would be
used in all cases?

Next I wanted to get user Id from connection
(connection_.getAuthenticatedUsername()) but I always got "dummy"
string. I traced that to SslConnector.cpp (getSecuritySettings
function) where the string is hardcoded. Is there a way to get user id
(certificate nickname) from this function?
I tried to add this functionality myself:
In SslSocket.cpp:
std::string SslSocket::getCertNickname() const
    std::string nickname;
    CERTCertificate* cert = SSL_LocalCertificate(nssSocket);
    if (cert) {
        nickname = cert->nickname;
    return nickname;
There is already function getClientAuthId but on client side this
returns server cert domain (which in my case is the same as
gettingserver cert nickname - not certain if that is always the
In SslConnector.cpp function getSecuritySettings():

std::string nickname(socket.getCertNickname());
securitySettings.authid = (nickname.size() ? nickname + "@QPID" :
"dummy"); //"dummy";//set to non-empty string to enable external

I'm not certain if this solution is OK/would be something that would
be accepted by qpid devs?
Also there is an issue that "@QPID" part is hardcoded and I'm not
certain if this is always true. Maybe this part should be attached
somewhere else (right before return of getAuthenticatedUsername()?
Haven't checked how that code is connected)?

My last question is if I am even on the right track and could this
(knowing who sent the message on the receiving side from
authentication data) be done any other simpler way that I missed?


To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org

View raw message