Posted to users@activemq.apache.org by Kai B <ka...@kewill.com> on 2015/12/15 16:34:10 UTC
Secure broker and web console: Cannot send to queue
I have added the simpleAuthenticationPlugin to my broker (ActiveMQ 5.13.0 on
linux) and configured a few users and groups. This works fine so far and
users can only access those queues they are authorized for.
I have also configured the 'system' user that has full rights on all queues:
<plugins>
  <simpleAuthenticationPlugin anonymousAccessAllowed="true">
    <users>
      <authenticationUser username="system"
                          password="mypassword" groups="admins"/>
    </users>
  </simpleAuthenticationPlugin>
  <authorizationPlugin>
    <map>
      <authorizationMap>
        <authorizationEntries>
          <authorizationEntry queue=">" read="admins"
                              write="admins" admin="admins"/>
        </authorizationEntries>
      </authorizationMap>
    </map>
  </authorizationPlugin>
</plugins>
I have also configured this username/password in the credentials.properties
file:
activemq.username=system
activemq.password=mypassword
I have not really changed the configuration of the embedded Jetty - it is
still configured to use the basic admin/admin user configured in
jetty-realm.properties.
I can log-in to the Web console (using admin/admin) and browse queues
without problems. Sending a message to a queue doesn't work however. It
looks like the web console is using the credentials of the Jetty-User
instead of the credentials from the credentials.properties file (referenced
from webapps/admin/WEB-INF/webconsole-embedded.xml):
2015-12-15 16:43:47,309 | WARN | Failed to add Connection ID:multi-com-dev.csf.local-52937-1450194172730-10:1 due to java.lang.SecurityException: User name [admin] or password is invalid. | org.apache.activemq.broker.TransportConnection | ActiveMQ VMTransport: vm://localhost#11-1
2015-12-15 16:43:47,311 | WARN | Security Error occurred on connection to: vm://localhost#10, User name [admin] or password is invalid. | org.apache.activemq.broker.TransportConnection.Service | ActiveMQ VMTransport: vm://localhost#11-1
2015-12-15 16:43:47,321 | WARN | | org.eclipse.jetty.servlet.ServletHandler | qtp2044695538-17
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is javax.jms.JMSSecurityException: User name [admin] or password is invalid.
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:979)[spring-webmvc-4.1.8.RELEASE.jar:4.1.8.RELEASE]
    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869)[spring-webmvc-4.1.8.RELEASE.jar:4.1.8.RELEASE]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)[tomcat-servlet-api-8.0.24.jar:]
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843)[spring-webmvc-4.1.8.RELEASE.jar:4.1.8.RELEASE]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)[tomcat-servlet-api-8.0.24.jar:]
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:808)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.apache.activemq.web.AuditFilter.doFilter(AuditFilter.java:59)[activemq-web-5.13.0.jar:5.13.0]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)[spring-web-4.1.8.RELEASE.jar:4.1.8.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)[spring-web-4.1.8.RELEASE.jar:4.1.8.RELEASE]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.apache.activemq.web.filter.ApplicationContextFilter.doFilter(ApplicationContextFilter.java:102)[file:/opt/apache-activemq-5.13.0/webapps/admin/WEB-INF/classes/:]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:542)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:542)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.server.Server.handle(Server.java:499)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
    at java.lang.Thread.run(Thread.java:744)[:1.7.0_45]
What am I missing?
Thanks,
Kai
--
View this message in context: http://activemq.2283324.n4.nabble.com/Secure-broker-and-web-console-Cannot-send-to-queue-tp4704992.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
Re: Secure broker and web console: Cannot send to queue
Posted by alixey <mr...@gmail.com>.
I have the same problem on 5.13.3!
I just added the credentials from Jetty to simpleAuthenticationPlugin. So, I
had:
<plugins>
  <simpleAuthenticationPlugin>
    <users>
      <authenticationUser username="keeper" password="pass"
                          groups="publishers,consumers"/>
      <authenticationUser username="system" password="web_pass"
                          groups="publishers,admins"/>
      <authenticationUser username="admin" password="adminpass"
                          groups="publishers,admins"/>
    </users>
  </simpleAuthenticationPlugin>
</plugins>
After that, it sends to the queue fine!
--
View this message in context: http://activemq.2283324.n4.nabble.com/Secure-broker-and-web-console-Cannot-send-to-queue-tp4704992p4712803.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
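
A configuration cross-check for the mismatch discussed in this thread, added here as an example (it is not code from any poster or from the ActiveMQ project). It compares the users in jetty-realm.properties with the broker's simpleAuthenticationPlugin users and reports Jetty logins that the broker does not know with the same password, which is the condition behind `User name [admin] or password is invalid` if the console passes the Jetty login through, as the posts suggest. The file contents are constructed samples, the function names are hypothetical, and the realm format `username: password, role` is assumed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the thread: Jetty has admin/admin, broker only 'system'.
JETTY_REALM = "# username: password [, role ...]\nadmin: admin, admin\nuser: OBF:1abc, user\n"
ACTIVEMQ_XML = """\
<broker xmlns="http://activemq.apache.org/schema/core"><plugins>
  <simpleAuthenticationPlugin anonymousAccessAllowed="true"><users>
    <authenticationUser username="system" password="mypassword" groups="admins"/>
  </users></simpleAuthenticationPlugin>
</plugins></broker>
"""
HASHED = ("OBF:", "MD5:", "CRYPT:")  # Jetty credential prefixes that hide the clear text


def parse_jetty_realm(text):
    """Return {username: password} from jetty-realm.properties content."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = re.split(r"[:=]", line, maxsplit=1)
            if len(parts) == 2:
                users[parts[0].strip()] = parts[1].split(",")[0].strip()
    return users


def parse_broker_users(xml_text):
    """Return ({username: password}, anonymous_allowed) from activemq.xml content."""
    users, anonymous = {}, False
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
        if tag == "simpleAuthenticationPlugin":
            anonymous = el.get("anonymousAccessAllowed", "false").lower() == "true"
        elif tag == "authenticationUser":
            users[el.get("username")] = el.get("password")
    return users, anonymous


def audit(jetty_text, broker_xml):
    """List (user, finding) pairs: Jetty logins the broker would reject, plus weak settings."""
    jetty = parse_jetty_realm(jetty_text)
    broker, anonymous = parse_broker_users(broker_xml)
    findings = []
    for name, pw in sorted(jetty.items()):
        if name not in broker:
            findings.append((name, "unknown-to-broker"))
        elif pw.startswith(HASHED):
            findings.append((name, "password-not-comparable"))
        elif broker[name] != pw:
            findings.append((name, "password-mismatch"))
        if pw == name:
            findings.append((name, "password-equals-username"))
    if anonymous:
        findings.append(("*", "anonymous-access-allowed"))
    return findings
```

On the constructed sample, `audit(JETTY_REALM, ACTIVEMQ_XML)` flags both Jetty users as unknown to the broker, flags `admin` for a password equal to its username, and notes that anonymous access is enabled.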
Re: Secure broker and web console: Cannot send to queue
Posted by Kai B <ka...@kewill.com>.
I just tried it on my local machine and I get the same behaviour with
ActiveMQ 5.12.1:
WARN | Failed to add Connection ID:localhost-55849-1450257982869-9:1 due to java.lang.SecurityException: User name [admin] or password is invalid.
WARN | Security Error occurred on connection to: vm://localhost#6, User name [admin] or password is invalid.
WARN |
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is javax.jms.JMSSecurityException: User name [admin] or password is invalid.
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:965)[spring-webmvc-3.2.11.RELEASE.jar:3.2.11.RELEASE]
    ...
The strange thing is that browsing of queues etc works fine - even though
there is no user with name 'admin' defined in ActiveMQ. Anonymous access is
enabled but I can even browse those queues the anonymous user shouldn't have
access to. Therefore I assume that read access from the web console uses the
'system' user as configured.
I am also able to create new queues from the web console which again
indicates that the 'system' user is used in this case. Only sending a
message to a queue doesn't work.
Any ideas?
For completeness, here is my full authorization map:
<authorizationMap>
  <authorizationEntries>
    <authorizationEntry queue=">" read="admins"
                        write="admins" admin="admins"/>
    <authorizationEntry queue="USER_A.>"
                        read="group_a" write="group_a" admin="admins"/>
    <authorizationEntry queue="USER_B.>"
                        read="group_b" write="group_b" admin="group_b"/>
    <authorizationEntry queue="GENERAL.>"
                        read="group_a,anonymous" write="group_a,anonymous"
                        admin="group_a,anonymous"/>
    <authorizationEntry topic="ActiveMQ.Advisory.>"
                        read="group_a,group_b,anonymous" write="group_a,group_b,anonymous"
                        admin="group_a,group_b,anonymous"/>
  </authorizationEntries>
</authorizationMap>
Kai
christopher.l.shannon wrote
> Did this used to work in an older version of ActiveMQ, such as 5.12.1? If
> so, you can open up a JIRA and I will take a look.
>
> It's possible there is a regression here because a lot of changes were made
> when the upgrade was done from Jetty 8 to Jetty 9.2 since there are API
> incompatibilities between the two versions.
--
View this message in context: http://activemq.2283324.n4.nabble.com/Secure-broker-and-web-console-Cannot-send-to-queue-tp4704992p4705035.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
Re: Secure broker and web console: Cannot send to queue
Posted by Christopher Shannon <ch...@gmail.com>.
Did this used to work in an older version of ActiveMQ, such as 5.12.1? If
so, you can open up a JIRA and I will take a look.
It's possible there is a regression here because a lot of changes were made
when the upgrade was done from Jetty 8 to Jetty 9.2 since there are API
incompatibilities between the two versions.