[
https://issues.apache.org/jira/browse/QPIDJMS-303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16096497#comment-16096497
]
ASF GitHub Bot commented on QPIDJMS-303:
----------------------------------------
Github user gemmellr commented on a diff in the pull request:
https://github.com/apache/qpid-jms/pull/10#discussion_r128809457
--- Diff:
qpid-jms-client/src/test/java/org/apache/qpid/jms/test/testpeer/TestAmqpPeer.java
---
@@ -495,6 +512,169 @@ public void run()
}
}
+ public void expectGSSAPIFail(Symbol mech) throws Exception {
+ SaslMechanismsFrame saslMechanismsFrame = new
SaslMechanismsFrame().setSaslServerMechanisms(mech);
+
+ addHandler(new HeaderHandlerImpl(AmqpHeader.SASL_HEADER,
AmqpHeader.SASL_HEADER,
+ new FrameSender(
+ this, FrameType.SASL, 0,
+ saslMechanismsFrame, null)));
+
+ addHandler(new SaslInitMatcher().withMechanism(equalTo(mech)));
+
+ }
+
+ public void expectGSSAPI(Symbol mech, String serviceName) throws
Exception {
+
+ SaslMechanismsFrame saslMechanismsFrame = new
SaslMechanismsFrame().setSaslServerMechanisms(mech);
+
+ addHandler(new HeaderHandlerImpl(AmqpHeader.SASL_HEADER,
AmqpHeader.SASL_HEADER,
+ new FrameSender(
+ this, FrameType.SASL, 0,
+ saslMechanismsFrame, null)));
+
+ // setup server gss context
+ LoginContext loginContext = new LoginContext("", null, null,
+ kerb5InlineConfig(serviceName, false));
+ loginContext.login();
+ final Subject serverSubject =loginContext.getSubject();
+
+ LOGGER.info("saslServer subject:" +
serverSubject.getPrivateCredentials());
+
+ Map<String, ?> config = new HashMap();
+ final CallbackHandler handler = new CallbackHandler() {
+ @Override
+ public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
+ LOGGER.info("Here with: " + Arrays.asList(callbacks));
+ for (Callback callback :callbacks) {
+ if (callback instanceof AuthorizeCallback) {
+ AuthorizeCallback authorizeCallback =
(AuthorizeCallback) callback;
+
authorizeCallback.setAuthorized(authorizeCallback.getAuthenticationID().equals(authorizeCallback.getAuthorizationID()));
+ }
+ }
+ }
+ };
+ final SaslServer saslServer = Subject.doAs(serverSubject, new
PrivilegedExceptionAction<SaslServer>() {
+ @Override
+ public SaslServer run() throws Exception {
+ return Sasl.createSaslServer(mech.toString(), null, null,
config, handler);
+ }
+ });
+
+ final SaslChallengeFrame challengeFrame = new SaslChallengeFrame();
+
+ SaslInitMatcher saslInitMatcher = new SaslInitMatcher()
+ .withMechanism(equalTo(mech))
+ .withInitialResponse(new BaseMatcher<Binary>() {
+
+ @Override
+ public void describeTo(Description description) {}
+
+ @Override
+ public boolean matches(Object o) {
+ if (o == null) {
+ LOGGER.error("Got null initial response!");
+ return false;
+ }
+ final Binary binary = (Binary) o;
+ // validate via sasl
+ byte[] token = null;
+ try {
+ token = Subject.doAs(serverSubject, new
PrivilegedExceptionAction<byte[]>() {
+ @Override
+ public byte[] run() throws Exception {
+ LOGGER.info("Evaluate Response..
size:" + binary.getLength());
+ return
saslServer.evaluateResponse(binary.getArray());
+ }
+ });
+ } catch (PrivilegedActionException e) {
+ e.printStackTrace();
+ }
+ LOGGER.info("Complete:" + saslServer.isComplete());
+
+ if (token != null) {
+ // fling it back in on complete
+ challengeFrame.setChallenge(new Binary(token));
+ }
+ return true;
+ }
+ }).onCompletion(new AmqpPeerRunnable() {
+ @Override
+ public void run() {
+ TestAmqpPeer.this.sendFrame(
+ FrameType.SASL, 0,
+ challengeFrame,
+ null,
+ false, 0);
+ }
+ });
+
+ AtomicBoolean response = new AtomicBoolean(false);
+ SaslResponseMatcher challengeMatcher = new
SaslResponseMatcher().withResponse(new BaseMatcher<Binary>() {
+
+ @Override
+ public void describeTo(Description description) {}
+
+ @Override
+ public boolean matches(Object o) {
+ final Binary binary = (Binary) o;
+ if (!saslServer.isComplete()) {
+ // validate via sasl
+ byte[] token = null;
+ try {
+ token = Subject.doAs(serverSubject, new
PrivilegedExceptionAction<byte[]>() {
+ @Override
+ public byte[] run() throws Exception {
+ LOGGER.info("Evaluate challenge response..
size:" + binary.getLength());
+ return
saslServer.evaluateResponse(binary.getArray());
+ }
+ });
+ } catch (PrivilegedActionException e) {
+ e.printStackTrace();
+ }
+ LOGGER.info("Complete:" + saslServer.isComplete());
+ if (token != null) {
+ // fling it back
+ challengeFrame.setChallenge(new Binary(token));
+ response.set(true);
+ }
+ return true;
+ }
+
+ return false;
+ }
+ }).onCompletion(new AmqpPeerRunnable() {
+ @Override
+ public void run() {
+ if (response.get()) {
+ TestAmqpPeer.this.sendFrame(
+ FrameType.SASL, 0,
+ challengeFrame,
+ null,
+ false, 0);
+ }
+
+ if (saslServer.isComplete()) {
--- End diff --
if it goes on its own it suggests the other bit can be removed or there's an
'else' missing, which doesn't make sense either as there should likely always be
an outcome. I also missed earlier that it is sending a successful auth
outcome; the server being complete doesn't necessarily mean it succeeded, and
the previous bit allows for it to fail, so it still seems something is off here
to me.
> Add support for SASL GSSAPI Kerberos mechanism
> ----------------------------------------------
>
> Key: QPIDJMS-303
> URL: https://issues.apache.org/jira/browse/QPIDJMS-303
> Project: Qpid JMS
> Issue Type: Bug
> Components: qpid-jms-client
> Reporter: Gary Tully
>
> It would be great to be able to authenticate with Kerberos credentials via
> the SASL GSSAPI mechanism.
> Authentication would be sufficient, leaving TLS to do encryption of the
> channel if that is necessary.