activemq-commits mailing list archives

From clebertsuco...@apache.org
Subject [1/5] activemq-artemis git commit: [ARTEMIS-1310] require mechanism to be explicitly enabled
Date Tue, 08 Aug 2017 17:34:00 GMT
Repository: activemq-artemis
Updated Branches:
  refs/heads/master 766f412c6 -> d0a9d017d


[ARTEMIS-1310] require mechanism to be explicitly enabled


Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/db62ed92
Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/db62ed92
Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/db62ed92

Branch: refs/heads/master
Commit: db62ed92f7f48067b642d0975d2a14dab1926f61
Parents: 9fedb47
Author: gtully <gary.tully@gmail.com>
Authored: Wed Aug 2 15:05:50 2017 +0100
Committer: Clebert Suconic <clebertsuconic@apache.org>
Committed: Tue Aug 8 13:28:50 2017 -0400

----------------------------------------------------------------------
 .../protocol/amqp/sasl/MechanismFinder.java     |  2 +-
 docs/user-manual/en/security.md                 | 24 ++++++++++++--------
 2 files changed, 16 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/db62ed92/artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/sasl/MechanismFinder.java
----------------------------------------------------------------------
diff --git a/artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/sasl/MechanismFinder.java
b/artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/sasl/MechanismFinder.java
index 4a8b420..fd24a5d 100644
--- a/artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/sasl/MechanismFinder.java
+++ b/artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/sasl/MechanismFinder.java
@@ -19,7 +19,7 @@ package org.apache.activemq.artemis.protocol.amqp.sasl;
 
 public class MechanismFinder {
 
-   public static String[] KNOWN_MECHANISMS = new String[]{PlainSASL.NAME, GSSAPIServerSASL.NAME,
AnonymousServerSASL.NAME};
+   public static String[] KNOWN_MECHANISMS = new String[]{PlainSASL.NAME, AnonymousServerSASL.NAME};
 
    public static String[] getKnownMechanisms() {
       return KNOWN_MECHANISMS;
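Review bot: KNOWN_MECHANISMS remains a `public static` non-final array, so the "must be explicitly enabled" policy this commit introduces is only advisory: any caller can mutate the array (or the reference handed back by getKnownMechanisms()) and put GSSAPIServerSASL.NAME back at runtime. Suggest `private static final String[] KNOWN_MECHANISMS = ...` with getKnownMechanisms() returning a copy. Dropping GSSAPI from the default list is the right default (an acceptor that has no Kerberos login scope configured should not advertise a mechanism it cannot complete, leaving only PlainSASL and AnonymousServerSASL offered unless the operator opts in), but nothing in this hunk shows the path by which a GSSAPI entry in the acceptor's saslMechanisms list is now resolved to GSSAPIServerSASL; a unit test that sets saslMechanisms=GSSAPI and asserts the mechanism is still offered would guard against it silently becoming unreachable.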

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/db62ed92/docs/user-manual/en/security.md
----------------------------------------------------------------------
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index 9173f2f..e77a0dd 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@@ -651,19 +651,25 @@ The simplest way to make the login configuration available to JAAS is
to add the
 
 ### Kerberos Authentication
 
-The [https://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html]
-can be used with JAAS on both the client and server to authenticate with Kerberos.
+The [Krb5LoginModule](https://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html)
+can be used with JAAS to authenticate using the Kerberos protocol.
 
-Using SASL over AMQP, Kerberos authentication is supported using the `GSSAPI` SASL mechanism.
By default the server will use a
-JAAS login configuration scope named `amqp-sasl-gssapi` to obtain it acceptor Kerberos credentials.
The config scope can be
-specified explicitly on the amqp acceptor url using the parameter: `saslLoginConfigScope=<some
other scope>`.
+Using SASL over [AMQP](using-AMQP.md), Kerberos authentication is supported using the `GSSAPI`
SASL mechanism. With SASL doing Kerberos
+authentication, TLS can be used to provide integrity and confidentially to the communications
channel in the normal way.
+The `GSSAPI` SASL mechanism must be enabled on the amqp acceptor by adding it to the `saslMechanisms`
list url parameter:
+`saslMechanisms="GSSAPI<,PLAIN, etc>`.
 
-On the server, the Kerberos authenticated peer Principal can be extracted from the calling
context as a UserPrincipal
-using a dedicated login module:
+By default the server will use a JAAS login configuration scope named `amqp-sasl-gssapi`
to obtain acceptor Kerberos
+credentials. An alternative configuration scope can be specified on the amqp acceptor url
using the parameter: `saslLoginConfigScope=<some other scope>`.
 
-   org.apache.activemq.artemis.spi.core.security.jaas.Krb5LoginModule
+On the server, the Kerberos authenticated Peer Principal can be associated with a JAAS Subject
as an Apache ActiveMQ Artemis UserPrincipal
+using the Apache ActiveMQ Artemis Krb5LoginModule login module. The [PropertiesLoginModule](#propertiesloginmodule)
can be used to map
+the peer principal to a role.
+Note: the Kerberos Peer Principal does not exist as an Apache ActiveMQ Artemis user.
 
-The legacy [http://www.ietf.org/rfc/rfc2712.txt] defines TLS Kerberos cipher suites that
can be used by TLS to negotiate
+    org.apache.activemq.artemis.spi.core.security.jaas.Krb5LoginModule optional;
+
+The legacy [rfc2712](http://www.ietf.org/rfc/rfc2712.txt) defines TLS Kerberos cipher suites
that can be used by TLS to negotiate
 Kerberos authentication. The cypher suites offered by rfc2712 are dated and insecure and
rfc2712 has been superseded by
 SASL GSSAPI. However, for clients that don't support SASL (core client), using TLS can provide
Kerberos authentication
 over an *unsecure* channel.
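Review bot: the saslMechanisms example in the added paragraph has an unbalanced quote and a placeholder that reads like literal syntax: `saslMechanisms="GSSAPI<,PLAIN, etc>` should be a concrete value such as `saslMechanisms=GSSAPI,PLAIN` (with the quotes closed if the acceptor URL form needs them), since readers will paste it straight into broker.xml. Two further documentation points in the same hunk: `confidentially` should read `confidentiality`, and the `org.apache.activemq.artemis.spi.core.security.jaas.Krb5LoginModule optional;` snippet is separated from the sentence that introduces it by the "Note:" line and gives no reason for the flag being `optional` rather than `required`; moving the snippet directly under its sentence and adding one line on the flag choice (presumably so that connections authenticated by another mechanism sharing the same login configuration are not rejected) would make the section usable without reading the source. The `cypher` spelling in the unchanged context line could be fixed to `cipher` while this paragraph is being touched.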

