From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPIDJMS-303) Add support for SASL GSSAPI Kerberos mechanism
Date Fri, 21 Jul 2017 16:15:00 GMT

    [ https://issues.apache.org/jira/browse/QPIDJMS-303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16096435#comment-16096435
] 

ASF GitHub Bot commented on QPIDJMS-303:
----------------------------------------

Github user gtully commented on a diff in the pull request:

    https://github.com/apache/qpid-jms/pull/10#discussion_r128801781
  
    --- Diff: qpid-jms-client/src/test/java/org/apache/qpid/jms/test/testpeer/TestAmqpPeer.java
---
    @@ -495,6 +512,169 @@ public void run()
             }
         }
     
    +    public void expectGSSAPIFail(Symbol mech) throws Exception {
    +        SaslMechanismsFrame saslMechanismsFrame = new SaslMechanismsFrame().setSaslServerMechanisms(mech);
    +
    +        addHandler(new HeaderHandlerImpl(AmqpHeader.SASL_HEADER, AmqpHeader.SASL_HEADER,
    +                new FrameSender(
    +                        this, FrameType.SASL, 0,
    +                        saslMechanismsFrame, null)));
    +
    +        addHandler(new SaslInitMatcher().withMechanism(equalTo(mech)));
    +
    +    }
    +
    +    public void expectGSSAPI(Symbol mech, String serviceName) throws Exception {
    +
    +        SaslMechanismsFrame saslMechanismsFrame = new SaslMechanismsFrame().setSaslServerMechanisms(mech);
    +
    +        addHandler(new HeaderHandlerImpl(AmqpHeader.SASL_HEADER, AmqpHeader.SASL_HEADER,
    +                new FrameSender(
    +                        this, FrameType.SASL, 0,
    +                        saslMechanismsFrame, null)));
    +
    +        // setup server gss context
    +        LoginContext loginContext = new LoginContext("", null, null,
    +                kerb5InlineConfig(serviceName, false));
    +        loginContext.login();
    +        final Subject serverSubject =loginContext.getSubject();
    +
    +        LOGGER.info("saslServer subject:" + serverSubject.getPrivateCredentials());
    +
    +        Map<String, ?> config = new HashMap();
    +        final CallbackHandler handler = new CallbackHandler() {
    +            @Override
    +            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
    +                LOGGER.info("Here with: " + Arrays.asList(callbacks));
    +                for (Callback callback :callbacks) {
    +                    if (callback instanceof AuthorizeCallback) {
    +                        AuthorizeCallback authorizeCallback = (AuthorizeCallback) callback;
    +                        authorizeCallback.setAuthorized(authorizeCallback.getAuthenticationID().equals(authorizeCallback.getAuthorizationID()));
    +                    }
    +                }
    +            }
    +        };
    +        final SaslServer saslServer = Subject.doAs(serverSubject, new PrivilegedExceptionAction<SaslServer>()
{
    +            @Override
    +            public SaslServer run() throws Exception {
    +                return Sasl.createSaslServer(mech.toString(), null, null, config, handler);
    +            }
    +        });
    +
    +        final SaslChallengeFrame challengeFrame = new SaslChallengeFrame();
    +
    +        SaslInitMatcher saslInitMatcher = new SaslInitMatcher()
    +                .withMechanism(equalTo(mech))
    +                .withInitialResponse(new BaseMatcher<Binary>() {
    +
    +                    @Override
    +                    public void describeTo(Description description) {}
    +
    +                    @Override
    +                    public boolean matches(Object o) {
    +                        if (o == null) {
    +                            LOGGER.error("Got null initial response!");
    +                            return false;
    +                        }
    +                        final Binary binary = (Binary) o;
    +                        // validate via sasl
    +                        byte[] token = null;
    +                        try {
    +                            token = Subject.doAs(serverSubject, new PrivilegedExceptionAction<byte[]>()
{
    +                                @Override
    +                                public byte[] run() throws Exception {
    +                                    LOGGER.info("Evaluate Response.. size:" + binary.getLength());
    +                                    return saslServer.evaluateResponse(binary.getArray());
    +                                }
    +                            });
    +                        } catch (PrivilegedActionException e) {
    +                            e.printStackTrace();
    +                        }
    +                        LOGGER.info("Complete:" + saslServer.isComplete());
    +
    +                        if (token != null) {
    +                            // fling it back in on complete
    +                            challengeFrame.setChallenge(new Binary(token));
    +                        }
    +                        return true;
    +                    }
    +                }).onCompletion(new AmqpPeerRunnable() {
    +                    @Override
    +                    public void run() {
    +                        TestAmqpPeer.this.sendFrame(
    +                                FrameType.SASL, 0,
    +                                challengeFrame,
    +                                null,
    +                                false, 0);
    +                    }
    +                });
    +
    +        AtomicBoolean response = new AtomicBoolean(false);
    +        SaslResponseMatcher challengeMatcher = new SaslResponseMatcher().withResponse(new
BaseMatcher<Binary>() {
    +
    +            @Override
    +            public void describeTo(Description description) {}
    +
    +            @Override
    +            public boolean matches(Object o) {
    +                final Binary binary = (Binary) o;
    +                if (!saslServer.isComplete()) {
    +                    // validate via sasl
    +                    byte[] token = null;
    +                    try {
    +                        token = Subject.doAs(serverSubject, new PrivilegedExceptionAction<byte[]>()
{
    +                            @Override
    +                            public byte[] run() throws Exception {
    +                                LOGGER.info("Evaluate challenge response.. size:" + binary.getLength());
    +                                return saslServer.evaluateResponse(binary.getArray());
    +                            }
    +                        });
    +                    } catch (PrivilegedActionException e) {
    +                        e.printStackTrace();
    +                    }
    +                    LOGGER.info("Complete:" + saslServer.isComplete());
    +                    if (token != null) {
    +                        // fling it back
    +                        challengeFrame.setChallenge(new Binary(token));
    +                        response.set(true);
    +                    }
    +                    return true;
    +                }
    +
    +                return false;
    +            }
    +        }).onCompletion(new AmqpPeerRunnable() {
    +            @Override
    +            public void run() {
    +                if (response.get()) {
    +                    TestAmqpPeer.this.sendFrame(
    +                            FrameType.SASL, 0,
    +                            challengeFrame,
    +                            null,
    +                            false, 0);
    +                }
    +
    +                if (saslServer.isComplete()) {
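Review bot: In both anonymous `BaseMatcher<Binary>.matches` bodies the `PrivilegedActionException` thrown by `saslServer.evaluateResponse` is only passed to `e.printStackTrace()` and the matcher then falls through to `return true`, so a client token that the GSSAPI server rejects still counts as a match and a test expecting a successful login only notices, if at all, through the `saslServer.isComplete()` check whose branch starts at the very end of this hunk. I would make the matcher reject on that path and keep the cause, e.g. `} catch (PrivilegedActionException e) { LOGGER.error("evaluateResponse failed", e.getCause()); return false; }` in place of each `e.printStackTrace();` block. Separately, `LOGGER.info("saslServer subject:" + serverSubject.getPrivateCredentials())` writes the server's private Kerberos credentials into the test log, whereas `serverSubject.getPrincipals()` gives the identity the log line needs. `Map<String, ?> config = new HashMap();` builds a raw `HashMap`; `new HashMap<>()` is the intended form. The `run()` of the second `onCompletion` runnable, and `expectGSSAPI` itself, continue past the end of the hunk.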
    --- End diff --
    
    this is interesting. I need to check, good catch :-)


> Add support for SASL GSSAPI Kerberos mechanism
> ----------------------------------------------
>
>                 Key: QPIDJMS-303
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-303
>             Project: Qpid JMS
>          Issue Type: Bug
>          Components: qpid-jms-client
>            Reporter: Gary Tully
>
> It would be great to be able to authenticate using kerberos credentials using the SASL
GSSAPI mechanism.
> Authentication would be sufficient leaving TLS to do encryption of the channel if that
is necessary.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


