[ https://issues.apache.org/jira/browse/ARTEMIS-2431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robbie Gemmell resolved ARTEMIS-2431.
-------------------------------------
    Fix Version/s: 2.29.0
       Resolution: Fixed

> [AMQP] Broker does not send security errors for unauthorized anonymous sasl with pipelined open
> -----------------------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-2431
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-2431
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: AMQP
>    Affects Versions: 2.9.0
>            Reporter: Jiri Daněk
>            Assignee: Timothy A. Bish
>            Priority: Major
>             Fix For: 2.29.0
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> If a client sends open, begin and attach frames all at once, then the issue ARTEMIS-2344 still manifests itself. Sending the initial frames all at once is known as the pipelined open, http://docs.oasis-open.org/amqp/core/v1.0/os/amqp-core-transport-v1.0-os.html#doc-idp157520 and one client that does this is qpid-proton-cpp.
> {noformat}
> $ PN_TRACE_FRM=1 ./target/bin/aac3_sender -b "localhost:34949/examples" --log-msgs dict -c 1
> [0x9ea9d0]: -> SASL
> [0x9ea9d0]: <- SASL
> [0x9ea9d0]:0 <- @sasl-mechanisms(64) [sasl-server-mechanisms=@PN_SYMBOL[:PLAIN, :ANONYMOUS]]
> [0x9ea9d0]:0 -> @sasl-init(65) [mechanism=:ANONYMOUS, initial-response=b"anonymous@nixos"]
> [0x9ea9d0]:0 <- @sasl-outcome(68) [code=0]
> [0x9ea9d0]: -> AMQP
> [0x9ea9d0]:0 -> @open(16) [container-id="204c1d45-9c47-402d-809f-7d17a4d97d6e", hostname="localhost", channel-max=32767]
> [0x9ea9d0]:0 -> @begin(17) [next-outgoing-id=0, incoming-window=2147483647, outgoing-window=2147483647]
> [0x9ea9d0]:0 -> @attach(18) [name="2b46ad5b-834b-454e-a2f7-2e5e0e324e21", handle=0, role=false, snd-settle-mode=2, rcv-settle-mode=0, source=@source(40) [durable=0, timeout=0, dynamic=false], target=@target(41) [address="examples", durable=0, timeout=0, dynamic=false], initial-delivery-count=0, max-message-size=0]
> [0x9ea9d0]: <- AMQP
> [0x9ea9d0]:0 <- @open(16) [container-id="localhost", max-frame-size=131072, channel-max=65535, idle-time-out=30000, offered-capabilities=@PN_SYMBOL[:"sole-connection-for-container", :"DELAYED_DELIVERY", :"SHARED-SUBS", :"ANONYMOUS-RELAY"], properties={:product="apache-activemq-artemis", :version="2.9.0"}]
> [0x9ea9d0]:0 <- @close(24) [error=@error(29) [condition=:"amqp:internal-error", description="Unrecoverable error: NullPointerException"]]
> [0x9ea9d0]: <- EOS
> [error]: Failed to connect to localhost:34949
> [0x9ea9d0]:0 -> @close(24) []
> [0x9ea9d0]: -> EOS
> {noformat}
> The broker side then looks like this
> {noformat}
> DEBUG - -Dio.netty.recycler.maxCapacityPerThread: 4096
> DEBUG - -Dio.netty.recycler.maxSharedCapacityFactor: 2
> DEBUG - -Dio.netty.recycler.linkCapacity: 16
> DEBUG - -Dio.netty.recycler.ratio: 8
> DEBUG - onSaslInit: SaslImpl [_outcome=PN_SASL_NONE, state=PN_SASL_STEP, done=false, role=SERVER]
> DEBUG - saslComplete: SaslImpl [_outcome=PN_SASL_NONE, state=PN_SASL_STEP, done=false, role=SERVER]
> DEBUG - using hardware address 2:42:ffffffbb:ffffffa4:4d:-110
> INFO - AMQ601267: User anonymous is creating a core session on target resource ActiveMQServerImpl::serverUUID=85b3269d-8773-11e9-8808-c0b6f9980288 [with parameters: [dbdce52b-ae0f-11e9-8b93-0242bba44d92, null, ****, 102400, org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection@26c5379b, false, false, false, true, null, org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback@673826ee, true, OperationContextImpl [834445691] [minimalStore=9223372036854775807, storeLineUp=0, stored=0, minimalReplicated=9223372036854775807, replicationLineUp=0, replicated=0, paged=0, minimalPage=9223372036854775807, pageLineUp=0, errorCode=-1, errorMessage=null, executorsPending=0, executor=OrderedExecutor(tasks=[])], {}]]
> DEBUG - Couldn't validate user
> javax.security.auth.login.LoginException: Invalid null input: name
>     at javax.security.auth.login.LoginContext.init(LoginContext.java:238)
>     at javax.security.auth.login.LoginContext.<init>(LoginContext.java:512)
>     at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.getAuthenticatedSubject(ActiveMQJAASSecurityManager.java:190)
>     at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.validateUser(ActiveMQJAASSecurityManager.java:99)
>     at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:137)
>     at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.createSession(ActiveMQServerImpl.java:1519)
>     at org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.init(AMQPSessionCallback.java:181)
>     at org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.initialise(AMQPSessionContext.java:72)
>     at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:460)
>     at org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:50)
>     at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:485)
>     at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:285)
>     at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:242)
>     at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:170)
>     at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:149)
>     at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:649)
>     at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>     at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
>     at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>     at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
>     at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
>     at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:432)
>     at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:333)
>     at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
>     at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>     at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
> DEBUG - Couldn't find any bindings for address=activemq.notifications on message=CoreMessage[messageID=10737418300,durable=true,userID=null,priority=0, timestamp=0,expiration=0, durable=true, address=activemq.notifications,size=411,properties=TypedProperties[_AMQ_User=NULL-value,_AMQ_RemoteAddress=/127.0.0.1:42740,_AMQ_NotifType=SECURITY_AUTHENTICATION_VIOLATION,_AMQ_CertSubjectDN=unavailable,_AMQ_NotifTimestamp=1563971874800]]@762983860
> DEBUG - Message CoreMessage[messageID=10737418300,durable=true,userID=null,priority=0, timestamp=0,expiration=0, durable=true, address=activemq.notifications,size=411,properties=TypedProperties[_AMQ_User=NULL-value,_AMQ_RemoteAddress=/127.0.0.1:42740,_AMQ_NotifType=SECURITY_AUTHENTICATION_VIOLATION,_AMQ_CertSubjectDN=unavailable,_AMQ_NotifTimestamp=1563971874800]]@762983860 is not going anywhere as it didn't have a binding on address:activemq.notifications
> WARN - AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /127.0.0.1:42740. Username: null; SSL certificate subject DN: unavailable
> WARN - AMQ229031: Unable to validate user from /127.0.0.1:42740. Username: null; SSL certificate subject DN: unavailable
> ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229031: Unable to validate user from /127.0.0.1:42740. Username: null; SSL certificate subject DN: unavailable]
>     at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:162)
>     at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.createSession(ActiveMQServerImpl.java:1519)
>     at org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.init(AMQPSessionCallback.java:181)
>     at org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.initialise(AMQPSessionContext.java:72)
>     at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:460)
>     at org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:50)
>     at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:485)
>     at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:285)
>     at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:242)
>     at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:170)
>     at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:149)
>     at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:649)
>     at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>     at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
>     at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>     at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
>     at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
>     at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:432)
>     at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:333)
>     at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
>     at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>     at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
> WARN - null
> java.lang.NullPointerException
>     at org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.getAddress(AMQPSessionCallback.java:679)
>     at org.apache.activemq.artemis.protocol.amqp.proton.ProtonServerReceiverContext.getRoutingType(ProtonServerReceiverContext.java:247)
>     at org.apache.activemq.artemis.protocol.amqp.proton.ProtonServerReceiverContext.initialise(ProtonServerReceiverContext.java:172)
>     at org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.addReceiver(AMQPSessionContext.java:201)
>     at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.remoteLinkOpened(AMQPConnectionContext.java:251)
>     at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:481)
>     at org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:68)
>     at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:485)
>     at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:285)
>     at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:242)
>     at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:170)
>     at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:149)
>     at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:649)
>     at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>     at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
>     at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>     at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
>     at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
>     at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:432)
>     at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:333)
>     at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
>     at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>     at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
> DEBUG - RemotingServiceImpl::removing connection ID 4d86c1cb
> {noformat}
> The NullPointerException happens when the broker is acting on the Attach frame. This is wrong, because at this point we know the client has not authenticated, and any subsequent communication should be ignored.
> Furthermore, the broker authenticates the client on the initial SASL exchange, and only throws the auth error on processing the Begin frame. Is that correct? Shouldn't the broker fail the initial sasl exchange? (Assuming broker configured as in test org.apache.activemq.artemis.tests.integration.amqp.JMSConnectionWithSecurityTest#testNoUserOrPasswordWithoutSaslRestrictions). And should the broker advertise SASL ANONYMOUS?
> Failing test for this is attached in a PR.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
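
The failure described in the report above can be checked mechanically from a client-side frame trace. The following is an added example, not part of the original message or of the Artemis code base: it reads PN_TRACE_FRM-style output, detects a pipelined open, and reports when the peer closed with something other than a security error. The expected condition `amqp:unauthorized-access` is an assumption (the report only says a security error is missing), and the sample trace is constructed by abridging the one in the report.

```python
import re

# Constructed sample, abridged from the PN_TRACE_FRM trace in the report.
SAMPLE_TRACE = '''\
[0x9ea9d0]: -> AMQP
[0x9ea9d0]:0 -> @open(16) [container-id="c1", hostname="localhost"]
[0x9ea9d0]:0 -> @begin(17) [next-outgoing-id=0]
[0x9ea9d0]:0 -> @attach(18) [name="l1", handle=0, role=false]
[0x9ea9d0]:0 <- @open(16) [container-id="localhost"]
[0x9ea9d0]:0 <- @close(24) [error=@error(29) [condition=:"amqp:internal-error", description="Unrecoverable error: NullPointerException"]]
'''
FRAME = re.compile(r'^\[0x[0-9a-f]+\]:(\d+) (->|<-) @([a-z-]+)\(\d+\)\s*(.*)$')

def parse_frames(trace):
    """Return (direction, performative, body) per frame; '->' is sent by the client."""
    frames = []
    for line in trace.splitlines():
        m = FRAME.match(line.strip())
        if m:  # layer headers such as '[0x..]: -> AMQP' carry no frame and are skipped
            frames.append((m.group(2), m.group(3), m.group(4)))
    return frames

def is_pipelined_open(frames):
    """True if the client sent begin/attach before the peer's open arrived."""
    for direction, name, _ in frames:
        if direction == '<-' and name == 'open':
            return False
        if direction == '->' and name in ('begin', 'attach'):
            return True
    return False

def close_condition(frames):
    """Error condition on the peer's close frame, or None if absent."""
    for direction, name, body in frames:
        if direction == '<-' and name == 'close':
            m = re.search(r'condition=:"([^"]+)"', body)
            return m.group(1) if m else None
    return None

def check_rejection(trace, expected='amqp:unauthorized-access'):
    """Problems with the rejection; `expected` is an assumed security condition."""
    frames = parse_frames(trace)
    cond = close_condition(frames)
    problems = []
    if cond != expected:
        problems.append(f'close condition {cond!r}, expected {expected!r}')
    if cond == 'amqp:internal-error' and is_pipelined_open(frames):
        problems.append('internal-error on pipelined open: later frames likely still processed')
    return problems
```

Run against a trace captured from a broker configured to refuse the client, an empty list means the rejection was reported as a security error.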