Search in sources :

Example 1 with ActiveMQSecurityManager3

use of org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3 in project activemq-artemis by apache.

the class SecurityStoreImpl method authenticate.

@Override
public String authenticate(final String user, final String password, RemotingConnection connection) throws Exception {
    if (securityEnabled) {
        if (managementClusterUser.equals(user)) {
            if (logger.isTraceEnabled()) {
                logger.trace("Authenticating cluster admin user");
            }
            /*
             * The special user cluster user is used for creating sessions that replicate management
             * operation between nodes
             */
            if (!managementClusterPassword.equals(password)) {
                throw ActiveMQMessageBundle.BUNDLE.unableToValidateClusterUser(user);
            } else {
                return managementClusterUser;
            }
        }
        String validatedUser = null;
        boolean userIsValid = false;
        if (securityManager instanceof ActiveMQSecurityManager3) {
            validatedUser = ((ActiveMQSecurityManager3) securityManager).validateUser(user, password, connection);
        } else if (securityManager instanceof ActiveMQSecurityManager2) {
            userIsValid = ((ActiveMQSecurityManager2) securityManager).validateUser(user, password, CertificateUtil.getCertsFromConnection(connection));
        } else {
            userIsValid = securityManager.validateUser(user, password);
        }
        if (!userIsValid && validatedUser == null) {
            if (notificationService != null) {
                TypedProperties props = new TypedProperties();
                Notification notification = new Notification(null, CoreNotificationType.SECURITY_AUTHENTICATION_VIOLATION, props);
                notificationService.sendNotification(notification);
            }
            String certSubjectDN = "unavailable";
            X509Certificate[] certs = CertificateUtil.getCertsFromConnection(connection);
            if (certs != null && certs.length > 0 && certs[0] != null) {
                certSubjectDN = certs[0].getSubjectDN().getName();
            }
            throw ActiveMQMessageBundle.BUNDLE.unableToValidateUser(connection.getRemoteAddress(), user, certSubjectDN);
        }
        return validatedUser;
    }
    return null;
}
Also used : ActiveMQSecurityManager2(org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager2) ActiveMQSecurityManager3(org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3) SimpleString(org.apache.activemq.artemis.api.core.SimpleString) TypedProperties(org.apache.activemq.artemis.utils.collections.TypedProperties) Notification(org.apache.activemq.artemis.core.server.management.Notification) X509Certificate(javax.security.cert.X509Certificate)

Example 2 with ActiveMQSecurityManager3

use of org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3 in project activemq-artemis by apache.

the class StompProtocolManager method validateUser.

public boolean validateUser(String login, String passcode, RemotingConnection remotingConnection) {
    boolean validated = true;
    ActiveMQSecurityManager sm = server.getSecurityManager();
    if (sm != null && server.getConfiguration().isSecurityEnabled()) {
        if (sm instanceof ActiveMQSecurityManager3) {
            validated = ((ActiveMQSecurityManager3) sm).validateUser(login, passcode, remotingConnection) != null;
        } else if (sm instanceof ActiveMQSecurityManager2) {
            validated = ((ActiveMQSecurityManager2) sm).validateUser(login, passcode, CertificateUtil.getCertsFromConnection(remotingConnection));
        } else {
            validated = sm.validateUser(login, passcode);
        }
    }
    return validated;
}
Also used : ActiveMQSecurityManager2(org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager2) ActiveMQSecurityManager3(org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3) ActiveMQSecurityManager(org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager)

Example 3 with ActiveMQSecurityManager3

use of org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3 in project activemq-artemis by apache.

the class SecurityTest method testCustomSecurityManager3.

@Test
public void testCustomSecurityManager3() throws Exception {
    final Configuration configuration = createDefaultInVMConfig().setSecurityEnabled(true);
    final ActiveMQSecurityManager customSecurityManager = new ActiveMQSecurityManager3() {

        @Override
        public boolean validateUser(final String username, final String password) {
            fail("Unexpected call to overridden method");
            return false;
        }

        @Override
        public String validateUser(final String username, final String password, final RemotingConnection remotingConnection) {
            if ((username.equals("foo") || username.equals("bar") || username.equals("all")) && password.equals("frobnicate")) {
                return username;
            } else {
                return null;
            }
        }

        @Override
        public boolean validateUserAndRole(final String username, final String password, final Set<Role> requiredRoles, final CheckType checkType) {
            fail("Unexpected call to overridden method");
            return false;
        }

