Commit c9403bce authored by Andre Freyssinet's avatar Andre Freyssinet

Allows to configure client authentication in SSL/JMS connector

(JORAM-368).
parent 9218093b
......@@ -43,9 +43,9 @@ import fr.dyade.aaa.agent.AgentServer;
import fr.dyade.aaa.common.Debug;
/**
* Starts a SSLTCP entry point for MOM clients.
* Starts a SSL entry point for JMS clients.
*/
public class SSLTcpProxyService extends TcpProxyService {
public class SSLTcpProxyService extends TcpProxyService implements SSLTcpProxyServiceMBean {
/** logger */
public static Logger logger = Debug.getLogger(SSLTcpProxyService.class.getName());
......@@ -54,9 +54,47 @@ public class SSLTcpProxyService extends TcpProxyService {
private final static String KS_PASS = "org.objectweb.joram.keystorepass";
private final static String KS_TYPE = "org.objectweb.joram.keystoretype";
private final static String SSLCONTEXT = "org.objectweb.joram.sslCtx";
private final static String CLIENT_AUTH = "org.objectweb.joram.clientAuth";
private static final String MBEAN_NAME = "type=Connection,mode=tcp-ssl";
private static final String MBEAN_NAME = "type=Connection,mode=ssl";
private static final String CLIENT_AUTH_NONE = "NONE";
private static final String CLIENT_AUTH_WANT = "WANT";
private static final String CLIENT_AUTH_NEED = "NEED";
private static final String CLIENT_AUTH_DFLT = CLIENT_AUTH_NEED;
private static String clientAuth = CLIENT_AUTH_DFLT;
/**
* Returns the actual configuration for client authentication:<ul>
* <li>WANT:client authentication required</li>
* <li>NEED:client authentication requested</li>
* <li>NONNEno client authentication desired</li>
* </ul>
*
* @return the actual configuration for client authentication.
*/
public String getClientAuth() {
return clientAuth;
}
/**
* Controls whether accepted server-mode SSLSockets will be initially configured to require or not client authentication.
* A socket's client authentication setting is one of the following:<ul>
* <li>WANT: client authentication required.</li>
* <li>NEED: client authentication requested.</li>
* <li>NONE: no client authentication desired.</li>
* </ul>
*
* The initial value of this parameter depends of the org.objectweb.joram.clientAuth configuration property.
* It can be overloaded for new connections using the corresponding MBean.
*
* @param clientAuth "WANT", "NEED" or "NONE".
*/
public void setClientAuth(String clientAuth) {
this.clientAuth = clientAuth;
}
/**
* The proxy service reference (used to stop it).
*/
......@@ -70,8 +108,7 @@ public class SSLTcpProxyService extends TcpProxyService {
* @param firstTime <code>true</code>
* when the agent server starts.
*/
public static void init(String args, boolean firstTime)
throws Exception {
public static void init(String args, boolean firstTime) throws Exception {
if (logger.isLoggable(BasicLevel.DEBUG))
logger.log(BasicLevel.DEBUG,
"SSLTcpProxyService.init(" + args + ',' + firstTime + ')');
......@@ -87,16 +124,16 @@ public class SSLTcpProxyService extends TcpProxyService {
}
int backlog = AgentServer.getInteger(BACKLOG_PROP, DEFAULT_BACKLOG).intValue();
clientAuth = AgentServer.getProperty(CLIENT_AUTH, clientAuth);
// Create the socket here in order to throw an exception
// if the socket can't be created (even if firstTime is false).
if (logger.isLoggable(BasicLevel.DEBUG))
logger.log(BasicLevel.DEBUG,
"SSLTcpProxyService.init() - binding to address " + address + ", port " + port);
"SSLTcpProxyService.init() - binding to address " + address + ", port " + port + ", client authentication=" + clientAuth);
proxyService = new SSLTcpProxyService(port, backlog, address);
proxyService.start();
}
public String getMBeanName() {
......@@ -115,7 +152,7 @@ public class SSLTcpProxyService extends TcpProxyService {
if (logger.isLoggable(BasicLevel.DEBUG))
logger.log(BasicLevel.DEBUG,
"SSLTcpProxyService.createServerSocketFactory:" + keystoreFile + ':' + new String(keyStorePass));
"SSLTcpProxyService.createServerSocketFactory: keystore=" + keystoreFile);
KeyStore keystore = KeyStore.getInstance(ksType);
keystore.load(new FileInputStream(keystoreFile), keyStorePass);
......@@ -146,10 +183,18 @@ public class SSLTcpProxyService extends TcpProxyService {
serverSocket = (SSLServerSocket) serverSocketFactory.createServerSocket(port, backlog, InetAddress.getByName(address));
}
// require mutual authentication
serverSocket.setNeedClientAuth(true);
// request mutual authentication
//serverSocket.setWantClientAuth(true);
logger.log(BasicLevel.DEBUG,
"SSLTcpProxyService.createServerSocket(" + port + ',' + backlog + ',' + address + ") use " + clientAuth);
if (CLIENT_AUTH_NEED.equalsIgnoreCase(clientAuth)) {
// require mutual authentication
serverSocket.setNeedClientAuth(true);
} else if (CLIENT_AUTH_WANT.equalsIgnoreCase(clientAuth)) {
// request mutual authentication
serverSocket.setWantClientAuth(true);
} else {
// could set need with the same effect
serverSocket.setWantClientAuth(false);
}
String[] cipherTable = getCipherList();
if (cipherTable != null && cipherTable.length > 0)
serverSocket.setEnabledCipherSuites(cipherTable);
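Review bot: An unrecognised value of `org.objectweb.joram.clientAuth` (or of the MBean setter) silently disables client authentication: createServerSocket only matches NEED and WANT case-insensitively, and everything else — a typo such as "NEEDED" or "required", or an empty string — falls into the `else` branch and calls `setWantClientAuth(false)`, so a mis-typed configuration downgrades the listener from mutual TLS to server-only TLS without any warning. The value should be validated and normalised once, both in `init()` (which bypasses the setter by assigning the property directly) and in `setClientAuth`, rejecting anything but NONE/WANT/NEED while keeping NEED as the default; the helper below does that. `setClientAuth` also writes a static field through `this.clientAuth`, and since the value is presumably set from a JMX management thread but read when the server socket is built, the field likely wants to be `volatile`. The Javadoc on getClientAuth/setClientAuth has WANT and NEED swapped and a "NONNEno" typo; it should read `<li>WANT: client authentication requested (setWantClientAuth).</li>`, `<li>NEED: client authentication required (setNeedClientAuth).</li>`, `<li>NONE: no client authentication.</li>`. As far as the visible code shows, the setting is only consulted when the server socket is created, so the "can be overloaded for new connections using the corresponding MBean" sentence should state when a runtime change actually takes effect (apparently only once the server socket is re-created) — worth confirming against the callers of createServerSocket, which are outside this hunk.
```java
/** Canonical form of a client-authentication setting; anything but NONE, WANT or NEED is rejected. */
private static String checkClientAuth(String value) {
  if (CLIENT_AUTH_NEED.equalsIgnoreCase(value)) return CLIENT_AUTH_NEED;
  if (CLIENT_AUTH_WANT.equalsIgnoreCase(value)) return CLIENT_AUTH_WANT;
  if (CLIENT_AUTH_NONE.equalsIgnoreCase(value)) return CLIENT_AUTH_NONE;
  throw new IllegalArgumentException(
      CLIENT_AUTH + " must be NONE, WANT or NEED, got: " + value);
}

public void setClientAuth(String clientAuth) {
  SSLTcpProxyService.clientAuth = checkClientAuth(clientAuth);
}

// … in init(), unchanged: address/port/backlog parsing …
clientAuth = checkClientAuth(AgentServer.getProperty(CLIENT_AUTH, clientAuth));
```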
/*
* JORAM: Java(TM) Open Reliable Asynchronous Messaging
* Copyright (C) 2020 ScalAgent Distributed Technologies
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
* USA.
*
* Initial developer(s): ScalAgent Distributed Technologies
*/
package org.objectweb.joram.mom.proxies.tcp;
public interface SSLTcpProxyServiceMBean extends TcpProxyServiceMBean {
/**
* Returns the actual configuration for client authentication:<ul>
* <li>WANT:client authentication required</li>
* <li>NEED:client authentication requested</li>
* <li>NONNEno client authentication desired</li>
* </ul>
*
* @return the actual configuration for client authentication.
*/
public String getClientAuth() ;
/**
* Controls whether accepted server-mode SSLSockets will be initially configured to require or not client authentication.
* A socket's client authentication setting is one of the following:<ul>
* <li>WANT:client authentication required</li>
* <li>NEED:client authentication requested</li>
* <li>NONNEno client authentication desired</li>
* </ul>
*
* The initial value of this parameter depends of the org.objectweb.joram.clientAuth configuration property.
* It can be overloaded for new connections using the corresponding MBean.
*
* @param clientAuth "WANT", "NEED" or "NONE".
*/
public void setClientAuth(String clientAuth);
}
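Review bot: The Javadoc of both MBean operations describes WANT and NEED the wrong way round and misspells NONE: in JSSE terms WANT is "requested" (setWantClientAuth, a client without a certificate is still accepted) and NEED is "required" (setNeedClientAuth, the handshake fails without one). Suggested list items for both methods: `<li>WANT: client authentication requested (setWantClientAuth).</li>`, `<li>NEED: client authentication required (setNeedClientAuth).</li>`, `<li>NONE: no client authentication.</li>`. Because `setClientAuth` is a remotely reachable management operation that can turn mutual TLS off for the whole listener, the interface doc should also say that the value is case-insensitive, that anything outside these three values is rejected (if the implementation is made to validate it) and that the operation must only be exposed to authenticated, authorised JMX users. "depends of" should read "depends on", and "overloaded" should be "overridden".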