qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rajith Attapattu <rajit...@gmail.com>
Subject Re: svn commit: r742267 - in /qpid/trunk/qpid/java: client/src/main/java/org/apache/qpid/jms/ common/src/main/java/org/apache/qpid/transport/ tools/src/main/java/org/apache/qpid/tools/
Date Mon, 09 Feb 2009 16:36:41 GMT
Hello Martin,

Thanks for raising this point.
I was actually going to start a thread on this last night, but was a bit too
sleepy:).

I was aware of the CallBackHandlerRegistry and the related classes.
In fact I had some of that code duplicated in the common module that I
removed in rev 742269.
The "chooseMechanisms" method currently selects the very first match between
the broker and client supported mechanisms.
I noticed that the mechs specified in CallbackHandlerRegistry.properties are
arranged by strength and the strongest mech would be the first choice.
However it is difficult to force the client to use a particular mechanism on
a per connection basis.
(You could use the amq.callbackhandler.properties to specify a prop file
with only one mechanism to do the above, but this will be per JVM).

The only drawback in not using something like chooseMechanisms is that the
client may specify a mech (using the connection property) not supported by
the broker as we currently don't check our prefered mech is included in the
list provided by the broker. (I will be adding that very shortly).

But for the most parts organizations have very specify security requirements
and would mandate what the broker/clients should be using.
For people who don't care PLAIN will work out of the box with no additional
config.

Also looking at
http://java.sun.com/j2se/1.5.0/docs/guide/security/sasl/sasl-refguide.htmlwe
can get away with the simple UsernamePasswordCallbackHandler for all
the
mechanism we intend to support. Ex PLAIN, CRAM-MD5,DIGEST-MD5, GSSAPI
(doesn't use any callbacks), AMQPLAIN ..etc
Therefore I wouldn't think we need an elaborate mechanism like the
CallBackHandlerRegistry.

I see we have a UsernameHashedPasswordCallbackHandler that uses Digest MD5,
but I am not sure why we need to do that as we could easily use the
DIGEST-MD5 mech supported by most SASL implementations rather than writing
our own.
Appologies in advance if I missed something here, but I feel that the
UsernameHashedPasswordCallbackHandler is redundent.

So in conclusion I would think for simplicity it's best we default to PLAIN
and if a more secure method of auth is needed, then the user could specify
the mechanism(s) explicitly in the connection URL. I agree however that we
need to do a quick check of the preferred mechs with the list supplied by
the broker.

Regards,

Rajith

On Mon, Feb 9, 2009 at 5:27 AM, Martin Ritchie <ritchiem@apache.org> wrote:

