[ https://issues.apache.org/jira/browse/ARTEMIS-1758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16411552#comment-16411552 ]

ASF GitHub Bot commented on ARTEMIS-1758:
-----------------------------------------

Github user gemmellr commented on a diff in the pull request:

    https://github.com/apache/activemq-artemis/pull/1961#discussion_r176769932
  
    --- Diff: artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/broker/AMQPConnectionCallback.java ---
    @@ -113,7 +116,20 @@ public ServerSASL getServerSASL(final String 
mechanism) {
                    result = gssapiServerSASL;
                    break;
     
    +            case ExternalServerSASL.NAME:
    +               // validate ssl cert present
    +               Principal principal = 
CertificateUtil.getPeerPrincipalFromConnection(protonConnectionDelegate);
    +               if (principal != null) {
    +                  ExternalServerSASL externalServerSASL = new 
ExternalServerSASL();
    +                  externalServerSASL.setPrincipal(principal);
    +                  result = externalServerSASL;
    +               } else {
    +                  logger.debug("SASL EXTERNAL mechanism requires a TLS 
peer principal");
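    Review bot: in the `else` branch the only trace of EXTERNAL being refused is `logger.debug("SASL EXTERNAL mechanism requires a TLS peer principal")` and `result` is not assigned, so a client that selects EXTERNAL without having presented a TLS client certificate gets an unexplained failure unless debug logging happens to be enabled. Since `CertificateUtil.getPeerPrincipalFromConnection(protonConnectionDelegate)` is already available at this point, the same null check should decide whether `ExternalServerSASL.NAME` is advertised in the mechanism list in the first place; this branch would then only be reached by a client ignoring the offered mechanisms, and for that case a log level operators normally have enabled would be more useful than debug.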
    --- End diff --
    
    I noticed that it fails eventually when returning null, though without 
indication why unless the debug logging is on, but the main thing is it 
shouldn't get to this bit of code without being able to succeed, except through 
malicious intent on a client's part. EXTERNAL can be supported by the broker but 
still not be used/usable by all clients, so it really shouldn't be offered to 
those that can't actually do it.


> Support SASL EXTERNAL
> ---------------------
>
>                 Key: ARTEMIS-1758
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-1758
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: AMQP
>    Affects Versions: 2.5.0
>            Reporter: Gary Tully
>            Assignee: Gary Tully
>            Priority: Major
>             Fix For: 2.6.0
>
>
> Add support for SASL EXTERNAL
> https://tools.ietf.org/html/rfc4422#appendix-A
> Peer principal from TLS client cert is used as the client identity on the 
> broker.
> The identity is mapped to a broker user and role via the 
> TextFileCertificateLoginModule



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

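The two points raised in this thread, offering EXTERNAL only when the TLS handshake actually produced a peer principal, and using that principal as the client identity per RFC 4422 Appendix A, are easy to get wrong in either direction. The sketch below is an added illustration and is not Artemis code: the class name, the `Outcome` type and the `PLAIN`/`ANONYMOUS` defaults are assumptions, and it reads the peer principal straight from a `javax.net.ssl.SSLSession` rather than through the broker's `CertificateUtil`. The policy that a non-empty authorization identity must equal the certificate identity is a conservative assumption; Appendix A only requires that the server check the authenticated identity is authorized to act as the requested one.

```java
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

/** Hypothetical sketch of SASL EXTERNAL gating and identity derivation; not Artemis code. */
public final class ExternalSaslSketch {

    /** Peer principal from the TLS session, or null when no (verified) client cert was sent. */
    static Principal peerPrincipalOrNull(SSLSession session) {
        if (session == null) {
            return null;                // plain TCP: no TLS, so EXTERNAL can never succeed
        }
        try {
            return session.getPeerPrincipal();
        } catch (SSLPeerUnverifiedException e) {
            return null;                // TLS, but the client presented no usable certificate
        }
    }

    /** Mechanism list to advertise; EXTERNAL is only offered when it can actually succeed. */
    static List<String> offeredMechanisms(Principal peer) {
        List<String> mechs = new ArrayList<>(Arrays.asList("PLAIN", "ANONYMOUS"));
        if (peer != null) {
            mechs.add(0, "EXTERNAL");   // listed first so certificate clients prefer it
        }
        return mechs;
    }

    /** Result of evaluating an EXTERNAL initial response (assumed shape, for illustration). */
    static final class Outcome {
        final boolean ok;
        final String identity;          // identity to hand to the login module when ok
        final String reason;            // why authentication failed when !ok

        private Outcome(boolean ok, String identity, String reason) {
            this.ok = ok;
            this.identity = identity;
            this.reason = reason;
        }

        static Outcome ok(String identity) { return new Outcome(true, identity, null); }
        static Outcome fail(String reason) { return new Outcome(false, null, reason); }

        @Override
        public String toString() {
            return ok ? "OK identity=" + identity : "FAIL reason=" + reason;
        }
    }

    /**
     * RFC 4422 Appendix A: an empty initial response asks the server to derive the identity
     * from the external source (here the TLS peer principal); a non-empty response is a
     * requested authorization identity. This sketch only authorizes it when it matches the
     * certificate subject exactly (assumed policy).
     */
    static Outcome authenticateExternal(Principal peer, byte[] initialResponse) {
        if (peer == null) {
            // Defensive backstop: a client chose EXTERNAL although it was never offered.
            return Outcome.fail("EXTERNAL selected but no TLS peer principal is present");
        }
        String tlsIdentity = peer.getName();
        String authzid = initialResponse == null
                ? "" : new String(initialResponse, StandardCharsets.UTF_8);
        if (authzid.isEmpty()) {
            return Outcome.ok(tlsIdentity);
        }
        if (authzid.equals(tlsIdentity)) {
            return Outcome.ok(authzid);
        }
        return Outcome.fail("authzid '" + authzid + "' does not match TLS identity '" + tlsIdentity + "'");
    }

    public static void main(String[] args) {
        // Constructed sample identity standing in for a real client certificate subject.
        Principal cert = new X500Principal("CN=client1, O=Example");

        System.out.println(offeredMechanisms(null));
        System.out.println(offeredMechanisms(cert));
        System.out.println(authenticateExternal(cert, new byte[0]));
        System.out.println(authenticateExternal(cert, cert.getName().getBytes(StandardCharsets.UTF_8)));
        System.out.println(authenticateExternal(cert, "CN=someone-else".getBytes(StandardCharsets.UTF_8)));
        System.out.println(authenticateExternal(null, new byte[0]));
    }
}
```

The identity returned by `authenticateExternal` is the string that a certificate login module would then map to a broker user and roles; the point of the sketch is that the null check runs once when the mechanism list is built, so the later failure path is only reachable by a client that ignores what it was offered.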