[camel] branch master updated: CAMEL-14161 - Remove default key from camel-shiro

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[camel] branch master updated: CAMEL-14161 - Remove default key from camel-shiro

coheigea
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel.git


The following commit(s) were added to refs/heads/master by this push:
     new 115b516  CAMEL-14161 - Remove default key from camel-shiro
115b516 is described below

commit 115b51666cb97eb33f9d57ca96ed18b8cd08b858
Author: Colm O hEigeartaigh <[hidden email]>
AuthorDate: Fri Nov 8 12:01:47 2019 +0000

    CAMEL-14161 - Remove default key from camel-shiro
---
 .../shiro/security/ShiroSecurityPolicy.java        | 38 ++++++-------
 .../shiro/security/ShiroSecurityTokenInjector.java | 16 +-----
 .../shiro/security/ShiroAuthenticationTest.java    | 64 ++++++++++++++++------
 .../ROOT/pages/camel-3-migration-guide.adoc        |  5 ++
 4 files changed, 68 insertions(+), 55 deletions(-)

diff --git a/components/camel-shiro/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityPolicy.java b/components/camel-shiro/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityPolicy.java
index fc6a607..1b342e0 100644
--- a/components/camel-shiro/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityPolicy.java
+++ b/components/camel-shiro/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityPolicy.java
@@ -36,11 +36,6 @@ import org.slf4j.LoggerFactory;
 
 public class ShiroSecurityPolicy implements AuthorizationPolicy {
     private static final Logger LOG = LoggerFactory.getLogger(ShiroSecurityPolicy.class);
-    private final byte[] bits128 = {
-        (byte) 0x08, (byte) 0x09, (byte) 0x0A, (byte) 0x0B,
-        (byte) 0x0C, (byte) 0x0D, (byte) 0x0E, (byte) 0x0F,
-        (byte) 0x10, (byte) 0x11, (byte) 0x12, (byte) 0x13,
-        (byte) 0x14, (byte) 0x15, (byte) 0x16, (byte) 0x17};
     private CipherService cipherService;
     private byte[] passPhrase;
     private SecurityManager securityManager;
@@ -50,57 +45,56 @@ public class ShiroSecurityPolicy implements AuthorizationPolicy {
     private boolean base64;
     private boolean allPermissionsRequired;
     private boolean allRolesRequired;
-    
+
     public ShiroSecurityPolicy() {
-        this.passPhrase = bits128;
-        // Set up AES encryption based cipher service, by default
+        // Set up AES encryption based cipher service, by default
         cipherService = new AesCipherService();
         permissionsList = new ArrayList<>();
         rolesList = new ArrayList<>();
         alwaysReauthenticate = true;
-    }  
-    
+    }
+
     public ShiroSecurityPolicy(String iniResourcePath) {
         this();
         Factory<SecurityManager> factory = new IniSecurityManagerFactory(iniResourcePath);
         securityManager = factory.getInstance();
         SecurityUtils.setSecurityManager(securityManager);
     }
-    
+
     public ShiroSecurityPolicy(Ini ini) {
         this();
         Factory<SecurityManager> factory = new IniSecurityManagerFactory(ini);
         securityManager = factory.getInstance();
         SecurityUtils.setSecurityManager(securityManager);
     }
-    
+
     public ShiroSecurityPolicy(String iniResourcePath, byte[] passPhrase) {
-        this(iniResourcePath);        
+        this(iniResourcePath);
         this.setPassPhrase(passPhrase);
     }
 
     public ShiroSecurityPolicy(Ini ini, byte[] passPhrase) {
-        this(ini);        
+        this(ini);
         this.setPassPhrase(passPhrase);
     }
-    
+
     public ShiroSecurityPolicy(String iniResourcePath, byte[] passPhrase, boolean alwaysReauthenticate) {
-        this(iniResourcePath, passPhrase);
+        this(iniResourcePath, passPhrase);
         this.setAlwaysReauthenticate(alwaysReauthenticate);
     }
 
     public ShiroSecurityPolicy(Ini ini, byte[] passPhrase, boolean alwaysReauthenticate) {
-        this(ini, passPhrase);
+        this(ini, passPhrase);
         this.setAlwaysReauthenticate(alwaysReauthenticate);
     }
-    
+
     public ShiroSecurityPolicy(String iniResourcePath, byte[] passPhrase, boolean alwaysReauthenticate, List<Permission> permissionsList) {
-        this(iniResourcePath, passPhrase, alwaysReauthenticate);
+        this(iniResourcePath, passPhrase, alwaysReauthenticate);
         this.setPermissionsList(permissionsList);
     }
-    
+
     public ShiroSecurityPolicy(Ini ini, byte[] passPhrase, boolean alwaysReauthenticate, List<Permission> permissionsList) {
-        this(ini, passPhrase, alwaysReauthenticate);
+        this(ini, passPhrase, alwaysReauthenticate);
         this.setPermissionsList(permissionsList);
     }
 
