Bug
Resolution: Done
Major
AMQ 7.8.0.GA
In SecurityStoreImpl.check() method, the call to ActiveMQSecurityManager5.authenticate (via getSubjectForAuthorization) fails due to a connection reset error. Here's part of the stack trace:
2021-03-29 14:58:42,229 ERROR [org.apache.activemq.artemis.core.server] AMQ224084: Failed to open context: javax.naming.CommunicationException: simple bind failed: svc-ldap-auth.aws.mycompany.com:636 [Root exception is java.net.SocketException: Connection reset]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) [rt.jar:1.8.0_231]
    ...
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) [rt.jar:1.8.0_231]
    ...
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_231]
    ...
    at javax.security.auth.Subject.doAs(Subject.java:422) [rt.jar:1.8.0_231]
    ......
    at org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.openContext(LDAPLoginModule.java:693) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
    at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_231]
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.8.0_231]
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587) [rt.jar:1.8.0_231]
    ...
    at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.getAuthenticatedSubject(ActiveMQJAASSecurityManager.java:138) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
    at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.authenticate(ActiveMQJAASSecurityManager.java:91) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
    at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.getSubjectForAuthorization(SecurityStoreImpl.java:366) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
    at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:282) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
    at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.securityCheck(ServerSessionImpl.java:499) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
    ...
Caused by: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:210) [rt.jar:1.8.0_231]
The SocketException is not unusual; however, processing continues in SecurityStoreImpl.check():
...
final Boolean validated;
if (securityManager instanceof ActiveMQSecurityManager5) {
   Subject subject = getSubjectForAuthorization(session, ((ActiveMQSecurityManager5) securityManager));
   validated = ((ActiveMQSecurityManager5) securityManager).authorize(subject, roles, checkType, fqqn != null ? fqqn.toString() : bareAddress.toString());
} else if (securityManager instanceof ActiveMQSecurityManager4) {
...
1) ActiveMQSecurityManager5.authenticate returns null because of the SocketException
2) validated remains false because of a null subject
3) This leads to the ActiveMQMessageBundle.userNoPermissions message:
if (!validated) {
   ...
   Exception ex;
   if (bareQueue == null) {
      ex = ActiveMQMessageBundle.BUNDLE.userNoPermissions(session.getUsername(), checkType, bareAddress);
   } else {
      ex = ActiveMQMessageBundle.BUNDLE.userNoPermissionsQueue(session.getUsername(), checkType, bareQueue, bareAddress);
   }
   AuditLogger.securityFailure(ex);
   throw ex;
}
Here's the log message:
2021-03-29 14:58:42,231 WARN [org.apache.activemq.artemis.core.protocol.openwire.amq.AMQSession] AMQ229032: User: user1 does not have permission='SEND' on address RMS.REPLY: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229032: User: user1 does not have permission='SEND' on address RMS.REPLY]
    at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:309) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
    at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.securityCheck(ServerSessionImpl.java:499) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
    at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.doSend(ServerSessionImpl.java:2137) [artemis-server-2.16.0.redhat-00007.jar:2.16.0.redhat-00007]
The user "user1" was able to successfully send messages to the queue before and after the SocketException. The ActiveMQMessageBundle.userNoPermissions message was misleading and it caused a lot of confusion when troubleshooting for the real root cause.
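Because the broker reports an authentication outage as an authorization denial, an operator has to correlate the two log codes by hand. The following is an added example (not Artemis code and not part of this report) that does that correlation over constructed log lines modelled on the ones above: an AMQ229032 permission warning that follows an AMQ224084 "Failed to open context" error within a short window is labelled as an authentication-backend failure rather than a genuine role problem. The window length and the verdict labels are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, modelled on the report: an LDAP bind failure (AMQ224084),
# the misleading permission warning 2 ms later, and an unrelated warning minutes later.
SAMPLE_LOG = """\
2021-03-29 14:58:42,229 ERROR [org.apache.activemq.artemis.core.server] AMQ224084: Failed to open context: javax.naming.CommunicationException: simple bind failed: svc-ldap-auth.aws.mycompany.com:636 [Root exception is java.net.SocketException: Connection reset]
2021-03-29 14:58:42,231 WARN [org.apache.activemq.artemis.core.protocol.openwire.amq.AMQSession] AMQ229032: User: user1 does not have permission='SEND' on address RMS.REPLY
2021-03-29 15:03:10,004 WARN [org.apache.activemq.artemis.core.protocol.openwire.amq.AMQSession] AMQ229032: User: user2 does not have permission='SEND' on address RMS.REPLY
"""

# Artemis log line: timestamp, level, [logger], AMQnnnnnn: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"\[(?P<logger>[^\]]+)\] (?P<code>AMQ\d{6}): (?P<msg>.*)$"
)
USER_RE = re.compile(
    r"User: (?P<user>\S+) does not have permission='(?P<perm>\w+)' on address (?P<addr>\S+)"
)


def parse(log_text):
    """Parse Artemis log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S,%f")
            events.append(d)
    return events


def classify_permission_warnings(events, window=timedelta(seconds=2)):
    """Label each AMQ229032 warning 'auth-backend-failure' if an AMQ224084
    context-open error occurred within `window` before it, else
    'authorization-denied' (the window is an assumed tuning value)."""
    context_failures = [e["ts"] for e in events if e["code"] == "AMQ224084"]
    results = []
    for e in events:
        if e["code"] != "AMQ229032":
            continue
        u = USER_RE.search(e["msg"])
        recent = any(timedelta(0) <= e["ts"] - t <= window for t in context_failures)
        results.append({
            "ts": e["ts"],
            "user": u.group("user") if u else None,
            "address": u.group("addr") if u else None,
            "verdict": "auth-backend-failure" if recent else "authorization-denied",
        })
    return results
```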
Clones: ENTMQBR-4872 SecurityStoreImpl.java erroneously logs a ActiveMQMessageBundle.userNoPermissions message (Closed)