Mike Dolding created DISPATCH-2362:
--------------------------------------
Summary: Client EXTERNAL authentication fails when websockets
enabled with Proton-j2 client
Key: DISPATCH-2362
URL: https://issues.apache.org/jira/browse/DISPATCH-2362
Project: Qpid Dispatch
Issue Type: Bug
Affects Versions: 1.19.0
Environment: * Qpid Dispatch 1.19.0
* Proton-j2 client (1.0.0-M22)
Reporter: Mike Dolding
I have deployed Qpid Dispatch 1.19.0 and have successfully configured an SSL
profile where my Proton-j2 client (1.0.0-M22) is authenticated using the
EXTERNAL SASL mechanism so that the Common Name in the client certificate must
match the userId of the AMQP message and be a user in the vhost group. So I have
a listener like this:
{code:java}
listener {
port: 5671
role: normal
authenticatePeer: true
saslMechanisms: EXTERNAL
sslProfile: mesh-clients
requireSsl: true
} {code}
and sslProfile like this:
{code:java}
sslProfile {
name: mesh-clients
certFile: /vault/secrets/oi-amqp-mesh-certs-external.crt
privateKeyFile: /vault/secrets/oi-amqp-mesh-certs-external.key
caCertFile: /vault/secrets/client.crt
uidFormat: n
} {code}
and vhost of the form:
{code:java}
vhost {
hostname: myhost.com
maxConnections: 10000
maxMessageSize: 500000
maxConnectionsPerUser: 100
maxConnectionsPerHost: 100
groups: {
"$myGroup": {
"users": "MyCommonName",
"remoteHosts": "*",
"sources": "",
"targets": "MyQueue",
"allowAnonymousSender": "true",
"allowDynamicSource": "true"
}
}
} {code}
So far everything works fine.
However I now wish to expose the service through a proxy using websockets. To
this end I have amended the config to add a second identical listener but with
http: true, knowing that the websockets parameter will then default to true.
{code:java}
listener {
port: 8080
role: normal
http: true
authenticatePeer: true
saslMechanisms: EXTERNAL
sslProfile: mesh-clients
requireSsl: true
} {code}
In the Proton-j2 client I similarly enable websockets:
{code:java}
options.transportOptions().useWebSockets(true); {code}
When I try to send messages over websockets on port 8080 the Proton client says
that Qpid Dispatch did not offer any SASL mechanisms:
{code:java}
Caused by: javax.security.sasl.SaslException: Could not find a suitable SASL
Mechanism. No supported mechanism, or none usable with the available
credentials. Server offered: []
    at org.apache.qpid.protonj2.engine.sasl.client.SaslAuthenticator.handleSaslMechanisms(SaslAuthenticator.java:97)
{code}
The Qpid Dispatch logs show that it has upgraded from HTTP to AMQPWS but the
connection was then aborted:
{code:java}
2024-12-02 15:07:46.141919 +0000 SERVER (debug) [187] upgraded HTTP connection
from 127.0.0.1 to AMQPWS
2024-12-02 15:07:46.142165 +0000 SERVER (trace) [C187] Configuring SSL on :8080
2024-12-02 15:07:46.154025 +0000 SERVER (info) [C187] Accepted connection to
:8080 from 127.0.0.1
2024-12-02 15:07:46.361440 +0000 SERVER (info) [C187] Connection from
127.0.0.1 (to :8080) failed: amqp:connection:framing-error connection
aborted{code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
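The client error above ("Server offered: []") says the SASL header exchange over the AMQPWS listener completed but the router's sasl-mechanisms frame listed nothing, which is a useful fact to confirm independently of Proton-j2 before chasing it further. The probe below is an added example written for this report, not code from the reporter, Qpid Dispatch or Proton-j2: it performs the TLS connection with the client certificate, the HTTP-to-WebSocket upgrade, sends the AMQP SASL protocol header inside a WebSocket frame, and decodes the sasl-mechanisms frame the router answers with. The host, port, path and certificate paths are parameters you supply; the "amqp" WebSocket subprotocol name, and the assumption that the reply fits in one read and uses the compact encodings (smallulong descriptor, list8, sym8, array8), are assumptions of this example. The two sample frames at the bottom are constructed by hand, not captured from the reporter's router.

```python
# Added diagnostic (not Qpid Dispatch or Proton-j2 code): speaks just enough
# AMQP 1.0 (SASL header + sasl-mechanisms frame) and RFC 6455 to report which
# SASL mechanisms an AMQPWS listener offers. Assumes the compact encodings a
# mechanisms frame realistically uses; sym32/array32/list32 are not handled.
from __future__ import annotations
import base64, os, socket, ssl, struct

SASL_HEADER = b"AMQP\x03\x01\x00\x00"              # protocol-id 3 = SASL layer


def _read_symbols(body: bytes, i: int) -> list[str]:
    """Symbol field with multiple=true: null, a single sym8, or an array8 of sym8."""
    code = body[i]
    if code == 0x40:                                # null
        return []
    if code == 0xA3:                                # one sym8: len, bytes
        return [body[i + 2:i + 2 + body[i + 1]].decode("ascii")]
    if code != 0xE0 or body[i + 3] != 0xA3:         # array8: size, count, element ctor
        raise ValueError(f"unsupported mechanisms encoding 0x{code:02x}")
    count, j, out = body[i + 2], i + 4, []
    for _ in range(count):                          # elements carry no constructor byte
        n, j = body[j], j + 1
        out.append(body[j:j + n].decode("ascii"))
        j += n
    return out


def decode_sasl_mechanisms(frame: bytes) -> list[str]:
    """Decode one SASL frame carrying sasl-mechanisms (descriptor 0x40).
    An empty list is exactly what the Proton-j2 error reports: the header
    exchange succeeded but the server offered nothing."""
    size, doff, ftype, _chan = struct.unpack_from(">IBBH", frame, 0)
    if ftype != 0x01:
        raise ValueError(f"frame type 0x{ftype:02x} is not SASL")
    body = frame[doff * 4:size]
    if body[0] != 0x00 or body[1] != 0x53:          # described type, smallulong descriptor
        raise ValueError("expected a described type with a smallulong descriptor")
    if body[2] != 0x40:
        raise ValueError(f"descriptor 0x{body[2]:02x} is not sasl-mechanisms")
    code, i = body[3], 3
    if code == 0x45:                                # list0: no fields at all
        return []
    if code != 0xC0:                                # list8: size, count, fields
        raise ValueError(f"unexpected list constructor 0x{code:02x}")
    count, i = body[i + 2], i + 3
    return [] if count == 0 else _read_symbols(body, i)


def _ws_frame(payload: bytes) -> bytes:
    """Masked binary WebSocket frame (clients must mask); payload < 126 bytes."""
    mask = os.urandom(4)
    masked = bytes(b ^ mask[k % 4] for k, b in enumerate(payload))
    return bytes([0x82, 0x80 | len(payload)]) + mask + masked


def _ws_unframe(data: bytes) -> bytes:
    """Concatenate the payloads of the unmasked server frames in data (len <= 65535)."""
    out, i = b"", 0
    while i + 2 <= len(data):
        n, i = data[i + 1] & 0x7F, i + 2
        if n == 126:
            n, i = struct.unpack_from(">H", data, i)[0], i + 2
        out, i = out + data[i:i + n], i + n
    return out


def probe_ws_mechanisms(host: str, port: int, ca_file: str, cert_file: str,
                        key_file: str, path: str = "/") -> list[str]:
    """TLS with client cert, upgrade to the 'amqp' WebSocket subprotocol (assumed
    to be what the AMQPWS listener expects), send the SASL header, return mechs."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    with socket.create_connection((host, port), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as s:
        key = base64.b64encode(os.urandom(16)).decode()
        s.sendall((f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\nUpgrade: websocket\r\n"
                   f"Connection: Upgrade\r\nSec-WebSocket-Key: {key}\r\n"
                   "Sec-WebSocket-Version: 13\r\nSec-WebSocket-Protocol: amqp\r\n\r\n").encode())
        reply = b""
        while b"\r\n\r\n" not in reply and (chunk := s.recv(4096)):
            reply += chunk
        if not reply.startswith(b"HTTP/1.1 101"):
            raise RuntimeError(f"upgrade refused: {reply[:80]!r}")
        s.sendall(_ws_frame(SASL_HEADER))
        data = _ws_unframe(s.recv(4096))        # server header + mechanisms frame
        if not data.startswith(SASL_HEADER):
            raise RuntimeError(f"no SASL header in reply: {data[:8]!r}")
        return decode_sasl_mechanisms(data[len(SASL_HEADER):])


# Constructed sample frames (hand-built for this example, not captured traffic):
FRAME_EXTERNAL = (b"\x00\x00\x00\x18\x02\x01\x00\x00"   # size 24, doff 2, type SASL
                  b"\x00\x53\x40\xc0\x0b\x01\xa3\x08EXTERNAL")
FRAME_EMPTY = b"\x00\x00\x00\x0c\x02\x01\x00\x00\x00\x53\x40\x45"   # list0: "offered: []"
```

Run it as `probe_ws_mechanisms("myhost.com", 8080, ca, cert, key)` against the port 8080 listener; when testing against 127.0.0.1 with a certificate issued for another name, set `ctx.check_hostname = False` first. A returned `[]` reproduces the Proton-j2 observation without Proton-j2 in the loop, which narrows the question to why the router's SASL layer on the AMQPWS path offers no mechanism while the same sslProfile on port 5671 offers EXTERNAL; an HTTP status other than 101 instead means the upgrade itself failed. Only the decoder and the framing helpers are exercised by the sample frames; the network probe needs a live listener.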