This is an automated email from the ASF dual-hosted git repository.
robbie pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git
The following commit(s) were added to refs/heads/main by this push:
new a5b5a50 ARTEMIS-3038: unwind effect of defunct changes from
ARTEMIS-1264
a5b5a50 is described below
commit a5b5a504e0426daa1f2598582ea3252f8bca4cf8
Author: Robbie Gemmell <[email protected]>
AuthorDate: Tue Oct 5 17:17:35 2021 +0100
ARTEMIS-3038: unwind effect of defunct changes from ARTEMIS-1264
Follows earlier test removal in a3de3d4c75ba1482706e8c42a5c9b0f9811901eb
---
.../FederationDownstreamConfiguration.java | 1 -
.../core/remoting/impl/netty/NettyConnector.java | 51 ++++-----------------
.../remoting/impl/netty/TransportConstants.java | 4 --
.../core/remoting/impl/netty/NettyAcceptor.java | 53 +++++-----------------
docs/user-manual/en/security.md | 10 ----
.../src/test/resources/login.config | 15 ------
6 files changed, 19 insertions(+), 115 deletions(-)
diff --git
a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/config/federation/FederationDownstreamConfiguration.java
b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/config/federation/FederationDownstreamConfiguration.java
index 17905e1..a7dd1e0 100644
---
a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/config/federation/FederationDownstreamConfiguration.java
+++
b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/config/federation/FederationDownstreamConfiguration.java
@@ -56,7 +56,6 @@ public class FederationDownstreamConfiguration extends
FederationStreamConfigura
//The federated server that creates the upstream back will rely on its
config from the acceptor for TLS
stripParam(params, TransportConstants.SSL_ENABLED_PROP_NAME);
stripParam(params, TransportConstants.SSL_PROVIDER);
- stripParam(params, TransportConstants.SSL_KRB5_CONFIG_PROP_NAME);
stripParam(params, TransportConstants.KEYSTORE_PATH_PROP_NAME);
stripParam(params, TransportConstants.KEYSTORE_PASSWORD_PROP_NAME);
stripParam(params, TransportConstants.KEYSTORE_PROVIDER_PROP_NAME);
diff --git
a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
index dde607f..f04b750 100644
---
a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
+++
b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
@@ -20,8 +20,6 @@ import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
-import javax.security.auth.Subject;
-import javax.security.auth.login.LoginContext;
import java.io.IOException;
import java.net.ConnectException;
import java.net.InetAddress;
@@ -33,7 +31,6 @@ import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
-import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
@@ -265,8 +262,6 @@ public class NettyConnector extends AbstractConnector {
private String sniHost;
- private String kerb5Config;
-
private boolean useDefaultSslContext;
private boolean tcpNoDelay;
@@ -433,8 +428,6 @@ public class NettyConnector extends AbstractConnector {
sniHost =
ConfigurationHelper.getStringProperty(TransportConstants.SNIHOST_PROP_NAME,
TransportConstants.DEFAULT_SNIHOST_CONFIG, configuration);
- kerb5Config =
ConfigurationHelper.getStringProperty(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME,
TransportConstants.DEFAULT_SSL_KRB5_CONFIG, configuration);
-
useDefaultSslContext =
ConfigurationHelper.getBooleanProperty(TransportConstants.USE_DEFAULT_SSL_CONTEXT_PROP_NAME,
TransportConstants.DEFAULT_USE_DEFAULT_SSL_CONTEXT, configuration);
trustManagerFactoryPlugin =
ConfigurationHelper.getStringProperty(TransportConstants.TRUST_MANAGER_FACTORY_PLUGIN_PROP_NAME,
TransportConstants.DEFAULT_TRUST_MANAGER_FACTORY_PLUGIN, configuration);
@@ -759,50 +752,22 @@ public class NettyConnector extends AbstractConnector {
final SSLContext context =
SSLContextFactoryProvider.getSSLContextFactory()
.getSSLContext(sslContextConfig, configuration);
