[ https://issues.apache.org/jira/browse/ARTEMIS-5751?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Bertram updated ARTEMIS-5751:
------------------------------------
    Description: 
Currently if an MQTT 3.1.1 client attempts to publish a message when it isn't 
authorized to do so a stack-trace is logged, e.g.:
{noformat}
2025-11-04 00:00:36,376 ERROR [org.apache.activemq.artemis.core.protocol.mqtt] AMQ834002: Error processing control packet: MqttPublishMessage[fixedHeader=MqttFixedHeader[messageType=PUBLISH, isDup=false, qosLevel=AT_LEAST_ONCE, isRetain=false, remainingLength=123], variableHeader=MqttPublishVariableHeader[topicName=my/topic, packetId=1], payload=PooledSlicedByteBuf(ridx: 0, widx: 123, cap: 123/123, unwrapped: PooledUnsafeDirectByteBuf(ridx: 123, widx: 123, cap: 123))]
org.apache.activemq.artemis.api.core.ActiveMQSecurityException: AMQ229031: Unable to validate user from 1.2.3.4:123. Username: myUsername; SSL certificate subject DN: unavailable
        at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticationFailed(SecurityStoreImpl.java:448)
        at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:340)
        at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.securityCheck(ServerSessionImpl.java:515)
        at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.doSend(ServerSessionImpl.java:2318)
        at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.send(ServerSessionImpl.java:1948)
        at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.send(ServerSessionImpl.java:1887)
        at org.apache.activemq.artemis.core.protocol.mqtt.MQTTPublishManager.sendToQueue(MQTTPublishManager.java:241)
        at org.apache.activemq.artemis.core.protocol.mqtt.MQTTProtocolHandler.handlePublish(MQTTProtocolHandler.java:322)
        at org.apache.activemq.artemis.core.protocol.mqtt.MQTTProtocolHandler.act(MQTTProtocolHandler.java:164)
        at org.apache.activemq.artemis.utils.actors.Actor.doTask(Actor.java:32)
        at org.apache.activemq.artemis.utils.actors.ProcessorBase.executePendingTasks(ProcessorBase.java:68)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
{noformat}
We should conform to broker norms for logging authorization failures instead.

  was:
Currently if an MQTT 3.1.1 client attempt to publish a message when it isn't 
authorized to do so a stack-trace is logged, e.g.:
{noformat}
2025-11-04 00:00:36,376 ERROR [org.apache.activemq.artemis.core.protocol.mqtt] AMQ834002: Error processing control packet: MqttPublishMessage[fixedHeader=MqttFixedHeader[messageType=PUBLISH, isDup=false, qosLevel=AT_LEAST_ONCE, isRetain=false, remainingLength=123], variableHeader=MqttPublishVariableHeader[topicName=my/topic, packetId=1], payload=PooledSlicedByteBuf(ridx: 0, widx: 123, cap: 123/123, unwrapped: PooledUnsafeDirectByteBuf(ridx: 123, widx: 123, cap: 123))]
org.apache.activemq.artemis.api.core.ActiveMQSecurityException: AMQ229031: Unable to validate user from 1.2.3.4:123. Username: myUsername; SSL certificate subject DN: unavailable
        at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticationFailed(SecurityStoreImpl.java:448)
        at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:340)
        at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.securityCheck(ServerSessionImpl.java:515)
        at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.doSend(ServerSessionImpl.java:2318)
        at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.send(ServerSessionImpl.java:1948)
        at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.send(ServerSessionImpl.java:1887)
        at org.apache.activemq.artemis.core.protocol.mqtt.MQTTPublishManager.sendToQueue(MQTTPublishManager.java:241)
        at org.apache.activemq.artemis.core.protocol.mqtt.MQTTProtocolHandler.handlePublish(MQTTProtocolHandler.java:322)
        at org.apache.activemq.artemis.core.protocol.mqtt.MQTTProtocolHandler.act(MQTTProtocolHandler.java:164)
        at org.apache.activemq.artemis.utils.actors.Actor.doTask(Actor.java:32)
        at org.apache.activemq.artemis.utils.actors.ProcessorBase.executePendingTasks(ProcessorBase.java:68)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
{noformat}
We should conform to broker norms for logging authorization failures instead.


> Don't log stack-trace when MQTT 3.1.1 client isn't authorized to publish
> ------------------------------------------------------------------------
>
>                 Key: ARTEMIS-5751
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-5751
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>            Reporter: Justin Bertram
>            Assignee: Justin Bertram
>            Priority: Major
>
> Currently if an MQTT 3.1.1 client attempts to publish a message when it isn't 
> authorized to do so a stack-trace is logged, e.g.:
> {noformat}
> 2025-11-04 00:00:36,376 ERROR [org.apache.activemq.artemis.core.protocol.mqtt] AMQ834002: Error processing control packet: MqttPublishMessage[fixedHeader=MqttFixedHeader[messageType=PUBLISH, isDup=false, qosLevel=AT_LEAST_ONCE, isRetain=false, remainingLength=123], variableHeader=MqttPublishVariableHeader[topicName=my/topic, packetId=1], payload=PooledSlicedByteBuf(ridx: 0, widx: 123, cap: 123/123, unwrapped: PooledUnsafeDirectByteBuf(ridx: 123, widx: 123, cap: 123))]
> org.apache.activemq.artemis.api.core.ActiveMQSecurityException: AMQ229031: Unable to validate user from 1.2.3.4:123. Username: myUsername; SSL certificate subject DN: unavailable
>       at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticationFailed(SecurityStoreImpl.java:448)
>       at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:340)
>       at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.securityCheck(ServerSessionImpl.java:515)
>       at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.doSend(ServerSessionImpl.java:2318)
>       at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.send(ServerSessionImpl.java:1948)
>       at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.send(ServerSessionImpl.java:1887)
>       at org.apache.activemq.artemis.core.protocol.mqtt.MQTTPublishManager.sendToQueue(MQTTPublishManager.java:241)
>       at org.apache.activemq.artemis.core.protocol.mqtt.MQTTProtocolHandler.handlePublish(MQTTProtocolHandler.java:322)
>       at org.apache.activemq.artemis.core.protocol.mqtt.MQTTProtocolHandler.act(MQTTProtocolHandler.java:164)
>       at org.apache.activemq.artemis.utils.actors.Actor.doTask(Actor.java:32)
>       at org.apache.activemq.artemis.utils.actors.ProcessorBase.executePendingTasks(ProcessorBase.java:68)
>       at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
>       at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
> {noformat}
> We should conform to broker norms for logging authorization failures instead.
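
An added example, not part of the Jira issue or the Artemis code base: a log pipeline can reduce each multi-line record of the kind quoted above to the fields that matter for monitoring denied publishes, and drop the stack frames. The sample log is constructed from the issue's record with the frame list shortened to two; the function names and the trailing INFO line are assumptions.

```python
import re

# Constructed sample: the record from the issue with two of its frames, plus one unrelated line.
SAMPLE_LOG = """\
2025-11-04 00:00:36,376 ERROR [org.apache.activemq.artemis.core.protocol.mqtt] AMQ834002: Error processing control packet: MqttPublishMessage[fixedHeader=MqttFixedHeader[messageType=PUBLISH, isDup=false, qosLevel=AT_LEAST_ONCE, isRetain=false, remainingLength=123], variableHeader=MqttPublishVariableHeader[topicName=my/topic, packetId=1], payload=PooledSlicedByteBuf(ridx: 0, widx: 123, cap: 123/123, unwrapped: PooledUnsafeDirectByteBuf(ridx: 123, widx: 123, cap: 123))]
org.apache.activemq.artemis.api.core.ActiveMQSecurityException: AMQ229031: Unable to validate user from 1.2.3.4:123. Username: myUsername; SSL certificate subject DN: unavailable
        at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:340)
        at org.apache.activemq.artemis.core.protocol.mqtt.MQTTProtocolHandler.handlePublish(MQTTProtocolHandler.java:322)
2025-11-04 00:00:37,001 INFO  [org.example.other] unrelated line
"""

# A record starts with "timestamp LEVEL [logger] message"; other lines continue it.
RECORD_START = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\w+)\s+\[([^\]]+)\] (.*)$")
DENIED = re.compile(
    r"AMQ229031: Unable to validate user from (?P<remote>\S+)\. "
    r"Username: (?P<user>[^;]*); SSL certificate subject DN: (?P<dn>.*)$")
TOPIC = re.compile(r"topicName=([^,\]]*)")  # stops at the first ',' or ']'
FRAME = re.compile(r"^\s+at ")

def split_records(text):
    """Group continuation lines (exception message, frames) under their record."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append([line])
        elif records:
            records[-1].append(line)
    return records

def denied_publishes(text):
    """Return one compact dict per AMQ834002 record caused by AMQ229031."""
    events = []
    for rec in split_records(text):
        ts, level, _logger, msg = RECORD_START.match(rec[0]).groups()
        denied = next((m for m in map(DENIED.search, rec[1:]) if m), None)
        if "AMQ834002" not in msg or denied is None:
            continue
        topic = TOPIC.search(msg)
        # Username and topic are client-supplied: treat them as untrusted downstream.
        events.append({"time": ts, "level": level, "remote": denied["remote"],
                       "user": denied["user"], "cert_dn": denied["dn"],
                       "topic": topic.group(1) if topic else None,
                       "frames_dropped": sum(1 for l in rec[1:] if FRAME.match(l))})
    return events

if __name__ == "__main__":
    for event in denied_publishes(SAMPLE_LOG):
        print(event)
```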


