[ https://issues.apache.org/jira/browse/ARTEMIS-1758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16411312#comment-16411312 ]
ASF GitHub Bot commented on ARTEMIS-1758:
-----------------------------------------

Github user gemmellr commented on a diff in the pull request:

    https://github.com/apache/activemq-artemis/pull/1961#discussion_r176719439

    --- Diff: artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/broker/AMQPConnectionCallback.java ---
    @@ -113,7 +116,20 @@ public ServerSASL getServerSASL(final String mechanism) { result = gssapiServerSASL; break; + case ExternalServerSASL.NAME: + // validate ssl cert present + Principal principal = CertificateUtil.getPeerPrincipalFromConnection(protonConnectionDelegate); + if (principal != null) { + ExternalServerSASL externalServerSASL = new ExternalServerSASL(); + externalServerSASL.setPrincipal(principal); + result = externalServerSASL; + } else { + logger.debug("SASL EXTERNAL mechanism requires a TLS peer principal");
    --- End diff --

    This feels like it should be an exception rather than just a log message. Things shouldn't get here if the connection can't actually do EXTERNAL, since the server shouldn't offer it in that case (as it can tell before offering that it can't work), and should fail before here if the client selected it when it wasn't actually offered.

> Support SASL EXTERNAL
> ---------------------
>
>                 Key: ARTEMIS-1758
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-1758
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: AMQP
>    Affects Versions: 2.5.0
>            Reporter: Gary Tully
>            Assignee: Gary Tully
>            Priority: Major
>             Fix For: 2.6.0
>
>
> Add support for SASL EXTERNAL
> https://tools.ietf.org/html/rfc4422#appendix-A
> Peer principal from TLS client cert is used as the client identity on the
> broker.
> The identity is mapped to a broker user and role via the
> TextFileCertificateLoginModule

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
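Review bot: The `else` branch of `if (principal != null)` in the `ExternalServerSASL.NAME` case only emits `logger.debug("SASL EXTERNAL mechanism requires a TLS peer principal");` and leaves `result` unset, so a client that selects EXTERNAL on a connection with no usable client certificate fails somewhere later with no visible reason unless debug logging is enabled. Agree with the comment above: this branch should raise an exception (or at minimum log at warn level), and `getServerSASL` should not be reachable with `ExternalServerSASL.NAME` unless EXTERNAL was actually offered, which the server can decide up front by checking for a peer principal when it builds the mechanism list rather than when a mechanism is selected. One further point to confirm in the same place: a non-null return from `CertificateUtil.getPeerPrincipalFromConnection(protonConnectionDelegate)` shows that a certificate was presented, but the identity is only trustworthy if the TLS transport was configured to require and verify client authentication, so the EXTERNAL path should be gated on that configuration and not merely on the presence of a principal.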