[ https://issues.apache.org/jira/browse/ARTEMIS-3656?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Bertram updated ARTEMIS-3656:
------------------------------------
    Description: 
Client session limit is evaluated incorrectly for SSL connections.

For authentication, the 
{{org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule}}
 module is used (clients do not specify a user and password to create 
connections).

In this case, the user can enter any other user, and the connection count check 
will be performed for the specified user (so {{validatedUser}} must be used).

The problem is in the 
{{org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl#getSessionCountForUser}}
 method. The check is not based on {{validatedUser}} but on {{user}} (which 
users do not enter). As a result we get a {{NullPointerException}} in the code 
below.
{code:java}
private int getSessionCountForUser(String username) {
   int sessionCount = 0;
   for (Entry<String, ServerSession> sessionEntry : sessions.entrySet()) {
      if (sessionEntry.getValue().getUsername().equals(username)) { // change to sessionEntry.getValue().getValidatedUser()....
         sessionCount++;
      }
   }
   return sessionCount;
}{code}
 

Files in {{etc}} folder:

1) {{login.config}}:

{noformat}
CertLogin {
    org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule requisite
        debug=false
        reload=true
        org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
        org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
};{noformat}


2) {{broker.xml}}:

{code:xml}
    <resource-limit-settings>
      <resource-limit-setting match="user1">
        <max-connections>5</max-connections>
      </resource-limit-setting>
    </resource-limit-settings>

    <acceptors>
      <acceptor name="artemis">tcp://0.0.0.0:60001?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;amqpMinLargeMessageSize=102400;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE;useEpoll=true;amqpCredits=1000;amqpLowCredits=300;amqpDuplicateDetection=true;sslEnabled=true;keyStorePath=/app/artemis/ssl/artemis_server_gw.jks;trustStorePath=/app/artemis/ssl/artemis_server_gw.jks;keyStorePassword=secret;trustStorePassword=secret;enabledCipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA256;enabledProtocols=TLSv1.2;needClientAuth=true</acceptor>
    </acceptors>{code}

  was:
Client session limit is evaluated incorrectly for ssl connections.

For authentication, the 
org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule
 module is used (clients do not specify a user and password to create 
connections).

In this case, the user can enter any other user, and the connection count check 
will be performed for the specified user (so validatedUser must be used).

The problem is in the 
org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl#getSessionCountForUser
 method - the check is not based on the validatedUser, but on the user (which 
users do not enter), as a result we get a NullPointerException In the code 
below.
{code:java}
private int getSessionCountForUser(String username) {
   int sessionCount = 0;
   for (Entry<String, ServerSession> sessionEntry : sessions.entrySet()) {
      if (sessionEntry.getValue().getUsername().equals(username)) { // change to sessionEntry.getValue().getValidatedUser()....
         sessionCount++;
      }
   }
   return sessionCount;
}{code}
 

Files in etc folder:

1) login.config

....

CertLogin {
    org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule requisite
        debug=false
        reload=true
        org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
        org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
};

....

2) broker.xml:

....    

<resource-limit-settings>
      <resource-limit-setting match="user1">
        <max-connections>5</max-connections>
      </resource-limit-setting>
    </resource-limit-settings>

    <acceptors>
      <acceptor name="artemis">tcp://0.0.0.0:60001?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;amqpMinLargeMessageSize=102400;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE;useEpoll=true;amqpCredits=1000;amqpLowCredits=300;amqpDuplicateDetection=true;sslEnabled=true;keyStorePath=/app/artemis/ssl/artemis_server_gw.jks;trustStorePath=/app/artemis/ssl/artemis_server_gw.jks;keyStorePassword=secret;trustStorePassword=secret;enabledCipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA256;enabledProtocols=TLSv1.2;needClientAuth=true</acceptor>
    </acceptors>

....
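
The following stand-alone Java class is an added illustration of the getSessionCountForUser problem described in the report above; it is not code from the report or from ActiveMQ Artemis. It models the broker's session table with a hypothetical Session type that carries only the two fields at issue (the name the client supplied and the identity the JAAS login module validated), reproduces the NullPointerException when a certificate-authenticated session has no username, and contrasts a count keyed on the client-supplied name with one keyed on validatedUser. The sample sessions are constructed for this example, and the null-safe Objects.equals comparison goes one step beyond the getValidatedUser() swap the report suggests.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;

// Added example, not Artemis code: a minimal model of the session table.
public class SessionLimitDemo {

   // Hypothetical stand-in for the broker's ServerSession, reduced to the
   // two fields the report is about.
   static final class Session {
      final String username;       // name sent by the client in the login; null for cert-only logins
      final String validatedUser;  // identity established by the JAAS login module

      Session(String username, String validatedUser) {
         this.username = username;
         this.validatedUser = validatedUser;
      }

      String getUsername() { return username; }
      String getValidatedUser() { return validatedUser; }
   }

   private final Map<String, Session> sessions = new LinkedHashMap<>();

   void addSession(String id, String clientSuppliedUser, String validatedUser) {
      sessions.put(id, new Session(clientSuppliedUser, validatedUser));
   }

   // Same shape as the reported method: keyed on the client-supplied name and
   // dereferencing getUsername() without a null check.
   int buggyCountForUser(String username) {
      int sessionCount = 0;
      for (Session s : sessions.values()) {
         if (s.getUsername().equals(username)) {   // throws when a cert-only session has no username
            sessionCount++;
         }
      }
      return sessionCount;
   }

   // Corrected shape: compare the authenticated identity, null-safely, so the
   // client cannot steer which bucket its connection is counted in.
   int fixedCountForUser(String validatedUser) {
      int sessionCount = 0;
      for (Session s : sessions.values()) {
         if (Objects.equals(s.getValidatedUser(), validatedUser)) {
            sessionCount++;
         }
      }
      return sessionCount;
   }

   public static void main(String[] args) {
      // Constructed sample 1: three connections present the same client certificate,
      // which the login module maps to "user1"; two send no username at all and the
      // third sends an arbitrary one.
      SessionLimitDemo broker = new SessionLimitDemo();
      broker.addSession("s1", null, "user1");
      broker.addSession("s2", null, "user1");
      broker.addSession("s3", "someone-else", "user1");

      System.out.println("fixed count for user1:        " + broker.fixedCountForUser("user1"));
      System.out.println("fixed count for someone-else: " + broker.fixedCountForUser("someone-else"));
      try {
         broker.buggyCountForUser("user1");
      } catch (NullPointerException e) {
         System.out.println("buggy check threw NullPointerException on the cert-only session");
      }

      // Constructed sample 2: same certificate, but every connection picks a
      // distinct username, so the client-name-keyed count stays low and a
      // max-connections limit on "user1" is never reached by it.
      SessionLimitDemo steered = new SessionLimitDemo();
      steered.addSession("t1", "a", "user1");
      steered.addSession("t2", "b", "user1");
      steered.addSession("t3", "c", "user1");
      System.out.println("buggy count for 'a':   " + steered.buggyCountForUser("a"));
      System.out.println("fixed count for user1: " + steered.fixedCountForUser("user1"));
   }
}
```

The second sample is the part worth keeping in mind when reviewing the fix: with a limit keyed on the client-supplied name, a certificate-authenticated client can both crash the check (by sending no name) and sidestep the limit (by sending a different name per connection), so the count has to be taken over the identity the login module actually validated.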


> Client session limit is evaluated incorrectly for ssl connections
> -----------------------------------------------------------------
>
>                 Key: ARTEMIS-3656
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3656
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>    Affects Versions: 2.17.0
>            Reporter: Alexander
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
