Alexander created ARTEMIS-3656:
----------------------------------

             Summary: Client session limit is evaluated incorrectly for SSL connections
                 Key: ARTEMIS-3656
                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3656
             Project: ActiveMQ Artemis
          Issue Type: Bug
    Affects Versions: 2.17.0
            Reporter: Alexander


Client session limit is evaluated incorrectly for SSL connections.

For authentication, the org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule module is used (clients do not specify a user and password to create connections).

In this case, the user can enter any other user, and the connection count check 
will be performed for the specified user (so validatedUser must be used).

The problem is in the org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl#getSessionCountForUser method - the check is not based on the validatedUser, but on the user (which users do not enter), as a result we get a NullPointerException in the code below.

{code:java}
private int getSessionCountForUser(String username) {
   int sessionCount = 0;
   for (Entry<String, ServerSession> sessionEntry : sessions.entrySet()) {
      if (sessionEntry.getValue().getUsername().equals(username)) { // change to sessionEntry.getValue().getValidatedUser()....
         sessionCount++;
      }
   }
   return sessionCount;
}
{code}
 

Files in etc folder:

1) login.config

....

CertLogin {
    org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule requisite
        debug=false
        reload=true
        org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
        org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
};

....

2) broker.xml:

....

<resource-limit-settings>
  <resource-limit-setting match="user1">
    <max-connections>5</max-connections>
  </resource-limit-setting>
</resource-limit-settings>

<acceptors>
  <acceptor name="artemis">tcp://0.0.0.0:60001?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;amqpMinLargeMessageSize=102400;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE;useEpoll=true;amqpCredits=1000;amqpLowCredits=300;amqpDuplicateDetection=true;sslEnabled=true;keyStorePath=/app/artemis/ssl/artemis_server_gw.jks;trustStorePath=/app/artemis/ssl/artemis_server_gw.jks;keyStorePassword=secret;trustStorePassword=secret;enabledCipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA256;enabledProtocols=TLSv1.2;needClientAuth=true</acceptor>
</acceptors>

....
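An added illustration, not code from Artemis or from the reporter, of why the per-user limit must key on the validated identity. It uses a hypothetical Session stand-in carrying only the two fields at issue (client-sent username, login-module-validated user) and runs the reported logic beside a corrected variant on constructed sessions:

```java
import java.util.List;
import java.util.Objects;

public class SessionLimitCheck {
    // Minimal stand-in for ServerSession (hypothetical, not Artemis code).
    static final class Session {
        final String username;       // name the client sent; null for certificate-only clients
        final String validatedUser;  // identity the login module mapped from the certificate DN
        Session(String username, String validatedUser) {
            this.username = username;
            this.validatedUser = validatedUser;
        }
    }
    // Same logic as the reported getSessionCountForUser: keyed on the client-sent name.
    static int countByUsername(List<Session> sessions, String username) {
        int count = 0;
        for (Session s : sessions) {
            if (s.username.equals(username)) {   // throws NullPointerException when username is null
                count++;
            }
        }
        return count;
    }
    // Corrected variant: keyed on the authenticated identity, and null-safe.
    static int countByValidatedUser(List<Session> sessions, String validatedUser) {
        int count = 0;
        for (Session s : sessions) {
            if (Objects.equals(s.validatedUser, validatedUser)) {
                count++;
            }
        }
        return count;
    }
    public static void main(String[] args) {
        // Constructed samples. Case 1: clients present only a certificate mapped to user1.
        List<Session> certOnly = List.of(new Session(null, "user1"), new Session(null, "user1"));
        try {
            countByUsername(certOnly, "user1");
        } catch (NullPointerException e) {
            System.out.println("case 1 buggy: NullPointerException, limit never evaluated");
        }
        System.out.println("case 1 fixed: " + countByValidatedUser(certOnly, "user1"));

        // Case 2: same certificate, but the client also typed an arbitrary user name.
        List<Session> renamed = List.of(new Session("other", "user1"), new Session("other", "user1"));
        System.out.println("case 2 buggy: " + countByUsername(renamed, "user1"));
        System.out.println("case 2 fixed: " + countByValidatedUser(renamed, "user1"));
    }
}
```

In case 2 the buggy count for user1 stays at zero however many sessions the certificate holder opens, so the max-connections setting matched on user1 is never reached; the corrected count follows the validated identity.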



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
