I believe the Proton Python binding won't use PLAIN if offered, unless
the connection is using TLS or it was instructed it can use it
regardless:

https://qpid.apache.org/releases/qpid-proton-0.38.0/proton/python/docs/proton.reactor.html#proton.reactor.Container.connect

"allow_insecure_mechs (bool), a flag indicating whether insecure
mechanisms, such as PLAIN over a non-encrypted socket, are allowed."

The broker defaults to offering PLAIN + ANONYMOUS, which it will keep
doing even if you only have "PropertiesLoginModule required" since
unfortunately the bits saying what SASL mechanisms to offer have
absolutely no knowledge of what JAAS login config exists and what
mechanisms can actually work. One of the more annoying things about
the use of JAAS.

You can specifically configure what mechanisms to offer however, using
the "saslMechanisms" option on the acceptor URI, e.g. as you would need
to when enabling support for SCRAM-SHA-*, EXTERNAL or GSSAPI. Covered at
https://activemq.apache.org/components/artemis/documentation/latest/security.html

Robbie

On Tue, 17 Jan 2023 at 10:28, Dondorp, Erwin
<erwin.dond...@cgi.com.invalid> wrote:
>
> Hello,
>
> So far I've been happy connecting to Artemis using either the Artemis
> JMS (CORE protocol) or with Qpid JMS (AMQP protocol).
> But attempts with using Python QpidProton (AMQP protocol) are only
> successful when an anonymous user is allowed, but I actually need
> username+password.
> I now did a Wireshark trace to see what happened when a
> username+password is used:
>
> Client <---> broker
> ===============
> --> Protocol header 1-0-0
> <-- Protocol header 1-0-0 sasl.mechanisms(PLAIN+ANONYMOUS)
> --> sasl.init ANONYMOUS
> <-- sasl.outcome OK
> --> Protocol header 1-0-0 open begin attach(correct client-id and correct address)
> <-- Protocol header 1-0-0
> --> open close(error-desciption=NullPointerException)
> --> close
>
> First observation is that Artemis is returning "NullPointerException"
> in the description of the 'close' sub-packet. The Artemis logfile shows
> a real NPE in location
> "org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.getAddress(AMQPSessionCallback.java:724)"
> for that.
> I'm not sure whether that is a bug, or just some unpolished code.
>
> Second observation is that Artemis offers the PLAIN+ANONYMOUS mechanisms.
> But my server only has "PropertiesLoginModule required" in
> etc/login.config, which does not actually allow anonymous login.
> I'm not sure whether that is a bug, or just an incorrect expectation
> from my side.
>
> Does anyone have useful remarks on these 2 observations?
> Does anyone have a working Python QpidProton client that uses
> username+password?
>
> thx,
> Erwin
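
A Python Proton client for the username+password case discussed in this thread, as an added example that is not code from either poster or from the Qpid or Artemis projects. It uses the `user`, `password`, `allowed_mechs` and `allow_insecure_mechs` options of `Container.connect()`; the helper names, broker URL, queue name and credentials are hypothetical placeholders, and `python-qpid-proton` is assumed to be installed.

```python
from urllib.parse import urlsplit

def sasl_connect_options(url, user, password, allow_cleartext=False):
    """Build keyword arguments for proton.reactor.Container.connect()."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("amqp", "amqps"):
        raise ValueError("unsupported scheme: %r" % scheme)
    opts = {
        "url": url,
        "user": user,
        "password": password,
        # Restrict the client to PLAIN so it cannot select ANONYMOUS,
        # even when the broker offers PLAIN + ANONYMOUS.
        "allowed_mechs": "PLAIN",
    }
    if scheme == "amqp":
        # PLAIN on a non-TLS socket exposes the password on the wire,
        # so it is only enabled on an explicit opt-in by the caller.
        if not allow_cleartext:
            raise ValueError("PLAIN over amqp:// is unencrypted; "
                             "use amqps:// or pass allow_cleartext=True")
        opts["allow_insecure_mechs"] = True
    return opts

def send_one(url, address, user, password, body, allow_cleartext=False):
    # Imported here so the option check above works without Proton installed.
    from proton import Message
    from proton.handlers import MessagingHandler
    from proton.reactor import Container

    opts = sasl_connect_options(url, user, password, allow_cleartext)

    class SendOnce(MessagingHandler):
        sent = False

        def on_start(self, event):
            conn = event.container.connect(**opts)
            event.container.create_sender(conn, address)

        def on_sendable(self, event):
            if event.sender.credit and not self.sent:
                event.sender.send(Message(body=body))
                self.sent = True

        def on_accepted(self, event):
            event.connection.close()

    Container(SendOnce()).run()

if __name__ == "__main__":
    # Placeholder endpoint and credentials (constructed for this example).
    send_one("amqps://broker.example:5671", "example.queue",
             "app-user", "app-password", "hello")
```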
