
Example 21 with ActiveMQSecurityException

use of org.apache.activemq.artemis.api.core.ActiveMQSecurityException in project activemq-artemis by apache.

the class SecurityTest method testComplexRoles2.

@Test
@Ignore
public void testComplexRoles2() throws Exception {
    // Role-based authorization scenario: five users, role sets bound to three address
    // matches, and a send/receive check for each user on a generic, a European and a US queue.
    ActiveMQServer server = createServer();
    server.start();
    ActiveMQJAASSecurityManager securityManager = (ActiveMQJAASSecurityManager) server.getSecurityManager();

    // Test-only accounts (user, password).
    securityManager.getConfiguration().addUser("all", "all");
    securityManager.getConfiguration().addUser("bill", "activemq");
    securityManager.getConfiguration().addUser("andrew", "activemq1");
    securityManager.getConfiguration().addUser("frank", "activemq2");
    securityManager.getConfiguration().addUser("sam", "activemq3");

    // Role membership (user, role).
    securityManager.getConfiguration().addRole("all", "all");
    securityManager.getConfiguration().addRole("bill", "user");
    securityManager.getConfiguration().addRole("andrew", "europe-user");
    securityManager.getConfiguration().addRole("andrew", "user");
    securityManager.getConfiguration().addRole("frank", "us-user");
    securityManager.getConfiguration().addRole("frank", "news-user");
    securityManager.getConfiguration().addRole("frank", "user");
    securityManager.getConfiguration().addRole("sam", "news-user");
    securityManager.getConfiguration().addRole("sam", "user");

    // The boolean flags after the role name grant individual permissions. Judging by the
    // expectations checked below, the first two are send and consume; confirm the meaning
    // of the remaining flags against Role's constructor.
    Role adminRole = new Role("all", true, true, true, true, true, true, true, true, true, true);
    HierarchicalRepository<Set<Role>> roleRepository = server.getSecurityRepository();

    // Roles bound to the "#" match.
    Set<Role> defaultRoles = new HashSet<>();
    defaultRoles.add(new Role("user", true, true, true, true, true, true, false, true, true, true));
    defaultRoles.add(adminRole);
    roleRepository.addMatch("#", defaultRoles);

    // European news: "user" loses send/consume, "europe-user" may send, "news-user" may consume.
    Set<Role> europeRoles = new HashSet<>();
    europeRoles.add(adminRole);
    europeRoles.add(new Role("user", false, false, true, true, true, true, false, true, true, true));
    europeRoles.add(new Role("europe-user", true, false, false, false, false, false, false, true, true, true));
    europeRoles.add(new Role("news-user", false, true, false, false, false, false, false, true, true, true));
    roleRepository.addMatch("news.europe.#", europeRoles);

    // US news: same shape, with "us-user" as the sending role.
    Set<Role> usRoles = new HashSet<>();
    usRoles.add(adminRole);
    usRoles.add(new Role("user", false, false, true, true, true, true, false, true, true, true));
    usRoles.add(new Role("us-user", true, false, false, false, false, false, false, true, true, true));
    usRoles.add(new Role("news-user", false, true, false, false, false, false, false, true, true, true));
    roleRepository.addMatch("news.us.#", usRoles);

    locator.setBlockOnNonDurableSend(true).setBlockOnDurableSend(true);
    ClientSessionFactory factory = createSessionFactory(locator);

    // The fully privileged account creates the three queues under test.
    ClientSession adminSession = factory.createSession("all", "all", false, true, true, false, -1);
    String genericQueue = "genericQueue";
    adminSession.createQueue(genericQueue, genericQueue, false);
    String europeQueue = "news.europe.europeQueue";
    adminSession.createQueue(europeQueue, europeQueue, false);
    String usQueue = "news.us.usQueue";
    adminSession.createQueue(usQueue, usQueue, false);

    // Step 4. A session without user/password must be refused.
    try {
        factory.createSession(false, true, true);
        Assert.fail("should throw exception");
    } catch (ActiveMQSecurityException expected) {
        // ok: unauthenticated session rejected
    } catch (ActiveMQException e) {
        fail("Invalid Exception type:" + e.getType());
    }

    // Step 5. bill with a wrong password must be refused.
    try {
        factory.createSession("bill", "activemq1", false, true, true, false, -1);
        Assert.fail("should throw exception");
    } catch (ActiveMQSecurityException expected) {
        // ok: bad credentials rejected
    } catch (ActiveMQException e) {
        fail("Invalid Exception type:" + e.getType());
    }

    // Steps 6-9. Every user logs in with the correct password.
    ClientSession billSession = factory.createSession("bill", "activemq", false, true, true, false, -1);
    ClientSession andrewSession = factory.createSession("andrew", "activemq1", false, true, true, false, -1);
    ClientSession frankSession = factory.createSession("frank", "activemq2", false, true, true, false, -1);
    ClientSession samSession = factory.createSession("sam", "activemq3", false, true, true, false, -1);

    // Generic queue: all four users can send and receive.
    checkUserSendAndReceive(genericQueue, billSession);
    checkUserSendAndReceive(genericQueue, andrewSession);
    checkUserSendAndReceive(genericQueue, frankSession);
    checkUserSendAndReceive(genericQueue, samSession);

    // Steps 11-14. European queue:
    //   bill   - no send, no receive
    //   andrew - send only
    //   frank  - receive only
    //   sam    - receive only
    checkUserNoSendNoReceive(europeQueue, billSession, adminSession);
    checkUserSendNoReceive(europeQueue, andrewSession);
    checkUserReceiveNoSend(europeQueue, frankSession, adminSession);
    checkUserReceiveNoSend(europeQueue, samSession, adminSession);

    // Steps 15-18. US queue:
    //   bill   - no send, no receive
    //   andrew - no send, no receive
    //   frank  - send and receive
    //   sam    - receive only
    checkUserNoSendNoReceive(usQueue, billSession, adminSession);
    checkUserNoSendNoReceive(usQueue, andrewSession, adminSession);
    checkUserSendAndReceive(usQueue, frankSession);
    checkUserReceiveNoSend(usQueue, samSession, adminSession);
}
Also used : Role(org.apache.activemq.artemis.core.security.Role) ActiveMQServer(org.apache.activemq.artemis.core.server.ActiveMQServer) Set(java.util.Set) HashSet(java.util.HashSet) ActiveMQException(org.apache.activemq.artemis.api.core.ActiveMQException) ActiveMQJAASSecurityManager(org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager) ClientSession(org.apache.activemq.artemis.api.core.client.ClientSession) ClientSessionFactory(org.apache.activemq.artemis.api.core.client.ClientSessionFactory) SimpleString(org.apache.activemq.artemis.api.core.SimpleString) ActiveMQSecurityException(org.apache.activemq.artemis.api.core.ActiveMQSecurityException) HashSet(java.util.HashSet) Ignore(org.junit.Ignore) Test(org.junit.Test)

Example 22 with ActiveMQSecurityException

use of org.apache.activemq.artemis.api.core.ActiveMQSecurityException in project activemq-artemis by apache.

the class SecurityTest method testDeleteDurableQueueWithoutRole.

@Test
public void testDeleteDurableQueueWithoutRole() throws Exception {
    // A user whose role allows creating a durable queue, but not deleting one, must get
    // a security exception when it tries to delete the queue it just created.
    ActiveMQServer server = createServer();
    server.start();
    HierarchicalRepository<Set<Role>> roleRepository = server.getSecurityRepository();
    ActiveMQJAASSecurityManager securityManager = (ActiveMQJAASSecurityManager) server.getSecurityManager();
    securityManager.getConfiguration().addUser("auser", "pass");

    // Only the third flag is set; the createQueue call below succeeding with it suggests it
    // is the create-durable-queue permission (confirm against Role's constructor).
    Set<Role> addressRoles = new HashSet<>();
    addressRoles.add(new Role("arole", false, false, true, false, false, false, false, false, false, false));
    roleRepository.addMatch(SecurityTest.addressA, addressRoles);
    securityManager.getConfiguration().addRole("auser", "arole");

    ClientSessionFactory sessionFactory = createSessionFactory(locator);
    ClientSession userSession = sessionFactory.createSession("auser", "pass", false, true, true, false, -1);
    userSession.createQueue(SecurityTest.addressA, SecurityTest.queueA, true);

    try {
        userSession.deleteQueue(SecurityTest.queueA);
        Assert.fail("should throw exception");
    } catch (ActiveMQSecurityException expected) {
        // ok: delete denied
    } catch (ActiveMQException e) {
        // any other broker error means the denial came back with the wrong type
        fail("Invalid Exception type:" + e.getType());
    }
    userSession.close();
}
Also used : Role(org.apache.activemq.artemis.core.security.Role) ActiveMQServer(org.apache.activemq.artemis.core.server.ActiveMQServer) Set(java.util.Set) HashSet(java.util.HashSet) ActiveMQException(org.apache.activemq.artemis.api.core.ActiveMQException) ActiveMQJAASSecurityManager(org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager) ClientSession(org.apache.activemq.artemis.api.core.client.ClientSession) ClientSessionFactory(org.apache.activemq.artemis.api.core.client.ClientSessionFactory) ActiveMQSecurityException(org.apache.activemq.artemis.api.core.ActiveMQSecurityException) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 23 with ActiveMQSecurityException

use of org.apache.activemq.artemis.api.core.ActiveMQSecurityException in project activemq-artemis by apache.

the class SecurityTest method testSendWithoutRole.

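@Test
public void testSendWithoutRole() throws Exception {
    // A user whose role does not grant send must get a security exception when it sends
    // to the address. Sends are made blocking so the broker's refusal reaches the caller.
    ActiveMQServer server = createServer();
    server.start();
    HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository();
    ActiveMQJAASSecurityManager securityManager = (ActiveMQJAASSecurityManager) server.getSecurityManager();
    securityManager.getConfiguration().addUser("auser", "pass");
    // Only the third flag is set; send (the first flag, judging by the sibling tests'
    // expectations) is not granted. Confirm flag order against Role's constructor.
    Role role = new Role("arole", false, false, true, false, false, false, false, false, false, false);
    Set<Role> roles = new HashSet<>();
    roles.add(role);
    securityRepository.addMatch(SecurityTest.addressA, roles);
    securityManager.getConfiguration().addRole("auser", "arole");
    locator.setBlockOnNonDurableSend(true);
    ClientSessionFactory cf = createSessionFactory(locator);
    ClientSession session = cf.createSession("auser", "pass", false, true, true, false, -1);
    try {
        session.createQueue(SecurityTest.addressA, SecurityTest.queueA, true);
        ClientProducer cp = session.createProducer(SecurityTest.addressA);
        try {
            cp.send(session.createMessage(false));
            // Without this the test passes even when the unauthorized send is accepted,
            // so a broken permission check would go unnoticed.
            Assert.fail("should throw exception");
        } catch (ActiveMQSecurityException se) {
            // ok: send denied
        } catch (ActiveMQException e) {
            fail("Invalid Exception type:" + e.getType());
        }
    } finally {
        // close the session on the failure path as well
        session.close();
    }
}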
Also used : Role(org.apache.activemq.artemis.core.security.Role) ActiveMQServer(org.apache.activemq.artemis.core.server.ActiveMQServer) Set(java.util.Set) HashSet(java.util.HashSet) ActiveMQException(org.apache.activemq.artemis.api.core.ActiveMQException) ActiveMQJAASSecurityManager(org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager) ClientSession(org.apache.activemq.artemis.api.core.client.ClientSession) ClientSessionFactory(org.apache.activemq.artemis.api.core.client.ClientSessionFactory) ActiveMQSecurityException(org.apache.activemq.artemis.api.core.ActiveMQSecurityException) ClientProducer(org.apache.activemq.artemis.api.core.client.ClientProducer) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 24 with ActiveMQSecurityException

use of org.apache.activemq.artemis.api.core.ActiveMQSecurityException in project activemq-artemis by apache.

the class CoreClientOverOneWaySSLKerb5Test method testOneWaySSLWithGoodClientCipherSuite.

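@Test
public void testOneWaySSLWithGoodClientCipherSuite() throws Exception {
    // Positive case: a client connecting over TLS with the Kerberos configuration gets a
    // session, and messages it sends carry a validated user id containing its principal.
    // Negative case: naming the same principal on the second transport is rejected.

    // hard coded match, default_keytab_name in minikdc-krb5.conf template
    File userKeyTab = new File("target/test.krb5.keytab");
    kdc.createPrincipal(userKeyTab, CLIENT_PRINCIPAL, SERVICE_PRINCIPAL);
    createCustomSslServer();
    tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
    tc.getParams().put(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME, getSuitableCipherSuite());
    // static service name rather than dynamic machine name
    tc.getParams().put(TransportConstants.SNIHOST_PROP_NAME, SNI_HOST);
    tc.getParams().put(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME, "core-tls-krb5-client");
    final ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
    ClientSessionFactory sf = null;
    // No catch-all here: the method already declares "throws Exception", so an unexpected
    // exception reaches the test runner with its type, message and stack trace instead of
    // being replaced by a message-less Assert.fail().
    try {
        sf = createSessionFactory(locator);
        ClientSession session = sf.createSession(false, true, true);
        session.createQueue(CoreClientOverOneWaySSLKerb5Test.QUEUE, RoutingType.ANYCAST, CoreClientOverOneWaySSLKerb5Test.QUEUE);
        ClientProducer producer = session.createProducer(CoreClientOverOneWaySSLKerb5Test.QUEUE);
        final String text = RandomUtil.randomString();
        ClientMessage message = createTextMessage(session, text);
        producer.send(message);
        ClientConsumer consumer = session.createConsumer(CoreClientOverOneWaySSLKerb5Test.QUEUE);
        session.start();
        ClientMessage m = consumer.receive(1000);
        Assert.assertNotNull(m);
        Assert.assertEquals(text, m.getReadOnlyBodyBuffer().readString());
        System.err.println("m:" + m + ", user:" + m.getValidatedUserID());
        // The identity stamped on the message must be the Kerberos principal.
        Assert.assertNotNull("got validated user", m.getValidatedUserID());
        Assert.assertTrue("krb id in validated user", m.getValidatedUserID().contains(CLIENT_PRINCIPAL));
    } finally {
        if (sf != null) {
            sf.close();
        }
        locator.close();
    }
    // Negative check: presenting the principal name as a plain username with an empty
    // password on the other transport (inVMTc, i.e. without ssl) must not authenticate.
    final ServerLocator inVmLocator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(inVMTc));
    ClientSessionFactory inVmSf = null;
    try {
        inVmSf = createSessionFactory(inVmLocator);
        inVmSf.createSession(userPrincipal, "", false, false, false, false, 10);
        fail("supposed to throw exception");
    } catch (ActiveMQSecurityException e) {
        // expected: the claimed identity is refused
    } finally {
        if (inVmSf != null) {
            inVmSf.close();
        }
        inVmLocator.close();
    }
}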
Also used : ClientSession(org.apache.activemq.artemis.api.core.client.ClientSession) ClientSessionFactory(org.apache.activemq.artemis.api.core.client.ClientSessionFactory) SimpleString(org.apache.activemq.artemis.api.core.SimpleString) ClientMessage(org.apache.activemq.artemis.api.core.client.ClientMessage) ClientConsumer(org.apache.activemq.artemis.api.core.client.ClientConsumer) ActiveMQSecurityException(org.apache.activemq.artemis.api.core.ActiveMQSecurityException) File(java.io.File) ClientProducer(org.apache.activemq.artemis.api.core.client.ClientProducer) ServerLocator(org.apache.activemq.artemis.api.core.client.ServerLocator) ActiveMQSecurityException(org.apache.activemq.artemis.api.core.ActiveMQSecurityException) Test(org.junit.Test)

Example 25 with ActiveMQSecurityException

use of org.apache.activemq.artemis.api.core.ActiveMQSecurityException in project activemq-artemis by apache.

the class ProtonServerReceiverContext method initialise.

/**
 * Sets up the server side of an incoming AMQP link: mirrors the peer's sender settle mode,
 * resolves the target address, and, for a named target, verifies that the address exists
 * and that the connection's authenticated user may send to it.
 *
 * <p>A dynamic target gets a freshly created temporary queue. A target with a null or empty
 * address skips both the existence query and the SEND check in this method.
 *
 * @throws Exception if the temporary queue cannot be created, the address does not exist,
 *         the binding query fails, or the SEND permission check is refused
 */
@Override
public void initialise() throws Exception {
    super.initialise();
    org.apache.qpid.proton.amqp.messaging.Target target = (org.apache.qpid.proton.amqp.messaging.Target) receiver.getRemoteTarget();
    // Match the settlement mode of the remote instead of relying on the default of MIXED.
    receiver.setSenderSettleMode(receiver.getRemoteSenderSettleMode());
    // We don't currently support SECOND so enforce that the answer is always FIRST
    receiver.setReceiverSettleMode(ReceiverSettleMode.FIRST);
    RoutingType defRoutingType;
    if (target != null) {
        if (target.getDynamic()) {
            // if dynamic we have to create the node (queue) and set the address on the target, the node is temporary and
            // will be deleted on closing of the session
            address = SimpleString.toSimpleString(sessionSPI.tempQueueName());
            defRoutingType = getRoutingType(target.getCapabilities(), address);
            try {
                sessionSPI.createTemporaryQueue(address, defRoutingType);
            } catch (ActiveMQSecurityException e) {
                // A permission failure is reported as a security error rather than an internal error.
                // NOTE(review): the broker's exception message is passed through as-is; confirm it
                // holds nothing the remote peer should not learn.
                throw ActiveMQAMQPProtocolMessageBundle.BUNDLE.securityErrorCreatingTempDestination(e.getMessage());
            } catch (Exception e) {
                throw new ActiveMQAMQPInternalErrorException(e.getMessage(), e);
            }
            // Use the peer's expiry policy when it supplied one, otherwise LINK_DETACH.
            expiryPolicy = target.getExpiryPolicy() != null ? target.getExpiryPolicy() : TerminusExpiryPolicy.LINK_DETACH;
            target.setAddress(address.toString());
        } else {
            // the target will have an address unless the remote is requesting an anonymous
            // relay in which case the address in the incoming message's to field will be
            // matched on receive of the message.
            // NOTE(review): for that anonymous-relay case no SEND check runs here; confirm the
            // per-message path authorizes each destination address.
            address = SimpleString.toSimpleString(target.getAddress());
            if (address != null && !address.isEmpty()) {
                defRoutingType = getRoutingType(target.getCapabilities(), address);
                try {
                    if (!sessionSPI.bindingQuery(address, defRoutingType)) {
                        throw ActiveMQAMQPProtocolMessageBundle.BUNDLE.addressDoesntExist();
                    }
                } catch (ActiveMQAMQPNotFoundException e) {
                    // Rethrown unchanged so the generic handler below does not wrap it as an
                    // internal error (presumably this is what addressDoesntExist() produces).
                    throw e;
                } catch (Exception e) {
                    log.debug(e.getMessage(), e);
                    throw new ActiveMQAMQPInternalErrorException(e.getMessage(), e);
                }
                try {
                    // Authorization at link setup: SEND permission on the address, evaluated with
                    // the identity taken from the connection's SASL result.
                    sessionSPI.check(address, CheckType.SEND, new SecurityAuth() {

                        // Username from the SASL result, or null when the connection has none.
                        @Override
                        public String getUsername() {
                            String username = null;
                            SASLResult saslResult = connection.getSASLResult();
                            if (saslResult != null) {
                                username = saslResult.getUser();
                            }
                            return username;
                        }

                        // A password is only available from a PlainSASLResult; every other
                        // SASL result type yields null.
                        @Override
                        public String getPassword() {
                            String password = null;
                            SASLResult saslResult = connection.getSASLResult();
                            if (saslResult != null) {
                                if (saslResult instanceof PlainSASLResult) {
                                    password = ((PlainSASLResult) saslResult).getPassword();
                                }
                            }
                            return password;
                        }

                        @Override
                        public RemotingConnection getRemotingConnection() {
                            return connection.connectionCallback.getProtonConnectionDelegate();
                        }
                    });
                } catch (ActiveMQSecurityException e) {
                    // Denied SEND becomes a producer-creation security error; the original
                    // exception is not attached as a cause, only its message is carried over.
                    throw ActiveMQAMQPProtocolMessageBundle.BUNDLE.securityErrorCreatingProducer(e.getMessage());
                }
            }
        }
        // Offer DELAYED_DELIVERY only when the peer listed it among its desired capabilities.
        Symbol[] remoteDesiredCapabilities = receiver.getRemoteDesiredCapabilities();
        if (remoteDesiredCapabilities != null) {
            List<Symbol> list = Arrays.asList(remoteDesiredCapabilities);
            if (list.contains(AmqpSupport.DELAYED_DELIVERY)) {
                receiver.setOfferedCapabilities(new Symbol[] { AmqpSupport.DELAYED_DELIVERY });
            }
        }
    }
    // Runs even when target is null; presumably grants the initial link credit — confirm in flow().
    flow(amqpCredits, minCreditRefresh);
}
Also used : ActiveMQAMQPInternalErrorException(org.apache.activemq.artemis.protocol.amqp.exceptions.ActiveMQAMQPInternalErrorException) Symbol(org.apache.qpid.proton.amqp.Symbol) SecurityAuth(org.apache.activemq.artemis.core.security.SecurityAuth) RemotingConnection(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection) PlainSASLResult(org.apache.activemq.artemis.protocol.amqp.sasl.PlainSASLResult) SimpleString(org.apache.activemq.artemis.api.core.SimpleString) ActiveMQAMQPNotFoundException(org.apache.activemq.artemis.protocol.amqp.exceptions.ActiveMQAMQPNotFoundException) ActiveMQAMQPInternalErrorException(org.apache.activemq.artemis.protocol.amqp.exceptions.ActiveMQAMQPInternalErrorException) ActiveMQAMQPNotFoundException(org.apache.activemq.artemis.protocol.amqp.exceptions.ActiveMQAMQPNotFoundException) ActiveMQAMQPException(org.apache.activemq.artemis.protocol.amqp.exceptions.ActiveMQAMQPException) ActiveMQSecurityException(org.apache.activemq.artemis.api.core.ActiveMQSecurityException) SASLResult(org.apache.activemq.artemis.protocol.amqp.sasl.SASLResult) PlainSASLResult(org.apache.activemq.artemis.protocol.amqp.sasl.PlainSASLResult) ActiveMQSecurityException(org.apache.activemq.artemis.api.core.ActiveMQSecurityException) RoutingType(org.apache.activemq.artemis.api.core.RoutingType)

Aggregations

ActiveMQSecurityException (org.apache.activemq.artemis.api.core.ActiveMQSecurityException)25 ActiveMQException (org.apache.activemq.artemis.api.core.ActiveMQException)20 ClientSessionFactory (org.apache.activemq.artemis.api.core.client.ClientSessionFactory)19 Test (org.junit.Test)19 ActiveMQServer (org.apache.activemq.artemis.core.server.ActiveMQServer)18 ClientSession (org.apache.activemq.artemis.api.core.client.ClientSession)17 HashSet (java.util.HashSet)16 Set (java.util.Set)16 ActiveMQJAASSecurityManager (org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager)14 Role (org.apache.activemq.artemis.core.security.Role)13 SimpleString (org.apache.activemq.artemis.api.core.SimpleString)11 ClientProducer (org.apache.activemq.artemis.api.core.client.ClientProducer)8 TransportConfiguration (org.apache.activemq.artemis.api.core.TransportConfiguration)6 Configuration (org.apache.activemq.artemis.core.config.Configuration)6 ServerLocator (org.apache.activemq.artemis.api.core.client.ServerLocator)4 CheckType (org.apache.activemq.artemis.core.security.CheckType)3 ActiveMQServerImpl (org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl)3 ActiveMQAMQPException (org.apache.activemq.artemis.protocol.amqp.exceptions.ActiveMQAMQPException)3 ActiveMQAMQPInternalErrorException (org.apache.activemq.artemis.protocol.amqp.exceptions.ActiveMQAMQPInternalErrorException)3 ActiveMQAMQPNotFoundException (org.apache.activemq.artemis.protocol.amqp.exceptions.ActiveMQAMQPNotFoundException)3