        @Override
        public String validateUserAndRole(final String username, final String password, final Set<Role> requiredRoles, final CheckType checkType, final String address, final RemotingConnection connection) {
            if (!(connection.getTransportConnection() instanceof InVMConnection)) {
                return null;
            }
            if ((username.equals("foo") || username.equals("bar") || username.equals("all")) && password.equals("frobnicate")) {
                if (username.equals("all")) {
                    return username;
                } else if (username.equals("foo")) {
                    if (address.equals("test.queue") && checkType == CheckType.CONSUME)
                        return username;
                    else
                        return null;
                } else if (username.equals("bar")) {
                    if (address.equals("test.queue") && checkType == CheckType.SEND)
                        return username;
                    else
                        return null;
                } else {
                    return null;
                }
            } else {
                return null;
            }
        }
    };
    final ActiveMQServer server = addServer(new ActiveMQServerImpl(configuration, customSecurityManager));
    server.start();
    final ServerLocator locator = createInVMNonHALocator();
    locator.setBlockOnNonDurableSend(true).setBlockOnDurableSend(true);
    final ClientSessionFactory factory = createSessionFactory(locator);
    ClientSession adminSession = factory.createSession("all", "frobnicate", false, true, true, false, -1);
    final String queueName = "test.queue";
    adminSession.createQueue(queueName, queueName, false);
    final String otherQueueName = "other.queue";
    adminSession.createQueue(otherQueueName, otherQueueName, false);
    // Wrong user name
    try {
        factory.createSession("baz", "frobnicate", false, true, true, false, -1);
        Assert.fail("should throw exception");
    } catch (ActiveMQSecurityException se) {
    // ok
    } catch (ActiveMQException e) {
        fail("Invalid Exception type:" + e.getType());
    }
    // Wrong password
    try {
        factory.createSession("foo", "xxx", false, true, true, false, -1);
        Assert.fail("should throw exception");
    } catch (ActiveMQSecurityException se) {
    // ok
    } catch (ActiveMQException e) {
        fail("Invalid Exception type:" + e.getType());
    }
    // Correct user and password, wrong queue for sending
    try {
        final ClientSession session = factory.createSession("foo", "frobnicate", false, true, true, false, -1);
        checkUserReceiveNoSend(otherQueueName, session, adminSession);
        Assert.fail("should throw exception");
    } catch (ActiveMQSecurityException se) {
    // ok
    } catch (ActiveMQException e) {
        fail("Invalid Exception type:" + e.getType());
    }
    // Correct user and password, wrong queue for receiving
    try {
        final ClientSession session = factory.createSession("foo", "frobnicate", false, true, true, false, -1);
        checkUserReceiveNoSend(otherQueueName, session, adminSession);
        Assert.fail("should throw exception");
    } catch (ActiveMQSecurityException se) {
    // ok
    } catch (ActiveMQException e) {
        fail("Invalid Exception type:" + e.getType());
    }
    // Correct user and password, allowed to send but not receive
    {
        final ClientSession session = factory.createSession("foo", "frobnicate", false, true, true, false, -1);
        checkUserReceiveNoSend(queueName, session, adminSession);
    }
    // Correct user and password, allowed to receive but not send
    {
        final ClientSession session = factory.createSession("bar", "frobnicate", false, true, true, false, -1);
        checkUserSendNoReceive(queueName, session);
    }
}
Also used : InVMConnection(org.apache.activemq.artemis.core.remoting.impl.invm.InVMConnection) Set(java.util.Set) HashSet(java.util.HashSet) TransportConfiguration(org.apache.activemq.artemis.api.core.TransportConfiguration) Configuration(org.apache.activemq.artemis.core.config.Configuration) RemotingConnection(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection) ActiveMQSecurityManager3(org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3) SimpleString(org.apache.activemq.artemis.api.core.SimpleString) ActiveMQServerImpl(org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl) ActiveMQServer(org.apache.activemq.artemis.core.server.ActiveMQServer) ActiveMQException(org.apache.activemq.artemis.api.core.ActiveMQException) CheckType(org.apache.activemq.artemis.core.security.CheckType) ClientSession(org.apache.activemq.artemis.api.core.client.ClientSession) ClientSessionFactory(org.apache.activemq.artemis.api.core.client.ClientSessionFactory) ActiveMQSecurityException(org.apache.activemq.artemis.api.core.ActiveMQSecurityException) ActiveMQSecurityManager(org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager) ServerLocator(org.apache.activemq.artemis.api.core.client.ServerLocator) Test(org.junit.Test)

Example 4 with ActiveMQSecurityManager3

use of org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3 in project activemq-artemis by apache.

the class SecurityStoreImpl method check.

