Hi Timothy,
Yes, I'm using sasl_allow_insecure_mechs. Here's the full "on_container_start"
method I'm using:
void on_container_start(proton::container &c) override {
proton::connection_options co;
co.user(user);
co.password(password);
co.sasl_enabled(true);
co.sasl_allow_insecure_mechs(true);
co.sasl_allowed_mechs("PLAIN");
sender = c.open_sender(url, co);
}
Seems like this ought to work?
Peter
-----Original Message-----
From: Timothy Bish <[email protected]>
Sent: Monday, May 5, 2025 6:29 PM
To: [email protected]
Subject: EXTERNAL: Re: EXTERNAL: Re: Username/password authentication example
from C++ docs doesn't work?
Sorry I typo'd the frame tracing option. Quite right PN_TRACE_FRM
I think there is also a connection option in the C++ client that might be
needed.
From the connection_options API
connection_options & sasl_allow_insecure_mechs (bool)
Force the enabling of SASL mechanisms that disclose cleartext passwords
over the connection.
I'm not very familiar with the C++ client but that sounds like it'd be needed
for PLAIN to work.
On Mon, May 5, 2025 at 6:26 PM [email protected]
<[email protected]> wrote:
>
> Hi Timothy,
>
> I added PN_TRACE_FRM=true (not PN_TRACE_FROM) to the C# client and see this
> output:
>
> -> SASL:[1488863629:0] AMQP,3,1,0,0
> <- SASL:[1488863629:0] AMQP,3,1,0,0
> <- SASL:[1488863629:0] SaslMechanisms{mechanisms=PLAIN,ANONYMOUS}
> -> SASL:[1488863629:0] SaslInit{mechanismPLAIN,
> -> initialResponse="%00admin%00admin", hostname=localhost}
> <- SASL:[1488863629:0] Ok
>
> It looks like the C# client successfully uses PLAIN?
>
> I then added PN_TRACE_FRM=true to the C++ client, and now I see this output:
>
> [0x1edc0b0]: SASL:FRAME: -> SASL
> [0x1edc0b0]: SASL:FRAME: <- SASL
> [0x1edc0b0]: AMQP:FRAME:0 <- @sasl-mechanisms(64)
> [sasl-server-mechanisms=@<symbol>[:PLAIN, :ANONYMOUS]]
> [0x1edc0b0]: IO:FRAME: -> EOS
> amqp:unauthorized-access: SASL(-4): no mechanism available: No worthy
> mechs found (Authentication failed [mech=none])
>
> It looks like "PLAIN" is in the "sasl-server-mechanisms", but then it still
> says "no mechanism available". Does that mean the C++ client still doesn't
> have PLAIN enabled?
>
> Peter
>
> -----Original Message-----
> From: Timothy Bish <[email protected]>
> Sent: Monday, May 5, 2025 6:08 PM
> To: [email protected]
> Subject: EXTERNAL: Re: EXTERNAL: Re: Username/password authentication example
> from C++ docs doesn't work?
>
> When running the Qpid proton-dotnet client you can define the
> PN_TRACE_FROM=true environment variable to have the AMQP frames printed to
> the console, my guess would be PLAIN is being used since you set a password
> and the broker offers that by default.
>
> On Mon, May 5, 2025 at 5:21 PM [email protected]
> <[email protected]> wrote:
> >
> > Hi Ted,
> >
> > > Try setting the sasl_allowed_mechs in your connection options. Try using
> > > "PLAIN".
> >
> > I added this line to on_container_start:
> >
> > co.sasl_allowed_mechs("PLAIN");
> >
> > And now I get a different error:
> >
> > amqp:unauthorized-access: SASL(-4): no mechanism available: No
> > worthy mechs found (Authentication failed [mech=none])
> >
> > Any idea why it's ignoring the PLAIN mechanism? I also tried adding these:
> >
> > co.sasl_enabled(true);
> > co.sasl_allow_insecure_mechs(true);
> >
> > But this made no difference (same error).
> >
> > > Whatever you use must match what is supported on the broker-side.
> >
> > I believe the broker supports PLAIN, since the C# client library
> > authenticated fine.
> >
> > Peter
> >
> > -----Original Message-----
> > From: Ted Ross <[email protected]>
> > Sent: Monday, May 5, 2025 4:48 PM
> > To: [email protected]
> > Subject: EXTERNAL: Re: Username/password authentication example from C++
> > docs doesn't work?
> >
> > Try setting the sasl_allowed_mechs in your connection options. I believe
> > it is defaulting to ANONYMOUS, which does not use the user/password values.
> > Try using "PLAIN". Whatever you use must match what is supported on the
> > broker-side.
