Posted to users@activemq.apache.org by Carlos Quiroz <ca...@nokia.com> on 2008/05/14 13:55:13 UTC
Authentication problem in AMQ 5.1
Hi
I have been using AMQ 5.0 for a while and I have created my own
authentication plugin. When I switched to AMQ 5.1 my clients cannot connect
anymore because somehow they are not authorized to create topics or queues.
Apparently now when subscribing to a topic/queue you need to have admin
permission to do that. Is it so?
My activemq.xml looks like:
<broker xmlns="http://activemq.org/config/1.0"
        brokerName="broker" dataDirectory="${activemq.base}/data"
        populateJMSXUserID="true" advisorySupport="true" useJmx="true">
  <plugins>
    <bean name="MyLoginModule"
          class=""
          xmlns="">
    <!-- lets configure a destination based authorization mechanism -->
    <authorizationPlugin>
      <map>
        <authorizationMap>
          <authorizationEntries>
            <authorizationEntry queue=">" read="admins"
                                write="admins" admin="admins" />
            <authorizationEntry queue="myqueu"
                                read="service" write="users" admin="admin" />
            ....
      </map>
    </authorizationPlugin>
  </plugins>
  <destinations>
    <queue physicalName="myqueue" />
  </destinations>
Upon connection I get the exception below, but it works if I change the admin
permission of the queue to admin="users".
Any idea about this? Why was this change added to AMQ 5.1? Should the
configuration change?
Regards
Carlos Quiroz
java.lang.SecurityException: User 181.175 is not authorized to create: queue://myqueue
    at org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:65)
    at org.apache.activemq.broker.MutableBrokerFilter.addDestination(MutableBrokerFilter.java:148)
    at org.apache.activemq.broker.region.RegionBroker.send(RegionBroker.java:443)
    at org.apache.activemq.broker.TransactionBroker.send(TransactionBroker.java:224)
    at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:325)
    at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:268)
    at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:260)
    at org.apache.activemq.advisory.AdvisoryBroker.addDestination(AdvisoryBroker.java:153)
    at org.apache.activemq.broker.BrokerFilter.addDestination(BrokerFilter.java:141)
    at org.apache.activemq.broker.BrokerFilter.addDestination(BrokerFilter.java:141)
    at org.apache.activemq.broker.BrokerFilter.addDestination(BrokerFilter.java:141)
    at org.apache.activemq.broker.BrokerFilter.addDestination(BrokerFilter.java:141)
    at org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:71)
    at org.apache.activemq.broker.MutableBrokerFilter.addDestination(MutableBrokerFilter.java:148)
    at org.apache.activemq.broker.region.AbstractRegion.lookup(AbstractRegion.java:385)
    at org.apache.activemq.broker.region.AbstractRegion.addConsumer(AbstractRegion.java:219)
    at org.apache.activemq.broker.region.TopicRegion.addConsumer(TopicRegion.java:108)
    at org.apache.activemq.broker.region.RegionBroker.addConsumer(RegionBroker.java:401)
    at org.apache.activemq.broker.BrokerFilter.addConsumer(BrokerFilter.java:85)
    at org.apache.activemq.advisory.AdvisoryBroker.addConsumer(AdvisoryBroker.java:83)
    at org.apache.activemq.broker.BrokerFilter.addConsumer(BrokerFilter.java:85)
    at org.apache.activemq.broker.BrokerFilter.addConsumer(BrokerFilter.java:85)
    at org.apache.activemq.broker.BrokerFilter.addConsumer(BrokerFilter.java:85)
    at org.apache.activemq.broker.BrokerFilter.addConsumer(BrokerFilter.java:85)
    at org.apache.activemq.security.AuthorizationBroker.addConsumer(AuthorizationBroker.java:132)
    at org.apache.activemq.broker.MutableBrokerFilter.addConsumer(MutableBrokerFilter.java:92)
    at org.apache.activemq.broker.TransportConnection.processAddConsumer(TransportConnection.java:529)
    at org.apache.activemq.command.ConsumerInfo.visit(ConsumerInfo.java:345)
    at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:293)
    at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:181)
    at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
    at org.apache.activemq.transport.stomp.StompTransportFilter.sendToActiveMQ(StompTransportFilter.java:80)
    at org.apache.activemq.transport.stomp.ProtocolConverter.sendToActiveMQ(ProtocolConverter.java:134)
    at org.apache.activemq.transport.stomp.ProtocolConverter.onStompSubscribe(ProtocolConverter.java:396)
    at org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommad(ProtocolConverter.java:182)
    at org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:70)
    at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
    at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:196)
    at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:183)
    at java.lang.Thread.run(Thread.java:619)
--
View this message in context: http://www.nabble.com/Authentication-problem-in-AMQ-5.1-tp17229324s2354p17229324.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
Re: Authentication problem in AMQ 5.1
Posted by Carlos Quiroz <ca...@nokia.com>.
Hi
Thanks for your answer. I think that would be the solution, but it still
baffles me why you need to give admin rights to your users even for prebuilt
queues/topics.
I also wrote an authentication plugin that uses JPA to get user account
information from the DB. It works very nicely, but your idea of making
it a JMX bean also sounds quite sensible.
Regards
Carlos Quiroz
ttmdev wrote:
>
> I think what is happening is that you haven't given everyone all access
> rights to the advisory topics. I get a similar stack trace when I don't do
> that. Add an ACL with the following "ActiveMQ.Advisory.>" and that should
> do the trick.
>
> If you're interested, check out this AMQ security plugin.
>
> http://www.ttmsolutions.com/amqsec.php4
>
> You can re-configure it on the fly, uses obfuscated passwords, and has a
> JMX MBean.
>
> Joe
>
Re: Authentication problem in AMQ 5.1
Posted by ttmdev <jo...@ttmsolutions.com>.
I think what is happening is that you haven't given everyone all access
rights to the advisory topics. I get a similar stack trace when I don't do
that. Add an ACL with the following "ActiveMQ.Advisory.>" and that should do
the trick.
If you're interested, check out this AMQ security plugin.
http://www.ttmsolutions.com/amqsec.php4
You can re-configure it on the fly, uses obfuscated passwords, and has a JMX
MBean.
Joe
Carlos Quiroz wrote:
>
> Hi and thanks for your response
>
> Maybe I should add that the queue is in the startup set
> <destinations>
> <queue physicalName="myqueue" />
> </destinations>
>
> and that in the logs it appears as having been created.
> This worked fine in AMQ 5.0
>
> Carlos
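The ACL suggested in the reply above, written out as an authorizationMap fragment. This is an added example, not configuration posted by anyone in the thread; the group list on the advisory entry is an assumption built from the group names in the original post, and the element and attribute names are those of the authorizationPlugin shown there.

```xml
<authorizationPlugin>
  <map>
    <authorizationMap>
      <authorizationEntries>
        <!-- Catch-all for queues: only "admins" may read, write or create. -->
        <authorizationEntry queue=">" read="admins" write="admins" admin="admins" />

        <!-- Per-queue entry from the original post. The queue attribute has to
             name the destination declared under <destinations> ("myqueue");
             any other spelling leaves only the ">" catch-all to match. -->
        <authorizationEntry queue="myqueue" read="service" write="users" admin="admin" />

        <!-- Advisory topics. The stack trace in the original post shows the
             denied call being reached through addConsumer -> fireAdvisory ->
             send, i.e. while the broker publishes an advisory for the
             subscribing client, so the groups that connect need rights here.
             Group list is an assumption: every group named in the post. -->
        <authorizationEntry topic="ActiveMQ.Advisory.>"
                            read="admins,service,users"
                            write="admins,service,users"
                            admin="admins,service,users" />
      </authorizationEntries>
    </authorizationMap>
  </map>
</authorizationPlugin>
```

With the advisory entry in place, the admin attribute on the application queues can stay restricted to the administrative group instead of being widened to admin="users".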
Re: Authentication problem in AMQ 5.1
Posted by Carlos Quiroz <ca...@nokia.com>.
Hi and thanks for your response
Maybe I should add that the queue is in the startup set
<destinations>
<queue physicalName="myqueue" />
</destinations>
and that in the logs it appears as having been created.
This worked fine in AMQ 5.0
Carlos
Dejan Bosanac wrote:
>
> Hi Carlos,
>
> it looks like you don't have "myqueue" created, so ActiveMQ tries to do
> that
> with supplied credentials. Try creating the queue manually if you don't
> want
> to use "admin" privileges.
>
> Regards
> --
> Dejan Bosanac
> www.scriptinginjava.net
Re: Authentication problem in AMQ 5.1
Posted by Dejan Bosanac <de...@nighttale.net>.
Hi Carlos,
it looks like you don't have "myqueue" created, so ActiveMQ tries to do that
with supplied credentials. Try creating the queue manually if you don't want
to use "admin" privileges.
Regards
--
Dejan Bosanac
www.scriptinginjava.net