StanDarJeep opened a new pull request, #2097: URL: https://github.com/apache/activemq/pull/2097
Adds a server-side log hint when an authorization failure may be caused by a queue/topic type mismatch in the broker configuration. When a user is denied access to a destination but would have access to the same destination name under the alternate type (e.g., queue://foo would be allowed but client accesses topic://foo), the broker now logs a warning suggesting the operator verify the destination type specified in the configuration. This is a misconfiguration that can be difficult to diagnose from only the "not authorized" error message. The hint is only written to the broker log; the client-facing error message is unchanged and no extra details are exposed. Example log output when the authorization failure occurs (the first line is the new log): ``` 2026-06-03 16:33:45,507 | WARN | Possible destination type mismatch: user 'test-user' is not authorized to write topic 'test-queue', but a queue authorization entry for 'test-queue' would grant access. Verify the destination type in the broker configuration. | org.apache.activemq.security.AuthorizationBroker | ActiveMQ Transport: tcp:///127.0.0.1:60031@61613 2026-06-03 16:33:45,508 | WARN | Async error occurred: User test-user is not authorized to write to: topic://test-queue | org.apache.activemq.broker.TransportConnection.Service | ActiveMQ Transport: tcp:///127.0.0.1:60031@61613 2026-06-03 16:33:45,508 | WARN | Exception occurred while processing a command: java.lang.SecurityException: User test-user is not authorized to write to: topic://test-queue | org.apache.activemq.transport.stomp.ProtocolConverter | ActiveMQ BrokerService[localhost] Task-1 ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] For further information, visit: https://activemq.apache.org/contact
