Re: svn commit: r742267 - in /qpid/trunk/qpid/java: client/src/main/java/org/apache/qpid/jms/ common/src/main/java/org/apache/qpid/transport/ tools/src/main/java/org/apache/qpid/tools/
Hi Rajith,
Why not use the CallBackHandlerRegistry to automatically pick the
mechanism from the intersection of the supported mechanisms from the
broker and client? Or is this more to say only use GSSAPI? Might still
be nice to be able to automatically pick an available mechanism when
you don't actually care about it.
See ConnectionStartMethodHandler.chooseMechanism in the client.
Cheers
Martin
2009/2/9 raj...@apache.org:
Author: rajith
Date: Mon Feb 9 05:14:09 2009
New Revision: 742267
URL: http://svn.apache.org/viewvc?rev=742267view=rev
Log:
This is related to QPID-1645
Added support to specify the sasl_mechs as a space separated list in the
connection URL.
By default it will use PLAIN.
You could provide a list of mechs to support or force to use one GASSAPI or
CRAM-MD5 by specifying only that in the connection URL.
Modified:
qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/Connection.java
qpid/trunk/qpid/java/tools/src/main/java/org/apache/qpid/tools/JNDICheck.java
Modified:
qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java?rev=742267r1=742266r2=742267view=diff
==
---
qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java
(original)
+++
qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java
Mon Feb 9 05:14:09 2009
@@ -35,6 +35,7 @@
public static final String OPTIONS_CONNECT_TIMEOUT = connecttimeout;
public static final String OPTIONS_CONNECT_DELAY = connectdelay;
public static final String OPTIONS_IDLE_TIMEOUT = idle_timeout;
+public static final String OPTIONS_SASL_MECHS = sasl_mechs;
public static final int DEFAULT_PORT = 5672;
public static final String SOCKET = socket;
Modified:
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java?rev=742267r1=742266r2=742267view=diff
==
---
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java
(original)
+++
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java
Mon Feb 9 05:14:09 2009
@@ -46,12 +46,21 @@
private String vhost;
private String username;
private String password;
-
-public ClientDelegate(String vhost, String username, String password)
+private String[] saslMechs;
+private String protocol;
+private String serverName;
+
+public ClientDelegate(String vhost, String username, String
password,String saslMechs)
{
this.vhost = vhost;
this.username = username;
this.password = password;
+this.saslMechs = saslMechs.split( );
+
+// Looks kinda of silly but the Sun SASL Kerberos client uses the
+// protocol + servername as the service key.
+this.protocol = System.getProperty(qpid.sasl_protocol,AMQP);
+this.serverName =
System.getProperty(qpid.sasl_server_name,localhost);
}
public void init(Connection conn, ProtocolHeader hdr)
@@ -84,7 +93,7 @@
new UsernamePasswordCallbackHandler();
handler.initialise(username, password);
SaslClient sc = Sasl.createSaslClient
-(new String[] {PLAIN}, null, AMQP, localhost, null,
handler);
+(saslMechs, null, protocol, serverName, null, handler);
conn.setSaslClient(sc);
byte[] response = sc.hasInitialResponse() ?
Modified:
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/Connection.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/Connection.java?rev=742267r1=742266r2=742267view=diff
==
---
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/Connection.java
(original)
+++
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/Connection.java
Mon Feb 9 05:14:09 2009
@@ -161,14 +161,19 @@
{
connect(host, port, vhost, username, password, false);
}
-
+
public void connect(String host, int port, String vhost, String username,
String password, boolean ssl)
{
+connect(host, port, vhost, username, password, false,PLAIN);
+}
+
+public void connect(String host, int port, String vhost, String
Re: svn commit: r742267 - in /qpid/trunk/qpid/java: client/src/main/java/org/apache/qpid/jms/ common/src/main/java/org/apache/qpid/transport/ tools/src/main/java/org/apache/qpid/tools/
Hello Martin, Thanks for raising this point. I was actually going to start a thread on this last night, but was a bit too sleepy:). I was aware of the CallBackHandlerRegistry and the related classes. In fact I had some of that code duplicated in the common module that I removed in rev 742269. The chooseMechanisms method currently selects the very first match between the broker and client supported mechanisms. I noticed that the mechs specified in CallbackHandlerRegistry.properties are arranged by strength and the strongest mech would be the first choice. However it is difficult to force the client to use a particular mechanism on a per connection basis. (You could use the amq.callbackhandler.properties to specify a prop file with only one mechanism to do the above, but this will be per JVM). The only drawback in not using something like chooseMechanisms is that the client may specify a mech (using the connection property) not supported by the broker as we currently don't check our prefered mech is included in the list provided by the broker. (I will be adding that very shortly). But for the most parts organizations have very specify security requirements and would mandate what the broker/clients should be using. For people who don't care PLAIN will work out of the box with no additional config. Also looking at http://java.sun.com/j2se/1.5.0/docs/guide/security/sasl/sasl-refguide.htmlwe can get away with the simple UsernamePasswordCallbackHandler for all the mechanism we intend to support. Ex PLAIN, CRAM-MD5,DIGEST-MD5, GSSAPI (doesn't use any callbacks), AMQPLAIN ..etc Therefore I wouldn't think we need an elaborate mechanism like the CallBackHandlerRegistry. I see we have a UsernameHashedPasswordCallbackHandler that uses Digest MD5, but I am not sure why we need to do that as we could easily use the DIGEST-MD5 mech supported by most SASL implementations rather than writing our own. Appologies in advance if I missed something here, but I feel that the UsernameHashedPasswordCallbackHandler is redundent. So in conclusion I would think for simplicity it's best we default to PLAIN and if a more secure method of auth is needed, then the user could specify the mechanism(s) explicitly in the connection URL. I agree however that we need to do a quick check of the preferred mechs with the list supplied by the broker. Regards, Rajith On Mon, Feb 9, 2009 at 5:27 AM, Martin Ritchie ritch...