activemq-dev mailing list archives

From Timothy Bish <tabish...@gmail.com>
Subject Re: [jira] [Resolved] (AMQ-4126) stomp+nio+ssl + jaasDualAuthenticationPlugin + certificate authentication fails
Date Wed, 24 Oct 2012 14:01:18 GMT
On Wed, 2012-10-24 at 15:26 +0200, Massimo Paladin wrote: 
> Hi Timothy,
> 
> I have a couple of questions.
> 
> One is related to the unit test which I provided for this bug.
> In the xml configuration file (JaasStompSSLBroker.xml) if you remove the
> "transport.enabledCipherSuites"
> option from the openwire+nio+ssl connector it stops working, generating an
> EOFException
> on the client side, is this intended?
> Why isn't there a default for that option?

I'm sure there are more issues to be found.  The best thing to do is
create a test case showing the differences and issues and opening more
Jira tickets.  

> 
> javax.jms.JMSException: java.io.EOFException
>         at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:49)
>         at org.apache.activemq.ActiveMQConnection.syncSendPacket(ActiveMQConnection.java:1377)
>         at org.apache.activemq.ActiveMQConnection.ensureConnectionInfoSent(ActiveMQConnection.java:1481)
>         at org.apache.activemq.ActiveMQConnection.start(ActiveMQConnection.java:516)
>         at org.apache.activemq.bugs.AMQ4126Test.openwireConnectTo(AMQ4126Test.java:136)
>         at org.apache.activemq.bugs.AMQ4126Test.testOpenwireNIOSSLWithUsernameAndPassword(AMQ4126Test.java:152)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 
> The other question is related to the validation of the connectors' URIs.
> We noticed that there is no error checking on the given options in the URI.
> In our brokers we were using "needClientAuth" set to true for the ssl
> connectors,
> with stomp+nio+ssl connector we kept "needClientAuth" which did not work
> because the correct option is "transport.needClientAuth".
> This resulted in a non-obvious error generating an exception on the server
> side (below).
> 
> The actual behaviour is not consistent between the stomp+ssl and the
> stomp+nio+ssl connectors,
> stomp+ssl seems to work fine with the "needClientAuth" option and for
> stomp+nio+ssl
> "transport.needClientAuth" is required in order to work.
> 
> It would be nice if these kinds of situations were made impossible by
> doing some
> sort of error checking on the provided connector's options, would this be
> possible?
> 
> java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
>         at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:74)
>         at org.apache.activemq.security.JaasDualAuthenticationBroker.addConnection(JaasDualAuthenticationBroker.java:98)
>         at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:91)
>         at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:712)
>         at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:80)
>         at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:139)
>         at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:294)
>         at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:152)
>         at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:45)
>         at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:256)
>         at org.apache.activemq.transport.stomp.StompTransportFilter.sendToActiveMQ(StompTransportFilter.java:84)
>         at org.apache.activemq.transport.stomp.ProtocolConverter.sendToActiveMQ(ProtocolConverter.java:164)
>         at org.apache.activemq.transport.stomp.ProtocolConverter.onStompConnect(ProtocolConverter.java:678)
>         at org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:219)
>         at org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:73)
>         at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
>         at org.apache.activemq.transport.nio.NIOSSLTransport.doConsume(NIOSSLTransport.java:335)
>         at org.apache.activemq.transport.stomp.StompNIOSSLTransport.doConsume(StompNIOSSLTransport.java:72)
>         at org.apache.activemq.transport.stomp.StompCodec.processCommand(StompCodec.java:113)
>         at org.apache.activemq.transport.stomp.StompCodec.parse(StompCodec.java:92)
>         at org.apache.activemq.transport.stomp.StompNIOSSLTransport.processCommand(StompNIOSSLTransport.java:60)
>         at org.apache.activemq.transport.nio.NIOSSLTransport.serviceRead(NIOSSLTransport.java:196)
>         at org.apache.activemq.transport.nio.NIOSSLTransport$1.onSelect(NIOSSLTransport.java:148)
>         at org.apache.activemq.transport.nio.SelectorSelection.onSelect(SelectorSelection.java:94)
>         at org.apache.activemq.transport.nio.SelectorWorker$1.run(SelectorWorker.java:119)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>         at java.lang.Thread.run(Thread.java:662)
> 
> Cheers,
> ---
> Massimo Paladin
> 
> email: massimo.paladin@gmail.com
> website: http://www.mpaladin.com
> flickr's page: http://flickr.com/photos/massimop
> 
> 
> On Wed, Oct 24, 2012 at 1:08 AM, Timothy Bish (JIRA) <jira@apache.org> wrote:
> 
> >
> >      [
> > https://issues.apache.org/jira/browse/AMQ-4126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
> >
> > Timothy Bish resolved AMQ-4126.
> > -------------------------------
> >
> >     Resolution: Fixed
> >
> > Fixed now in trunk, test cases added so this should stay fixed now.
> >
> > > stomp+nio+ssl + jaasDualAuthenticationPlugin + certificate
> > authentication fails
> > >
> > -------------------------------------------------------------------------------
> > >
> > >                 Key: AMQ-4126
> > >                 URL: https://issues.apache.org/jira/browse/AMQ-4126
> > >             Project: ActiveMQ
> > >          Issue Type: Bug
> > >          Components: stomp, Transport
> > >    Affects Versions: 5.7.0
> > >            Reporter: Massimo Paladin
> > >            Assignee: Timothy Bish
> > >             Fix For: 5.8.0
> > >
> > >         Attachments: AMQ4126.tgz
> > >
> > >
> > > Hello,
> > > ActiveMQ's trunk currently fails for the current use case:
> > > - server: stomp+nio+ssl connector + jaasDualAuthenticationPlugin
> > > - client: connecting to the server and expecting private certificate
> > authentication
> > > Unit test reproducing the problem provided.
> > > {noformat}
> > > 2012-10-23 17:13:01,207 [MQ NIO Worker 4] - WARN  ProtocolConverter          - Exception occurred processing:
> > > CONNECT
> > > ^@: java.lang.SecurityException: User name [null] or password is invalid.
> > > 2012-10-23 17:13:01,210 [MQ NIO Worker 4] - WARN  Transport          - Transport Connection to: tcp://128.141.156.34:59500 failed: java.io.IOException: User name [null] or password is invalid.
> > > {noformat}
> >
> > --
> > This message is automatically generated by JIRA.
> > If you think it was sent incorrectly, please contact your JIRA
> > administrators
> > For more information on JIRA, see: http://www.atlassian.com/software/jira
> >

-- 
Tim Bish
Sr Software Engineer | RedHat Inc.
tim.bish@redhat.com | www.fusesource.com | www.redhat.com 
skype: tabish121 | twitter: @tabish121
blog: http://timbish.blogspot.com/
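
An added example, not part of the original thread and not ActiveMQ code: a small config audit for the option mismatch described above, where an unprefixed "needClientAuth" on a stomp+nio+ssl connector is accepted without error and certificate authentication then fails. The sample XML, connector names and ports are constructed, and applying the rule to every scheme containing "nio+ssl" is an assumption that generalises the stomp+nio+ssl case reported in the thread.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qsl

# Constructed sample config (not the JaasStompSSLBroker.xml from the thread).
SAMPLE_XML = """<broker xmlns="http://activemq.apache.org/schema/core">
  <transportConnectors>
    <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:61612?needClientAuth=true"/>
    <transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:61613?needClientAuth=true"/>
    <transportConnector name="stomp+nio+ssl-fixed" uri="stomp+nio+ssl://0.0.0.0:61614?transport.needClientAuth=true"/>
    <transportConnector name="nio+ssl" uri="nio+ssl://0.0.0.0:61617"/>
  </transportConnectors>
</broker>"""


def audit_connector(uri):
    """Return findings for one connector URI; an empty list means nothing to report."""
    parts = urlsplit(uri)
    if "nio+ssl" not in parts.scheme:
        # The thread reports the unprefixed option working on stomp+ssl.
        return []
    opts = dict(parse_qsl(parts.query, keep_blank_values=True))
    findings = []
    if "needClientAuth" in opts:
        findings.append("'needClientAuth' is not applied here; use 'transport.needClientAuth'")
    if opts.get("transport.needClientAuth", "").lower() != "true":
        findings.append("client certificate not required; JAAS certificate login gets no certificate")
    return findings


def audit_config(xml_text):
    """Map connector name -> findings for every flagged transportConnector."""
    report = {}
    for el in ET.fromstring(xml_text).iter():
        # Strip the XML namespace before comparing the element name.
        if el.tag.rsplit("}", 1)[-1] != "transportConnector":
            continue
        findings = audit_connector(el.get("uri", ""))
        if findings:
            report[el.get("name", el.get("uri"))] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_XML).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Running such a check before broker start-up turns the server-side SecurityException seen at connect time into a configuration finding.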

