MINOR: Cleanups in JaasUtils (apache#18522)

Reviewers: Luke Chen <[email protected]>, Chia-Ping Tsai <[email protected]>

Author: mimaison

clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java

@@ -19,7 +19,8 @@
 public final class JaasUtils {
     public static final String JAVA_LOGIN_CONFIG_PARAM = "java.security.auth.login.config";
     public static final String DISALLOWED_LOGIN_MODULES_CONFIG = "org.apache.kafka.disallowed.login.modules";
-    public static final String DISALLOWED_LOGIN_MODULES_DEFAULT = "com.sun.security.auth.module.JndiLoginModule";
+    public static final String DISALLOWED_LOGIN_MODULES_DEFAULT =
+            "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule";
     public static final String SERVICE_NAME = "serviceName";
 
     private JaasUtils() {}

clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java

@@ -189,6 +189,10 @@ public void testDisallowedLoginModulesSystemProperty() throws Exception {
         String jaasConfigProp1 = "com.sun.security.auth.module.JndiLoginModule required;";
         assertThrows(IllegalArgumentException.class, () -> configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp1));
 
+        //test LdapLoginModule is not allowed by default
+        String jaasConfigProp2 = "com.sun.security.auth.module.LdapLoginModule required;";
+        assertThrows(IllegalArgumentException.class, () -> configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp2));
+
         //test ListenerName Override
         writeConfiguration(Arrays.asList(
                 "KafkaServer { test.LoginModuleDefault required; };",
@@ -197,11 +201,19 @@ public void testDisallowedLoginModulesSystemProperty() throws Exception {
         assertThrows(IllegalArgumentException.class, () -> JaasContext.loadServerContext(new ListenerName("plaintext"),
                 "SOME-MECHANISM", Collections.emptyMap()));
 
+        //test ListenerName Override
+        writeConfiguration(Arrays.asList(
+                "KafkaServer { test.LoginModuleDefault required; };",
+                "plaintext.KafkaServer { com.sun.security.auth.module.LdapLoginModule requisite; };"
+        ));
+        assertThrows(IllegalArgumentException.class, () -> JaasContext.loadServerContext(new ListenerName("plaintext"),
+                "SOME-MECHANISM", Collections.emptyMap()));
+
         //test org.apache.kafka.disallowed.login.modules system property with multiple modules
         System.setProperty(DISALLOWED_LOGIN_MODULES_CONFIG, " com.ibm.security.auth.module.LdapLoginModule , com.ibm.security.auth.module.Krb5LoginModule ");
 
-        String jaasConfigProp2 = "com.ibm.security.auth.module.LdapLoginModule required;";
-        assertThrows(IllegalArgumentException.class, () ->  configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp2));
+        String jaasConfigProp3 = "com.ibm.security.auth.module.LdapLoginModule required;";
+        assertThrows(IllegalArgumentException.class, () ->  configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp3));
 
         //test ListenerName Override
         writeConfiguration(Arrays.asList(
@@ -216,6 +228,7 @@ public void testDisallowedLoginModulesSystemProperty() throws Exception {
         System.setProperty(DISALLOWED_LOGIN_MODULES_CONFIG, "");
 
         checkConfiguration("com.sun.security.auth.module.JndiLoginModule", LoginModuleControlFlag.REQUIRED, new HashMap<>());
+        checkConfiguration("com.sun.security.auth.module.LdapLoginModule", LoginModuleControlFlag.REQUIRED, new HashMap<>());
 
         //test ListenerName Override
         writeConfiguration(Arrays.asList(
@@ -227,6 +240,17 @@ public void testDisallowedLoginModulesSystemProperty() throws Exception {
         assertEquals(1, context.configurationEntries().size());
         checkEntry(context.configurationEntries().get(0), "com.sun.security.auth.module.JndiLoginModule",
                 LoginModuleControlFlag.REQUISITE, Collections.emptyMap());
+
+        //test ListenerName Override
+        writeConfiguration(Arrays.asList(
+                "KafkaServer { com.sun.security.auth.module.LdapLoginModule required; };",
+                "plaintext.KafkaServer { com.sun.security.auth.module.LdapLoginModule requisite; };"
+        ));
+        context = JaasContext.loadServerContext(new ListenerName("plaintext"),
+                "SOME-MECHANISM", Collections.emptyMap());
+        assertEquals(1, context.configurationEntries().size());
+        checkEntry(context.configurationEntries().get(0), "com.sun.security.auth.module.LdapLoginModule",
+                LoginModuleControlFlag.REQUISITE, Collections.emptyMap());
     }
 
     @Test