> Hi Rajith,
>
> Why not use the CallBackHandlerRegistry to automatically pick the
> mechanism from the intersection of the supported mechanisms from the
> broker and client? Or is this more to say only use GSSAPI? Might still
> be nice to be able to automatically pick an available mechanism when
> you don't actually care about it.
>
> See ConnectionStartMethodHandler.chooseMechanism in the client.
>
> Cheers
>
> Martin
>
> 2009/2/9  <rajith@apache.org>:
> > Author: rajith
> > Date: Mon Feb  9 05:14:09 2009
> > New Revision: 742267
> >
> > URL: http://svn.apache.org/viewvc?rev=742267&view=rev
> > Log:
> > This is related to QPID-1645
> > Added support to specify the sasl_mechs as a space separated list in the
> connection URL.
> > By default it will use PLAIN.
> > You could provide a list of mechs to support or force to use one GASSAPI
> or CRAM-MD5 by specifying only that in the connection URL.
> >
> > Modified:
> >
>  qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java
> >
>  qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java
> >
>  qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/Connection.java
> >
>  qpid/trunk/qpid/java/tools/src/main/java/org/apache/qpid/tools/JNDICheck.java
> >
> > Modified:
> qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java
> > URL:
> http://svn.apache.org/viewvc/qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java?rev=742267&r1=742266&r2=742267&view=diff
> >
> ==============================================================================
> > ---
> qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java
> (original)
> > +++
> qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java
> Mon Feb  9 05:14:09 2009
> > @@ -35,6 +35,7 @@
> >     public static final String OPTIONS_CONNECT_TIMEOUT =
> "connecttimeout";
> >     public static final String OPTIONS_CONNECT_DELAY = "connectdelay";
> >     public static final String OPTIONS_IDLE_TIMEOUT = "idle_timeout";
> > +    public static final String OPTIONS_SASL_MECHS = "sasl_mechs";
> >     public static final int DEFAULT_PORT = 5672;
> >
> >     public static final String SOCKET = "socket";
> >
> > Modified:
> qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java
> > URL:
> http://svn.apache.org/viewvc/qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java?rev=742267&r1=742266&r2=742267&view=diff
> >
> ==============================================================================
> > ---
> qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java
> (original)
> > +++
> qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java
> Mon Feb  9 05:14:09 2009
> > @@ -46,12 +46,21 @@
> >     private String vhost;
> >     private String username;
> >     private String password;
> > -
> > -    public ClientDelegate(String vhost, String username, String
> password)
> > +    private String[] saslMechs;
> > +    private String protocol;
> > +    private String serverName;
> > +
> > +    public ClientDelegate(String vhost, String username, String
> password,String saslMechs)
> >     {
> >         this.vhost = vhost;
> >         this.username = username;
> >         this.password = password;
> > +        this.saslMechs = saslMechs.split(" ");
> > +
> > +        // Looks kinda of silly but the Sun SASL Kerberos client uses
> the
> > +        // protocol + servername as the service key.
> > +        this.protocol = System.getProperty("qpid.sasl_protocol","AMQP");
> > +        this.serverName =
> System.getProperty("qpid.sasl_server_name","localhost");
> >     }
> >
> >     public void init(Connection conn, ProtocolHeader hdr)
> > @@ -84,7 +93,7 @@
> >                 new UsernamePasswordCallbackHandler();
> >             handler.initialise(username, password);
> >             SaslClient sc = Sasl.createSaslClient
> > -                (new String[] {"PLAIN"}, null, "AMQP", "localhost",
> null, handler);
> > +                (saslMechs, null, protocol, serverName, null, handler);
> >             conn.setSaslClient(sc);
> >
> >             byte[] response = sc.hasInitialResponse() ?
> >
> > Modified:
> qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/Connection.java
> > URL:
> http://svn.apache.org/viewvc/qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/Connection.java?rev=742267&r1=742266&r2=742267&view=diff
> >
> ==============================================================================
> > ---
> qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/Connection.java
> (original)
> > +++
> qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/Connection.java
> Mon Feb  9 05:14:09 2009
> > @@ -161,14 +161,19 @@
> >     {
> >         connect(host, port, vhost, username, password, false);
> >     }
> > -
> > +
> >     public void connect(String host, int port, String vhost, String
> username, String password, boolean ssl)
> >     {
> > +        connect(host, port, vhost, username, password, false,"PLAIN");
> > +    }
> > +
> > +    public void connect(String host, int port, String vhost, String
> username, String password, boolean ssl,String saslMechs)
> > +    {
> >         synchronized (lock)
> >         {
> >             state = OPENING;
> >
> > -            delegate = new ClientDelegate(vhost, username, password);
> > +            delegate = new ClientDelegate(vhost, username,
> password,saslMechs);
> >
> >             IoTransport.connect(host, port, ConnectionBinding.get(this),
> ssl);
> >             send(new ProtocolHeader(1, 0, 10));
> >
> > Modified:
> qpid/trunk/qpid/java/tools/src/main/java/org/apache/qpid/tools/JNDICheck.java
> > URL:
> http://svn.apache.org/viewvc/qpid/trunk/qpid/java/tools/src/main/java/org/apache/qpid/tools/JNDICheck.java?rev=742267&r1=742266&r2=742267&view=diff
> >
> ==============================================================================
> > ---
> qpid/trunk/qpid/java/tools/src/main/java/org/apache/qpid/tools/JNDICheck.java
> (original)
> > +++
> qpid/trunk/qpid/java/tools/src/main/java/org/apache/qpid/tools/JNDICheck.java
> Mon Feb  9 05:14:09 2009
> > @@ -187,7 +187,7 @@
> >             print("ConnectionURL:");
> >             print(factory.getConnectionURL().toString());
> >             print("FailoverPolicy");
> > -            print(new
> FailoverPolicy(factory.getConnectionURL()).toString());
> > +            print(new
> FailoverPolicy(factory.getConnectionURL(),null).toString());
> >             print("");
> >         }
> >     }
> >
> >
> >
> > ---------------------------------------------------------------------
> > Apache Qpid - AMQP Messaging Implementation
> > Project:      http://qpid.apache.org
> > Use/Interact: mailto:commits-subscribe@qpid.apache.org
> >
> >
>
>
>
> --
> Martin Ritchie
>
> ---------------------------------------------------------------------
> Apache Qpid - AMQP Messaging Implementation
> Project:      http://qpid.apache.org
> Use/Interact: mailto:dev-subscribe@qpid.apache.org
>
>


-- 
Regards,

Rajith Attapattu
Red Hat
http://rajith.2rlabs.com/

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message