Posted to issues@activemq.apache.org by "Alexander (Jira)" <ji...@apache.org> on 2022/01/24 16:51:00 UTC
[jira] [Created] (ARTEMIS-3656) Client session limit is evaluated incorrectly for ssl connections
Alexander created ARTEMIS-3656:
----------------------------------
Summary: Client session limit is evaluated incorrectly for ssl connections
Key: ARTEMIS-3656
URL: https://issues.apache.org/jira/browse/ARTEMIS-3656
Project: ActiveMQ Artemis
Issue Type: Bug
Affects Versions: 2.17.0
Reporter: Alexander
Client session limit is evaluated incorrectly for ssl connections.
For authentication, the org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule module is used (clients do not specify a user and password to create connections).
In this case, the user can enter any other user, and the connection count check will be performed for the specified user (so validatedUser must be used).
The problem is in the org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl#getSessionCountForUser method: the check is not based on the validatedUser, but on the user (which users do not enter), and as a result we get a NullPointerException in the code below.
    private int getSessionCountForUser(String username) {
       int sessionCount = 0;
       for (Entry<String, ServerSession> sessionEntry : sessions.entrySet()) {
          if (sessionEntry.getValue().getUsername().equals(username)) { // change to sessionEntry.getValue().getValidatedUser()....
             sessionCount++;
          }
       }
       return sessionCount;
    }
Files in etc folder:
1) login.config
....
CertLogin {
org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule requisite
debug=false
reload=true
org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
};
....
2) broker.xml:
....
<resource-limit-settings>
<resource-limit-setting match="user1">
<max-connections>5</max-connections>
</resource-limit-setting>
</resource-limit-settings>
<acceptors>
<acceptor name="artemis">tcp://0.0.0.0:60001?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;amqpMinLargeMessageSize=102400;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE;useEpoll=true;amqpCredits=1000;amqpLowCredits=300;amqpDuplicateDetection=true;sslEnabled=true;keyStorePath=/app/artemis/ssl/artemis_server_gw.jks;trustStorePath=/app/artemis/ssl/artemis_server_gw.jks;keyStorePassword=secret;trustStorePassword=secret;enabledCipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA256;enabledProtocols=TLSv1.2;needClientAuth=true</acceptor>
</acceptors>
....
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
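The two failure modes the report describes (a NullPointerException when certificate-authenticated clients send no username, and a per-user limit that is counted against whatever name the client chooses to send) are easy to reproduce against a toy model of the session registry. The following is an added example and is not code from the reporter or from ActiveMQ Artemis: SessionLimitDemo, its ServerSession stub (which keeps only the getUsername()/getValidatedUser() accessors the report mentions), addSession and the two counting methods are hypothetical names chosen for the illustration, and the sessions it registers are constructed sample data. The "buggy" method mirrors the loop quoted above; the "fixed" method counts by the identity the login module validated instead.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Map.Entry;

// Added example, not Artemis code. Minimal stand-in for the broker's session
// registry to show why counting sessions by the client-supplied username
// breaks for certificate-authenticated (SSL) connections.
public class SessionLimitDemo {

   // Hypothetical stub: the real ServerSession interface has many more methods.
   static final class ServerSession {
      private final String username;      // what the client sent (null for cert auth)
      private final String validatedUser; // what the JAAS login module established

      ServerSession(String username, String validatedUser) {
         this.username = username;
         this.validatedUser = validatedUser;
      }
      String getUsername() { return username; }
      String getValidatedUser() { return validatedUser; }
   }

   private final Map<String, ServerSession> sessions = new LinkedHashMap<>();

   void addSession(String id, String username, String validatedUser) {
      sessions.put(id, new ServerSession(username, validatedUser));
   }

   // Mirrors the logic quoted in the report: compares the client-supplied name.
   int getSessionCountForUserBuggy(String username) {
      int sessionCount = 0;
      for (Entry<String, ServerSession> sessionEntry : sessions.entrySet()) {
         if (sessionEntry.getValue().getUsername().equals(username)) { // NPE when getUsername() is null
            sessionCount++;
         }
      }
      return sessionCount;
   }

   // Counts by the identity the login module actually validated. The constant is
   // on the left of equals() so a session with no validated user cannot throw.
   int getSessionCountForUserFixed(String validatedUser) {
      int sessionCount = 0;
      for (Entry<String, ServerSession> sessionEntry : sessions.entrySet()) {
         if (validatedUser.equals(sessionEntry.getValue().getValidatedUser())) {
            sessionCount++;
         }
      }
      return sessionCount;
   }

   public static void main(String[] args) {
      // Scenario 1 (constructed): two cert-authenticated clients whose certificate
      // DN maps to "user1"; neither sends a username, so getUsername() is null.
      SessionLimitDemo certOnly = new SessionLimitDemo();
      certOnly.addSession("s1", null, "user1");
      certOnly.addSession("s2", null, "user1");
      try {
         certOnly.getSessionCountForUserBuggy("user1");
         System.out.println("scenario 1, buggy: count succeeded (unexpected)");
      } catch (NullPointerException e) {
         System.out.println("scenario 1, buggy: NullPointerException, as in the report");
      }
      System.out.println("scenario 1, fixed: user1 has "
            + certOnly.getSessionCountForUserFixed("user1") + " sessions");

      // Scenario 2 (constructed): the same certificate holder opens three
      // connections but sends the username "someone-else" on each of them. The
      // username-based check never attributes them to user1, so a
      // <max-connections> limit on user1 is never reached.
      SessionLimitDemo spoofed = new SessionLimitDemo();
      spoofed.addSession("s1", "someone-else", "user1");
      spoofed.addSession("s2", "someone-else", "user1");
      spoofed.addSession("s3", "someone-else", "user1");
      System.out.println("scenario 2, buggy: user1 has "
            + spoofed.getSessionCountForUserBuggy("user1") + " sessions (limit not enforced)");
      System.out.println("scenario 2, fixed: user1 has "
            + spoofed.getSessionCountForUserFixed("user1") + " sessions");
   }
}
```

Compile and run with `javac SessionLimitDemo.java && java SessionLimitDemo`. Scenario 1 throws in the buggy method and reports 2 sessions in the fixed one; scenario 2 reports 0 sessions for user1 in the buggy method and 3 in the fixed one, which is the limit-bypass the reporter describes when a client is free to name an arbitrary user.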