Hi All

I am new to working with ActiveMQ and I have a requirement to connect
ActiveMQ (version 5.9.0) with OpenLDAP for authentication and authorization.
I have started doing this and have been stuck on an issue for a few days.
Given below is the error I see when running my Java client.

javax.jms.JMSSecurityException: User amqadmin is not authorized to write to: queue://TEST.FOO
        at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:52)
        at org.apache.activemq.ActiveMQConnection.syncSendPacket(ActiveMQConnection.java:1405)
        at org.apache.activemq.ActiveMQSession.syncSendPacket(ActiveMQSession.java:1925)
        at org.apache.activemq.ActiveMQMessageProducer.<init>(ActiveMQMessageProducer.java:125)
        at org.apache.activemq.ActiveMQSession.createProducer(ActiveMQSession.java:969)
        at org.gvr.keystore.client.BrokerUserMgtClient.brokerProducer(BrokerUserMgtClient.java:102)
        at org.gvr.keystore.client.BrokerUserMgtClient.main(BrokerUserMgtClient.java:24)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: java.lang.SecurityException: User amqadmin is not authorized to write to: queue://TEST.FOO
        at org.apache.activemq.security.AuthorizationBroker.addProducer(AuthorizationBroker.java:179)
        at org.apache.activemq.broker.MutableBrokerFilter.addProducer(MutableBrokerFilter.java:107)
        at org.apache.activemq.broker.TransportConnection.processAddProducer(TransportConnection.java:534)
        at org.apache.activemq.command.ProducerInfo.visit(ProducerInfo.java:105)
        at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:292)
        at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:149)
        at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:50)
        at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)
        at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:270)
        at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
        at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:214)
        at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:196)
        at java.lang.Thread.run(Thread.java:662)

At the beginning I got this issue for ActiveMQ advisory topics, but then I
turned them off.

I noticed that the authentication part does work properly without
authorization, i.e. when I removed the authorization config from activemq.xml.

Given below are my configurations for Authentication and Authorization. 

Authentication config at [ACTIVEMQ_HOME]/conf/login.config 
-------------------------------------------------------------------------------------------

LdapConfiguration {
  org.apache.activemq.jaas.LDAPLoginModule required
    debug=true
    initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
    connectionURL="ldap://localhost:389"
    connectionUsername="cn=admin,dc=wso2,dc=com"
    connectionPassword=**********
    connectionProtocol=s
    authentication=simple
    userBase="ou=Users,dc=wso2,dc=com"
    userRoleName=dummy
    userSearchMatching="(uid={0})"
    userSearchSubtree=false
    roleBase="ou=Groups,dc=wso2,dc=com"
    roleName=cn
    roleSearchMatching="(member=uid={1})"
    roleSearchSubtree=true;
};

Authorization config at  [ACTIVEMQ_HOME]/conf/activemq.xml
----------------------------------------------------------------------------------------------

<plugins>
    <jaasAuthenticationPlugin configuration="LdapConfiguration" />
    <authorizationPlugin>
        <map>
            <cachedLDAPAuthorizationMap
                connectionURL="ldap://localhost:389"
                connectionUsername="cn=admin,dc=wso2,dc=com"
                connectionPassword="*********"
                queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,ou=systems,dc=wso2,dc=com"
                topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,ou=systems,dc=wso2,dc=com"
                tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,ou=systems,dc=wso2,dc=com"
                refreshInterval="60000"
                legacyGroupMapping="false"
                userObjectClass="identityPerson"/>
        </map>
    </authorizationPlugin>
</plugins>

I even tried the configuration given below as well, but was still getting
the same issue.

<authorizationPlugin>
    <map>
        <bean id="lDAPAuthorizationMap"
              class="org.apache.activemq.security.LDAPAuthorizationMap"
              xmlns="http://www.springframework.org/schema/beans">
            <property name="initialContextFactory" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <property name="connectionURL" value="ldap://localhost:389"/>
            <property name="authentication" value="simple"/>
            <property name="connectionUsername" value="cn=admin,dc=wso2,dc=com"/>
            <property name="connectionPassword" value="***********"/>
            <property name="connectionProtocol" value=""/>
            <property name="topicSearchMatchingFormat"
                      value="cn={0},ou=Topic,ou=Destination,dc=wso2,dc=com"/>
            <property name="topicSearchSubtreeBool" value="true"/>
            <property name="queueSearchMatchingFormat"
                      value="cn={0},ou=Queue,ou=Destination,dc=wso2,dc=com"/>
            <property name="queueSearchSubtreeBool" value="true"/>
            <property name="advisorySearchBase"
                      value="cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,dc=wso2,dc=com"/>
            <property name="tempSearchBase"
                      value="cn=ActiveMQ.Temp,ou=Topic,ou=Destination,dc=wso2,dc=com"/>
            <property name="adminBase" value="(cn=admin)"/>
            <property name="adminAttribute" value="member"/>
            <property name="readBase" value="(cn=read)"/>
            <property name="readAttribute" value="member"/>
            <property name="writeBase" value="(cn=write)"/>
            <property name="writeAttribute" value="member"/>
        </bean>
    </map>
</authorizationPlugin>

My LDAP structure looks like below. 

Authorization structure

<http://activemq.2283324.n4.nabble.com/file/n4678364/authorization_structure.png>
 

User / Group structure 

<http://activemq.2283324.n4.nabble.com/file/n4678364/ldap_user_group.png> 


I followed the guides given below when enabling authentication and
authorization for ActiveMQ.

http://fusesource.com/docs/broker/5.5/security/LDAP-AddUserEntries.html

http://activemq.apache.org/security

The Java client I use to create a queue and produce a message is as below.

import javax.jms.Connection;
import javax.jms.DeliveryMode;
import javax.jms.Destination;
import javax.jms.JMSException;
import javax.jms.MessageProducer;
import javax.jms.Session;
import javax.jms.TextMessage;

import org.apache.activemq.ActiveMQConnectionFactory;

public class BrokerUserMgtClient {

    private static String connectionString = "tcp://localhost:61616";
    private static String queueName = "TEST.FOO";
    private static String message = " This is with user authentication ";

    public static void main(String[] args) throws JMSException {
        brokerProducer();
    }

    // Connects as amqadmin, creates the queue and sends one text message.
    private static void brokerProducer() throws JMSException {
        ActiveMQConnectionFactory connectionFactory =
                new ActiveMQConnectionFactory("amqadmin", "amqadmin", connectionString);
        // Advisory topics are switched off so the client needs no access to them.
        connectionFactory.setWatchTopicAdvisories(false);

        Connection connection = connectionFactory.createConnection();
        try {
            connection.start();
            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
            Destination destination = session.createQueue(queueName);

            // createProducer is where the broker's AuthorizationBroker.addProducer
            // checks write access and throws the JMSSecurityException above.
            MessageProducer producer = session.createProducer(destination);
            producer.setDeliveryMode(DeliveryMode.NON_PERSISTENT);

            String text = message + System.currentTimeMillis();
            TextMessage textMessage = session.createTextMessage(text);

            producer.send(textMessage);
            System.out.println("Message Sent to - " + connectionString);

            session.close();
        } finally {
            connection.close();
        }
    }
}

I am unable to think of any reason why this error is occurring, and request
your kind support over this urgent issue.  

Best Regards
Isuru
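As an added check (not code from the post or from ActiveMQ), a small Python script that derives the two LDAP searches the posted login.config makes LDAPLoginModule issue and builds equivalent ldapsearch commands, so the user lookup and the role lookup can be verified against the directory by hand. It assumes the login module's substitution order ({0} is the username in userSearchMatching; {0} is the user DN and {1} the username in roleSearchMatching) and a constructed user DN under userBase.

```python
import re
import shlex

# Constructed excerpt of the login.config stanza from the post (password omitted).
LOGIN_CONFIG = r'''
LdapConfiguration {
  org.apache.activemq.jaas.LDAPLoginModule required
    connectionURL="ldap://localhost:389"
    connectionUsername="cn=admin,dc=wso2,dc=com"
    userBase="ou=Users,dc=wso2,dc=com"
    userSearchMatching="(uid={0})"
    userSearchSubtree=false
    roleBase="ou=Groups,dc=wso2,dc=com"
    roleName=cn
    roleSearchMatching="(member=uid={1})"
    roleSearchSubtree=true;
};
'''

def parse_jaas_options(text):
    """Key=value options of a JAAS login module entry, with quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^\s;]+)', text)}

def rfc2254_escape(value):
    """Escape LDAP filter metacharacters before substituting user input into a filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\0' else c for c in value)

def effective_searches(opts, username, user_dn):
    """Searches this stanza makes the login module issue. Assumed substitution order
    (LDAPLoginModule's MessageFormat args): user {0}=username; role {0}=DN, {1}=username."""
    u, d = rfc2254_escape(username), rfc2254_escape(user_dn)
    scope = lambda key: 'sub' if opts.get(key) == 'true' else 'one'
    return {
        'user': {'base': opts['userBase'], 'scope': scope('userSearchSubtree'),
                 'filter': opts['userSearchMatching'].replace('{0}', u)},
        'role': {'base': opts['roleBase'], 'scope': scope('roleSearchSubtree'),
                 'filter': opts['roleSearchMatching'].replace('{0}', d).replace('{1}', u),
                 'attr': opts['roleName']},
    }

def ldapsearch_commands(opts, username, user_dn):
    """Equivalent ldapsearch invocations for checking both lookups by hand."""
    s = effective_searches(opts, username, user_dn)
    cmds = []
    for name, attr in (('user', 'dn'), ('role', s['role']['attr'])):
        q = s[name]
        cmds.append('ldapsearch -H %s -D %s -W -b %s -s %s %s %s' % (
            shlex.quote(opts['connectionURL']), shlex.quote(opts['connectionUsername']),
            shlex.quote(q['base']), q['scope'], shlex.quote(q['filter']), attr))
    return cmds
```

For the posted stanza the role search becomes `(member=uid=amqadmin)` under ou=Groups, so the group entries must carry exactly that member value for the user's roles to be found; running the second command shows which cn values the broker will actually receive as roles.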





--
View this message in context: 
http://activemq.2283324.n4.nabble.com/ActiveMQ-authorization-error-with-OpenLDAP-tp4678364.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.