Re: Secure broker and web console: Cannot send to queue

Wed, 16 Dec 2015 01:51:26 -0800 

I just tried it on my local machine and I get the same behaviour with
ActiveMQ 5.12.1:

 WARN | Failed to add Connection ID:localhost-55849-1450257982869-9:1 due to
java.lang.SecurityException: User name [admin] or password is invalid.
 WARN | Security Error occurred on connection to: vm://localhost#6, User
name [admin] or password is invalid.
 WARN |
org.springframework.web.util.NestedServletException: Request processing
failed; nested exception is javax.jms.JMSSecurityException: User name
[admin]
or password is invalid.
        at
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:965)[spring-webmvc-3.2.11.RELEASE.jar:3.2.11.RELEASE]
...


The strange thing is that browsing of queues etc works fine - even though
there is no user with name 'admin' defined in ActiveMQ. Anonymous access is
enabled but I can even browse those queues the anonymous user shouldn't have
access to. Therefore I assume that read access from the web console uses the
'system' user as configured.
I am also able to create new queues from the web console which again
indicates that the 'system' user is used in this case. Only sending a
message to a queue doesn't work.


Any ideas?


For completeness, here my full authorization map:

                    <authorizationMap>
                        <authorizationEntries>
                            <authorizationEntry queue=">" read="admins"
write="admins" admin="admins"/>
                            <authorizationEntry queue="USER_A.>"
read="group_a" write="group_a" admin="admins"/>
                            <authorizationEntry queue="USER_B.>"
read="group_b" write="group_b" admin="group_b"/>
                            <authorizationEntry queue="GENERAL.>"
read="group_a,anonymous" write="group_a,anonymous"
admin="group_a,anonymous"/>
                            <authorizationEntry topic="ActiveMQ.Advisory.>"
read="group_a,group_b,anonymous" write="group_a,group_b,anonymous"
admin="group_a,group_b,anonymous"/>
                        </authorizationEntries>
                    </authorizationMap>


Kai


christopher.l.shannon wrote
> Did this used to work in an older version of ActiveMQ, such as 5.12.1?  If
> so, you can open up a JIRA and I will take a look.
> 
> It's possible there is a regression here because a lot of changes were
> made
> when the upgrade was done from Jetty 8 to Jetty 9.2 since there are API
> incompatibilities between the two versions.
> 
> On Tue, Dec 15, 2015 at 10:34 AM, Kai B &lt;

> kai.broszat@

> &gt; wrote:
> 
>> I have added the simpleAuthenticationPlugin to my broker (ActiveMQ 5.13.0
>> on
>> linux) and configured a few users and groups. This works fine so far and
>> users can only access those queues they are authorized for.
>>
>> I have also configured the 'system' user that has full rights on all
>> queues:
>>
>>         
> <plugins>
>>             
> <simpleAuthenticationPlugin anonymousAccessAllowed="true">
>>                 
> <users>
>>                     
> <authenticationUser username="system"
>>
>  password="mypassword" groups="admins"/>
>>                 
> </users>
>>             
> </simpleAuthenticationPlugin>
>>             
> <authorizationPlugin>
>>                 
> <map>
>>                     
> <authorizationMap>
>>                         
> <authorizationEntries>
>>                             
> <authorizationEntry queue=">
> " read="admins"
>> write="admins" admin="admins"/>
>>                         
> </authorizationEntries>
>>                     
> </authorizationMap>
>>                 
> </map>
>>             
> </authorizationPlugin>
>>         
> </plugins>
>>
>>
>> I have also configured this username/password in the
>> credentials.properties
>> file:
>>
>> activemq.username=system
>> activemq.password=mypassword
>>
>> I have not really changed the configuration of the embedded Jetty - it is
>> still configured to use the basic admin/admin user configured in
>> jetty-realm.properties.
>>
>> I can log-in to the Web console (using admin/admin) and browse queues
>> without problems. Sending a message to a queue doesn't work however. It
>> looks like the web console is using the credentials of the Jetty-User
>> instead of the credentials from the credentials.properties file
>> (referenced
>> from webapps/admin/WEB-INF/webconsole-embedded.xml):
>>
>> 2015-12-15 16:43:47,309 | WARN  | Failed to add Connection
>> ID:multi-com-dev.csf.local-52937-1450194172730-10:1 due to
>> java.lang.SecurityException: User name [admin] or password is invalid. |
>> org.apache.activ
>> emq.broker.TransportConnection | ActiveMQ VMTransport:
>> vm://localhost#11-1
>> 2015-12-15 16:43:47,311 | WARN  | Security Error occurred on connection
>> to:
>> vm://localhost#10, User name [admin] or password is invalid. |
>> org.apache.activemq.broker.TransportConnection.Service | ActiveMQ VM
>> Transport: vm://localhost#11-1
>> 2015-12-15 16:43:47,321 | WARN  |  |
>> org.eclipse.jetty.servlet.ServletHandler | qtp2044695538-17
>> org.springframework.web.util.NestedServletException: Request processing
>> failed; nested exception is javax.jms.JMSSecurityException: User name
>> [admin] or password is invalid.
>>         at
>>
>> org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:979)[spring-webmvc-4.1.8.RELEASE.jar:4.1.8.RELEASE]
>>         at
>>
>> org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869)[spring-webmvc-4.1.8.RELEASE.jar:4.1.8.RELEASE]
>>         at
>>
> ...
> 
>> What am I missing?
>>
>> Thanks,
>> Kai





--
View this message in context: 
http://activemq.2283324.n4.nabble.com/Secure-broker-and-web-console-Cannot-send-to-queue-tp4704992p4705035.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Reply via email to