@@ -108,7 +102,7 @@ public class ShiroSecurityPolicy implements AuthorizationPolicy {
     public void beforeWrap(RouteContext routeContext, NamedNode definition) {
         // noop
     }
-    
+
     @Override
     public Processor wrap(RouteContext routeContext, final Processor processor) {
         if (LOG.isDebugEnabled()) {
diff --git a/components/camel-shiro/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityTokenInjector.java b/components/camel-shiro/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityTokenInjector.java
index b4c8cf2..2019f90 100644
--- a/components/camel-shiro/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityTokenInjector.java
+++ b/components/camel-shiro/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityTokenInjector.java
@@ -21,25 +21,14 @@ import org.apache.camel.Processor;
 import org.apache.shiro.crypto.AesCipherService;
 import org.apache.shiro.crypto.CipherService;
 import org.apache.shiro.util.ByteSource;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 public class ShiroSecurityTokenInjector implements Processor {
-    private static final Logger LOG = LoggerFactory.getLogger(ShiroSecurityTokenInjector.class);
-                                                              
-    private final byte[] bits128 = {
-        (byte) 0x08, (byte) 0x09, (byte) 0x0A, (byte) 0x0B,
-        (byte) 0x0C, (byte) 0x0D, (byte) 0x0E, (byte) 0x0F,
-        (byte) 0x10, (byte) 0x11, (byte) 0x12, (byte) 0x13,
-        (byte) 0x14, (byte) 0x15, (byte) 0x16, (byte) 0x17};
     private byte[] passPhrase;
     private ShiroSecurityToken securityToken;
     private CipherService cipherService;
     private boolean base64;
-    
-    public ShiroSecurityTokenInjector() {
-        this.passPhrase = bits128;
 
+    public ShiroSecurityTokenInjector() {
         // Set up AES encryption based cipher service, by default
         cipherService = new AesCipherService();
     }
@@ -56,9 +45,6 @@ public class ShiroSecurityTokenInjector implements Processor {
     }
 
     public ByteSource encrypt() throws Exception {
-        if (passPhrase == bits128) {
-            LOG.warn("Using the default encryption key is not secure");
-        }
         return ShiroSecurityHelper.encrypt(securityToken, passPhrase, cipherService);
     }
 
diff --git a/components/camel-shiro/src/test/java/org/apache/camel/component/shiro/security/ShiroAuthenticationTest.java b/components/camel-shiro/src/test/java/org/apache/camel/component/shiro/security/ShiroAuthenticationTest.java
index dfdb9ba..48e0408 100644
--- a/components/camel-shiro/src/test/java/org/apache/camel/component/shiro/security/ShiroAuthenticationTest.java
+++ b/components/camel-shiro/src/test/java/org/apache/camel/component/shiro/security/ShiroAuthenticationTest.java
@@ -19,6 +19,7 @@ package org.apache.camel.component.shiro.security;
 import java.util.HashMap;
 import java.util.Map;
 
