AMQ-8035 - ensure propagated credentials are visible for bind and removed for subsequent mapping operations
diff --git a/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java b/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java
index aad8f50..e1dc703 100644
--- a/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java
+++ b/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java
@@ -440,6 +440,7 @@
if (log.isDebugEnabled()) {
log.debug("Binding the user.");
}
+ context.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
context.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
context.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
try {
@@ -465,7 +466,7 @@
} else {
context.removeFromEnvironment(Context.SECURITY_CREDENTIALS);
}
-
+ context.addToEnvironment(Context.SECURITY_AUTHENTICATION, getLDAPPropertyValue(AUTHENTICATION));
return isValid;
}
diff --git a/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java b/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java
index ea2fb57..208dba2 100644
--- a/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java
+++ b/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java
@@ -18,7 +18,6 @@
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
-import org.apache.directory.server.integ.ServerIntegrationUtils;
import org.apache.directory.server.ldap.LdapServer;
import org.apache.directory.server.annotations.CreateLdapServer;
import org.apache.directory.server.annotations.CreateTransport;
@@ -34,11 +33,11 @@
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.callback.*;
+import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.io.IOException;
-import java.net.URL;
import java.util.HashSet;
import java.util.Hashtable;
@@ -47,7 +46,7 @@
import static org.junit.Assert.fail;
@RunWith ( FrameworkRunner.class )
-@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port=1024)})
+@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port=1024)}, allowAnonymousAccess = true)
@ApplyLdifFiles(
"test.ldif"
)
@@ -172,4 +171,47 @@
}
+ @Test
+ public void testAuthenticatedViaBindOnAnonConnection() throws Exception {
+ LoginContext context = new LoginContext("AnonBindCheckUserLDAPLogin", new CallbackHandler() {
+ @Override
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof NameCallback) {
+ ((NameCallback) callbacks[i]).setName("first");
+ } else if (callbacks[i] instanceof PasswordCallback) {
+ ((PasswordCallback) callbacks[i]).setPassword("wrongSecret".toCharArray());
+ } else {
+ throw new UnsupportedCallbackException(callbacks[i]);
+ }
+ }
+ }
+ });
+ try {
+ context.login();
+ fail("Should have failed authenticating");
+ } catch (FailedLoginException expected) {
+ }
+ }
+
+ @Test
+ public void testAuthenticatedOkViaBindOnAnonConnection() throws Exception {
+ LoginContext context = new LoginContext("AnonBindCheckUserLDAPLogin", new CallbackHandler() {
+ @Override
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof NameCallback) {
+ ((NameCallback) callbacks[i]).setName("first");
+ } else if (callbacks[i] instanceof PasswordCallback) {
+ ((PasswordCallback) callbacks[i]).setPassword("secret".toCharArray());
+ } else {
+ throw new UnsupportedCallbackException(callbacks[i]);
+ }
+ }
+ }
+ });
+ context.login();
+ context.logout();
+ }
+
}
diff --git a/activemq-jaas/src/test/resources/login.config b/activemq-jaas/src/test/resources/login.config
index aad35cf..b5e8cf8 100644
--- a/activemq-jaas/src/test/resources/login.config
+++ b/activemq-jaas/src/test/resources/login.config
@@ -105,6 +105,25 @@
;
};
+AnonBindCheckUserLDAPLogin {
+ org.apache.activemq.jaas.LDAPLoginModule required
+ debug=true
+ initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
+ connectionURL="ldap://localhost:1024"
+ connectionUsername=none
+ connectionPassword=none
+ connectionProtocol=s
+ authentication=none
+ userBase="ou=system"
+ userSearchMatching="(uid={0})"
+ userSearchSubtree=false
+ roleBase="ou=system"
+ roleName=cn
+ roleSearchMatching="(member=uid={1},ou=system)"
+ roleSearchSubtree=false
+ ;
+};
+
ExpandedLDAPLogin {
org.apache.activemq.jaas.LDAPLoginModule required
debug=true