activemq-users mailing list archives

From Chris Hofstaedter <chr...@nmwco.com>
Subject Re: SimpleAuthenticationBroker not preventing rogue producer??
Date Mon, 13 Nov 2006 16:37:10 GMT

Ok, I've been able to get the behavior I want, but I had to modify
AbstractConnection.java to do it.  I don't know if my modifications are
appropriate, so could someone take a look and let me know whether this is a
desirable change or not?

Specifically, I added an additional catch block after line 202 of
AbstractConnection and before the catch(Throwable).  The new code is:
catch (SecurityException e1)
   {
   // Report the security failure to the client synchronously, then stop the connection.
   ConnectionError ce = new ConnectionError();
   ce.setException(e1);
   dispatchSync(ce);
   try
      {
      this.stop();
      }
   catch (Exception e2)
      {
      serviceLog.error("Unable to stop the connection after the Security Exception:  " + e2);
      }
   }

Notice the dispatchSync versus dispatchAsync - I did this to ensure that the
client was informed of the security violation before the connection is
stopped.

Again, this "fix" was to ensure that producers with bad security credentials
could not submit messages despite the login failure.  In my example, the
producer is running in one JVM loaded via JNI invocation with an embedded
broker and a DemandForwardingBridge that is connecting to the remote broker
via "tcp://128.0.0.1:61616".  The consumer and the BrokerService are running
on the same machine but in another JVM also loaded via JNI invocation but
communicating with each other via "vm://localhost".


Chris Hofstaedter wrote:
> 
> Hopefully someone can help me here.  
> 
> I'm trying to set up a SimpleAuthenticationBroker programmatically rather
> than through the xml.  I've tried with 4.0.1 and 4.1.  The symptom is
> that, although the broker is set as an interceptor and it detects a bad
> password and emits a SecurityException, the producer is still allowed to
> produce messages.  I can see the producer get the bad login indication
> through the following log message:
> WARN  org.apache.activemq.network.DemandForwardingBridge - Unexpected
> remote command: ConnectionError {commandId = 2, responseRequired = false,
> connectionId = null, exception = java.lang.SecurityException: User name or
> password is invalid.}
> 
> But then, the next thing I know, my consumers, that have successfully
> logged in, start receiving messages from this very same producer.
> 
> In case it's my code, here's how I'm setting up the broker:
>          final Map<String, String> userPasswords = new HashMap<String, String>();
>          userPasswords.put("username", "password");
>          m_broker = new BrokerService()
>             {
>             protected Broker addInterceptors(Broker broker) throws Exception
>                {
>                broker = super.addInterceptors(broker);
>                broker = new SimpleAuthenticationBroker(broker, userPasswords, new HashMap());
>                return broker;
>                }
>             };
>          m_broker.setUseLoggingForShutdownErrors(false);
>          m_broker.setUseShutdownHook(false);
>          m_broker.setUseJmx(true);
>          m_broker.setBrokerName("localhost");
>          ManagementContext mgmtCtx = m_broker.getManagementContext();
>          mgmtCtx.setJmxDomainName(this.getClass().getName());
>          mgmtCtx.setConnectorPort(1099);
>          m_broker.setManagementContext(mgmtCtx);
>          if (persistent == false)
>             m_broker.setPersistenceAdapter(new MemoryPersistenceAdapter());
>          m_broker.addConnector(new URI("tcp://127.0.0.1:61616"));
>          m_broker.start();
> 
> 
> Any ideas?
> 

-- 
View this message in context: http://www.nabble.com/SimpleAuthenticationBroker-not-preventing-rogue-producer---tf2622706.html#a7320366
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
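
The difference between reporting a login failure and closing the connection on it, as an added example that is not part of the original message and is not ActiveMQ code. It is a JDK-only toy model; the class name, the `LOGIN`/`SEND` command strings and the assumption that sends are not re-checked against login state are all hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

// Toy model (constructed for illustration, not ActiveMQ code): a broker-side
// connection that services commands in the order a transport delivers them.
public class FailClosedConnectionDemo {

    static class Connection {
        final boolean stopOnSecurityError;   // false = report only, true = report and stop
        final List<String> delivered = new ArrayList<>();
        final List<String> sentToClient = new ArrayList<>();
        boolean stopped = false;

        Connection(boolean stopOnSecurityError) {
            this.stopOnSecurityError = stopOnSecurityError;
        }

        void service(String command) {
            if (stopped) return;             // a stopped connection accepts nothing further
            try {
                if (command.startsWith("LOGIN ")) {
                    if (!command.equals("LOGIN username password"))
                        throw new SecurityException("User name or password is invalid.");
                } else {
                    // Model assumption: sends are not re-checked against login state.
                    delivered.add(command);
                }
            } catch (SecurityException e) {
                // Tell the client first (the synchronous dispatch), then fail closed.
                sentToClient.add("ConnectionError: " + e.getMessage());
                if (stopOnSecurityError) stopped = true;
            }
        }
    }

    static List<String> run(boolean stopOnSecurityError) {
        Connection c = new Connection(stopOnSecurityError);
        // Constructed input: a bad login followed by two sends from the same peer.
        for (String cmd : new String[] {"LOGIN username wrong", "SEND m1", "SEND m2"})
            c.service(cmd);
        return c.delivered;
    }

    public static void main(String[] args) {
        System.out.println("report only     -> delivered " + run(false));
        System.out.println("report and stop -> delivered " + run(true));
    }
}
```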

