Project: AMQ Broker
Issue: ENTMQBR-4985

[LTS] SecurityStoreImpl.java erroneously logs an ActiveMQMessageBundle.userNoPermissions message


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: AMQ 7.8.0.GA
    • Fix Version/s: None
    • Component/s: broker-core
    • Labels: None

    Description

      In SecurityStoreImpl.check() method, the call to ActiveMQSecurityManager5.authenticate (via getSubjectForAuthorization) fails due to a connection reset error. Here's part of the stack trace:

      2021-03-29 14:58:42,229 ERROR [org.apache.activemq.artemis.core.server] AMQ224084: Failed to open context: javax.naming.CommunicationException: simple bind failed: svc-ldap-auth.aws.mycompany.com:636 [Root exception is java.net.SocketException: Connection reset]
              at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) [rt.jar:1.8.0_231]
              ...
              at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) [rt.jar:1.8.0_231]
              ...
              at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_231]
              ...
              at javax.security.auth.Subject.doAs(Subject.java:422) [rt.jar:1.8.0_231]
              ......
              at org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.openContext(LDAPLoginModule.java:693) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
              at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_231]
              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.8.0_231]
              at javax.security.auth.login.LoginContext.login(LoginContext.java:587) [rt.jar:1.8.0_231]
              ...
              at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.getAuthenticatedSubject(ActiveMQJAASSecurityManager.java:138) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
              at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.authenticate(ActiveMQJAASSecurityManager.java:91) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
              at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.getSubjectForAuthorization(SecurityStoreImpl.java:366) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
              at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:282) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
              at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.securityCheck(ServerSessionImpl.java:499) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
              ...
      Caused by: java.net.SocketException: Connection reset
              at java.net.SocketInputStream.read(SocketInputStream.java:210) [rt.jar:1.8.0_231] 

      The SocketException itself is not unusual; however, processing continues in SecurityStoreImpl.check() as if authentication had legitimately failed:

               ...
               final Boolean validated;
               if (securityManager instanceof ActiveMQSecurityManager5) {
                  Subject subject = getSubjectForAuthorization(session, ((ActiveMQSecurityManager5) securityManager));
                  validated = ((ActiveMQSecurityManager5) securityManager).authorize(subject, roles, checkType, fqqn != null ? fqqn.toString() : bareAddress.toString());
               } else if (securityManager instanceof ActiveMQSecurityManager4) {
               ...


      1) ActiveMQSecurityManager5.authenticate returns null because of the SocketException
      2) validated remains false because of the null subject
      3) This leads to the ActiveMQMessageBundle.userNoPermissions message:

      if (!validated) {
         ...
         Exception ex;
         if (bareQueue == null) {
            ex = ActiveMQMessageBundle.BUNDLE.userNoPermissions(session.getUsername(), checkType, bareAddress);
         } else {
            ex = ActiveMQMessageBundle.BUNDLE.userNoPermissionsQueue(session.getUsername(), checkType, bareQueue, bareAddress);
         }
         AuditLogger.securityFailure(ex);
         throw ex;
      }

      Here's the log message:

      2021-03-29 14:58:42,231 WARN  [org.apache.activemq.artemis.core.protocol.openwire.amq.AMQSession] AMQ229032: User: user1 does not have permission='SEND' on address RMS.REPLY: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229032: User: user1 does not have permission='SEND' on address RMS.REPLY]
              at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:309) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
              at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.securityCheck(ServerSessionImpl.java:499) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
              at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.doSend(ServerSessionImpl.java:2137) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]

      The user "user1" was able to send messages to the queue successfully both before and after the SocketException. The ActiveMQMessageBundle.userNoPermissions message was therefore misleading: it reported an authorization failure when the real problem was that authentication never completed, and it caused a lot of confusion when troubleshooting the real root cause.
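The practical consequence of this bug for anyone reading broker logs is that an AMQ229032 "does not have permission" warning cannot be taken at face value while the LDAP backend is flapping. The following Python script is an added example, not part of this issue or of the Artemis/AMQ code base: it parses broker log lines in the format quoted above, and flags any AMQ229032 warning that is preceded within a short window by an AMQ224084 "Failed to open context" error as a suspected authentication-backend failure rather than a genuine authorization denial. The log lines in SAMPLE_LOG are constructed for the example (the LDAP host and the second user are placeholders); the five-second window and the verdict labels are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Log codes quoted in the issue: the LDAP context failure raised while
# authenticating, and the permission warning that is emitted right after it.
LDAP_CONTEXT_FAILURE = "AMQ224084"
NO_PERMISSION = "AMQ229032"

# Top-level broker log entry: timestamp, level, logger, AMQ code, message.
# Stack-frame lines ("        at ...") deliberately do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\] "
    r"(?P<code>AMQ\d{6}): (?P<msg>.*)$"
)
# Fields of the AMQ229032 message body.
PERM_RE = re.compile(
    r"User: (?P<user>\S+) does not have permission='(?P<perm>\w+)' "
    r"on address (?P<address>\S+?):"
)

# Constructed sample: an LDAP connection reset followed 2 ms later by the
# misleading warning for user1, then an unrelated, genuine denial for guest.
SAMPLE_LOG = """\
2021-03-29 14:58:42,229 ERROR [org.apache.activemq.artemis.core.server] AMQ224084: Failed to open context: javax.naming.CommunicationException: simple bind failed: ldap.example.invalid:636 [Root exception is java.net.SocketException: Connection reset]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) [rt.jar:1.8.0_231]
2021-03-29 14:58:42,231 WARN  [org.apache.activemq.artemis.core.protocol.openwire.amq.AMQSession] AMQ229032: User: user1 does not have permission='SEND' on address RMS.REPLY: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229032: User: user1 does not have permission='SEND' on address RMS.REPLY]
        at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:309) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
2021-03-29 15:10:03,500 WARN  [org.apache.activemq.artemis.core.protocol.openwire.amq.AMQSession] AMQ229032: User: guest does not have permission='SEND' on address ADMIN.CMD: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229032: User: guest does not have permission='SEND' on address ADMIN.CMD]
"""


def parse_line(line):
    """Return a dict for a top-level broker log entry, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return entry


def classify_permission_warnings(log_text, window=timedelta(seconds=5)):
    """Classify every AMQ229032 warning in log_text.

    A warning preceded by an AMQ224084 error within `window` is marked
    "suspect_auth_backend_failure" (the subject was never authenticated, so
    the authorization verdict is meaningless); otherwise it is
    "authorization_denied" (the user was authenticated and really lacks the role).
    """
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures = [e["ts"] for e in entries if e["code"] == LDAP_CONTEXT_FAILURE]
    results = []
    for e in entries:
        if e["code"] != NO_PERMISSION:
            continue
        pm = PERM_RE.search(e["msg"])
        if not pm:
            continue
        preceded = any(
            0 <= (e["ts"] - f).total_seconds() <= window.total_seconds()
            for f in failures
        )
        results.append({
            "ts": e["ts"],
            "user": pm["user"],
            "permission": pm["perm"],
            "address": pm["address"],
            "verdict": "suspect_auth_backend_failure" if preceded else "authorization_denied",
        })
    return results


if __name__ == "__main__":
    for r in classify_permission_warnings(SAMPLE_LOG):
        print(f'{r["ts"]} {r["user"]:<8} {r["permission"]:<6} {r["address"]:<10} {r["verdict"]}')
```

Running the script prints the user1 warning as a suspected backend failure and the guest warning as a real denial. The same correlation is easy to express as a rule in a SIEM; the point is that, on the affected versions, the AMQ224084 error is the primary signal and the AMQ229032 that follows it is noise.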

            People

              rhn-support-jbertram Justin Bertram
              dbruscin Domenico Francesco Bruscino
              Roman Vais Roman Vais