author | Rajith Muditha Attapattu <rajith@apache.org> | 2010-03-19 15:45:16 +0000 |
committer | Rajith Muditha Attapattu <rajith@apache.org> | 2010-03-19 15:45:16 +0000 |
commit | 03f0284987ba1429996911ddb7dd260b7f10b29e (patch) | |
tree | 39f878201aeb8606ef49a41d44df1fb0807b0f29 | |
parent | 44aa95b735907572ce1d5e5b2f86fd82848607f4 (diff) | |
download | qpid-python-03f0284987ba1429996911ddb7dd260b7f10b29e.tar.gz |
This is related to QPID-2444 and QPID-2445
If SASL EXTERNAL is used, the CN and DC components are extracted from the client's certificate to construct a user ID, which is then set in the outgoing
messages.
This also adds support for verifying the server when using SSL: the hostname is checked against the server certificate's CN.
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@925288 13f79535-47bb-0310-9956-ffa450edef68
5 files changed, 48 insertions, 9 deletions
diff --git a/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java b/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java
index 74064c9d11..d5f97f48a8 100644
--- a/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java
+++ b/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java
@@ -181,10 +181,25 @@ public class ClientDelegate extends ConnectionDelegate
     @Override
     public void connectionOpenOk(Connection conn, ConnectionOpenOk ok)
     {
         SaslClient sc = conn.getSaslClient();
-        if (sc != null && sc.getMechanismName().equals("GSSAPI") && getUserID() != null)
+        if (sc != null)
         {
-            conn.setUserID(getUserID());
+            if (sc.getMechanismName().equals("GSSAPI"))
+            {
+                String id = getKerberosUser();
+                if (id != null)
+                {
+                    conn.setUserID(id);
+                }
+            }
+            else if (sc.getMechanismName().equals("EXTERNAL"))
+            {
+                if (conn.getSecurityLayer() != null)
+                {
+                    conn.setUserID(conn.getSecurityLayer().getUserID());
+                }
+            }
         }
+
         conn.setState(OPEN);
     }
@@ -245,7 +260,7 @@ public class ClientDelegate extends ConnectionDelegate
     }
-    private String getUserID()
+    private String getKerberosUser()
     {
         log.debug("Obtaining userID from kerberos");
         String service = conSettings.getSaslProtocol() + "@" + conSettings.getSaslServerName();
diff --git a/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayer.java b/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayer.java
index bb877d4185..3f0966903d 100644
--- a/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayer.java
+++ b/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayer.java
@@ -156,7 +156,7 @@ public class SecurityLayer
     public String getUserID()
     {
-        return null;
+        return SSLUtil.retriveIdentity(engine);
     }
 }
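Review bot: The EXTERNAL branch passes `conn.getSecurityLayer().getUserID()` straight into `conn.setUserID(...)` without the null check the GSSAPI branch applies to `getKerberosUser()`; per the SecurityLayer hunk in this same commit that value comes from `SSLUtil.retriveIdentity(engine)`, and nothing visible guarantees it is non-null when the client presented no certificate or its DN has no CN/DC components. A null here would replace whatever user ID the connection already carried. Mirror the GSSAPI branch: `String id = conn.getSecurityLayer().getUserID(); if (id != null) { conn.setUserID(id); }`. connectionOpenOk is shown in full, but the enclosing class continues outside the hunk.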
diff --git a/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLReceiver.java b/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLReceiver.java
index 73b2fcb731..082ae9e8ec 100644
--- a/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLReceiver.java
+++ b/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLReceiver.java
@@ -28,6 +28,7 @@ import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLEngineResult.HandshakeStatus;
 import javax.net.ssl.SSLEngineResult.Status;
+import org.apache.qpid.transport.ConnectionSettings;
 import org.apache.qpid.transport.Receiver;
 import org.apache.qpid.transport.TransportException;
 import org.apache.qpid.transport.util.Logger;
@@ -42,7 +43,8 @@ public class SSLReceiver implements Receiver<ByteBuffer>
     private ByteBuffer localBuffer;
     private boolean dataCached = false;
     private final Object notificationToken;
-
+    private ConnectionSettings settings;
+
     private static final Logger log = Logger.get(SSLReceiver.class);
     public SSLReceiver(SSLEngine engine, Receiver<ByteBuffer> delegate,SSLSender sender)
@@ -56,6 +58,11 @@ public class SSLReceiver implements Receiver<ByteBuffer>
         notificationToken = sender.getNotificationToken();
     }
+    public void setConnectionSettings(ConnectionSettings settings)
+    {
+        this.settings = settings;
+    }
+
     public void closed()
     {
         delegate.closed();
@@ -159,8 +166,13 @@ public class SSLReceiver implements Receiver<ByteBuffer>
                     sender.doTasks();
                     handshakeStatus = engine.getHandshakeStatus();
-                case NEED_WRAP:
                 case FINISHED:
+                    if (this.settings != null && this.settings.isVerifyHostname() )
+                    {
+                        SSLUtil.verifyHostname(engine, this.settings.getHost());
+                    }
+
+                case NEED_WRAP:
                 case NOT_HANDSHAKING:
                     synchronized(notificationToken)
                     {
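Review bot: The check added under `case FINISHED:` fails open: `SSLUtil.verifyHostname` (its hunk is below) appears to log and swallow any exception raised while reading the peer certificate, and the comment there says the first FINISHED arrives before the certificate is available, so a real comparison depends on a second FINISHED that nothing in this hunk guarantees. If that second pass never happens, decrypted application data is handed to the delegate with the hostname unverified. Consider recording the outcome in a field, e.g. `private boolean hostnameVerified;` set only when `verifyHostname` returned normally with a certificate present, and treating NOT_HANDSHAKING with that flag still false as a failed handshake rather than proceeding. The same block is duplicated in the SSLSender hunk (`@@ -225,6 +232,11`), so the check runs on both sides of the engine per handshake; one verification point would be easier to reason about and audit. The fall-through from FINISHED into NEED_WRAP/NOT_HANDSHAKING is as before, but now that FINISHED has a body it deserves an explicit `// fall through` comment.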
diff --git a/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLSender.java b/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLSender.java
index bc1bee1e5d..24cedcc75a 100644
--- a/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLSender.java
+++ b/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLSender.java
@@ -28,6 +28,7 @@ import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLEngineResult.HandshakeStatus;
 import javax.net.ssl.SSLEngineResult.Status;
+import org.apache.qpid.transport.ConnectionSettings;
 import org.apache.qpid.transport.Sender;
 import org.apache.qpid.transport.SenderException;
 import org.apache.qpid.transport.util.Logger;
@@ -39,7 +40,8 @@ public class SSLSender implements Sender<ByteBuffer>
     private int sslBufSize;
     private ByteBuffer netData;
     private long timeout = 30000;
-
+    private ConnectionSettings settings;
+
     private final Object engineState = new Object();
     private final AtomicBoolean closed = new AtomicBoolean(false);
@@ -53,6 +55,11 @@ public class SSLSender implements Sender<ByteBuffer>
         netData = ByteBuffer.allocate(sslBufSize);
         timeout = Long.getLong("qpid.ssl_timeout", 60000);
     }
+
+    public void setConnectionSettings(ConnectionSettings settings)
+    {
+        this.settings = settings;
+    }
     public void close()
     {
@@ -225,6 +232,11 @@ public class SSLSender implements Sender<ByteBuffer>
                     break;
                 case FINISHED:
+                    if (this.settings != null && this.settings.isVerifyHostname() )
+                    {
+                        SSLUtil.verifyHostname(engine, this.settings.getHost());
+                    }
+
                 case NOT_HANDSHAKING:
                     break; //do nothing
diff --git a/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java b/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
index f74a6ecae4..f23d9ae359 100644
--- a/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
+++ b/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
@@ -38,7 +38,7 @@ public class SSLUtil
             log.debug("Host Name obtained from DN : " + hostname);
         }
-        if (hostname != null && hostname.equalsIgnoreCase(hostnameExpected))
+        if (hostname != null && !hostname.equalsIgnoreCase(hostnameExpected))
         {
             throw new TransportException("SSL hostname verification failed." +
                                          " Expected : " + hostnameExpected +
@@ -50,7 +50,7 @@ public class SSLUtil
         {
             log.warn("Exception received while trying to verify hostname",e);
             // For some reason the SSL engine sets the handshake status to FINISH twice
-            // in succession. For some reason the first time the peer certificate
+            // in succession. The first time the peer certificate
             // info is not available. The second time it works !
             // Therefore have no choice but to ignore the exception here.
         }
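Review bot: The corrected condition still lets a certificate with no extractable host name pass: when `hostname` is null the `hostname != null &&` guard short-circuits and no TransportException is thrown, so verification succeeds vacuously instead of failing closed. Since the callers only reach this when `isVerifyHostname()` is set, a missing name should count as a mismatch: `if (hostname == null || !hostname.equalsIgnoreCase(hostnameExpected))`. The debug line suggests the name is taken only from the subject DN; if subjectAltName entries are not consulted (that parsing is outside the hunk), certificates that carry the host name only there will be rejected, which is worth stating in the method's Javadoc. The second hunk (`@@ -50,7 +50,7`) only rewords a comment, but it records that exceptions during verification are deliberately ignored, so the Javadoc on `verifyHostname` should also say that a normal return is not proof the name was checked. The method's body begins above the first hunk and ends below the second.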