Posted to users@activemq.apache.org by Aaron Hoffer <aa...@hoffer.org> on 2022/04/03 03:14:16 UTC

ServerSession username vs validateduser

Artemis 2.20.0
We use Hawtio to view the state of Artemis, and to troubleshoot problems in
the field. We recently switched to 2-way TLS for authentication. A side
effect of the change was that the "User" field for sessions and other
objects became an empty string when viewed in Hawtio.

The issue is that ServerSessionImpl uses the attribute "username" for user
identification, via the method getUsername(). However, in our case the
correct client name is stored as the "validatedUser" in the
ServerSessionImpl. The "validatedUser" name is populated from the client's
TLS certificate by our LoginModule.

Why is "username" (which I think is the AMQP client-id, but I'm not 100%
sure) used to identify the server session? Could "validatedUser" be used
instead of "username"?

Aaron Hoffer
Octo Consulting
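
Added example (not part of the original post and not Artemis or Hawtio code): a JDK-only sketch of why the "User" column is empty under 2-way TLS while the authenticated name lives in a separate field. SessionView, displayUser() and commonName() are hypothetical names, the subject DN is constructed, and taking the CN as the validated user is an assumption about what a certificate LoginModule does. Requires Java 16+ for records.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

// Hypothetical illustration; none of these types are Artemis classes.
public class SessionIdentityDemo {

    /** Mirrors the two identity fields discussed in the thread. */
    record SessionView(String username, String validatedUser) {

        /** Name for a monitoring or audit column: the authenticated identity wins. */
        String displayUser() {
            if (validatedUser != null && !validatedUser.isBlank()) {
                return validatedUser;
            }
            if (username != null && !username.isBlank()) {
                // Client-supplied name with no authenticated identity behind it.
                return username + " (unvalidated)";
            }
            return "<anonymous>";
        }
    }

    /** Assumed LoginModule behaviour: use the CN of the certificate subject DN. */
    static String commonName(X500Principal subject) throws InvalidNameException {
        LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        throw new InvalidNameException("subject DN has no CN: " + subject.getName());
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject DN standing in for a client certificate.
        X500Principal subject =
            new X500Principal("CN=field-sensor-17,OU=Devices,O=Example Corp,C=US");

        // 2-way TLS: the client sends no username; the login step sets validatedUser.
        SessionView tlsSession = new SessionView("", commonName(subject));
        // Password login: both fields carry the same name.
        SessionView passwordSession = new SessionView("alice", "alice");

        System.out.println("username (TLS):     '" + tlsSession.username() + "'");
        System.out.println("display  (TLS):     " + tlsSession.displayUser());
        System.out.println("display  (password): " + passwordSession.displayUser());
    }
}
```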

Re: ServerSession username vs validateduser

Posted by Aaron Hoffer <aa...@hoffer.org>.
The ticket and PR are up.
https://issues.apache.org/jira/browse/ARTEMIS-3765
https://github.com/apache/activemq-artemis/pull/4019


On Tue, Apr 5, 2022 at 9:41 AM Justin Bertram <jb...@apache.org> wrote:

> Awesome! I had planned on implementing this at some point, but I hadn't had
> the chance yet. It should be pretty straightforward. Certainly let us know
> if you have any questions.
>
> In my opinion "Validated User" would make the most sense as it is the
> verbiage which the documentation and configuration uses, and it more
> clearly describes what the data represents versus the more generic
> "Principal."
>
>
> Justin
>
> On Tue, Apr 5, 2022 at 11:30 AM Aaron Hoffer <aa...@hoffer.org> wrote:
>
> > I'm prototyping a change to Artemis Hawtio Plugin to allow "Validated User"
> > (or maybe "Principal") to be shown as a column for some of the views.
> > When it's time I'll open an issue or PR, and move the discussion over to
> > the dev forum.
> >
> > On Mon, Apr 4, 2022 at 11:07 AM Aaron Hoffer <aa...@hoffer.org> wrote:
> >
> > > To answer your question about how we look at the session in Hawtio, I
> > > have uploaded a screen shot.
> > >
> > > https://paste.pics/646318b759e885ae638f9141d22ec448
> > >
> >
>

Re: ServerSession username vs validateduser

Posted by Justin Bertram <jb...@apache.org>.
Awesome! I had planned on implementing this at some point, but I hadn't had
the chance yet. It should be pretty straightforward. Certainly let us know
if you have any questions.

In my opinion "Validated User" would make the most sense as it is the
verbiage which the documentation and configuration uses, and it more
clearly describes what the data represents versus the more generic
"Principal."


Justin

On Tue, Apr 5, 2022 at 11:30 AM Aaron Hoffer <aa...@hoffer.org> wrote:

> I'm prototyping a change to Artemis Hawtio Plugin to allow "Validated User"
> (or maybe "Principal") to be shown as a column for some of the views.
> When it's time I'll open an issue or PR, and move the discussion over to
> the dev forum.
>
> On Mon, Apr 4, 2022 at 11:07 AM Aaron Hoffer <aa...@hoffer.org> wrote:
>
> > To answer your question about how we look at the session in Hawtio, I
> > have uploaded a screen shot.
> >
> > https://paste.pics/646318b759e885ae638f9141d22ec448
> >
>

Re: ServerSession username vs validateduser

Posted by Aaron Hoffer <aa...@hoffer.org>.
I'm prototyping a change to Artemis Hawtio Plugin to allow "Validated User"
(or maybe "Principal") to be shown as a column for some of the views.
When it's time I'll open an issue or PR, and move the discussion over to
the dev forum.

On Mon, Apr 4, 2022 at 11:07 AM Aaron Hoffer <aa...@hoffer.org> wrote:

> To answer your question about how we look at the session in Hawtio, I
> have uploaded a screen shot.
>
> https://paste.pics/646318b759e885ae638f9141d22ec448
>

Re: ServerSession username vs validateduser

Posted by Aaron Hoffer <aa...@hoffer.org>.
>
> To answer your question about how we look at the session in Hawtio, I
> have uploaded a screen shot.

https://paste.pics/646318b759e885ae638f9141d22ec448

>

Re: ServerSession username vs validateduser

Posted by Justin Bertram <jb...@apache.org>.
How exactly are you looking at the sessions in Hawtio?

I think it would potentially make sense to *add* the validateUser, but I'm
not sure if replacing the existing username data would be wise as there may
be folks out there who rely on the existing behavior.


Justin

On Sat, Apr 2, 2022 at 10:15 PM Aaron Hoffer <aa...@hoffer.org> wrote:

> Artemis 2.20.0
> We use Hawtio to view the state of Artemis, and to troubleshoot problems in
> the field. We recently switched to 2-way TLS for authentication. A side
> effect of the change was that the "User" field for sessions and other
> objects became an empty string when viewed in Hawtio.
>
> The issue is that ServerSessionImpl uses the attribute "username" for user
> identification, via the method getUsername(). However, in our case the
> correct client name is stored as the "validatedUser" in the
> ServerSessionImpl. The "validatedUser" name is populated from the client's
> TLS certificate by our LoginModule.
>
> Why is "username" (which I think is the AMQP client-id, but I'm not 100%
> sure) used to identify the server session? Could "validatedUser" be used
> instead of "username"?
>
> Aaron Hoffer
> Octo Consulting
>