@apache.org wrote: Hi Rajith, Why not use the CallBackHandlerRegistry to automatically pick the mechanism from the intersection of the supported mechanisms from the broker and client? Or is this more to say only use GSSAPI? Might still be nice to be able to automatically pick an available mechanism when you don't actually care about it. See ConnectionStartMethodHandler.chooseMechanism in the client. Cheers Martin 2009/2/9 raj...@apache.org: Author: rajith Date: Mon Feb 9 05:14:09 2009 New Revision: 742267 URL: http://svn.apache.org/viewvc?rev=742267view=rev Log: This is related to QPID-1645 Added support to specify the sasl_mechs as a space separated list in the connection URL. By default it will use PLAIN. You could provide a list of mechs to support or force to use one GASSAPI or CRAM-MD5 by specifying only that in the connection URL. Modified: qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/Connection.java qpid/trunk/qpid/java/tools/src/main/java/org/apache/qpid/tools/JNDICheck.java Modified: qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java?rev=742267r1=742266r2=742267view=diff == --- qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java (original) +++ qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java Mon Feb 9 05:14:09 2009 @@ -35,6 +35,7 @@ public static final String OPTIONS_CONNECT_TIMEOUT = connecttimeout; public static final String OPTIONS_CONNECT_DELAY = connectdelay; public static final String OPTIONS_IDLE_TIMEOUT = idle_timeout; +public static final String OPTIONS_SASL_MECHS = sasl_mechs; public static final int DEFAULT_PORT = 5672; public static final String SOCKET = socket; Modified: qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java?rev=742267r1=742266r2=742267view=diff == ---
Re: svn commit: r742267 - in /qpid/trunk/qpid/java: client/src/main/java/org/apache/qpid/jms/ common/src/main/java/org/apache/qpid/transport/ tools/src/main/java/org/apache/qpid/tools/
Martin,
As I mentioned I got rid of some duplicated code as the same functionality
is available in the client module. There is still a bit more.
The AMQPCallbackHandler and the UsernamePasswordCallback handler in the
common module are duplicates of the AMQCallbackHandler and
UsernamePasswordCallback defined in the client module.
It would be great if we can eliminate this duplication. The ones in the
client module passes the AMQProtocolSession in the init method while the
ones in the common module directly passes the username and password. I would
assume the AMQCallbackHandler was written with the clear intention of
supporting any type of call back that would need more info than the
user/password if we are to write our own SASL extensions.
As for the standard mechs supported in both Sun and IBM SASL impls, you can
easily get away with UsernamePasswordCallback.
So I think we could simplify the code and just use UsernamePasswordCallback.
OR if we want to preserve the ability to be extensible then we could
parametrise using generics to get there.
Either way it would be good to use a single set of classes instead of code
duplication. Once we agree on a method, I would propose that we move the
classes to the common module. This way it prevents cyclic dependency between
the common and client modules.
Regards,
Rajith
Btw,I assume the JCAProvider, DynamicSASLRegistra stuff are there for us to
register as a SASL provide in order to do the AMQPLAIN stuff?
Is the AMQPlain stuff mandated by the spec or is this done to support
OpenMQ?
On Mon, Feb 9, 2009 at 5:27 AM, Martin Ritchie ritch...@apache.org wrote:
Hi Rajith,
Why not use the CallBackHandlerRegistry to automatically pick the
mechanism from the intersection of the supported mechanisms from the
broker and client? Or is this more to say only use GSSAPI? Might still
be nice to be able to automatically pick an available mechanism when
you don't actually care about it.
See ConnectionStartMethodHandler.chooseMechanism in the client.
Cheers
Martin
2009/2/9 raj...@apache.org:
Author: rajith
Date: Mon Feb 9 05:14:09 2009
New Revision: 742267
URL: http://svn.apache.org/viewvc?rev=742267view=rev
Log:
This is related to QPID-1645
Added support to specify the sasl_mechs as a space separated list in the
connection URL.
By default it will use PLAIN.
You could provide a list of mechs to support or force to use one GASSAPI
or CRAM-MD5 by specifying only that in the connection URL.
Modified:
qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/Connection.java
qpid/trunk/qpid/java/tools/src/main/java/org/apache/qpid/tools/JNDICheck.java
Modified:
qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java?rev=742267r1=742266r2=742267view=diff
==
---
qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java
(original)
+++
qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java
Mon Feb 9 05:14:09 2009
@@ -35,6 +35,7 @@
public static final String OPTIONS_CONNECT_TIMEOUT =
connecttimeout;
public static final String OPTIONS_CONNECT_DELAY = connectdelay;
public static final String OPTIONS_IDLE_TIMEOUT = idle_timeout;
+public static final String OPTIONS_SASL_MECHS = sasl_mechs;
public static final int DEFAULT_PORT = 5672;
public static final String SOCKET = socket;
Modified:
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java?rev=742267r1=742266r2=742267view=diff
==
---
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java
(original)
+++
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/ClientDelegate.java
Mon Feb 9 05:14:09 2009
@@ -46,12 +46,21 @@
private String vhost;
private String username;
private String password;
-
-public ClientDelegate(String vhost, String username, String
password)
+private String[] saslMechs;
+private String protocol;
+private String serverName;
+
+public ClientDelegate(String vhost, String username, String
password,String saslMechs)
{
this.vhost = vhost;
this.username = username;
this.password = password;
+this.saslMechs = saslMechs.split( );
+
+// Looks kinda of silly but the Sun
