com.classactionpl.jaas.activemq
Class CertificateLoginDirectoryRolesModule
java.lang.Object
org.apache.activemq.jaas.CertificateLoginModule
com.classactionpl.jaas.activemq.CertificateLoginDirectoryRolesModule
- All Implemented Interfaces:
- javax.security.auth.spi.LoginModule
public class CertificateLoginDirectoryRolesModule
extends org.apache.activemq.jaas.CertificateLoginModule
This module builds on the ActiveMQ CertificateLoginModule to provide
directory-based authorisation. The CertificateLoginModule is responsible for
obtaining client-side certificates that the server trusts; this
CertificateLoginDirectoryRolesModule is responsible for taking the subject DN
of each of those certificates and determining the roles (groups) it is a
member of. Note that a client may present multiple certificates: one
directory search is performed per client certificate.
Directory services are accessed via the JNDI directory API. If credentials
are provided (securityAuthentication is not "none", i.e. it is "simple" or a
sasl_mech value), the module binds using the supplied securityPrincipal and
securityCredentials; otherwise the directory is accessed anonymously. For
more information see LDAP Authentication.
What is searched for depends on searchBase, which gives the starting point,
and searchFilter. A search filter takes one parameter, denoted by the
expression {0}, which is substituted with the subject DN of a client
certificate. Only the first level below the search base is searched. Search
filter syntax is described further under Search Filters.
Here is a list of the JAAS parameters; all are required unless noted otherwise:

| Parameter | Description |
|---|---|
| initialContextFactory | The fully qualified class name of the JNDI initial context factory |
| providerURL | The URL used to connect to the directory |
| securityPrincipal | The name of the principal to bind to the directory with. Can be omitted for anonymous access. |
| securityCredentials | The password of the principal to bind to the directory with. Can be omitted for anonymous access. |
| securityAuthentication | "none", "simple" or a sasl_mech value |
| searchBase | The part of the directory to perform one-level searches on |
| searchFilter | The directory search specification. {0} will be substituted with each certificate's subject DN. |
| searchReturnAttributeAsGroupName | The name of the attribute returned from the search that is used as the name of the group |
Here is a sample JAAS login configuration that performs an anonymous
one-level search of the groups below "ou=activemq,ou=groups,ou=system". An
entry matches when its "member" attribute equals the subject DN of a client
certificate presented to this module, and the matching entry's "cn"
attribute supplies the name of the group.
```
activemq-domain {
    com.classactionpl.jaas.activemq.CertificateLoginDirectoryRolesModule required
        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
        providerURL="ldap://localhost:10389"
        securityAuthentication=none
        searchBase="ou=activemq,ou=groups,ou=system"
        searchFilter="(member={0})"
        searchReturnAttributeAsGroupName="cn"
        ;
};
```
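As an added illustration (not the module's own source), here is how the search described above can be carried out with the JNDI directory API: the subject DN is handed to JNDI as the `{0}` filter argument so that JNDI escapes any filter metacharacters in it rather than the caller splicing raw text into the filter. The option names mirror the JAAS parameters above; `DirectoryRoleLookupExample` and its two methods are hypothetical names.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

/** Illustrative helper (not the module's own code): resolves the groups a
 *  client certificate's subject DN belongs to, using the JAAS options above. */
public class DirectoryRoleLookupExample {

    /** Map the JAAS options onto a JNDI environment. Principal and credentials
     *  are only set when present, which yields anonymous access otherwise. */
    static Hashtable<String, String> environment(Map<String, String> options) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, options.get("initialContextFactory"));
        env.put(Context.PROVIDER_URL, options.get("providerURL"));
        env.put(Context.SECURITY_AUTHENTICATION, options.get("securityAuthentication"));
        if (options.containsKey("securityPrincipal")) {
            env.put(Context.SECURITY_PRINCIPAL, options.get("securityPrincipal"));
            env.put(Context.SECURITY_CREDENTIALS, options.get("securityCredentials"));
        }
        return env;
    }

    /** One-level search below searchBase. The DN is passed as filter argument
     *  {0}, so JNDI escapes filter metacharacters in it instead of the caller
     *  concatenating it into the filter string. Returns the group names found. */
    static Set<String> groupsFor(DirContext ctx, Map<String, String> options, String subjectDn)
            throws NamingException {
        String groupAttr = options.get("searchReturnAttributeAsGroupName");
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        controls.setReturningAttributes(new String[] { groupAttr });
        Set<String> groups = new HashSet<>();
        NamingEnumeration<SearchResult> results = ctx.search(options.get("searchBase"),
                options.get("searchFilter"), new Object[] { subjectDn }, controls);
        try {
            while (results.hasMore()) {
                Attribute a = results.next().getAttributes().get(groupAttr);
                if (a != null) groups.add(a.get().toString());
            }
        } finally {
            results.close();
        }
        return groups;
    }
}
```

With the options map filled from the sample configuration, passing `new InitialDirContext(environment(options))` and a certificate's subject DN to `groupsFor` returns the `cn` values of the matching group entries.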
- Author:
- Christopher Hunt
Method Summary

| Modifier and Type | Method |
|---|---|
| void | initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map sharedState, java.util.Map options) |

Methods inherited from class org.apache.activemq.jaas.CertificateLoginModule: abort, commit, login, logout

Methods inherited from class java.lang.Object: equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
CertificateLoginDirectoryRolesModule
public CertificateLoginDirectoryRolesModule()
initialize
public void initialize(javax.security.auth.Subject subject,
javax.security.auth.callback.CallbackHandler callbackHandler,
java.util.Map sharedState,
java.util.Map options)
- Specified by:
initialize in interface javax.security.auth.spi.LoginModule
- Overrides:
initialize in class org.apache.activemq.jaas.CertificateLoginModule