activemq-dev mailing list archives

From Massimo Paladin <Massimo.Pala...@cern.ch>
Subject Re: [jira] [Resolved] (AMQ-4126) stomp+nio+ssl + jaasDualAuthenticationPlugin + certificate authentication fails
Date Wed, 24 Oct 2012 13:26:51 GMT
Hi Timothy,

I have a couple of questions.

One is related to the unit test which I provided for this bug.
In the xml configuration file (JaasStompSSLBroker.xml), if you remove the
"transport.enabledCipherSuites" option from the openwire+nio+ssl connector,
it stops working, generating an EOFException on the client side. Is this intended?
Why isn't there a default for that option?

javax.jms.JMSException: java.io.EOFException
        at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:49)
        at org.apache.activemq.ActiveMQConnection.syncSendPacket(ActiveMQConnection.java:1377)
        at org.apache.activemq.ActiveMQConnection.ensureConnectionInfoSent(ActiveMQConnection.java:1481)
        at org.apache.activemq.ActiveMQConnection.start(ActiveMQConnection.java:516)
        at org.apache.activemq.bugs.AMQ4126Test.openwireConnectTo(AMQ4126Test.java:136)
        at org.apache.activemq.bugs.AMQ4126Test.testOpenwireNIOSSLWithUsernameAndPassword(AMQ4126Test.java:152)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

The other question is related to the validation of the connector URIs.
We noticed that there is no error checking on the given options in the URI.
In our brokers we were using "needClientAuth" set to true for the ssl connectors;
with the stomp+nio+ssl connector we kept "needClientAuth", which did not work
because the correct option is "transport.needClientAuth".
This resulted in a non-obvious error generating an exception on the server side (below).

The actual behaviour is not consistent between the stomp+ssl and the stomp+nio+ssl connectors:
stomp+ssl seems to work fine with the "needClientAuth" option, and for stomp+nio+ssl
"transport.needClientAuth" is required in order to work.

It would be nice if these kinds of situations were not made possible, by doing some
sort of error checking on the provided connector's options. Would this be possible?

java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
        at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:74)
        at org.apache.activemq.security.JaasDualAuthenticationBroker.addConnection(JaasDualAuthenticationBroker.java:98)
        at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:91)
        at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:712)
        at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:80)
        at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:139)
        at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:294)
        at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:152)
        at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:45)
        at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:256)
        at org.apache.activemq.transport.stomp.StompTransportFilter.sendToActiveMQ(StompTransportFilter.java:84)
        at org.apache.activemq.transport.stomp.ProtocolConverter.sendToActiveMQ(ProtocolConverter.java:164)
        at org.apache.activemq.transport.stomp.ProtocolConverter.onStompConnect(ProtocolConverter.java:678)
        at org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:219)
        at org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:73)
        at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
        at org.apache.activemq.transport.nio.NIOSSLTransport.doConsume(NIOSSLTransport.java:335)
        at org.apache.activemq.transport.stomp.StompNIOSSLTransport.doConsume(StompNIOSSLTransport.java:72)
        at org.apache.activemq.transport.stomp.StompCodec.processCommand(StompCodec.java:113)
        at org.apache.activemq.transport.stomp.StompCodec.parse(StompCodec.java:92)
        at org.apache.activemq.transport.stomp.StompNIOSSLTransport.processCommand(StompNIOSSLTransport.java:60)
        at org.apache.activemq.transport.nio.NIOSSLTransport.serviceRead(NIOSSLTransport.java:196)
        at org.apache.activemq.transport.nio.NIOSSLTransport$1.onSelect(NIOSSLTransport.java:148)
        at org.apache.activemq.transport.nio.SelectorSelection.onSelect(SelectorSelection.java:94)
        at org.apache.activemq.transport.nio.SelectorWorker$1.run(SelectorWorker.java:119)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:662)

Cheers,
---
Massimo Paladin

email: massimo.paladin@gmail.com
website: http://www.mpaladin.com
flickr's page: http://flickr.com/photos/massimop


On Wed, Oct 24, 2012 at 1:08 AM, Timothy Bish (JIRA) <jira@apache.org> wrote:

>
>      [
> https://issues.apache.org/jira/browse/AMQ-4126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
>
> Timothy Bish resolved AMQ-4126.
> -------------------------------
>
>     Resolution: Fixed
>
> Fixed now in trunk, test cases added so this should stay fixed now.
>
> > stomp+nio+ssl + jaasDualAuthenticationPlugin + certificate authentication fails
> > -------------------------------------------------------------------------------
> >
> >                 Key: AMQ-4126
> >                 URL: https://issues.apache.org/jira/browse/AMQ-4126
> >             Project: ActiveMQ
> >          Issue Type: Bug
> >          Components: stomp, Transport
> >    Affects Versions: 5.7.0
> >            Reporter: Massimo Paladin
> >            Assignee: Timothy Bish
> >             Fix For: 5.8.0
> >
> >         Attachments: AMQ4126.tgz
> >
> >
> > Hello,
> > ActiveMQ's trunk currently fails for the current use case:
> > - server: stomp+nio+ssl connector + jaasDualAuthenticationPlugin
> > - client: connecting to the server and expecting private certificate authentication
> > Unit test reproducing the problem provided.
> > {noformat}
> > 2012-10-23 17:13:01,207 [MQ NIO Worker 4] - WARN  ProtocolConverter          - Exception occurred processing:
> > CONNECT
> > ^@: java.lang.SecurityException: User name [null] or password is invalid.
> > 2012-10-23 17:13:01,210 [MQ NIO Worker 4] - WARN  Transport          - Transport Connection to: tcp://128.141.156.34:59500 failed: java.io.IOException: User name [null] or password is invalid.
> > {noformat}
>
> --
> This message is automatically generated by JIRA.
> If you think it was sent incorrectly, please contact your JIRA administrators
> For more information on JIRA, see: http://www.atlassian.com/software/jira
>
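
An added example, not part of the original message and not ActiveMQ code: a small lint over a broker configuration's transportConnector URIs that flags the mistake reported above, "needClientAuth" given without the "transport." prefix on a stomp+nio+ssl connector. The sample XML, connector names and ports are constructed, and the scheme and option sets encode only what the message reports.

```python
# Added example: lint for ActiveMQ transportConnector URIs (not ActiveMQ code).
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

# Assumption taken from the report above: on these schemes the bare option is
# not applied and the "transport." prefix is required.
PREFIX_REQUIRED_SCHEMES = {"stomp+nio+ssl"}
# Options to check; only needClientAuth is named in the message.
PREFIXED_OPTIONS = {"needClientAuth"}

# Constructed sample configuration, not the JaasStompSSLBroker.xml from the test.
SAMPLE_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core">
    <transportConnectors>
      <transportConnector name="stomp+ssl"
          uri="stomp+ssl://0.0.0.0:61612?needClientAuth=true"/>
      <transportConnector name="stomp+nio+ssl-bad"
          uri="stomp+nio+ssl://0.0.0.0:61613?needClientAuth=true"/>
      <transportConnector name="stomp+nio+ssl-ok"
          uri="stomp+nio+ssl://0.0.0.0:61614?transport.needClientAuth=true"/>
    </transportConnectors>
  </broker>
</beans>
"""

def connector_options(uri):
    """Split a connector URI into (scheme, {option: value})."""
    scheme, _, rest = uri.partition("://")
    _, _, query = rest.partition("?")
    return scheme.lower(), dict(parse_qsl(query, keep_blank_values=True))

def lint_connectors(xml_text):
    """Return (connector name, message) for each option missing its prefix."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Match on the local tag name so any namespace prefix is accepted.
        if elem.tag.rsplit("}", 1)[-1] != "transportConnector":
            continue
        scheme, options = connector_options(elem.get("uri", ""))
        if scheme not in PREFIX_REQUIRED_SCHEMES:
            continue
        for opt in sorted(PREFIXED_OPTIONS & options.keys()):
            if "transport." + opt not in options:
                findings.append((elem.get("name"),
                    f"'{opt}' needs the 'transport.' prefix on {scheme}"))
    return findings

if __name__ == "__main__":
    for name, message in lint_connectors(SAMPLE_XML):
        print(f"{name}: {message}")
```

Run against a broker configuration before deployment, a finding means the connector may accept clients without requesting a certificate, which is the state that produced the SecurityException above.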
