use of org.apache.activemq.artemis.api.core.ActiveMQSecurityException in project activemq-artemis by apache.
the class SecurityTest method testComplexRoles2.
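/**
 * Exercises hierarchical security matches with several roles per user.
 *
 * <p>Three matches are installed on the security repository: {@code #} (anyone with the
 * "user" role may send and consume), {@code news.europe.#} ("europe-user" may send,
 * "news-user" may consume, a plain "user" may do neither) and {@code news.us.#}
 * ("us-user" may send, "news-user" may consume). The "all" role carries every
 * permission and backs the admin session that creates the queues. Each user is then
 * checked against each queue for the send/consume outcome its roles imply.
 *
 * <p>Every session opened here is closed in the {@code finally} block so a failing
 * assertion does not leave connections open behind the test.
 *
 * <p>Still {@code @Ignore}d; the reason is not recorded in this method.
 */
@Test
@Ignore
public void testComplexRoles2() throws Exception {
   ActiveMQServer server = createServer();
   server.start();
   ActiveMQJAASSecurityManager securityManager = (ActiveMQJAASSecurityManager) server.getSecurityManager();

   // Users and their (deliberately distinct) passwords. "all" is the admin principal.
   securityManager.getConfiguration().addUser("all", "all");
   securityManager.getConfiguration().addUser("bill", "activemq");
   securityManager.getConfiguration().addUser("andrew", "activemq1");
   securityManager.getConfiguration().addUser("frank", "activemq2");
   securityManager.getConfiguration().addUser("sam", "activemq3");

   // Role membership: everyone is a "user"; andrew is also "europe-user",
   // frank "us-user" + "news-user", sam "news-user".
   securityManager.getConfiguration().addRole("all", "all");
   securityManager.getConfiguration().addRole("bill", "user");
   securityManager.getConfiguration().addRole("andrew", "europe-user");
   securityManager.getConfiguration().addRole("andrew", "user");
   securityManager.getConfiguration().addRole("frank", "us-user");
   securityManager.getConfiguration().addRole("frank", "news-user");
   securityManager.getConfiguration().addRole("frank", "user");
   securityManager.getConfiguration().addRole("sam", "news-user");
   securityManager.getConfiguration().addRole("sam", "user");

   // Role flags, in order: send, consume, createDurableQueue, deleteDurableQueue,
   // createNonDurableQueue, deleteNonDurableQueue, manage, browse, createAddress, deleteAddress.
   Role all = new Role("all", true, true, true, true, true, true, true, true, true, true);
   HierarchicalRepository<Set<Role>> repository = server.getSecurityRepository();

   // "#": a plain user may send and consume everywhere not overridden by a closer match.
   Set<Role> add = new HashSet<>();
   add.add(new Role("user", true, true, true, true, true, true, false, true, true, true));
   add.add(all);
   repository.addMatch("#", add);

   // "news.europe.#": plain user loses send+consume; europe-user sends, news-user consumes.
   Set<Role> add1 = new HashSet<>();
   add1.add(all);
   add1.add(new Role("user", false, false, true, true, true, true, false, true, true, true));
   add1.add(new Role("europe-user", true, false, false, false, false, false, false, true, true, true));
   add1.add(new Role("news-user", false, true, false, false, false, false, false, true, true, true));
   repository.addMatch("news.europe.#", add1);

   // "news.us.#": same shape as above with us-user as the sender.
   Set<Role> add2 = new HashSet<>();
   add2.add(all);
   add2.add(new Role("user", false, false, true, true, true, true, false, true, true, true));
   add2.add(new Role("us-user", true, false, false, false, false, false, false, true, true, true));
   add2.add(new Role("news-user", false, true, false, false, false, false, false, true, true, true));
   repository.addMatch("news.us.#", add2);

   // Blocking sends make a server-side rejection surface on send() itself.
   locator.setBlockOnNonDurableSend(true).setBlockOnDurableSend(true);
   ClientSessionFactory factory = createSessionFactory(locator);
   ClientSession adminSession = factory.createSession("all", "all", false, true, true, false, -1);

   ClientSession billConnection = null;
   ClientSession andrewConnection = null;
   ClientSession frankConnection = null;
   ClientSession samConnection = null;
   try {
      String genericQueueName = "genericQueue";
      adminSession.createQueue(genericQueueName, genericQueueName, false);
      String eurQueueName = "news.europe.europeQueue";
      adminSession.createQueue(eurQueueName, eurQueueName, false);
      String usQueueName = "news.us.usQueue";
      adminSession.createQueue(usQueueName, usQueueName, false);

      // Step 4. A session without user/password must be refused.
      try {
         factory.createSession(false, true, true);
         Assert.fail("should throw exception");
      } catch (ActiveMQSecurityException se) {
         // expected
      } catch (ActiveMQException e) {
         fail("Invalid Exception type:" + e.getType());
      }

      // Step 5. bill with a wrong password (andrew's) must be refused.
      try {
         billConnection = factory.createSession("bill", "activemq1", false, true, true, false, -1);
         Assert.fail("should throw exception");
      } catch (ActiveMQSecurityException se) {
         // expected
      } catch (ActiveMQException e) {
         fail("Invalid Exception type:" + e.getType());
      }

      // Steps 6-9. Each user authenticates with its own password.
      billConnection = factory.createSession("bill", "activemq", false, true, true, false, -1);
      andrewConnection = factory.createSession("andrew", "activemq1", false, true, true, false, -1);
      frankConnection = factory.createSession("frank", "activemq2", false, true, true, false, -1);
      samConnection = factory.createSession("sam", "activemq3", false, true, true, false, -1);

      // Step 10. On the generic queue the "#" match applies: every user may send and receive.
      checkUserSendAndReceive(genericQueueName, billConnection);
      checkUserSendAndReceive(genericQueueName, andrewConnection);
      checkUserSendAndReceive(genericQueueName, frankConnection);
      checkUserSendAndReceive(genericQueueName, samConnection);

      // Step 11. news.europe: bill (user only) can neither send nor receive.
      checkUserNoSendNoReceive(eurQueueName, billConnection, adminSession);
      // Step 12. news.europe: andrew (europe-user) can send but not receive.
      checkUserSendNoReceive(eurQueueName, andrewConnection);
      // Step 13. news.europe: frank (news-user) can receive but not send.
      checkUserReceiveNoSend(eurQueueName, frankConnection, adminSession);
      // Step 14. news.europe: sam (news-user) can receive but not send.
      checkUserReceiveNoSend(eurQueueName, samConnection, adminSession);

      // Step 15. news.us: bill can neither send nor receive.
      checkUserNoSendNoReceive(usQueueName, billConnection, adminSession);
      // Step 16. news.us: andrew can neither send nor receive.
      checkUserNoSendNoReceive(usQueueName, andrewConnection, adminSession);
      // Step 17. news.us: frank (us-user + news-user) can both send and receive.
      checkUserSendAndReceive(usQueueName, frankConnection);
      // Step 18. news.us: sam (news-user) can receive but not send.
      checkUserReceiveNoSend(usQueueName, samConnection, adminSession);
   } finally {
      // Sessions that never got created (e.g. after an early failure) are still null.
      for (ClientSession s : new ClientSession[] {billConnection, andrewConnection, frankConnection, samConnection, adminSession}) {
         if (s != null) {
            s.close();
         }
      }
   }
}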
use of org.apache.activemq.artemis.api.core.ActiveMQSecurityException in project activemq-artemis by apache.
the class SecurityTest method testDeleteDurableQueueWithoutRole.
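/**
 * A role that may create durable queues but not delete them must be refused on
 * {@code deleteQueue}.
 *
 * <p>The session is closed in a {@code finally} block so a failed assertion does not
 * leave it open.
 */
@Test
public void testDeleteDurableQueueWithoutRole() throws Exception {
   ActiveMQServer server = createServer();
   server.start();
   HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository();
   ActiveMQJAASSecurityManager securityManager = (ActiveMQJAASSecurityManager) server.getSecurityManager();
   securityManager.getConfiguration().addUser("auser", "pass");
   // Only createDurableQueue (third flag) is granted; deleteDurableQueue (fourth) is not.
   Role role = new Role("arole", false, false, true, false, false, false, false, false, false, false);
   Set<Role> roles = new HashSet<>();
   roles.add(role);
   securityRepository.addMatch(SecurityTest.addressA, roles);
   securityManager.getConfiguration().addRole("auser", "arole");
   ClientSessionFactory cf = createSessionFactory(locator);
   ClientSession session = cf.createSession("auser", "pass", false, true, true, false, -1);
   try {
      // Allowed by the role.
      session.createQueue(SecurityTest.addressA, SecurityTest.queueA, true);
      // Denied by the role: must surface as a security exception, not some other type.
      try {
         session.deleteQueue(SecurityTest.queueA);
         Assert.fail("should throw exception");
      } catch (ActiveMQSecurityException se) {
         // expected
      } catch (ActiveMQException e) {
         fail("Invalid Exception type:" + e.getType());
      }
   } finally {
      session.close();
   }
}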
use of org.apache.activemq.artemis.api.core.ActiveMQSecurityException in project activemq-artemis by apache.
the class SecurityTest method testSendWithoutRole.
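/**
 * A user whose only role lacks the send permission must be rejected when producing to
 * the matched address.
 *
 * <p>{@code blockOnNonDurableSend} is switched on so the server's rejection is reported
 * on the {@code send()} call itself, where it can be caught. The {@code Assert.fail}
 * after the send is what makes the test meaningful: without it a silently accepted
 * message would pass.
 */
@Test
public void testSendWithoutRole() throws Exception {
   ActiveMQServer server = createServer();
   server.start();
   HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository();
   ActiveMQJAASSecurityManager securityManager = (ActiveMQJAASSecurityManager) server.getSecurityManager();
   securityManager.getConfiguration().addUser("auser", "pass");
   // createDurableQueue (third flag) only; send (first flag) is denied.
   Role role = new Role("arole", false, false, true, false, false, false, false, false, false, false);
   Set<Role> roles = new HashSet<>();
   roles.add(role);
   securityRepository.addMatch(SecurityTest.addressA, roles);
   securityManager.getConfiguration().addRole("auser", "arole");
   locator.setBlockOnNonDurableSend(true);
   ClientSessionFactory cf = createSessionFactory(locator);
   ClientSession session = cf.createSession("auser", "pass", false, true, true, false, -1);
   try {
      session.createQueue(SecurityTest.addressA, SecurityTest.queueA, true);
      ClientProducer cp = session.createProducer(SecurityTest.addressA);
      try {
         cp.send(session.createMessage(false));
         Assert.fail("should throw exception");
      } catch (ActiveMQSecurityException se) {
         // expected
      } catch (ActiveMQException e) {
         fail("Invalid Exception type:" + e.getType());
      }
   } finally {
      session.close();
   }
}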
use of org.apache.activemq.artemis.api.core.ActiveMQSecurityException in project activemq-artemis by apache.
the class CoreClientOverOneWaySSLKerb5Test method testOneWaySSLWithGoodClientCipherSuite.
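/**
 * One-way TLS with a Kerberos-capable cipher suite: the client authenticates through the
 * TLS handshake, and the server stamps the Kerberos principal as the message's validated
 * user. The second half then presents the same principal name as a plain username over
 * the non-TLS in-VM connector and expects a security rejection.
 *
 * <p>Failures in the TLS round trip propagate with their original stack trace instead of
 * being collapsed into a message-less {@code Assert.fail()}.
 *
 * @throws Exception on any failure during the TLS round trip
 */
@Test
public void testOneWaySSLWithGoodClientCipherSuite() throws Exception {
   // hard coded match, default_keytab_name in minikdc-krb5.conf template
   File userKeyTab = new File("target/test.krb5.keytab");
   kdc.createPrincipal(userKeyTab, CLIENT_PRINCIPAL, SERVICE_PRINCIPAL);
   createCustomSslServer();
   tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
   tc.getParams().put(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME, getSuitableCipherSuite());
   // static service name rather than dynamic machine name
   tc.getParams().put(TransportConstants.SNIHOST_PROP_NAME, SNI_HOST);
   tc.getParams().put(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, "core-tls-krb5-client");
   final ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
   ClientSessionFactory sf = null;
   try {
      sf = createSessionFactory(locator);
      ClientSession session = sf.createSession(false, true, true);
      session.createQueue(CoreClientOverOneWaySSLKerb5Test.QUEUE, RoutingType.ANYCAST, CoreClientOverOneWaySSLKerb5Test.QUEUE);
      ClientProducer producer = session.createProducer(CoreClientOverOneWaySSLKerb5Test.QUEUE);
      final String text = RandomUtil.randomString();
      ClientMessage message = createTextMessage(session, text);
      producer.send(message);
      ClientConsumer consumer = session.createConsumer(CoreClientOverOneWaySSLKerb5Test.QUEUE);
      session.start();
      ClientMessage m = consumer.receive(1000);
      Assert.assertNotNull(m);
      Assert.assertEquals(text, m.getReadOnlyBodyBuffer().readString());
      System.err.println("m:" + m + ", user:" + m.getValidatedUserID());
      // The validated user must be present and carry the Kerberos client principal.
      Assert.assertNotNull("got validated user", m.getValidatedUserID());
      Assert.assertTrue("krb id in validated user", m.getValidatedUserID().contains(CLIENT_PRINCIPAL));
   } finally {
      if (sf != null) {
         sf.close();
      }
      locator.close();
   }

   // Only credentials established by TLS may yield that identity: the principal name
   // offered as a username (empty password) over the in-VM connector must be refused.
   final ServerLocator inVmLocator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(inVMTc));
   ClientSessionFactory inVmSf = null;
   try {
      inVmSf = createSessionFactory(inVmLocator);
      inVmSf.createSession(userPrincipal, "", false, false, false, false, 10);
      fail("supposed to throw exception");
   } catch (ActiveMQSecurityException e) {
      // expected
   } finally {
      if (inVmSf != null) {
         inVmSf.close();
      }
      inVmLocator.close();
   }
}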
use of org.apache.activemq.artemis.api.core.ActiveMQSecurityException in project activemq-artemis by apache.
the class ProtonServerReceiverContext method initialise.
/**
 * Completes attach of the incoming AMQP link: aligns settle modes with the remote,
 * resolves the target (dynamic temporary queue or named address), verifies the address
 * exists and that the peer may SEND to it, advertises DELAYED_DELIVERY when requested,
 * and grants the initial credit.
 *
 * <p>Security failures are rethrown as AMQP protocol errors built from the broker
 * exception's message text.
 *
 * @throws Exception from {@code super.initialise()}, or one of the AMQP protocol
 *         exceptions raised below when the target cannot be set up or is not permitted
 */
@Override
public void initialise() throws Exception {
   super.initialise();
   org.apache.qpid.proton.amqp.messaging.Target target = (org.apache.qpid.proton.amqp.messaging.Target) receiver.getRemoteTarget();
   // Match the settlement mode of the remote instead of relying on the default of MIXED.
   receiver.setSenderSettleMode(receiver.getRemoteSenderSettleMode());
   // We don't currently support SECOND so enforce that the answer is always FIRST
   receiver.setReceiverSettleMode(ReceiverSettleMode.FIRST);
   RoutingType defRoutingType;
   if (target != null) {
      if (target.getDynamic()) {
         // if dynamic we have to create the node (queue) and set the address on the target, the node is temporary and
         // will be deleted on closing of the session
         address = SimpleString.toSimpleString(sessionSPI.tempQueueName());
         defRoutingType = getRoutingType(target.getCapabilities(), address);
         try {
            sessionSPI.createTemporaryQueue(address, defRoutingType);
         } catch (ActiveMQSecurityException e) {
            // NOTE(review): the broker exception's message text is handed to the remote peer
            // in the protocol error; confirm it carries no internal detail worth withholding.
            throw ActiveMQAMQPProtocolMessageBundle.BUNDLE.securityErrorCreatingTempDestination(e.getMessage());
         } catch (Exception e) {
            throw new ActiveMQAMQPInternalErrorException(e.getMessage(), e);
         }
         // Remote may omit the expiry policy; fall back to deleting the node on link detach.
         expiryPolicy = target.getExpiryPolicy() != null ? target.getExpiryPolicy() : TerminusExpiryPolicy.LINK_DETACH;
         target.setAddress(address.toString());
      } else {
         // the target will have an address unless the remote is requesting an anonymous
         // relay in which case the address in the incoming message's to field will be
         // matched on receive of the message.
         address = SimpleString.toSimpleString(target.getAddress());
         // Anonymous relay (null/empty address): no existence or SEND check is made here at
         // attach time; presumably the per-message path performs it — verify in the receive path.
         if (address != null && !address.isEmpty()) {
            defRoutingType = getRoutingType(target.getCapabilities(), address);
            try {
               if (!sessionSPI.bindingQuery(address, defRoutingType)) {
                  throw ActiveMQAMQPProtocolMessageBundle.BUNDLE.addressDoesntExist();
               }
            } catch (ActiveMQAMQPNotFoundException e) {
               // Already the protocol-level "not found" error; pass it through unchanged.
               throw e;
            } catch (Exception e) {
               log.debug(e.getMessage(), e);
               throw new ActiveMQAMQPInternalErrorException(e.getMessage(), e);
            }
            // Authorise SEND for the identity established during SASL on this connection.
            try {
               sessionSPI.check(address, CheckType.SEND, new SecurityAuth() {
                  @Override
                  public String getUsername() {
                     // null when the connection completed no SASL exchange.
                     String username = null;
                     SASLResult saslResult = connection.getSASLResult();
                     if (saslResult != null) {
                        username = saslResult.getUser();
                     }
                     return username;
                  }
                  @Override
                  public String getPassword() {
                     // Only the PLAIN mechanism retains a password; other mechanisms yield null.
                     String password = null;
                     SASLResult saslResult = connection.getSASLResult();
                     if (saslResult != null) {
                        if (saslResult instanceof PlainSASLResult) {
                           password = ((PlainSASLResult) saslResult).getPassword();
                        }
                     }
                     return password;
                  }
                  @Override
                  public RemotingConnection getRemotingConnection() {
                     return connection.connectionCallback.getProtonConnectionDelegate();
                  }
               });
            } catch (ActiveMQSecurityException e) {
               // Denied: reported to the peer as a producer-creation security error.
               throw ActiveMQAMQPProtocolMessageBundle.BUNDLE.securityErrorCreatingProducer(e.getMessage());
            }
         }
      }
      // Offer DELAYED_DELIVERY back only if the remote asked for it.
      Symbol[] remoteDesiredCapabilities = receiver.getRemoteDesiredCapabilities();
      if (remoteDesiredCapabilities != null) {
         List<Symbol> list = Arrays.asList(remoteDesiredCapabilities);
         if (list.contains(AmqpSupport.DELAYED_DELIVERY)) {
            receiver.setOfferedCapabilities(new Symbol[] { AmqpSupport.DELAYED_DELIVERY });
         }
      }
   }
   // Grant the initial credit window; reached even when no target was supplied.
   flow(amqpCredits, minCreditRefresh);
}