activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From neek <n...@nickfenwick.com>
Subject 5.5 to 5.6 upgrade, stomp client suddenly gets "User name [ xyz] or password is invalid."
Date Sun, 22 Jul 2012 15:51:36 GMT
I've had a Java server with ActiveMQ 5.5.0 running for a long time, with PHP
clients connecting via stomp.  ActiveMQ configures via broker.xml with basic
security config based on http://activemq.apache.org/security.html .. the
stomp client posts simple messages to consumers listening in the Java
server.

Dropping 5.6.0 into my Java server immediately makes the stomp client unable
to post messages.  It seems 5.6 doesn't accept my broker.xml security
configuration in the way 5.5 did.  That is, I replace the classpath entries
for 5.5.0 with those for 5.6.0, restart my java server, and get the
following on the Java server when the stomp client sends a message:

     [java] Jul 22, 2012 10:23:23 PM
org.apache.activemq.broker.TransportConnection processAddConnection
     [java] WARNING: Failed to add Connection
ID:uberneek-53309-1342970565701-8:2, reason: java.lang.SecurityException:
User name [ xyz] or password is invalid.
     [java] Jul 22, 2012 10:23:23 PM
org.apache.activemq.transport.stomp.ProtocolConverter handleException
     [java] WARNING: Exception occurred processing: 
     [java] CONNECT
     [java] passcode:*****
     [java] login: xyz
     [java] 
     [java] : java.lang.SecurityException: User name [ xyz] or password is
invalid.
     [java] Jul 22, 2012 10:23:23 PM
org.apache.activemq.broker.TransportConnection serviceTransportException
     [java] WARNING: Transport Connection to: tcp://127.0.0.1:37963 failed:
java.io.IOException: User name [ xyz] or password is invalid.
     [java] Jul 22, 2012 10:23:23 PM
org.apache.activemq.transport.stomp.ProtocolConverter handleException
     [java] WARNING: Exception occurred processing: 
     [java] DISCONNECT
     [java] 
     [java] : org.apache.activemq.transport.stomp.ProtocolException: Not
connected.
     [java] Jul 22, 2012 10:23:25 PM
org.apache.activemq.broker.TransportConnection$3 run
     [java] INFO: Stopping tcp://127.0.0.1:37963 because Failed with
SecurityException: User name [ xyz] or password is invalid.

I've replaced my username with 'xyz' for this log snippet.

The same error is passed back to the stomp client and logged by my exception
handler to error_log, and comes out like this (the first line is my own
debug message):

[22-Jul-2012 15:16:20 UTC] Making connection to tcp://127.0.0.1:61613...
[22-Jul-2012 15:16:30 UTC] StompException sending message: User name [ xyz]
or password is invalid. details: java.lang.SecurityException: User name [
zencart] or password is invalid.
        at
org.apache.activemq.security.SimpleAuthenticationBroker.addConnection(SimpleAuthenticationBroker.java:81)
        at
org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:85)
        at
org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:91)
        at
org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:715)
        at
org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:79)
        at
org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:139)
        at
org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:292)
        at
org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:150)
        at
org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:45)
        at
org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:229)
        at
org.apache.activemq.transport.stomp.StompTransportFilter.sendToActiveMQ(StompTransportFilter.java:87)
        at
org.apache.activemq.transport.stomp.ProtocolConverter.sendToActiveMQ(ProtocolConverter.java:126)
        at
org.apache.activemq.transport.stomp.ProtocolConverter.onStompConnect(ProtocolConverter.java:607)
        at
org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:181)
        at
org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:76)
        at
org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
        at
org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:222)
        at
org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:204)
        at java.lang.Thread.run(Thread.java:722)

I used wireshark to dump the traffic during the conversation, and the
request from the client is naturally identical in both cases since it's
unchanged, but the 5.5 ActiveMQ replies with "CONNECTED" while 5.6 replies
with "ERROR" and goes on with:

"""""
ERROR
content-type:text/plain
message:User name [ zencart] or password is invalid.

java.lang.SecurityException: User name [ zencart] or password is invalid.
[cut java stacktrace, as seen above]
"""""

I'll post my broker.xml for completeness.  Is there anything in the 5.6 code
that would make this security configuration become invalid?

I've read https://issues.apache.org/jira/browse/AMQ-3749 "Composite
destinations break simple authorisation through role aggregation" but I
don't think I'm making that mistake.  I've also double checked that the
'users' group that the 'xyz' user belongs to is in the ActiveMQ.Advisory
topic.. I'm not quite sure what effect that has but I've seen it recommended
in a post here.


<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:amq="http://activemq.apache.org/schema/core"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
  http://activemq.apache.org/schema/core
http://activemq.apache.org/schema/core/activemq-core.xsd">
	<bean
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
	<broker xmlns="http://activemq.apache.org/schema/core"
		brokerName="mybroker" useJmx="true" persistent="true">
		<plugins>
			
			
			<simpleAuthenticationPlugin anonymousAccessAllowed="false">
				<users>
					<authenticationUser username="system" password="manager"
groups="users,admins"/>
					
					<authenticationUser username="trusted" password="internal"
groups="users"/>
					
					<authenticationUser username="xyz" password="premierrange"
groups="guests"/>
					
				</users>
			</simpleAuthenticationPlugin>
			
			<authorizationPlugin>
				<map>
					<authorizationMap>
						<authorizationEntries>
							<authorizationEntry queue=">" read="admins" write="admins"
admin="admins" />
							<authorizationEntry queue="internal.>" read="users" write="users"
admin="users" />
							<authorizationEntry queue="integration.>" read="guests,users"
write="guests,users" admin="guests,users" />
							
							<authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users"
write="guests,users" admin="guests,users"/>

						</authorizationEntries>
					</authorizationMap>
				</map>
			</authorizationPlugin>
		</plugins>

		
		<transportConnectors>
			<transportConnector name="tcp" uri="tcp://localhost:61616"/>
			<transportConnector name="stomp" uri="stomp://localhost:61613"/>
		</transportConnectors>
			
	</broker>
</beans>

I'm hoping someone can point out something silly I'm doing without me
writing lots of test code to try to narrow it down.

Nick



--
View this message in context: http://activemq.2283324.n4.nabble.com/5-5-to-5-6-upgrade-stomp-client-suddenly-gets-User-name-xyz-or-password-is-invalid-tp4654229.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Mime
View raw message