Posted to users@qpid.apache.org by Amy Wu <Am...@adaptiveapps.com> on 2014/06/19 00:40:55 UTC

Clearing userId field on JMS message

Hi,

I am using Qpid JMS to send messages to a C++ broker which will then be received by a C++ client.  My JMS client connects to the broker using a different authenticated user than the C++ client.  The issue I am running into is that when the JMS client sends a message, it sets the user_id property on the message so that when the C++ client receives the message, it errors out with something like:

"unauthorized-access: authorised user id : user1@QPID but user id in message declared as user2 (/builddir/build/BUILD/qpid-0.28-rc2/cpp/src/qpid/broker/SemanticState.cpp:497"

Without having to force both my clients to authenticate using the same username, is there any way to work around this issue?

The easiest solution seems to be to have my JMS client set the user_id property of the message to be empty string, but I can't seem to find a way to do this.  I see in org.apache.qpid.client.BasicMessageProducer_0_10.sendMessage there is the following line:
messageProps.setUserId(userIDBytes);

And tracing back, it looks like the userIDBytes is basically grabbed from the producer's connection username.

But is there any way to prevent the setting of the user id from happening?  I know that when I send a message from the C++ client, the userId property of the message is empty by default.  Why is the JMS side different?

Or an alternative is, is there a way to ignore the user_id field when receiving messages?

Thanks

RE: Clearing userId field on JMS message

Posted by Amy Wu <Am...@adaptiveapps.com>.
Yes, this was the problem!  I didn't realize that my C++ client received the message just fine and was having issues putting it back into the broker.  Updating it to clear out user id fixed the issue.

Thanks so much!

________________________________________
From: Gordon Sim [gsim@redhat.com]
Sent: Thursday, June 19, 2014 1:18 PM
To: users@qpid.apache.org
Subject: Re: Clearing userId field on JMS message

On 06/18/2014 11:40 PM, Amy Wu wrote:
> I am using Qpid JMS to send messages to a C++ broker which will then be received by a C++ client.  My JMS client connects to the broker using a different authenticated user than the C++ client.  The issue I am running into is that when the JMS client sends a message, it sets the user_id property on the message so that when the C++ client receives the message, it errors out with something like:
>
> "unauthorized-access: authorised user id : user1@QPID but user id in message declared as user2 (/builddir/build/BUILD/qpid-0.28-rc2/cpp/src/qpid/broker/SemanticState.cpp:497"

That error occurs in the broker when a message is sent by a client. So I
suspect what may be happening is that your c++ client is receiving the
message from JMS, then sending the same message back (including the
userid of the JMS client that originally sent it).

If I'm right, all you need to do is clear the message in the c++ client,
before resending it (using Message::setUserId()).

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org




Re: Clearing userId field on JMS message

Posted by Gordon Sim <gs...@redhat.com>.
On 06/18/2014 11:40 PM, Amy Wu wrote:
> I am using Qpid JMS to send messages to a C++ broker which will then be received by a C++ client.  My JMS client connects to the broker using a different authenticated user than the C++ client.  The issue I am running into is that when the JMS client sends a message, it sets the user_id property on the message so that when the C++ client receives the message, it errors out with something like:
>
> "unauthorized-access: authorised user id : user1@QPID but user id in message declared as user2 (/builddir/build/BUILD/qpid-0.28-rc2/cpp/src/qpid/broker/SemanticState.cpp:497"

That error occurs in the broker when a message is sent by a client. So I
suspect what may be happening is that your c++ client is receiving the 
message from JMS, then sending the same message back (including the 
userid of the JMS client that originally sent it).

If I'm right, all you need to do is clear the message in the c++ client, 
before resending it (using Message::setUserId()).



RE: Clearing userId field on JMS message

Posted by Amy Wu <Am...@adaptiveapps.com>.
Yes, I'm using a valid user because the JMS client is able to send messages to other C++ clients authenticated using the same user.  It just can't send to the one using a different user.  I tried removing EXTERNAL from my list of sasl mechs and only using PLAIN, and I was still seeing the same error.

I'm using qpid 0.28
My acl contains:
acl allow all all

My JMS client broker url looks something like this:
amqp://user1:user1@aclientid/?brokerlist='tcp://myhost:10000?ssl='true'&key_store='/tmp/qpidd_ssl/java_client/key-store.jks'&key_store_password='stuff'&trust_store='/tmp/qpidd_ssl/java_client/trust-store.jks'&trust_store_password='morestuff'&sasl_mechs='PLAIN''&tcp_nodelay='true'&reconnect='true'&reconnect-limit='3'&reconnect-interval='10'&heartbeat='5'

My C++ client broker url uses something similar except user2

My qpid broker conf:
no-data-dir=yes
log-to-stderr=no
log-enable=debug+
log-to-syslog=yes
mgmt-qmf2=yes
mgmt-qmf1=yes
connection-limit-per-ip=100
port=11000
acl-file=/etc/qpidd10000.acl
sasl-config=/tmp/qpidd_sasl
auth=yes
ssl-port=10000
ssl-cert-db=/tmp/qpidd_ssl/server_db
ssl-cert-password-file=/tmp/qpidd_ssl/server_db/server_db_passwd
ssl-cert-name=localhost
transport=ssl
ssl-require-client-authentication=yes

My qpid sasl conf:
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /tmp/qpidd_sasl/qpidd.sasldb
mech_list: PLAIN
sql_select: dummy select

My sasldb looks like this:
$ sasldblistusers2 -f /tmp/qpidd_sasl/qpidd.sasldb 
user1@QPID: userPassword
user2@QPID: userPassword
user3@QPID: userPassword

Does any of this look incorrect?


________________________________________
From: Jakub Scholz [jakub@scholz.cz]
Sent: Thursday, June 19, 2014 9:10 AM
To: users@qpid.apache.org
Subject: Re: Clearing userId field on JMS message

Hi,

Are you sure you get this error when receiving a message in the C++ client?
I saw this error in the past when sending messages from the JMS client when
the client set the UserID to a wrong user. It was caused by a bug when
creating the username from certificate subject (with EXTERNAL
authentication).

We are using the broker to send messages between different users (both C++
as well as JMS) and it works fine. But of course there might be some bug in
the particular version of the broker you are using.

Regards
Jakub


On Thu, Jun 19, 2014 at 12:40 AM, Amy Wu <Am...@adaptiveapps.com> wrote:

> Hi,
>
> I am using Qpid JMS to send messages to a C++ broker which will then be
> received by a C++ client.  My JMS client connects to the broker using a
> different authenticated user than the C++ client.  The issue I am running
> into is that when the JMS client sends a message, it sets the user_id
> property on the message so that when the C++ client receives the message,
> it errors out with something like:
>
> "unauthorized-access: authorised user id : user1@QPID but user id in
> message declared as user2
> (/builddir/build/BUILD/qpid-0.28-rc2/cpp/src/qpid/broker/SemanticState.cpp:497"
>
> Without having to force both my clients to authenticate using the same
> username, is there any way to work around this issue?
>
> The easiest solution seems to be to have my JMS client set the user_id
> property of the message to be empty string, but I can't seem to find a way
> to do this.  I see in
> org.apache.qpid.client.BasicMessageProducer_0_10.sendMessage there is the
> following line:
> messageProps.setUserId(userIDBytes);
>
> And tracing back, it looks like the userIDBytes is basically grabbed from
> the producer's connection username.
>
> But is there any way to prevent the setting of the user id from happening?
>  I know that when I send a message from the C++ client, the userId property
> of the message is empty by default.  Why is the JMS side different?
>
> Or an alternative is, is there a way to ignore the user_id field when
> receiving messages?
>
> Thanks
>



Re: Clearing userId field on JMS message

Posted by Jakub Scholz <ja...@scholz.cz>.
Hi,

Are you sure you get this error when receiving a message in the C++ client?
I saw this error in the past when sending messages from the JMS client when
the client set the UserID to a wrong user. It was caused by a bug when
creating the username from certificate subject (with EXTERNAL
authentication).

We are using the broker to send messages between different users (both C++
as well as JMS) and it works fine. But of course there might be some bug in
the particular version of the broker you are using.

Regards
Jakub


On Thu, Jun 19, 2014 at 12:40 AM, Amy Wu <Am...@adaptiveapps.com> wrote:

> Hi,
>
> I am using Qpid JMS to send messages to a C++ broker which will then be
> received by a C++ client.  My JMS client connects to the broker using a
> different authenticated user than the C++ client.  The issue I am running
> into is that when the JMS client sends a message, it sets the user_id
> property on the message so that when the C++ client receives the message,
> it errors out with something like:
>
> "unauthorized-access: authorised user id : user1@QPID but user id in
> message declared as user2
> (/builddir/build/BUILD/qpid-0.28-rc2/cpp/src/qpid/broker/SemanticState.cpp:497"
>
> Without having to force both my clients to authenticate using the same
> username, is there any way to work around this issue?
>
> The easiest solution seems to be to have my JMS client set the user_id
> property of the message to be empty string, but I can't seem to find a way
> to do this.  I see in
> org.apache.qpid.client.BasicMessageProducer_0_10.sendMessage there is the
> following line:
> messageProps.setUserId(userIDBytes);
>
> And tracing back, it looks like the userIDBytes is basically grabbed from
> the producer's connection username.
>
> But is there any way to prevent the setting of the user id from happening?
>  I know that when I send a message from the C++ client, the userId property
> of the message is empty by default.  Why is the JMS side different?
>
> Or an alternative is, is there a way to ignore the user_id field when
> receiving messages?
>
> Thanks
>
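
The resolution reached in this thread (the broker checks the declared user id when a client sends, so a relay that forwards a received message unchanged is rejected until it clears that field) can be reproduced with a small stand-alone model. This is an added example, not code from the thread or from the Qpid source: Message, Session, publish(), relayVerbatim() and relayCleared() are hypothetical names, and the rule that a declared id matches either "user" or "user@REALM" is an assumption.

```cpp
// Simplified model of the broker-side user-id check discussed in this thread.
// Not Qpid source code: every type and function name here is hypothetical.
#include <iostream>
#include <string>

struct Message {
    std::string userId;   // empty means "no user id declared"
    std::string body;
    void setUserId(const std::string& id) { userId = id; }
};

struct Session {
    std::string user;     // authenticated user name, e.g. "user2"
    std::string realm;    // authentication realm, e.g. "QPID"

    // Assumption: a declared id matches if it equals "user" or "user@REALM".
    bool isAuthenticatedUser(const std::string& id) const {
        return id == user || id == user + "@" + realm;
    }

    // True if the broker would accept this message sent on this session:
    // either no user id is declared, or it names the authenticated sender.
    bool publish(const Message& m) const {
        return m.userId.empty() || isAuthenticatedUser(m.userId);
    }
};

// Relay that forwards a received message unchanged (the failing case):
// the message still carries the original producer's user id.
bool relayVerbatim(const Session& relay, const Message& received) {
    return relay.publish(received);
}

// Relay that clears the original sender's user id before resending (the fix).
bool relayCleared(const Session& relay, Message received) {
    received.setUserId("");
    return relay.publish(received);
}

int main() {
    Session jms{"user1", "QPID"}, relay{"user2", "QPID"};
    Message m{"", "constructed sample payload"};
    m.setUserId(jms.user);   // producer stamps its own connection user name
    std::cout << "jms send accepted:      " << jms.publish(m) << "\n"
              << "verbatim relay accepted: " << relayVerbatim(relay, m) << "\n"
              << "cleared relay accepted:  " << relayCleared(relay, m) << "\n";
}
```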