authorRobert Godfrey <rgodfrey@apache.org>2014-07-24 11:27:03 +0000
committerRobert Godfrey <rgodfrey@apache.org>2014-07-24 11:27:03 +0000
commit79c88e13948c79d85aa84dd241f4dcdc7a0ced6b (patch)
treeb6ffe0198e102c3b33e01778df0ed584357e7760 /qpid/java/broker-plugins/management-http
parent38f6dea5a16eda38a50489d500de234b34916df3 (diff)
QPID-5922 : [Java Broker] restrict the use of PLAIN authentication to secure channels
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1613068 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/broker-plugins/management-http')
-rw-r--r--qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java7
-rw-r--r--qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java48
2 files changed, 30 insertions, 25 deletions
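--- a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
+++ b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
@@ -45,6 +45,7 @@ import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
 import org.apache.qpid.server.security.auth.AuthenticationResult.AuthenticationStatus;
 import org.apache.qpid.server.security.auth.SubjectAuthenticationResult;
 import org.apache.qpid.server.security.auth.UsernamePrincipal;
+import org.apache.qpid.server.security.auth.manager.AnonymousAuthenticationManager;
 import org.apache.qpid.server.security.auth.manager.ExternalAuthenticationManager;
 import org.apache.qpid.transport.network.security.ssl.SSLUtil;
@@ -146,14 +147,14 @@ public class HttpManagementUtil
 Subject subject = null;
 SocketAddress localAddress = getSocketAddress(request);
 final AuthenticationProvider authenticationProvider = managementConfig.getAuthenticationProvider(localAddress);
-SubjectCreator subjectCreator = authenticationProvider.getSubjectCreator();
+SubjectCreator subjectCreator = authenticationProvider.getSubjectCreator(request.isSecure());
 String remoteUser = request.getRemoteUser();
-if (remoteUser != null || subjectCreator.isAnonymousAuthenticationAllowed())
+if (remoteUser != null || authenticationProvider instanceof AnonymousAuthenticationManager)
 {
 subject = authenticateUser(subjectCreator, remoteUser, null);
 }
-else if(subjectCreator.isExternalAuthenticationAllowed()
+else if(authenticationProvider instanceof ExternalAuthenticationManager
 && Collections.list(request.getAttributeNames()).contains("javax.servlet.request.X509Certificate"))
 {
 Principal principal = null;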
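Review bot: The `instanceof AnonymousAuthenticationManager` and `instanceof ExternalAuthenticationManager` tests in the second hunk replace capability queries on the SubjectCreator with checks against concrete provider classes, and nothing in the hunk says why; a comment on the `if` such as `// provider capabilities are now decided by provider type, since the SubjectCreator is built per channel via getSubjectCreator(request.isSecure())` would record the reasoning (presumably that is the motive, but the SubjectCreator change itself is outside this view). The `request.isSecure()` argument is the only signal that restricts PLAIN to secure channels, and it is the servlet container's view of the transport, not the client's: with TLS terminated at a proxy it reads false unless the container is configured to honour a forwarded-protocol header, and if that trust is configured too broadly the flag is only as reliable as that configuration. A comment on the `getSubjectCreator(request.isSecure())` line stating that dependency would help operators deploying the management plugin behind a proxy. The enclosing method starts and ends outside the hunk.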
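--- a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
+++ b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
@@ -20,34 +20,36 @@
 */
 package org.apache.qpid.server.management.plugin.servlet.rest;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.net.SocketAddress;
+import java.security.Principal;
+import java.security.SecureRandom;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Random;
+
+import javax.security.auth.Subject;
+import javax.security.sasl.SaslException;
+import javax.security.sasl.SaslServer;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
 import org.apache.commons.codec.binary.Base64;
-import org.apache.qpid.server.management.plugin.servlet.ServletConnectionPrincipal;
-import org.apache.qpid.server.util.ConnectionScopedRuntimeException;
+import org.apache.log4j.Logger;
 import org.codehaus.jackson.map.ObjectMapper;
 import org.codehaus.jackson.map.SerializationConfig;
-import org.apache.log4j.Logger;
 import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
 import org.apache.qpid.server.management.plugin.HttpManagementUtil;
+import org.apache.qpid.server.management.plugin.servlet.ServletConnectionPrincipal;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.security.SubjectCreator;
 import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
-
-import javax.security.auth.Subject;
-import javax.security.sasl.SaslException;
-import javax.security.sasl.SaslServer;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.net.SocketAddress;
-import java.security.Principal;
-import java.security.SecureRandom;
-import java.util.LinkedHashMap;
-import java.util.Map;
-import java.util.Random;
+import org.apache.qpid.server.util.ConnectionScopedRuntimeException;
 public class SaslServlet extends AbstractServlet
 {
@@ -81,7 +83,8 @@ public class SaslServlet extends AbstractServlet
 getRandom(session);
 SubjectCreator subjectCreator = getSubjectCreator(request);
-String[] mechanisms = subjectCreator.getMechanisms().split(" ");
+List<String> mechanismsList = subjectCreator.getMechanisms();
+String[] mechanisms = mechanismsList.toArray(new String[mechanismsList.size()]);
 Map<String, Object> outputObject = new LinkedHashMap<String, Object>();
 final Subject subject = getAuthorisedSubject(request);
@@ -237,7 +240,7 @@ public class SaslServlet extends AbstractServlet
 if(saslServer.isComplete())
 {
-Subject originalSubject = subjectCreator.createSubjectWithGroups(saslServer.getAuthorizationID());
+Subject originalSubject = subjectCreator.createSubjectWithGroups(new AuthenticatedPrincipal(saslServer.getAuthorizationID()));
 Subject subject = new Subject(false,
 originalSubject.getPrincipals(),
 originalSubject.getPublicCredentials(),
@@ -298,7 +301,8 @@ public class SaslServlet extends AbstractServlet
 private SubjectCreator getSubjectCreator(HttpServletRequest request)
 {
 SocketAddress localAddress = HttpManagementUtil.getSocketAddress(request);
-return HttpManagementUtil.getManagementConfiguration(getServletContext()).getAuthenticationProvider(localAddress).getSubjectCreator();
+return HttpManagementUtil.getManagementConfiguration(getServletContext()).getAuthenticationProvider(localAddress).getSubjectCreator(
+request.isSecure());
 }
 @Override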
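Review bot: `getSubjectCreator` in the last hunk now builds its result from `request.isSecure()`, so the SubjectCreator is specific to the transport of one request, while the SASL exchange it serves spans several requests with state in the HttpSession (`getRandom(session)` in the second hunk, `saslServer` in the third). If the SaslServer is retained in the session between steps, which the hunks do not show, a step that continues an exchange begun over TLS but arrives over plain HTTP would still drive the mechanism chosen under the secure creator; recording `request.isSecure()` with the session state at the first step and rejecting a later step whose transport differs would close that gap, but confirm against the session handling before relying on this. Independently, the method deserves a Javadoc along the lines of `Returns the SubjectCreator for this request's listening address and transport; the mechanism set differs by channel, so the result must be obtained per request and never cached on the session`, and the same lookup chain now also appears in HttpManagementUtil, where a shared helper would keep the two from drifting. In the second hunk, `mechanismsList.toArray(new String[mechanismsList.size()])` can be written `mechanismsList.toArray(new String[0])`; the methods enclosing the second and third hunks start and end outside them.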