Hi All,

I am new to working with ActiveMQ and I have a requirement to connect ActiveMQ (version 5.9.0) with OpenLDAP for authentication and authorization. I have started doing this and am currently stuck on an issue for a few days. Given below is the error I see when running my Java client.

    javax.jms.JMSSecurityException: *User amqadmin is not authorized to write to: queue://TEST.FOO*
        at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:52)
        at org.apache.activemq.ActiveMQConnection.syncSendPacket(ActiveMQConnection.java:1405)
        at org.apache.activemq.ActiveMQSession.syncSendPacket(ActiveMQSession.java:1925)
        at org.apache.activemq.ActiveMQMessageProducer.<init>(ActiveMQMessageProducer.java:125)
        at org.apache.activemq.ActiveMQSession.createProducer(ActiveMQSession.java:969)
        at org.gvr.keystore.client.BrokerUserMgtClient.brokerProducer(BrokerUserMgtClient.java:102)
        at org.gvr.keystore.client.BrokerUserMgtClient.main(BrokerUserMgtClient.java:24)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
    Caused by: java.lang.SecurityException: User amqadmin is not authorized to write to: queue://TEST.FOO
        at org.apache.activemq.security.AuthorizationBroker.addProducer(AuthorizationBroker.java:179)
        at org.apache.activemq.broker.MutableBrokerFilter.addProducer(MutableBrokerFilter.java:107)
        at org.apache.activemq.broker.TransportConnection.processAddProducer(TransportConnection.java:534)
        at org.apache.activemq.command.ProducerInfo.visit(ProducerInfo.java:105)
        at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:292)
        at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:149)
        at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:50)
        at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)
        at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:270)
        at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
        at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:214)
        at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:196)
        at java.lang.Thread.run(Thread.java:662)

At the beginning I got this issue for ActiveMQ advisory topics, but then I turned them off. Without authorization I noticed that the authentication part does work properly, when I removed the authorization config from the activemq.xml. Given below are my configurations for authentication and authorization.

Authentication config at [ACTIVEMQ_HOME]/conf/login.config
-------------------------------------------------------------------------------------------

    LdapConfiguration {
        org.apache.activemq.jaas.LDAPLoginModule required
            debug=true
            initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
            connectionURL="ldap://localhost:389"
            connectionUsername="cn=admin,dc=wso2,dc=com"
            connectionPassword=**********
            connectionProtocol=s
            authentication=simple
            userBase="ou=Users,dc=wso2,dc=com"
            userRoleName=dummy
            userSearchMatching="(uid={0})"
            userSearchSubtree=false
            roleBase="ou=Groups,dc=wso2,dc=com"
            roleName=cn
            roleSearchMatching="(member=uid={1})"
            roleSearchSubtree=true;
    };

Authorization config at [ACTIVEMQ_HOME]/conf/activemq.xml
----------------------------------------------------------------------------------------------

    <plugins>
        <jaasAuthenticationPlugin configuration="LdapConfiguration" />
        <authorizationPlugin>
            <map>
                <cachedLDAPAuthorizationMap
                    connectionURL="ldap://localhost:389"
                    connectionUsername="cn=admin,dc=wso2,dc=com"
                    connectionPassword="*********"
                    queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,ou=systems,dc=wso2,dc=com"
                    topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,ou=systems,dc=wso2,dc=com"
                    tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,ou=systems,dc=wso2,dc=com"
                    refreshInterval="60000"
                    legacyGroupMapping="false"
                    userObjectClass="identityPerson"/>
            </map>
        </authorizationPlugin>
    </plugins>

And I even tried with the configuration given below as well, but was still getting the same issue.

    <authorizationPlugin>
        <map>
            <bean id="lDAPAuthorizationMap" class="org.apache.activemq.security.LDAPAuthorizationMap"
                  xmlns="http://www.springframework.org/schema/beans">
                <property name="initialContextFactory" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                <property name="connectionURL" value="ldap://localhost:389"/>
                <property name="authentication" value="simple"/>
                <property name="connectionUsername" value="cn=admin,dc=wso2,dc=com"/>
                <property name="connectionPassword" value="***********"/>
                <property name="connectionProtocol" value=""/>
                <property name="topicSearchMatchingFormat" value="cn={0},ou=Topic,ou=Destination,dc=wso2,dc=com"/>
                <property name="topicSearchSubtreeBool" value="true"/>
                <property name="queueSearchMatchingFormat" value="cn={0},ou=Queue,ou=Destination,dc=wso2,dc=com"/>
                <property name="queueSearchSubtreeBool" value="true"/>
                <property name="advisorySearchBase" value="cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,dc=wso2,dc=com"/>
                <property name="tempSearchBase" value="cn=ActiveMQ.Temp,ou=Topic,ou=Destination,dc=wso2,dc=com"/>
                <property name="adminBase" value="(cn=admin)"/>
                <property name="adminAttribute" value="member"/>
                <property name="readBase" value="(cn=read)"/>
                <property name="readAttribute" value="member"/>
                <property name="writeBase" value="(cn=write)"/>
                <property name="writeAttribute" value="member"/>
            </bean>
        </map>
    </authorizationPlugin>

My LDAP structure looks like below.

Authorization structure: http://activemq.2283324.n4.nabble.com/file/n4678364/authorization_structure.png
User / Group structure: http://activemq.2283324.n4.nabble.com/file/n4678364/ldap_user_group.png

I followed the guides given below when enabling authentication and authorization for ActiveMQ.

http://fusesource.com/docs/broker/5.5/security/LDAP-AddUserEntries.html
http://activemq.apache.org/security

The Java client I use to create a queue and produce a message is as below.

    import javax.jms.*;
    import org.apache.activemq.ActiveMQConnectionFactory;

    public class BrokerUserMgtClient {
        private static String connectionString = "tcp://localhost:61616";
        private static String queueName = "TEST.FOO";
        private static String message = " This is with user authentication ";

        public static void main(String[] args) throws JMSException {
            brokerProducer();
        }

        private static void brokerProducer() throws JMSException {
            // connect as the LDAP user amqadmin, with advisory topics not watched
            ActiveMQConnectionFactory connectionFactory =
                    new ActiveMQConnectionFactory("amqadmin", "amqadmin", connectionString);
            connectionFactory.setWatchTopicAdvisories(false);
            Connection connection = connectionFactory.createConnection();
            connection.start();
            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
            Destination destination = session.createQueue(queueName);
            // createProducer is where the broker raises the authorization error above
            MessageProducer producer = session.createProducer(destination);
            producer.setDeliveryMode(DeliveryMode.NON_PERSISTENT);
            String text = message + System.currentTimeMillis();
            TextMessage textMessage = session.createTextMessage(text);
            producer.send(textMessage);
            System.out.println("Message Sent to - " + connectionString);
            session.close();
            connection.close();
        }
    }

I am unable to think of any reason why this error is occurring, and request your kind support over this urgent issue.

Best Regards,
Isuru

--
View this message in context: http://activemq.2283324.n4.nabble.com/ActiveMQ-authorization-error-with-OpenLDAP-tp4678364.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
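An added example, not part of Isuru's post and not ActiveMQ project code: an offline model of how a cachedLDAPAuthorizationMap with legacyGroupMapping="false" decides whether a user may write to a queue. It assumes the documented layout (a cn=<queue> entry under queueSearchBase with cn=admin, cn=read and cn=write children of objectClass groupOfNames, whose member values are full group DNs, the group's cn being the role name), assumes that a cn=$ entry acts as the catch-all for every queue, and derives the user's roles the way the JAAS module's roleBase/roleName=cn lookup does. The LDIF, user names and group names are constructed for the example; it goes beyond the post by covering read and admin as well as write, so it can be used to check an exported tree against the error message before touching the broker.

```python
# Added example (not from the mailing-list post or the ActiveMQ project): an
# offline model of cachedLDAPAuthorizationMap permission resolution.
# All DNs, users, groups and the "cn=$" catch-all entry below are assumptions.
from collections import defaultdict

USER_BASE = "ou=Users,dc=wso2,dc=com"
ROLE_BASE = "ou=Groups,dc=wso2,dc=com"
QUEUE_BASE = "ou=Queue,ou=Destination,ou=ActiveMQ,ou=systems,dc=wso2,dc=com"

# Constructed LDIF: two users, two groups, and the ACL entries the map expects
# for queue TEST.FOO (cn=read / cn=write under cn=TEST.FOO, members = group DNs).
SAMPLE_LDIF = """\
dn: uid=amqadmin,ou=Users,dc=wso2,dc=com
objectClass: inetOrgPerson
uid: amqadmin

dn: uid=reader,ou=Users,dc=wso2,dc=com
objectClass: inetOrgPerson
uid: reader

dn: cn=admins,ou=Groups,dc=wso2,dc=com
objectClass: groupOfNames
cn: admins
member: uid=amqadmin,ou=Users,dc=wso2,dc=com

dn: cn=readers,ou=Groups,dc=wso2,dc=com
objectClass: groupOfNames
cn: readers
member: uid=reader,ou=Users,dc=wso2,dc=com

dn: cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=systems,dc=wso2,dc=com
objectClass: applicationProcess
cn: TEST.FOO

dn: cn=write,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=systems,dc=wso2,dc=com
objectClass: groupOfNames
cn: write
member: cn=admins,ou=Groups,dc=wso2,dc=com

dn: cn=read,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=systems,dc=wso2,dc=com
objectClass: groupOfNames
cn: read
member: cn=admins,ou=Groups,dc=wso2,dc=com
member: cn=readers,ou=Groups,dc=wso2,dc=com
"""


def parse_ldif(text):
    """Parse minimal LDIF (no line folding, no base64) into {dn: {attr: [values]}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # blank line ends the current entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries


def rdn_value(dn):
    """Value of the first RDN: 'admins' for 'cn=admins,ou=Groups,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def roles_for_user(entries, uid):
    """Roles as the JAAS module derives them: cn of every group under ROLE_BASE
    whose member attribute holds the user's full DN."""
    user_dn = f"uid={uid},{USER_BASE}"
    return {rdn_value(dn) for dn, attrs in entries.items()
            if dn.endswith("," + ROLE_BASE) and user_dn in attrs.get("member", [])}


def roles_allowed(entries, queue, operation):
    """Roles granted <operation> on <queue>: cn of each member DN found under
    cn=<operation> of the queue's own entry and of the assumed cn=$ catch-all."""
    allowed = set()
    for name in (queue, "$"):
        acl_dn = f"cn={operation},cn={name},{QUEUE_BASE}"
        for member_dn in entries.get(acl_dn, {}).get("member", []):
            allowed.add(rdn_value(member_dn))
    return allowed


def authorized(entries, uid, queue, operation):
    """True when the user holds at least one role listed for the operation."""
    return bool(roles_for_user(entries, uid) & roles_allowed(entries, queue, operation))


def explain(entries, uid, queue, operation):
    """One-line diagnosis in the broker's wording, with both role sets shown."""
    have, need = roles_for_user(entries, uid), roles_allowed(entries, queue, operation)
    verdict = "authorized" if have & need else "not authorized"
    return (f"User {uid} is {verdict} to {operation} to: queue://{queue} "
            f"(user roles={sorted(have)}, roles allowed={sorted(need)})")


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    for uid in ("amqadmin", "reader"):
        print(explain(tree, uid, "TEST.FOO", "write"))
```

Running it prints one line per user; when the "user roles" set is empty the role lookup (roleBase / roleSearchMatching) is what failed, and when it is non-empty but disjoint from "roles allowed" the ACL entries under the queue are what need attention. To check a real tree, replace SAMPLE_LDIF with an ldapsearch LDIF export of the Users, Groups and Destination subtrees.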