JaasCertificateAuthenticationBroker


1   /**
2    *
3    * Licensed to the Apache Software Foundation (ASF) under one or more
4    * contributor license agreements.  See the NOTICE file distributed with
5    * this work for additional information regarding copyright ownership.
6    * The ASF licenses this file to You under the Apache License, Version 2.0
7    * (the "License"); you may not use this file except in compliance with
8    * the License.  You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.activemq.security;
20  
21  import org.apache.activemq.broker.Broker;
22  import org.apache.activemq.broker.BrokerFilter;
23  import org.apache.activemq.broker.ConnectionContext;
24  import org.apache.activemq.command.ConnectionInfo;
25  import org.apache.activemq.jaas.JaasCertificateCallbackHandler;
26  import org.apache.activemq.jaas.UserPrincipal;
27  import org.apache.activemq.security.JaasAuthenticationBroker.JaasSecurityContext;
28  
29  import java.security.Principal  ;
30  import java.security.cert.X509Certificate  ;
31  import java.util.Iterator  ;
32  
33  import javax.security.auth.Subject  ;
34  import javax.security.auth.callback.CallbackHandler  ;
35  import javax.security.auth.login.LoginContext  ;
36  
37  /**
38   * A JAAS Authentication Broker that uses SSL Certificates.
39   * 
40   * This class will provide the JAAS framework with a JaasCertificateCallbackHandler that will grant JAAS access to
41   *      incoming connections' SSL certificate chains. 
42   * NOTE: There is a chance that the incoming connection does not have a valid certificate (has null).
43   * 
44   * @author sepandm@gmail.com (Sepand)
45   */
46  public class JaasCertificateAuthenticationBroker extends BrokerFilter {
47      private final String   jaasConfiguration;
48      
49      /**
50       * Simple constructor. Leaves everything to superclass.
51       * 
52       * @param next The Broker that does the actual work for this Filter.
53       * @param jassConfiguration The JAAS domain configuration name (refere to JAAS documentation).
54       */
55      public JaasCertificateAuthenticationBroker(Broker next, String   jaasConfiguration) {
56          super(next);
57          
58          this.jaasConfiguration = jaasConfiguration; 
59      }
60      
61      /**
62       * Overridden to allow for authentication based on client certificates.
63       * 
64       * Connections being added will be authenticated based on their certificate chain and the JAAS module specified
65       *      through the JAAS framework.
66       * NOTE: The security context's username will be set to the first UserPrincipal created by the login module.
67       * 
68       * @param context The context for the incoming Connection.
69       * @param info The ConnectionInfo Command representing the incoming connection.
70       */
71      public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception   {
72  
73          if (context.getSecurityContext() == null) {
74              if (!( info.getTransportContext() instanceof X509Certificate  [] )) {
75                  throw new SecurityException  ("Unable to authenticate transport without SSL certificate.");
76              }
77              
78              // Set the TCCL since it seems JAAS needs it to find the login module classes.
79              ClassLoader   original = Thread.currentThread().getContextClassLoader();
80              Thread.currentThread().setContextClassLoader(JaasAuthenticationBroker.class.getClassLoader());
81              try {
82                  // Do the login.
83                  try {
84                      CallbackHandler callback =
85                          new JaasCertificateCallbackHandler((X509Certificate  [])info.getTransportContext());
86                      LoginContext   lc = new LoginContext  (jaasConfiguration, callback);
87                      lc.login();
88                      Subject   subject = lc.getSubject();
89                      
90                      String   dnName = "";
91                      
92                      for (Iterator   iter = subject.getPrincipals().iterator(); iter.hasNext(); ) {
93                          Principal nextPrincipal = (Principal)iter.next();
94                          if (nextPrincipal instanceof UserPrincipal) {
95                              dnName = ((UserPrincipal)nextPrincipal).getName();
96                              break;
97                          }
98                      }
99                      SecurityContext s = new JaasCertificateSecurityContext(
100                         dnName, subject, (X509Certificate  [])info.getTransportContext());
101                     context.setSecurityContext(s);
102                 } catch (Exception   e) {
103                     throw new SecurityException  ("User name or password is invalid: " + e.getMessage(), e);
104                 }
105             } finally {
106                 Thread.currentThread().setContextClassLoader(original);
107             }
108         }
109         super.addConnection(context, info);
110     }
111     
112     /**
113      * Overriding removeConnection to make sure the security context is cleaned.
114      */
115     public void removeConnection(ConnectionContext context, ConnectionInfo info, Throwable   error) throws Exception   {
116         super.removeConnection(context, info, error);
117         
118         context.setSecurityContext(null);
119     }
120 }
121
A to Z: JavaDoc & Examples Daily Java News & Articles Open Source Projects Open Source Codes Free Computer Books Remove Frame
Popular Tags