- Subject subject = null;
- if (kerb5Config != null) {
- LoginContext loginContext = new LoginContext(kerb5Config);
- loginContext.login();
- subject = loginContext.getSubject();
- verifyHost = true;
+ if (host != null && port != -1) {
+ return context.createSSLEngine(host, port);
+ } else {
+ return context.createSSLEngine();
}
-
- SSLEngine engine = Subject.doAs(subject, new
PrivilegedExceptionAction<SSLEngine>() {
- @Override
- public SSLEngine run() {
- if (host != null && port != -1) {
- return context.createSSLEngine(host, port);
- } else {
- return context.createSSLEngine();
- }
- }
- });
- return engine;
}
private SSLEngine loadOpenSslEngine(final ByteBufAllocator alloc, final
SSLContextConfig sslContextConfig) throws Exception {
final SslContext context =
OpenSSLContextFactoryProvider.getOpenSSLContextFactory()
.getClientSslContext(sslContextConfig, configuration);
- Subject subject = null;
- if (kerb5Config != null) {
- LoginContext loginContext = new LoginContext(kerb5Config);
- loginContext.login();
- subject = loginContext.getSubject();
- verifyHost = true;
+ if (host != null && port != -1) {
+ return context.newEngine(alloc, host, port);
+ } else {
+ return context.newEngine(alloc);
}
-
- SSLEngine engine = Subject.doAs(subject, new
PrivilegedExceptionAction<SSLEngine>() {
- @Override
- public SSLEngine run() {
- if (host != null && port != -1) {
- return context.newEngine(alloc, host, port);
- } else {
- return context.newEngine(alloc);
- }
- }
- });
- return engine;
}
@Override
diff --git
a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
index 37a4e80..43bc67b 100644
---
a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
+++
b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
@@ -33,8 +33,6 @@ public class TransportConstants {
public static final String SSL_ENABLED_PROP_NAME = "sslEnabled";
- public static final String SSL_KRB5_CONFIG_PROP_NAME = "sslKrb5Config";
-
public static final String HTTP_ENABLED_PROP_NAME = "httpEnabled";
public static final String HTTP_CLIENT_IDLE_PROP_NAME =
"httpClientIdleTime";
@@ -196,8 +194,6 @@ public class TransportConstants {
public static final boolean DEFAULT_SSL_ENABLED = false;
- public static final String DEFAULT_SSL_KRB5_CONFIG = null;
-
public static final String DEFAULT_SNIHOST_CONFIG = null;
public static final boolean DEFAULT_USE_GLOBAL_WORKER_POOL = true;
diff --git
a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
index eca729a..b9d692b 100644
---
a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
+++
b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
@@ -21,13 +21,10 @@ import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
-import javax.security.auth.Subject;
-import javax.security.auth.login.LoginContext;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.AccessController;
import java.security.PrivilegedAction;
-import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
@@ -189,8 +186,6 @@ public class NettyAcceptor extends AbstractAcceptor {
private final String trustManagerFactoryPlugin;
- private final String kerb5Config;
-
private String sniHost;
private final boolean tcpNoDelay;
@@ -269,8 +264,6 @@ public class NettyAcceptor extends AbstractAcceptor {
sslEnabled =
ConfigurationHelper.getBooleanProperty(TransportConstants.SSL_ENABLED_PROP_NAME,
TransportConstants.DEFAULT_SSL_ENABLED, configuration);
- kerb5Config =
ConfigurationHelper.getStringProperty(TransportConstants.SSL_KRB5_CONFIG_PROP_NAME,
TransportConstants.DEFAULT_SSL_KRB5_CONFIG, configuration);
-
remotingThreads =
ConfigurationHelper.getIntProperty(TransportConstants.NIO_REMOTING_THREADS_PROPNAME,
-1, configuration);
remotingThreads =
ConfigurationHelper.getIntProperty(TransportConstants.REMOTING_THREADS_PROPNAME,
remotingThreads, configuration);