> >
> > -Ted
> >
> > On Mon, May 5, 2025 at 3:37 PM [email protected] <
> > [email protected]> wrote:
> >
> > > Hi, I'm using version 0.37.0 of the C++ library
> > > (qpid-proton-cpp-0.37.0) and can't figure out how to authenticate
> > > with a username/password. My test
> > > setup:
> > >
> > > For the broker, I run ActiveMQ Classic using this command: podman
> > > run -it --rm --net=host --env ACTIVEMQ_CONNECTION_USER=admin --env
> > > ACTIVEMQ_CONNECTION_PASSWORD=admin
> > > docker.io/apache/activemq-classic
> > >
> > > For the C++ client, I run the code from the "simple_send.cpp"
> > > example at
> > > https://qpid.apache.org/releases/qpid-proton-0.37.0/proton/cpp/api
> > > /s im ple_send_8cpp-example.html, which I simplified to hardcode
> > > the username/password to admin/admin:
> > >
> > > #include <proton/connection.hpp>
> > > #include <proton/connection_options.hpp> #include
> > > <proton/container.hpp> #include <proton/message.hpp> #include
> > > <proton/message_id.hpp> #include <proton/messaging_handler.hpp>
> > > #include <proton/reconnect_options.hpp> #include
> > > <proton/tracker.hpp> #include <proton/types.hpp>
> > >
> > > #include <iostream>
> > > #include <map>
> > >
> > >
> > > class simple_send : public proton::messaging_handler {
> > > private:
> > > std::string url;
> > > std::string user;
> > > std::string password;
> > > bool reconnect;
> > > proton::sender sender;
> > > int sent;
> > > int confirmed;
> > > int total;
> > >
> > > public:
> > > simple_send(const std::string &s, const std::string &u, const
> > > std::string &p, bool r, int c) :
> > > url(s), user(u), password(p), reconnect(r), sent(0),
> > > confirmed(0),
> > > total(c) {}
> > >
> > > void on_container_start(proton::container &c) override {
> > > proton::connection_options co;
> > > if (!user.empty()) co.user(user);
> > > if (!password.empty()) co.password(password);
> > > if (reconnect) co.reconnect(proton::reconnect_options());
> > > sender = c.open_sender(url, co);
> > > }
> > >
> > > void on_connection_open(proton::connection& c) override {
> > > if (c.reconnected()) {
> > > sent = confirmed; // Re-send unconfirmed messages after a
> > > reconnect
> > > }
> > > }
> > >
> > > void on_sendable(proton::sender &s) override {
> > > while (s.credit() && sent < total) {
> > > proton::message msg;
> > > std::map<std::string, int> m;
> > > m["sequence"] = sent + 1;
> > >
> > > msg.id(sent + 1);
> > > msg.body(m);
> > >
> > > s.send(msg);
> > > sent++;
> > > }
> > > }
> > >
> > > void on_tracker_accept(proton::tracker &t) override {
> > > confirmed++;
> > >
> > > if (confirmed == total) {
> > > std::cout << "all messages confirmed" << std::endl;
> > > t.connection().close();
> > > }
> > > }
> > >
> > > void on_transport_close(proton::transport &) override {
> > > sent = confirmed;
> > > }
> > > };
> > >
> > > int main(int argc, char **argv) {
> > > std::string address = "127.0.0.1:5672/examples";
> > > std::string user = "admin";
> > > std::string password = "admin";
> > > bool reconnect = false;
> > > int message_count = 100;
> > >
> > > try {
> > > simple_send send(address, user, password, reconnect,
> > > message_count);
> > > proton::container(send).run();
> > >
> > > return 0;
> > > } catch (const std::exception& e) {
> > > std::cerr << e.what() << std::endl;
> > > }
> > >
> > > return 1;
> > > }
> > >
> > > When run, the C++ client crashes with this error:
> > >
> > > amqp:unauthorized-access: Authentication failed [mech=ANONYMOUS]
> > >
> > > The error message suggests (?) that the username/password I
> > > specify are not being used, since it says "mech=ANONYMOUS". Can
> > > anyone see an obvious mistake in my C++ code? Am I not setting the
> > > username/password correctly?
> > > Is this a known bug in version 0.37.0?
> > >
> > > In contrast, I can successfully authenticate to the broker using
> > > the C# library example at
> > > https://docs.redhat.com/en/documentation/red_hat_build_of_apache_qpid_proton_dotnet/1.0/html-single/using_qpid_proton_dotnet/index.
> > > In the C# example, if I specify the username/password as
> > > admin/admin then message posting succeeds, and when I specify a
> > > wrong password it fails with an authentication error.
> > >
> > >
>
>
>
> --
> --
> Tim Bish
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected] For
> additional commands, e-mail: [email protected]
>
--
--
Tim Bish
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected] For additional
commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
