Posted to issues@activemq.apache.org by "Justin Bertram (Jira)" <ji...@apache.org> on 2022/01/24 17:00:00 UTC

[jira] [Commented] (ARTEMIS-3656) Client session limit is evaluated incorrectly for ssl connections

    [ https://issues.apache.org/jira/browse/ARTEMIS-3656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17481249#comment-17481249 ] 

Justin Bertram commented on ARTEMIS-3656:
-----------------------------------------

Thanks for the bug report! Do you plan to send a PR or are you just reporting it?

> Client session limit is evaluated incorrectly for ssl connections
> -----------------------------------------------------------------
>
>                 Key: ARTEMIS-3656
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3656
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>    Affects Versions: 2.17.0
>            Reporter: Alexander
>            Priority: Major
>
> Client session limit is evaluated incorrectly for SSL connections.
> For authentication, the {{org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule}} module is used (clients do not specify a user and password to create connections).
> In this case, the user can enter any other user, and the connection count check will be performed for the specified user (so {{validatedUser}} must be used).
> The problem is in the {{org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl#getSessionCountForUser}} method. The check is not based on {{validatedUser}} but on {{user}} (which users do not enter). As a result we get a {{NullPointerException}} in the code below.
> {code:java}
> private int getSessionCountForUser(String username) {
>    int sessionCount = 0;
>    for (Entry<String, ServerSession> sessionEntry : sessions.entrySet()) {
>       if (sessionEntry.getValue().getUsername().equals(username)) { // change to sessionEntry.getValue().getValidatedUser()....
>          sessionCount++;
>       }
>    }
>    return sessionCount;
> }{code}
>  
> Files in {{etc}} folder:
> 1) {{login.config}}:
> {noformat}
> CertLogin {
>     org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule requisite
>         debug=false
>         reload=true
>         org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
>         org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
> };{noformat}
> 2) {{broker.xml}}:
> {code:xml}
>     <resource-limit-settings>
>       <resource-limit-setting match="user1">
>         <max-connections>5</max-connections>
>       </resource-limit-setting>
>     </resource-limit-settings>
>     <acceptors>
>       <acceptor name="artemis">tcp://0.0.0.0:60001?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;amqpMinLargeMessageSize=102400;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE;useEpoll=true;amqpCredits=1000;amqpLowCredits=300;amqpDuplicateDetection=true;sslEnabled=true;keyStorePath=/app/artemis/ssl/artemis_server_gw.jks;trustStorePath=/app/artemis/ssl/artemis_server_gw.jks;keyStorePassword=secret;trustStorePassword=secret;enabledCipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA256;enabledProtocols=TLSv1.2;needClientAuth=true</acceptor>
>     </acceptors>{code}



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
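To make the two failure modes in the report concrete, here is an added stand-alone Java illustration that is not Artemis code and not part of the reporter's attachment: it models a session carrying both the client-supplied name and the identity established by the login module, counts sessions the way the quoted method does, and then counts keyed on validatedUser instead. The max-connections value of 5 is taken from the quoted broker.xml; the class name, the user names and the five open sessions are constructed sample values.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
// Added illustration, not Artemis code: a stand-in for ServerSession that carries both
// the client-supplied name and the identity the login module established.
final class SessionStub {
    final String username;       // client-supplied; null when only a certificate is presented
    final String validatedUser;  // what TextFileCertificateLoginModule mapped the cert to
    SessionStub(String username, String validatedUser) {
        this.username = username;
        this.validatedUser = validatedUser;
    }
}

public final class SessionLimitDemo {
    static final int MAX_CONNECTIONS = 5;   // the reported resource-limit-setting for user1
    // Mirrors the reported logic: keyed on the client-supplied name, so the first
    // certificate-only session (username == null) throws NullPointerException. Even with
    // no nulls it would count sessions for whatever name the client chose to send.
    static int countByClientUsername(List<SessionStub> sessions, String username) {
        int n = 0;
        for (SessionStub s : sessions) if (s.username.equals(username)) n++;
        return n;
    }
    // Direction the report suggests: key on the validated identity. The null-safe
    // comparison is an addition here so a missing value cannot throw.
    static int countByValidatedUser(List<SessionStub> sessions, String validatedUser) {
        int n = 0;
        for (SessionStub s : sessions) if (Objects.equals(s.validatedUser, validatedUser)) n++;
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample: five open sessions whose certificates mapped to user1; a sixth
        // user1 certificate now connects but claims "user2". The limit should reject it.
        List<SessionStub> open = Arrays.asList(
            new SessionStub(null, "user1"), new SessionStub(null, "user1"),
            new SessionStub(null, "user1"), new SessionStub("user1", "user1"),
            new SessionStub("user1", "user1"));
        SessionStub incoming = new SessionStub("user2", "user1");
        System.out.println("keyed on validatedUser, rejected: "
            + (countByValidatedUser(open, incoming.validatedUser) >= MAX_CONNECTIONS));
        try {
            System.out.println("keyed on username, rejected: "
                + (countByClientUsername(open, incoming.username) >= MAX_CONNECTIONS));
        } catch (NullPointerException e) {
            System.out.println("keyed on username: NullPointerException, limit never enforced");
        }
    }
}
```

Save as SessionLimitDemo.java and run with javac SessionLimitDemo.java && java SessionLimitDemo.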