  1. AMQ Broker
  2. ENTMQBR-2063

Broker does not send sasl error when user attempts anonymous sasl and GuestLoginModule is not configured (I get amqp:internal-error)


    • Bug
    • Resolution: Done
    • Major
    • AMQ 7.4.0.CR1
    • AMQ 7.2.1.GA
    • amqp-protocol
    • None
    • 1
    • Release Notes
    • In prior releases, if a client attempted an anonymous login to a broker that did not have guest access enabled, the broker produced an exception. However, this exception was not recognizable to the client as an authentication error. This issue is now resolved.
    • Documented as Resolved Issue
    • <acceptor name="amqp">tcp://0.0.0.0:5672?protocols=AMQP;saslMechanisms=PLAIN</acceptor>

      will restrict the advertised mechanisms to PLAIN.
    • AMQ Broker 2019, AMQ Broker 2319, AMQ Broker 2619

      The attached test uses factory.createConnection() (that is, without username and password), and if I delete GuestLoginModule from etc/login.conf, the auth fails, but I do not get a real auth error from the Artemis broker. That means the client ends up reconnecting in a loop.

      I'd expect to get a clear auth error, so I can respond to that.

      Protocol trace (see the attached html from Adverb):

      ◊  ◊◊ 0.113713  Frame 4  127.0.0.1:50298  -> 127.0.0.1:32945  ->   init SASL (3): (1.0.0)
      ◊  ◊◊ 0.205381  Frame 6  127.0.0.1:50298 <-  127.0.0.1:32945 <-    init SASL (3): (1.0.0), method Method:
      ◊  ◊◊ 0.223594  Frame 8  127.0.0.1:50298  -> 127.0.0.1:32945  ->   method Method:
      ◊  ◊◊ 0.227009  Frame 10  127.0.0.1:50298 <-  127.0.0.1:32945 <-    method Method:
      ◊  ◊◊ 0.227115  Frame 11  127.0.0.1:50298 <-  127.0.0.1:32945 <-    init AMQP (0): (1.0.0)
      ◊  ◊◊ 0.233142  Frame 13  127.0.0.1:50298  -> 127.0.0.1:32945  ->   init AMQP (0): (1.0.0)
      ◊  ◊◊ 0.274729  Frame 15  127.0.0.1:50298  -> 127.0.0.1:32945  ->   open [0]
      ◊  ◊◊ 0.277839  Frame 17  127.0.0.1:50298 <-  127.0.0.1:32945 <-    open [0]
      ◊  ◊◊ 0.294913  Frame 18  127.0.0.1:50298  -> 127.0.0.1:32945  ->   begin [0,null]
      ◊  ◊◊ 0.480050  Frame 20  127.0.0.1:50298 <-  127.0.0.1:32945 <-    close [0]
      ◊  ◊◊ 0.484355  Frame 21  127.0.0.1:50298  -> 127.0.0.1:32945  ->   close [0]
      

      Log:

      javax.security.auth.login.LoginException: Invalid null input: name
      	at java.base/javax.security.auth.login.LoginContext.init(LoginContext.java:235)
      	at java.base/javax.security.auth.login.LoginContext.<init>(LoginContext.java:501)
      	at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.getAuthenticatedSubject(ActiveMQJAASSecurityManager.java:185)
      	at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.validateUser(ActiveMQJAASSecurityManager.java:94)
      	at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:135)
      	at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.createSession(ActiveMQServerImpl.java:1408)
      	at org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.init(AMQPSessionCallback.java:200)
      	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.initialise(AMQPSessionContext.java:71)
      	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:433)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:50)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:494)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:307)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:272)
      	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:158)
      	at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:147)
      	at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:643)
      	at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
      	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
      	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
      	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
      	at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:808)
      	at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:417)
      	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:317)
      	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:884)
      	at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
      DEBUG - Couldn't find any bindings for address=activemq.notifications on message=CoreMessage[messageID=77309411656,durable=true,userID=null,priority=0, timestamp=0,expiration=0, durable=true, address=activemq.notifications,size=244,properties=TypedProperties[_AMQ_NotifType=SECURITY_AUTHENTICATION_VIOLATION,_AMQ_NotifTimestamp=1539871547925]]@1180466632
      DEBUG - Message CoreMessage[messageID=77309411656,durable=true,userID=null,priority=0, timestamp=0,expiration=0, durable=true, address=activemq.notifications,size=244,properties=TypedProperties[_AMQ_NotifType=SECURITY_AUTHENTICATION_VIOLATION,_AMQ_NotifTimestamp=1539871547925]]@1180466632 is not going anywhere as it didn't have a binding on address:activemq.notifications
      WARN - AMQ119031: Unable to validate user from /127.0.0.1:50512. Username: null; SSL certificate subject DN: unavailable
      ActiveMQAMQPInternalErrorException[errorType=INTERNAL_ERROR message=AMQ119031: Unable to validate user from /127.0.0.1:50512. Username: null; SSL certificate subject DN: unavailable]
      	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.initialise(AMQPSessionContext.java:73)
      	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:433)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:50)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:494)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:307)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:272)
      	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:158)
      	at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:147)
      	at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:643)
      	at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
      	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
      	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
      	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
      	at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:808)
      	at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:417)
      	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:317)
      	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:884)
      	at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
      Caused by: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ119031: Unable to validate user from /127.0.0.1:50512. Username: null; SSL certificate subject DN: unavailable]
      	at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:157)
      	at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.createSession(ActiveMQServerImpl.java:1408)
      	at org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.init(AMQPSessionCallback.java:200)
      	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.initialise(AMQPSessionContext.java:71)
      	... 21 more
      DEBUG - Request received error: Unrecoverable error: AMQ119031: Unable to validate user from /127.0.0.1:50512. Username: null; SSL certificate subject DN: unavailable [condition = amqp:internal-error]
      

      Source code of the test (with embedded broker configured correctly, without GuestLoginModule):

      https://github.com/jdanekrh/cli-java/blob/9bb2cdd8021567216fd71295a00990d83eeeb0a5/cli-qpid-jms/src/test/java/ConnectWithoutPassword.java#L42-L56 (branch jd_broker_test of the repo).

            dbruscin Domenico Francesco Bruscino
            jdanek@redhat.com Jiri Daněk
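
A log check for the failure reported in this issue, added here as an example (not code from the issue or from Artemis): it groups the AMQ119031 lines by client connection, counts anonymous attempts (`Username: null`) and those reported to the client as `amqp:internal-error`, and flags a host whose anonymous failures reach a threshold, which is how the reconnect loop shows up in the broker log. The function names, the threshold and the sample lines are assumptions; the line formats follow the log above.

```python
import re
from collections import defaultdict

# Line formats follow the broker log in this issue; the hosts, ports and the
# user name "alice" are constructed sample values.
MSG = ("AMQ119031: Unable to validate user from /{h}:{p}. "
       "Username: {u}; SSL certificate subject DN: unavailable")
WARN = "WARN - " + MSG
DEBUG = ("DEBUG - Request received error: Unrecoverable error: " + MSG
         + " [condition = amqp:internal-error]")
SAMPLE_LOG = "\n".join(
    [t.format(h="127.0.0.1", p=p, u="null")
     for p in (50512, 50514, 50516) for t in (WARN, DEBUG)]
    + [WARN.format(h="192.0.2.10", p=41000, u="alice")])

AUTH_FAIL = re.compile(
    r"AMQ119031: Unable to validate user from /(?P<host>[^:\s]+):(?P<port>\d+)\. "
    r"Username: (?P<user>[^;]+);")
CONDITION = re.compile(r"\[condition = (?P<cond>[^\]]+)\]")

def parse_attempts(log_text):
    """Collapse every AMQ119031 line into one record per client connection."""
    attempts = {}
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if not m:
            continue
        key = (m["host"], int(m["port"]))  # WARN, DEBUG and trace lines share it
        rec = attempts.setdefault(key, {"user": m["user"].strip(), "condition": None})
        c = CONDITION.search(line)
        if c:
            rec["condition"] = c["cond"]   # AMQP condition sent to the client
    return attempts

def summarize(log_text, loop_threshold=3):
    """Per host: anonymous failures, failures masked as internal errors, loop flag."""
    per_host = defaultdict(lambda: {"anonymous": 0, "masked": 0})
    for (host, _port), rec in parse_attempts(log_text).items():
        stats = per_host[host]
        if rec["user"] == "null":          # client sent no credentials
            stats["anonymous"] += 1
        if rec["condition"] == "amqp:internal-error":
            stats["masked"] += 1           # auth failure not visible as one
    return {h: dict(s, reconnect_loop=s["anonymous"] >= loop_threshold)
            for h, s in per_host.items()}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```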