Paul Shields created ARTEMIS-5724:
-------------------------------------
Summary: MQTT Last Will not sent because denied authorization
Key: ARTEMIS-5724
URL: https://issues.apache.org/jira/browse/ARTEMIS-5724
Project: ActiveMQ Artemis
Issue Type: New Feature
Affects Versions: 2.42.0
Reporter: Paul Shields
We are using the Last Lill and Testament (LWT) feature of MQTT but are also
using JWTs for authentication. We are using a custom JASSSecurityManager plugin
for this. The usage of JWT and LWT are competing features, since JWT expires
and LWT is intended to alert for unplanned disconnect of long-running
connections. We are seeing LWT messages not being sent because the LWT SEND
message is being sent after the expiration time of the JWT and Artemis issues
an ERROR.
2025-10-14 15:07:21,076 WARN [org.apache.activemq.artemis.core.server]
AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate
user from 127.0.0.6:36441. Username: x3000c0s11b0n0; SSL certificate subject
DN: unavailable
2025-10-14 15:07:21,077 ERROR [org.apache.activemq.artemis.core.protocol.mqtt]
AMQ834007: Authorization failure sending will message: AMQ229031: Unable to
validate user from 127.0.0.6:36441. Username: x3000c0s11b0n0; SSL certificate
subject DN: unavailable
It seems that Artemis is performing the authorization for the LWT when the LWT
is being sent and not when the client makes the connection to the broker and
the LWT is configured/set for the client.
A possible solution is that a feature could be added to Artemis so that LWT are
authorized on connect to avoid this kind of problem. This behavior would be off
by default so as not to impact existing users.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact
