From aed1e67116518680ab5bdd448751297faf6d1d7a Mon Sep 17 00:00:00 2001
From: Matt Pavlovich
Date: Tue, 29 Jul 2025 18:28:08 -0500
Subject: [PATCH 1/2] [AMQ-9749] Update JaasDualAuthenticationBroker isSSL method to be protected to allow override
---
 .../apache/activemq/security/JaasDualAuthenticationBroker.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/activemq-broker/src/main/java/org/apache/activemq/security/JaasDualAuthenticationBroker.java b/activemq-broker/src/main/java/org/apache/activemq/security/JaasDualAuthenticationBroker.java
index c2aacdef10c..9a8d4dfd0ee 100644
--- a/activemq-broker/src/main/java/org/apache/activemq/security/JaasDualAuthenticationBroker.java
+++ b/activemq-broker/src/main/java/org/apache/activemq/security/JaasDualAuthenticationBroker.java
@@ -110,7 +110,7 @@ public void removeConnection(ConnectionContext context, ConnectionInfo info, Thr
 }
 }
- private boolean isSSL(ConnectionContext context, ConnectionInfo info) throws Exception {
+ protected boolean isSSL(ConnectionContext context, ConnectionInfo info) throws Exception {
 boolean sslCapable = false;
 Connector connector = context.getConnector();
 if (connector instanceof TransportConnector) {
From f50f37756685f2b615892be88e4c3538301287e7 Mon Sep 17 00:00:00 2001
From: Matt Pavlovich
Date: Tue, 29 Jul 2025 18:35:04 -0500
Subject: [PATCH 2/2] [AMQ-9750] Update JaasDualAuthenticationBroker to support mixed-mode SSL
---
 .../JaasDualAuthenticationBroker.java | 19 +++++++++++++++----
 .../JaasDualAuthenticationPlugin.java | 11 ++++++++++-
 .../JaasDualAuthenticationBrokerTest.java | 2 +-
 3 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/activemq-broker/src/main/java/org/apache/activemq/security/JaasDualAuthenticationBroker.java b/activemq-broker/src/main/java/org/apache/activemq/security/JaasDualAuthenticationBroker.java
index 9a8d4dfd0ee..a05f2772c1d 100644
--- a/activemq-broker/src/main/java/org/apache/activemq/security/JaasDualAuthenticationBroker.java
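Review bot: isSSL becomes part of the class's extension API here but carries no Javadoc stating its contract, and the method body continues outside the hunk. Its boolean presumably selects between the certificate broker and the credential broker (the dispatch is not visible in this hunk), so an override that answers true too liberally sends credential-only connections to certificate authentication and one that answers false too liberally does the reverse; spell that out for subclass authors, e.g. `/** Decides whether {@code info} is authenticated as an SSL connection; overrides should only answer true when the transport is an SSL server or the transport context carries an X509 certificate chain. */`.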
+++ b/activemq-broker/src/main/java/org/apache/activemq/security/JaasDualAuthenticationBroker.java
@@ -60,7 +60,7 @@ public class JaasDualAuthenticationBroker extends BrokerFilter implements AuthenticationBroker {
 private final JaasCertificateAuthenticationBroker sslBroker;
 private final JaasAuthenticationBroker nonSslBroker;
-
+ private final boolean certificateRequired;
 /*** Simple constructor. Leaves everything to superclass.
 *
@@ -70,11 +70,12 @@ public class JaasDualAuthenticationBroker extends BrokerFilter implements Authen
 * @param jaasSslConfiguration The JAAS domain configuration name for
 * SSL connections (refer to JAAS documentation).
 */
- public JaasDualAuthenticationBroker(Broker next, String jaasConfiguration, String jaasSslConfiguration) {
+ public JaasDualAuthenticationBroker(Broker next, String jaasConfiguration, String jaasSslConfiguration, boolean certificateRequired) {
 super(next);
 this.nonSslBroker = new JaasAuthenticationBroker(new EmptyBroker(), jaasConfiguration);
 this.sslBroker = new JaasCertificateAuthenticationBroker(new EmptyBroker(), jaasSslConfiguration);
+ this.certificateRequired = certificateRequired;
 }
 /**
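Review bot: The public 3-arg constructor is removed rather than overloaded, so any existing subclass or embedding code that constructs JaasDualAuthenticationBroker directly stops compiling (the unit test in this same patch had to be touched for exactly that reason). Keep it as a delegating overload with the backward-compatible default: `public JaasDualAuthenticationBroker(Broker next, String jaasConfiguration, String jaasSslConfiguration) { this(next, jaasConfiguration, jaasSslConfiguration, false); }`. The Javadoc immediately above also needs a `@param certificateRequired` entry; given the return in isSSL, something like `@param certificateRequired when true, only connections presenting an X509 client certificate are treated as SSL; an SSL connection without one is presumably handled by the non-SSL JAAS domain instead`.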
@@ -112,16 +113,26 @@ public void removeConnection(ConnectionContext context, ConnectionInfo info, Thr
 protected boolean isSSL(ConnectionContext context, ConnectionInfo info) throws Exception {
 boolean sslCapable = false;
+ boolean sslCertificatePresent = false;
+
 Connector connector = context.getConnector();
 if (connector instanceof TransportConnector) {
 TransportConnector transportConnector = (TransportConnector) connector;
 sslCapable = transportConnector.getServer().isSslServer();
 }
+
 // AMQ-5943, also check if transport context carries X509 cert
- if (!sslCapable && info.getTransportContext() instanceof X509Certificate[]) {
+ // AMQ-9750, optionally require a sslCertificate be present in order to support both one-way and two-way
+ if (info.getTransportContext() instanceof X509Certificate[]) {
 sslCapable = true;
+ sslCertificatePresent = true;
+ }
+
+ if(certificateRequired) {
+ return sslCertificatePresent;
+ } else {
+ return sslCapable;
 }
- return sslCapable;
 }
 @Override
diff --git a/activemq-broker/src/main/java/org/apache/activemq/security/JaasDualAuthenticationPlugin.java b/activemq-broker/src/main/java/org/apache/activemq/security/JaasDualAuthenticationPlugin.java
index e350598e76b..91d7648d295 100644
--- a/activemq-broker/src/main/java/org/apache/activemq/security/JaasDualAuthenticationPlugin.java
+++ b/activemq-broker/src/main/java/org/apache/activemq/security/JaasDualAuthenticationPlugin.java
@@ -29,10 +29,11 @@
 */
 public class JaasDualAuthenticationPlugin extends JaasAuthenticationPlugin {
 private String sslConfiguration = "activemq-ssl-domain";
+ private boolean certificateRequired = false;
 public Broker installPlugin(Broker broker) {
 initialiseJaas();
- return new JaasDualAuthenticationBroker(broker, configuration, sslConfiguration);
+ return new JaasDualAuthenticationBroker(broker, configuration, sslConfiguration, certificateRequired);
 }
 // Properties
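Review bot: With certificateRequired enabled, a connection on an SSL transport that presents no client certificate leaves sslCertificatePresent false and isSSL returns false at `return sslCertificatePresent;`, so that connection is presumably authenticated by the non-SSL credential broker instead of being refused by the certificate broker; the flag name reads like the stricter policy, so the behaviour should be stated where the decision is made. Replace the AMQ-9750 comment with something like `// AMQ-9750: when certificateRequired is set, an SSL connection that carries no X509 client certificate is NOT treated as SSL and falls through to the non-SSL (credential) authentication path`, and if the class has a logger a debug line on that fall-through would give operators a way to audit mixed-mode use. The closing if/else also collapses to `return certificateRequired ? sslCertificatePresent : sslCapable;`, and `if(certificateRequired)` wants a space after `if`.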
@@ -48,4 +49,12 @@ public void setSslConfiguration(String sslConfiguration) {
 public String getSslConfiguration() {
 return sslConfiguration;
 }
+
+ public void setCertificateRequired(boolean certificateRequired) {
+ this.certificateRequired = certificateRequired;
+ }
+
+ public boolean isCertificateRequired() {
+ return this.certificateRequired;
+ }
 }
diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/security/JaasDualAuthenticationBrokerTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/security/JaasDualAuthenticationBrokerTest.java
index 7d7f3b6e71a..f8f5aefc5e9 100644
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/security/JaasDualAuthenticationBrokerTest.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/security/JaasDualAuthenticationBrokerTest.java
@@ -90,7 +90,7 @@ void createLoginConfig() {
 protected void setUp() throws Exception {
 receiveBroker = new StubBroker();
- authBroker = new JaasDualAuthenticationBroker(receiveBroker, "activemq-domain", "activemq-ssl-domain");
+ authBroker = new JaasDualAuthenticationBroker(receiveBroker, "activemq-domain", "activemq-ssl-domain", false);
 connectionContext = new ConnectionContext();
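Review bot: setCertificateRequired is the operator-facing switch for the new mixed-mode behaviour, yet neither it nor the field gets any Javadoc, and the effect is not obvious from the name. Add above the setter something like `/** When true, only SSL connections that present an X509 client certificate are authenticated against the SSL JAAS domain; SSL connections without one are authenticated against the non-SSL domain. Defaults to false, which preserves the previous behaviour. */` — the second claim follows from the isSSL return in the broker hunk above and should be confirmed against the connection dispatch there. The getter returning `this.certificateRequired` while the neighbouring getSslConfiguration returns the bare field is a small inconsistency; `return certificateRequired;` matches the file's style.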