diff options
| author | Gordon Sim <gsim@apache.org> | 2010-03-05 16:51:22 +0000 |
|---|---|---|
| committer | Gordon Sim <gsim@apache.org> | 2010-03-05 16:51:22 +0000 |
| commit | f5e41be93bec9b5556a65292516db07ff845f7d4 (patch) | |
| tree | d26b9519d281dbb36fd6717205462399292896dd /cpp/src/qpid/broker/ConnectionFactory.cpp | |
| parent | 74d838068a2a24423c0c5af1e33b612e132291fb (diff) | |
| download | qpid-python-f5e41be93bec9b5556a65292516db07ff845f7d4.tar.gz | |
QPID-2412: Support for EXTERNAL mechanism on client-authenticated SSL connections.
On SSL connection where the clients certificate is authenticated (requires the --ssl-require-client-authentication option at present), the clients identity will be taken from that certificate (it will be the CN with any DCs present appended as the domain, e.g. CN=bob,DC=acme,DC=com would result in an identity of bob@acme.com). This will enable the EXTERNAL mechanism when cyrus sasl is in use.
The client can still negotiate their desired mechanism. There is a new option on the ssl module (--ssl-sasl-no-dict) that allows the options on ssl connections to be restricted to those that are not vulnerable to dictionary attacks (EXTERNAL being the primary example).
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@919487 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'cpp/src/qpid/broker/ConnectionFactory.cpp')
| -rw-r--r-- | cpp/src/qpid/broker/ConnectionFactory.cpp | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/cpp/src/qpid/broker/ConnectionFactory.cpp b/cpp/src/qpid/broker/ConnectionFactory.cpp index ffb0b34b95..9e0020812b 100644 --- a/cpp/src/qpid/broker/ConnectionFactory.cpp +++ b/cpp/src/qpid/broker/ConnectionFactory.cpp @@ -22,12 +22,14 @@ #include "qpid/framing/ProtocolVersion.h" #include "qpid/amqp_0_10/Connection.h" #include "qpid/broker/Connection.h" +#include "qpid/sys/SecuritySettings.h" #include "qpid/log/Statement.h" namespace qpid { namespace broker { using framing::ProtocolVersion; +using qpid::sys::SecuritySettings; typedef std::auto_ptr<amqp_0_10::Connection> ConnectionPtr; typedef std::auto_ptr<sys::ConnectionInputHandler> InputPtr; @@ -37,7 +39,7 @@ ConnectionFactory::~ConnectionFactory() {} sys::ConnectionCodec* ConnectionFactory::create(ProtocolVersion v, sys::OutputControl& out, const std::string& id, - unsigned int ) { + const SecuritySettings& external) { if (broker.getConnectionCounter().allowConnection()) { QPID_LOG(error, "Client max connection count limit exceeded: " << broker.getOptions().maxConnections << " connection refused"); @@ -45,7 +47,7 @@ ConnectionFactory::create(ProtocolVersion v, sys::OutputControl& out, const std: } if (v == ProtocolVersion(0, 10)) { ConnectionPtr c(new amqp_0_10::Connection(out, id, false)); - c->setInputHandler(InputPtr(new broker::Connection(c.get(), broker, id, false))); + c->setInputHandler(InputPtr(new broker::Connection(c.get(), broker, id, external, false))); return c.release(); } return 0; @@ -53,10 +55,10 @@ ConnectionFactory::create(ProtocolVersion v, sys::OutputControl& out, const std: sys::ConnectionCodec* ConnectionFactory::create(sys::OutputControl& out, const std::string& id, - unsigned int) { + const SecuritySettings& external) { // used to create connections from one broker to another ConnectionPtr c(new amqp_0_10::Connection(out, id, true)); - c->setInputHandler(InputPtr(new broker::Connection(c.get(), broker, id, true))); + c->setInputHandler(InputPtr(new broker::Connection(c.get(), broker, id, external, true))); return c.release(); } |