+import org.apache.camel.CamelExecutionException;
 import org.apache.camel.EndpointInject;
 import org.apache.camel.Exchange;
 import org.apache.camel.builder.RouteBuilder;
@@ -42,33 +43,33 @@ public class ShiroAuthenticationTest extends CamelTestSupport {
         (byte) 0x08, (byte) 0x09, (byte) 0x0A, (byte) 0x0B,
         (byte) 0x0C, (byte) 0x0D, (byte) 0x0E, (byte) 0x0F,
         (byte) 0x10, (byte) 0x11, (byte) 0x12, (byte) 0x13,
-        (byte) 0x14, (byte) 0x15, (byte) 0x16, (byte) 0x17};    
-    
+        (byte) 0x14, (byte) 0x15, (byte) 0x16, (byte) 0x17};
+
     @Test
-    public void testShiroAuthenticationFailure() throws Exception {        
+    public void testShiroAuthenticationFailure() throws Exception {
         //Incorrect password
         ShiroSecurityToken shiroSecurityToken = new ShiroSecurityToken("ringo", "stirr");
         TestShiroSecurityTokenInjector shiroSecurityTokenInjector = new TestShiroSecurityTokenInjector(shiroSecurityToken, passPhrase);
-        
+
         successEndpoint.expectedMessageCount(0);
         failureEndpoint.expectedMessageCount(1);
-        
+
         template.send("direct:secureEndpoint", shiroSecurityTokenInjector);
-        
+
         successEndpoint.assertIsSatisfied();
         failureEndpoint.assertIsSatisfied();
     }
-    
+
     @Test
-    public void testSuccessfulShiroAuthenticationWithNoAuthorization() throws Exception {        
+    public void testSuccessfulShiroAuthenticationWithNoAuthorization() throws Exception {
         ShiroSecurityToken shiroSecurityToken = new ShiroSecurityToken("ringo", "starr");
         TestShiroSecurityTokenInjector shiroSecurityTokenInjector = new TestShiroSecurityTokenInjector(shiroSecurityToken, passPhrase);
-        
+
         successEndpoint.expectedMessageCount(1);
         failureEndpoint.expectedMessageCount(0);
-        
+
         template.send("direct:secureEndpoint", shiroSecurityTokenInjector);
-        
+
         successEndpoint.assertIsSatisfied();
         failureEndpoint.assertIsSatisfied();
     }
@@ -100,11 +101,26 @@ public class ShiroAuthenticationTest extends CamelTestSupport {
         failureEndpoint.assertIsSatisfied();
     }
 
+    @Test
+    public void testMissingEncryptionKey() throws Exception {
+        Map<String, Object> headers = new HashMap<>();
+        headers.put(ShiroSecurityConstants.SHIRO_SECURITY_USERNAME, "ringo");
+        headers.put(ShiroSecurityConstants.SHIRO_SECURITY_PASSWORD, "starr");
+        try {
+            template.sendBodyAndHeaders("direct:secureEndpointMissingKey", "Beatle Mania", headers);
+            fail("Failure expected on a missing key");
+        } catch (CamelExecutionException ex) {
+            // expected
+            assertTrue(ex.getCause() instanceof IllegalArgumentException);
+        }
+    }
+
     @Override
-    protected RouteBuilder createRouteBuilder() throws Exception {
+    protected RouteBuilder[] createRouteBuilders() throws Exception {
         final ShiroSecurityPolicy securityPolicy = new ShiroSecurityPolicy("src/test/resources/securityconfig.ini", passPhrase);
-        
-        return new RouteBuilder() {
+        final ShiroSecurityPolicy securityPolicy2 = new ShiroSecurityPolicy("src/test/resources/securityconfig.ini");
+
+        return new RouteBuilder[] {new RouteBuilder() {
             @SuppressWarnings("unchecked")
             public void configure() {
                 onException(UnknownAccountException.class, IncorrectCredentialsException.class,
@@ -116,21 +132,33 @@ public class ShiroAuthenticationTest extends CamelTestSupport {
                     to("log:incoming payload").
                     to("mock:success");
             }
-        };
+        }, new RouteBuilder() {
+            @SuppressWarnings("unchecked")
+            public void configure() {
+                onException(UnknownAccountException.class, IncorrectCredentialsException.class,
+                        LockedAccountException.class, AuthenticationException.class).
+                    to("mock:authenticationException");
+
+                from("direct:secureEndpointMissingKey").
+                    policy(securityPolicy2).
+                    to("log:incoming payload").
+                    to("mock:success");
+            }
+        }};
     }
 
-    
+
     private static class TestShiroSecurityTokenInjector extends ShiroSecurityTokenInjector {
 
         TestShiroSecurityTokenInjector(ShiroSecurityToken shiroSecurityToken, byte[] bytes) {
             super(shiroSecurityToken, bytes);
         }
-        
+
         @Override
         public void process(Exchange exchange) throws Exception {
             exchange.getIn().setHeader(ShiroSecurityConstants.SHIRO_SECURITY_TOKEN, encrypt());
             exchange.getIn().setBody("Beatle Mania");
         }
     }
-    
+
 }
diff --git a/docs/user-manual/modules/ROOT/pages/camel-3-migration-guide.adoc b/docs/user-manual/modules/ROOT/pages/camel-3-migration-guide.adoc
index 47ded17..52fd846 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-3-migration-guide.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-3-migration-guide.adoc
@@ -332,6 +332,11 @@ is now SHA256withRSA (before it was SHA1WithDSA).
 
 The default JSon library with the JSon dataformat has changed from `XStream` to `Jackson`.
 
+=== Shiro Component
+
+The default encryption key for the Shiro component has been removed, so now it
+is mandatory to supply the key/passphrase.
+
 === XML Security Component
 
 The default signature algorithm has changed for the XML Security Component - it