@Override
public void check(final SimpleString address, final SimpleString queue, final CheckType checkType, final SecurityAuth session) throws Exception {
    if (securityEnabled) {
        if (logger.isTraceEnabled()) {
            logger.trace("checking access permissions to " + address);
        }
        String user = session.getUsername();
        if (checkCached(address, user, checkType)) {
            // OK
            return;
        }
        String saddress = address.toString();
        Set<Role> roles = securityRepository.getMatch(saddress);
        // bypass permission checks for management cluster user
        if (managementClusterUser.equals(user) && session.getPassword().equals(managementClusterPassword)) {
            return;
        }
        final boolean validated;
        if (securityManager instanceof ActiveMQSecurityManager3) {
            final ActiveMQSecurityManager3 securityManager3 = (ActiveMQSecurityManager3) securityManager;
            validated = securityManager3.validateUserAndRole(user, session.getPassword(), roles, checkType, saddress, session.getRemotingConnection()) != null;
        } else if (securityManager instanceof ActiveMQSecurityManager2) {
            final ActiveMQSecurityManager2 securityManager2 = (ActiveMQSecurityManager2) securityManager;
            validated = securityManager2.validateUserAndRole(user, session.getPassword(), roles, checkType, saddress, session.getRemotingConnection());
        } else {
            validated = securityManager.validateUserAndRole(user, session.getPassword(), roles, checkType);
        }
        if (!validated) {
            if (notificationService != null) {
                TypedProperties props = new TypedProperties();
                props.putSimpleStringProperty(ManagementHelper.HDR_ADDRESS, address);
                props.putSimpleStringProperty(ManagementHelper.HDR_CHECK_TYPE, new SimpleString(checkType.toString()));
                props.putSimpleStringProperty(ManagementHelper.HDR_USER, SimpleString.toSimpleString(user));
                Notification notification = new Notification(null, CoreNotificationType.SECURITY_PERMISSION_VIOLATION, props);
                notificationService.sendNotification(notification);
            }
            if (queue == null) {
                throw ActiveMQMessageBundle.BUNDLE.userNoPermissions(session.getUsername(), checkType, saddress);
            } else {
                throw ActiveMQMessageBundle.BUNDLE.userNoPermissionsQueue(session.getUsername(), checkType, queue.toString(), saddress);
            }
        }
        // if we get here we're granted, add to the cache
        ConcurrentHashSet<SimpleString> set = new ConcurrentHashSet<>();
        ConcurrentHashSet<SimpleString> act = cache.putIfAbsent(user + "." + checkType.name(), set);
        if (act != null) {
            set = act;
        }
        set.add(address);
    }
}
Also used : Role(org.apache.activemq.artemis.core.security.Role) ActiveMQSecurityManager2(org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager2) ConcurrentHashSet(org.apache.activemq.artemis.utils.collections.ConcurrentHashSet) ActiveMQSecurityManager3(org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3) SimpleString(org.apache.activemq.artemis.api.core.SimpleString) SimpleString(org.apache.activemq.artemis.api.core.SimpleString) TypedProperties(org.apache.activemq.artemis.utils.collections.TypedProperties) Notification(org.apache.activemq.artemis.core.server.management.Notification)

Aggregations

ActiveMQSecurityManager3 (org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3)4 SimpleString (org.apache.activemq.artemis.api.core.SimpleString)3 ActiveMQSecurityManager2 (org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager2)3 Notification (org.apache.activemq.artemis.core.server.management.Notification)2 ActiveMQSecurityManager (org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager)2 TypedProperties (org.apache.activemq.artemis.utils.collections.TypedProperties)2 HashSet (java.util.HashSet)1 Set (java.util.Set)1 X509Certificate (javax.security.cert.X509Certificate)1 ActiveMQException (org.apache.activemq.artemis.api.core.ActiveMQException)1 ActiveMQSecurityException (org.apache.activemq.artemis.api.core.ActiveMQSecurityException)1 TransportConfiguration (org.apache.activemq.artemis.api.core.TransportConfiguration)1 ClientSession (org.apache.activemq.artemis.api.core.client.ClientSession)1 ClientSessionFactory (org.apache.activemq.artemis.api.core.client.ClientSessionFactory)1 ServerLocator (org.apache.activemq.artemis.api.core.client.ServerLocator)1 Configuration (org.apache.activemq.artemis.core.config.Configuration)1 InVMConnection (org.apache.activemq.artemis.core.remoting.impl.invm.InVMConnection)1 CheckType (org.apache.activemq.artemis.core.security.CheckType)1 Role (org.apache.activemq.artemis.core.security.Role)1 ActiveMQServer (org.apache.activemq.artemis.core.server.ActiveMQServer)1