QPID-7779 : [Qpid JMS Client 0-x] [0-8..0-91] sasl_mechs and other SASL connection options not supported
diff --git a/client/src/main/java/org/apache/qpid/client/handler/ConnectionStartMethodHandler.java b/client/src/main/java/org/apache/qpid/client/handler/ConnectionStartMethodHandler.java
index 56ac655..13ac6c6 100644
--- a/client/src/main/java/org/apache/qpid/client/handler/ConnectionStartMethodHandler.java
+++ b/client/src/main/java/org/apache/qpid/client/handler/ConnectionStartMethodHandler.java
@@ -21,6 +21,8 @@
package org.apache.qpid.client.handler;
import java.io.UnsupportedEncodingException;
+import java.util.Collections;
+import java.util.Map;
import java.util.StringTokenizer;
import javax.security.sasl.Sasl;
@@ -46,6 +48,7 @@
import org.apache.qpid.framing.ProtocolVersion;
import org.apache.qpid.jms.ConnectionURL;
import org.apache.qpid.properties.ConnectionStartProperties;
+import org.apache.qpid.transport.ConnectionSettings;
public class ConnectionStartMethodHandler implements StateAwareMethodListener<ConnectionStartBody>
{
@@ -97,6 +100,7 @@
{
// Used to hold the SASL mechanism to authenticate with.
String mechanism;
+ final ConnectionSettings connectionSettings = session.getAMQConnection().getConnectionSettings();
if (body.getMechanisms()== null)
{
@@ -104,7 +108,8 @@
}
else
{
- mechanism = chooseMechanism(body.getMechanisms());
+ String restriction = connectionSettings.getSaslMechs();
+ mechanism = chooseMechanism(body.getMechanisms(), restriction);
_log.debug("mechanism = " + mechanism);
}
@@ -116,8 +121,24 @@
byte[] saslResponse;
try
{
+ final Map<String, ?> saslProps;
+ if (connectionSettings.isUseSASLEncryption())
+ {
+ saslProps = Collections.singletonMap(Sasl.QOP, "auth-conf");
+ }
+ else
+ {
+ saslProps = null;
+ }
+
+ String saslProtocol = connectionSettings.getSaslProtocol();
+ String saslServerName = connectionSettings.getSaslServerName();
+ if(saslServerName == null)
+ {
+ saslServerName = connectionSettings.getHost();
+ }
SaslClient sc =
- Sasl.createSaslClient(new String[] { mechanism }, null, "AMQP", "localhost", null,
+ Sasl.createSaslClient(new String[] { mechanism }, null, saslProtocol, saslServerName, saslProps,
createCallbackHandler(mechanism, session));
if (sc == null)
{
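Review bot: The `auth-conf` QOP built on L43 is only a request to the SASL factory, and nothing in this hunk checks that a confidentiality layer was actually negotiated; mechanisms that provide no security layer ignore `Sasl.QOP`, and for those that do the outcome is only known once the exchange completes. When `isUseSASLEncryption()` is true, the completion path (outside this hunk) should assert `"auth-conf".equals(sc.getNegotiatedProperty(Sasl.QOP))` and fail the connection otherwise, so the option cannot silently degrade to plain auth. Separately, `saslProtocol` from L50 is passed straight through on L58 while `saslServerName` gets a null fallback on L52-55; `Sasl.createSaslClient` documents the protocol argument as non-null, so if `getSaslProtocol()` can return null it should default to the previous hard-coded `"AMQP"`. The enclosing method starts and ends outside the hunk.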
@@ -198,10 +219,10 @@
}
}
- private String chooseMechanism(byte[] availableMechanisms) throws UnsupportedEncodingException
+ private String chooseMechanism(byte[] availableMechanisms, final String restriction) throws UnsupportedEncodingException
{
final String mechanisms = new String(availableMechanisms, "utf8");
- return CallbackHandlerRegistry.getInstance().selectMechanism(mechanisms);
+ return CallbackHandlerRegistry.getInstance().selectMechanism(mechanisms, restriction);
}
private AMQCallbackHandler createCallbackHandler(String mechanism, AMQProtocolSession protocolSession)
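Review bot: The new `restriction` parameter on L66 is undocumented, and its contract (format, meaning of null) is only inferable from the connection-URL documentation changed elsewhere in this commit. Add a Javadoc above the method such as `/** Selects a mechanism from the broker's UTF-8 mechanism list; {@code restriction} is a comma-separated list of permitted mechanism names, or {@code null} to allow any mechanism offered. */`. Whether `CallbackHandlerRegistry.selectMechanism` actually treats the value as a comma-separated allow-list, and what it returns when none of the listed mechanisms is offered, is outside this diff and should be confirmed before the comment is committed.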
diff --git a/doc/jms-client-0-8/src/docbkx/JMS-Client-Connection-URL.xml b/doc/jms-client-0-8/src/docbkx/JMS-Client-Connection-URL.xml
index 96b9e3a..7bc179f 100644
--- a/doc/jms-client-0-8/src/docbkx/JMS-Client-Connection-URL.xml
+++ b/doc/jms-client-0-8/src/docbkx/JMS-Client-Connection-URL.xml
@@ -243,17 +243,15 @@
supported.</para>
</entry>
</row>
- <!-- 0-10 only
<row>
<entry> sasl_mechs </entry>
<entry> - </entry>
- <entry> For secure applications, we suggest CRAM-MD5, DIGEST-MD5, or GSSAPI. The
- ANONYMOUS method is not secure. The PLAIN method is secure only when used
- together with SSL. For Kerberos, sasl_mechs must be set to GSSAPI,
- sasl_protocol must be set to the principal for the qpidd broker, e.g.
- qpidd/, and sasl_server must be set to the host for the SASL server, e.g.
- sasl.com. SASL External is supported using SSL certification, e.g.
- <literal>ssl='true'&sasl_mechs='EXTERNAL'</literal>
+ <entry> A comma separated list of SASL mechanisms which may be used. If not present then
+ any method offered by the broker may be used.
+ For secure applications, we suggest SCRAM-SHA-256. The
+ ANONYMOUS mechanism is not secure. The PLAIN mechanism is secure only when used
+ together with SSL. SASL External is supported using SSL certification, e.g.
+ <literal>ssl='true'&sasl_mechs='EXTERNAL'</literal>
</entry>
</row>
<row>
@@ -274,10 +272,9 @@
<row>
<entry> sasl_server </entry>
<entry> - </entry>
- <entry> For Kerberos, sasl_mechs must be set to GSSAPI, sasl_server must be set
+ <entry> For Kerberos, sasl_server must be set
to the host for the SASL server, e.g. <literal>sasl.com</literal>. </entry>
</row>
- -->
<row>
<entry> ssl </entry>
<entry> Boolean </entry>
diff --git a/doc/jms-client-0-8/src/docbkx/JMS-Client-System-Properties.xml b/doc/jms-client-0-8/src/docbkx/JMS-Client-System-Properties.xml
index 8c2fb93..59657bc 100644
--- a/doc/jms-client-0-8/src/docbkx/JMS-Client-System-Properties.xml
+++ b/doc/jms-client-0-8/src/docbkx/JMS-Client-System-Properties.xml
@@ -432,12 +432,13 @@
<para>It is only applicable for AMQP 0-8/0-9/0-9-1 clients.</para>
</entry>
</row>
+
+
</tbody>
</tgroup>
</table>
- <!-- These are all 0-10 related
- <table pgwide="1">
+ <table pgwide="1">
<title>Config Options For Security</title>
<tgroup cols="4">
<thead>
@@ -449,39 +450,39 @@
</row>
</thead>
<tbody>
-
<row>
<entry>qpid.sasl_mechs</entry>
<entry>string</entry>
- <entry>PLAIN</entry>
- <entry><para>The SASL mechanism to be used. More than one could be specified as
- a comma separated list.</para><para>We currently support the following
- mechanisms {PLAIN | GSSAPI | EXTERNAL}.</para><para>This can also be set
- per connection using the <link linkend="JMS-Client-0-8-Connection-URL"
- >Connection URL</link> options.</para></entry>
+ <entry></entry>
+ <entry><para>Restriction on the SASL mechanisms which can be used.
+ More than one could be specified as
+ a comma separated list.</para><para>We currently support the following
+ mechanisms {PLAIN | GSSAPI | EXTERNAL}.</para><para>This can also be set
+ per connection using the
+ <link linkend="JMS-Client-0-8-Connection-URL">Connection URL</link> options.</para>
+ </entry>
</row>
-
<row>
<entry>qpid.sasl_protocol</entry>
<entry>string</entry>
<entry>AMQP</entry>
<entry><para>When using GSSAPI as the SASL mechanism,
- <varname>sasl_protocol</varname> must be set to the principal for
- the qpidd broker, e.g. <varname>qpidd</varname>.</para><para>This can
- also be set per connection using the <link
+ <varname>sasl_protocol</varname> must be set to the principal for
+ the qpid broker, e.g. <varname>qpidd</varname>.</para><para>This can
+ also be set per connection using the <link
linkend="JMS-Client-0-8-Connection-URL">Connection URL</link>
- options.</para></entry>
+ options.</para></entry>
</row>
<row>
<entry>qpid.sasl_server_name</entry>
<entry>string</entry>
<entry>localhost</entry>
<entry><para>When using GSSAPI as the SASL mechanism,
- <varname>sasl_server</varname> must be set to the host for the SASL
- server, e.g. <varname>example.com</varname>.</para><para>This can also
- be set per connection using the <link
+ <varname>sasl_server</varname> must be set to the host for the SASL
+ server, e.g. <varname>example.com</varname>.</para><para>This can also
+ be set per connection using the <link
linkend="JMS-Client-0-8-Connection-URL">Connection URL</link>
- options.</para></entry>
+ options.</para></entry>
</row>
</tbody>
</tgroup>
@@ -529,7 +530,7 @@
</tbody>
</tgroup>
</table>
- -->
+
<table pgwide="1">
<title>Config Options For Security - Using SSL for securing connections or using EXTERNAL as
the SASL mechanism.</title>