@@ -674,55 +667,31 @@ public class NettyAcceptor extends AbstractAcceptor {
private SSLEngine loadJdkSslEngine(String peerHost, int peerPort) throws
Exception {
final SSLContext context = (SSLContext) providerAgnosticSslContext;
- Subject subject = null;
- if (kerb5Config != null) {
- LoginContext loginContext = new LoginContext(kerb5Config);
- loginContext.login();
- subject = loginContext.getSubject();
- }
- SSLEngine engine = Subject.doAs(subject, new
PrivilegedExceptionAction<SSLEngine>() {
- @Override
- public SSLEngine run() {
- if (peerHost != null && peerPort != 0) {
- return context.createSSLEngine(peerHost, peerPort);
- } else {
- return context.createSSLEngine();
- }
- }
- });
- return engine;
+ if (peerHost != null && peerPort != 0) {
+ return context.createSSLEngine(peerHost, peerPort);
+ } else {
+ return context.createSSLEngine();
+ }
}
private void checkSSLConfiguration() throws IllegalArgumentException {
if (configuration.containsKey(TransportConstants.SSL_CONTEXT_PROP_NAME))
{
return;
}
- if (kerb5Config == null && keyStorePath == null &&
TransportConstants.DEFAULT_KEYSTORE_PROVIDER.equals(keyStoreProvider)) {
+ if (keyStorePath == null &&
TransportConstants.DEFAULT_KEYSTORE_PROVIDER.equals(keyStoreProvider)) {
throw new IllegalArgumentException("If \"" +
TransportConstants.SSL_ENABLED_PROP_NAME + "\" is true then \"" +
TransportConstants.KEYSTORE_PATH_PROP_NAME + "\" must be non-null unless an
alternative \"" + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "\" has been
specified.");
}
}
private SSLEngine loadOpenSslEngine(ByteBufAllocator alloc, String
peerHost, int peerPort) throws Exception {
final SslContext context = (SslContext) providerAgnosticSslContext;
- Subject subject = null;
- if (kerb5Config != null) {
- LoginContext loginContext = new LoginContext(kerb5Config);
- loginContext.login();
- subject = loginContext.getSubject();
- }
- SSLEngine engine = Subject.doAs(subject, new
PrivilegedExceptionAction<SSLEngine>() {
- @Override
- public SSLEngine run() {
- if (peerHost != null && peerPort != 0) {
- return context.newEngine(alloc, peerHost, peerPort);
- } else {
- return context.newEngine(alloc);
- }
- }
- });
- return engine;
+ if (peerHost != null && peerPort != 0) {
+ return context.newEngine(alloc, peerHost, peerPort);
+ } else {
+ return context.newEngine(alloc);
+ }
}
private void startServerChannels() {
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index fb0f745..88478ad 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@@ -1159,16 +1159,6 @@ amqp-sasl-gssapi {
};
```
-##### TLS Kerberos Cipher Suites
-
-The legacy [rfc2712](https://www.ietf.org/rfc/rfc2712.txt) defines TLS Kerberos
-cipher suites that can be used by TLS to negotiate Kerberos authentication. The
-cypher suites offered by rfc2712 are dated and insecure and rfc2712 has been
-superseded by SASL GSSAPI. However, for clients that don't support SASL (core
-client), using TLS can provide Kerberos authentication over an *unsecure*
-channel.
-
-
### Role Mapping
On the server, a Kerberos or SCRAM-SHA JAAS authenticated Principal must be
added to the
diff --git a/tests/integration-tests/src/test/resources/login.config
b/tests/integration-tests/src/test/resources/login.config
index 6ff980c..b1af825 100644
--- a/tests/integration-tests/src/test/resources/login.config
+++ b/tests/integration-tests/src/test/resources/login.config
@@ -282,21 +282,6 @@ Krb5PlusLdapMemberOfNoRoleName {
;
};
-core-tls-krb5-server {
- com.sun.security.auth.module.Krb5LoginModule required
- isInitiator=false
- storeKey=true
- useKeyTab=true
- principal="host/sni.host"
- debug=true;
-};
-
-core-tls-krb5-client {
- com.sun.security.auth.module.Krb5LoginModule required
- principal="client"
- useKeyTab=true;
-};
-
amqp-sasl-gssapi {
com.sun.security.auth.module.Krb5LoginModule required
isInitiator=false
