Posted to users@activemq.apache.org by Isuru <is...@gmail.com> on 2014/02/26 17:08:09 UTC

ActiveMQ authorization error with OpenLDAP

Hi All

I am new to working with ActiveMQ and I have a requirement to connect
ActiveMQ (version 5.9.0) with OpenLDAP for authentication and authorization.
I have started doing this and have been stuck on an issue for a few days.
Given below is the error I see when running my Java client.

javax.jms.JMSSecurityException: *User amqadmin is not authorized to write to: queue://TEST.FOO*
	at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:52)
	at org.apache.activemq.ActiveMQConnection.syncSendPacket(ActiveMQConnection.java:1405)
	at org.apache.activemq.ActiveMQSession.syncSendPacket(ActiveMQSession.java:1925)
	at org.apache.activemq.ActiveMQMessageProducer.<init>(ActiveMQMessageProducer.java:125)
	at org.apache.activemq.ActiveMQSession.createProducer(ActiveMQSession.java:969)
	at org.gvr.keystore.client.BrokerUserMgtClient.brokerProducer(BrokerUserMgtClient.java:102)
	at org.gvr.keystore.client.BrokerUserMgtClient.main(BrokerUserMgtClient.java:24)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: java.lang.SecurityException: User amqadmin is not authorized to write to: queue://TEST.FOO
	at org.apache.activemq.security.AuthorizationBroker.addProducer(AuthorizationBroker.java:179)
	at org.apache.activemq.broker.MutableBrokerFilter.addProducer(MutableBrokerFilter.java:107)
	at org.apache.activemq.broker.TransportConnection.processAddProducer(TransportConnection.java:534)
	at org.apache.activemq.command.ProducerInfo.visit(ProducerInfo.java:105)
	at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:292)
	at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:149)
	at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:50)
	at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)
	at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:270)
	at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
	at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:214)
	at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:196)
	at java.lang.Thread.run(Thread.java:662)

At the beginning I got this issue for ActiveMQ Advisory topics but then I
turned them off.

Without authorization, I noticed that the authentication part does work
properly, i.e. when I removed the authorization config from activemq.xml.

Given below are my configurations for Authentication and Authorization. 

Authentication config at [ACTIVEMQ_HOME]/conf/login.config 
-------------------------------------------------------------------------------------------

LdapConfiguration {
  org.apache.activemq.jaas.LDAPLoginModule required
    debug=true
    initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
    connectionURL="ldap://localhost:389"
    connectionUsername="cn=admin,dc=wso2,dc=com"
    connectionPassword=**********
    connectionProtocol=s
    authentication=simple
    userBase="ou=Users,dc=wso2,dc=com"
    userRoleName=dummy
    userSearchMatching="(uid={0})"
    userSearchSubtree=false
    roleBase="ou=Groups,dc=wso2,dc=com"
    roleName=cn
    roleSearchMatching="(member=uid={1})"
    roleSearchSubtree=true;
};

Authorization config at  [ACTIVEMQ_HOME]/conf/activemq.xml
----------------------------------------------------------------------------------------------

<plugins>
    <jaasAuthenticationPlugin configuration="LdapConfiguration" />
    <authorizationPlugin>
        <map>
            <cachedLDAPAuthorizationMap
                connectionURL="ldap://localhost:389"
                connectionUsername="cn=admin,dc=wso2,dc=com"
                connectionPassword="*********"
                queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,ou=systems,dc=wso2,dc=com"
                topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,ou=systems,dc=wso2,dc=com"
                tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,ou=systems,dc=wso2,dc=com"
                refreshInterval="60000"
                legacyGroupMapping="false"
                userObjectClass="identityPerson"/>
        </map>
    </authorizationPlugin>
</plugins>

And I even tried with the given below configuration as well, but was still
getting the same issue. 

<authorizationPlugin>
    <map>
        <bean id="lDAPAuthorizationMap"
              class="org.apache.activemq.security.LDAPAuthorizationMap"
              xmlns="http://www.springframework.org/schema/beans">
            <property name="initialContextFactory" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <property name="connectionURL" value="ldap://localhost:389"/>
            <property name="authentication" value="simple"/>
            <property name="connectionUsername" value="cn=admin,dc=wso2,dc=com"/>
            <property name="connectionPassword" value="***********"/>
            <property name="connectionProtocol" value=""/>
            <property name="topicSearchMatchingFormat"
                      value="cn={0},ou=Topic,ou=Destination,dc=wso2,dc=com"/>
            <property name="topicSearchSubtreeBool" value="true"/>
            <property name="queueSearchMatchingFormat"
                      value="cn={0},ou=Queue,ou=Destination,dc=wso2,dc=com"/>
            <property name="queueSearchSubtreeBool" value="true"/>
            <property name="advisorySearchBase"
                      value="cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,dc=wso2,dc=com"/>
            <property name="tempSearchBase"
                      value="cn=ActiveMQ.Temp,ou=Topic,ou=Destination,dc=wso2,dc=com"/>
            <property name="adminBase" value="(cn=admin)"/>
            <property name="adminAttribute" value="member"/>
            <property name="readBase" value="(cn=read)"/>
            <property name="readAttribute" value="member"/>
            <property name="writeBase" value="(cn=write)"/>
            <property name="writeAttribute" value="member"/>
        </bean>
    </map>
</authorizationPlugin>

My LDAP structure looks like below. 

Authorization structure

<http://activemq.2283324.n4.nabble.com/file/n4678364/authorization_structure.png> 

User / Group structure 

<http://activemq.2283324.n4.nabble.com/file/n4678364/ldap_user_group.png> 


I followed the guides given below when enabling authentication and authorization
for ActiveMQ.

http://fusesource.com/docs/broker/5.5/security/LDAP-AddUserEntries.html

http://activemq.apache.org/security

The Java client I use to create a queue and produce a message is as below.

package org.gvr.keystore.client;

import javax.jms.Connection;
import javax.jms.DeliveryMode;
import javax.jms.Destination;
import javax.jms.JMSException;
import javax.jms.MessageProducer;
import javax.jms.Session;
import javax.jms.TextMessage;

import org.apache.activemq.ActiveMQConnectionFactory;

public class BrokerUserMgtClient {

    private static String connectionString = "tcp://localhost:61616";
    private static String queueName = "TEST.FOO";
    private static String message = " This is with user authentication ";

    public static void main(String[] args) throws JMSException {
        // The credentials are the LDAP user; the broker checks them through the JAAS login module
        ActiveMQConnectionFactory connectionFactory =
                new ActiveMQConnectionFactory("amqadmin", "amqadmin", connectionString);
        connectionFactory.setWatchTopicAdvisories(false);

        Connection connection = connectionFactory.createConnection();
        connection.start();

        Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);

        Destination destination = session.createQueue(queueName);

        // createProducer is the call that triggers the broker-side write authorization check
        MessageProducer producer = session.createProducer(destination);
        producer.setDeliveryMode(DeliveryMode.NON_PERSISTENT);

        String text = message + System.currentTimeMillis();
        // local renamed so it no longer shadows the static 'message' field
        TextMessage textMessage = session.createTextMessage(text);

        producer.send(textMessage);
        System.out.println("Message Sent to - " + connectionString);

        session.close();
        connection.close();
    }
}

I am unable to think of any reason why this error is occurring, and request
your kind support over this urgent issue.  

Best Regards
Isuru

--
View this message in context: http://activemq.2283324.n4.nabble.com/ActiveMQ-authorization-error-with-OpenLDAP-tp4678364.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: ActiveMQ authorization error with OpenLDAP

Posted by Isuru <is...@gmail.com>.
So my finding was correct, and it was an issue of not mapping the user
properly with the group. The reason was that I had given the full DN path when
specifying the user as a member of a group. Even in all the samples on the web,
what is used is the first part of the DN.

For instance, rather than giving
*uid=jdoe,ou=User,ou=ActiveMQ,ou=system,dc=wso2,dc=com*, it only needs to
be *uid=jdoe*. After this change my issue went away.

Now the other question is why do we need to specify the member DN that way?
What would we need to do in order to make this work with the full DN?
Can anyone please shed some light on this.



--
View this message in context: http://activemq.2283324.n4.nabble.com/ActiveMQ-authorization-error-with-OpenLDAP-tp4678364p4678394.html

Re: ActiveMQ authorization error with OpenLDAP

Posted by Isuru <is...@gmail.com>.
Hi All

Any feedback on this would be really appreciated. 

I tried to debug the issue and realized that inside the
addProducer(ConnectionContext context, ProducerInfo info) method of
org.apache.activemq.security.AuthorizationBroker.java the condition given
below becomes true.

if (allowedACLs != null && !securityContext.isInOneOf(allowedACLs)) {
    throw new SecurityException("User " + securityContext.getUserName()
            + " is not authorized to write to: " + info.getDestination());
}

The allowedACLs is not null here, but when checking whether the securityContext
has these allowed ACLs it returns false and I get the exception. I noticed
that in the securityContext both authorizedReadDests and
authorizedWriteDests (ConcurrentHashMaps) are empty for the user.

And inside the isInOneOf(allowedACLs) method the group of my user is not
being retrieved properly, as far as I could understand.

Appreciate any sort of assistance here , since this really needs to be
completed soon.

Thanks
Isuru 



--
View this message in context: http://activemq.2283324.n4.nabble.com/ActiveMQ-authorization-error-with-OpenLDAP-tp4678364p4678382.html
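The substitution that decides the question in the second post, and the ACL condition quoted in the third, as an added Python example that is not from the thread or from ActiveMQ: LDAPLoginModule replaces {0} in roleSearchMatching with the user's full DN and {1} with the login name, so the thread's filter (member=uid={1}) can only match groups whose member values are the short uid=... form, while (member={0}) matches full-DN member values. The user, group entries and write ACL below are constructed for illustration, and the evaluator handles only a single equality filter.

```python
import re

# Constructed entries for illustration; names mirror the thread's DIT
# (ou=Users / ou=Groups under dc=wso2,dc=com) but are not the poster's data.
USER_DN = "uid=jdoe,ou=Users,dc=wso2,dc=com"
USERNAME = "jdoe"
GROUPS_SHORT_MEMBER = [{"cn": "admins", "member": ["uid=jdoe"]}]  # what made it work
GROUPS_FULL_DN_MEMBER = [{"cn": "admins", "member": [USER_DN]}]   # what the poster had

def rfc2254_escape(value: str) -> str:
    """Escape filter metacharacters in a substituted value (RFC 2254/4515)."""
    out = value.replace("\\", "\\5c")
    for ch, esc in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        out = out.replace(ch, esc)
    return out

def expand_role_filter(role_search_matching: str, user_dn: str, username: str) -> str:
    """LDAPLoginModule substitutes {0} with the user's full DN and {1} with the
    login name before running roleSearchMatching under roleBase."""
    return (role_search_matching
            .replace("{0}", rfc2254_escape(user_dn))
            .replace("{1}", rfc2254_escape(username)))

def matching_groups(groups, ldap_filter: str):
    """Evaluate a single equality filter '(attr=value)' over constructed group
    entries; returns the cn of every group whose attr holds exactly value."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr = m.group(1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    return sorted(g["cn"] for g in groups if value in g.get(attr, []))

def roles_for(role_search_matching: str, groups, user_dn=USER_DN, username=USERNAME):
    """Roles the login module would attach to the user for a given filter."""
    return matching_groups(groups, expand_role_filter(role_search_matching, user_dn, username))

def is_write_authorized(user_roles, allowed_acls):
    """Same shape as the AuthorizationBroker condition quoted in the thread:
    deny when an ACL set exists and the user's roles intersect none of it."""
    return allowed_acls is None or bool(set(user_roles) & set(allowed_acls))

if __name__ == "__main__":
    acls = {"admins"}  # constructed write ACL for queue://TEST.FOO
    for label, groups in (("short member values", GROUPS_SHORT_MEMBER),
                          ("full-DN member values", GROUPS_FULL_DN_MEMBER)):
        roles = roles_for("(member=uid={1})", groups)
        print(f"{label}: roles={roles} write={is_write_authorized(roles, acls)}")
    print("full DN with (member={0}):", roles_for("(member={0})", GROUPS_FULL_DN_MEMBER))
```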