[
https://issues.apache.org/jira/browse/ARTEMIS-2886?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17279712#comment-17279712
]
Luís Alves commented on ARTEMIS-2886:
-------------------------------------
{quote}Where is the loop here, does a client in a loop doing send get a
security exception as a response, but the connection stays valid?text{quote}
exactly. Client keep get not authorized when if fact he is not even
"authenticated". Trace:
{noformat}
javax.jms.JMSSecurityException: AMQ229032: User: does not have
permission='SEND' on address business-events.eu.jms-java-app-demo.ms.v1.a
at
org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:540)
at
org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:434)
at
org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQSessionContext.simpleCommit(ActiveMQSessionContext.java:452)
at
org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.commit(ClientSessionImpl.java:964)
at
org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.commit(ClientSessionImpl.java:937)
at
org.apache.activemq.artemis.jms.client.ActiveMQSession.commit(ActiveMQSession.java:289)
at
org.messaginghub.pooled.jms.JmsPoolSession.commit(JmsPoolSession.java:266)
...
{noformat}
You really described well the whole problem and as you mention it can happen on
LDAP as well.
I would propose something like this:
{code:java}
final Boolean validated;
if (securityManager instanceof ActiveMQSecurityManager5) {
Subject subject = getSubjectForAuthorization(session,
((ActiveMQSecurityManager5) securityManager));
if(isNull(subject)){
//thrash the connection as user is not authenticated anymore.
}
validated = ((ActiveMQSecurityManager5)
securityManager).authorize(subject, roles, checkType, fqqn != null ?
fqqn.toString() : bareAddress.toString());
}
{code}
Not sure how to properly trash the connection. I'm currently trying to find out
if sending some JMSRuntimeException will do the trick, as I can send it myself
from the authenticate method. Although, it would be nice that this is done on
SecurityStoreImpl class.
Regarding the test case, I don't have one, sorry. Also, don't have enough
knowledge to setup on quickly.
> Optimize security auth
> ----------------------
>
> Key: ARTEMIS-2886
> URL: https://issues.apache.org/jira/browse/ARTEMIS-2886
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Reporter: Justin Bertram
> Assignee: Justin Bertram
> Priority: Major
> Fix For: 2.16.0
>
> Time Spent: 6h 10m
> Remaining Estimate: 0h
>
> Both authentication and authorization will hit the underlying security
> repository (e.g. files, LDAP, etc.). For example, creating a JMS connection
> and a consumer will result in 2 hits with the *same* authentication request.
> This can cause unwanted (and unnecessary) resource utilization, especially in
> the case of networked configuration like LDAP.
> There is a rudimentary cache for authorization, but it is cleared *totally*
> every 10 seconds by default (controlled via the
> {{security-invalidation-interval setting}}), and it must be populated
> initially which still results in duplicate auth requests.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
