qpid-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPIDJMS-303) Add support for SASL GSSAPI Kerberos mechanism
Date Fri, 21 Jul 2017 13:15:00 GMT

    [ https://issues.apache.org/jira/browse/QPIDJMS-303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16096225#comment-16096225 ]

ASF GitHub Bot commented on QPIDJMS-303:
----------------------------------------

Github user gemmellr commented on a diff in the pull request:

    https://github.com/apache/qpid-jms/pull/10#discussion_r128747005
  
    --- Diff: qpid-jms-client/src/main/java/org/apache/qpid/jms/sasl/GssapiMechanism.java
---
    @@ -0,0 +1,163 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one or more
    + * contributor license agreements.  See the NOTICE file distributed with
    + * this work for additional information regarding copyright ownership.
    + * The ASF licenses this file to You under the Apache License, Version 2.0
    + * (the "License"); you may not use this file except in compliance with
    + * the License.  You may obtain a copy of the License at
    + *
    + *      http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.qpid.jms.sasl;
    +
    +import javax.security.auth.Subject;
    +import javax.security.auth.login.AppConfigurationEntry;
    +import javax.security.auth.login.Configuration;
    +import javax.security.auth.login.LoginContext;
    +import javax.security.sasl.Sasl;
    +import javax.security.sasl.SaslClient;
    +import javax.security.sasl.SaslException;
    +import java.security.Principal;
    +import java.security.PrivilegedActionException;
    +import java.security.PrivilegedExceptionAction;
    +import java.util.HashMap;
    +import java.util.Map;
    +
    +/**
    + * Implements the GSSAPI sasl authentication Mechanism.
    + */
    +public class GssapiMechanism extends AbstractMechanism {
    +
    +    public static final String NAME = "GSSAPI";
    +    private Subject subject;
    +    private SaslClient saslClient;
    +    private String protocol = "amqp";
    +    private String server = null;
    +    private String configScope = null;
    +
    +    // a gss/sasl service name, x@y, morphs to a krbPrincipal a/y@REALM
    +
    +    @Override
    +    public int getPriority() {
    +        return PRIORITY.LOW.getValue();
    +    }
    +
    +    @Override
    +    public String getName() {
    +        return NAME;
    +    }
    +
    +    @Override
    +    public byte[] getInitialResponse() throws SaslException {
    +        try {
    +            LoginContext loginContext = null;
    +            if (configScope != null) {
    +                loginContext = new LoginContext(configScope);
    +            } else {
    +                // inline keytab config using user as principal
    +                loginContext = new LoginContext("", null, null,
    +                        kerb5InlineConfig(getUsername(), true));
    +            }
    +            loginContext.login();
    +            subject = loginContext.getSubject();
    +
    +            return Subject.doAs(subject, new PrivilegedExceptionAction<byte[]>()
{
    +
    +                @Override
    +                public byte[] run() throws Exception {
    +                    saslClient = Sasl.createSaslClient(new String[]{getName()}, null,
protocol, server, null, null);
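
Review bot: In getInitialResponse(), the Sasl.createSaslClient(...) call passes null for the props argument, so the client is created with the provider defaults and mutual authentication is never requested; the broker's identity is then not verified at the SASL layer. Consider passing a props map with Sasl.SERVER_AUTH set to "true" (HashMap and Map are already imported). The same call passes the server field, which is initialised to null and is not assigned anywhere in the lines shown; since the service principal is derived from protocol and server (per the "x@y" comment near the field declarations), a null check that throws a SaslException with a clear message before this call would make a missing server name fail early and legibly.
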
    --- End diff --
    
    Referencing the constant rather than using getName() might be clearer.


> Add support for SASL GSSAPI Kerberos mechanism
> ----------------------------------------------
>
>                 Key: QPIDJMS-303
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-303
>             Project: Qpid JMS
>          Issue Type: Bug
>          Components: qpid-jms-client
>            Reporter: Gary Tully
>
> It would be great to be able to authenticate using kerberos credentials using the SASL GSSAPI mechanism.
> Authentication would be sufficient leaving TLS to do encryption of the channel if that is necessary.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
