Re: Artemis: Restricting access based on protocol
Hi Stan,

the PR https://github.com/apache/activemq-artemis/pull/3058 is merged so it will be included in the 2.12.0 release.

Regards,
Domenico

--
Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html

Re: Artemis: Restricting access based on protocol
Hi Justin and Stan,

I found another bug, testing the MqttConnectMessage rejection:
https://issues.apache.org/jira/browse/ARTEMIS-2686

I created a PR to fix this bug:
https://github.com/apache/activemq-artemis/pull/3058

Regards,
Domenico

Re: Artemis: Restricting access based on protocol
The problem is ARTEMIS-2607 which will be resolved in the 2.12.0 release.

Justin

[1] https://issues.apache.org/jira/browse/ARTEMIS-2607

On Wed, Apr 1, 2020 at 7:40 AM Stan Petrula wrote:

> Hi Domenico,
>
> thank you for the suggestion, but unfortunately it does not work. I am
> using slightly modified interceptor code:
>
> public class MQTTLoginFilterInterceptor implements MQTTInterceptor {
>    @Override
>    public boolean intercept(final MqttMessage mqttMessage,
>                             RemotingConnection connection) {
>       System.out.println("MQTT intercept called");
>
>       if (mqttMessage instanceof MqttConnectMessage) {
>          MqttConnectMessage connectMessage = (MqttConnectMessage) mqttMessage;
>
>          if (connectMessage.payload().userName() != null
>              && connectMessage.payload().userName().compareTo("admin") == 0) {
>             System.out.println("reject admin login");
>             return false;
>          } else {
>             System.out.println("allow user login");
>          }
>       }
>
>       return true;
>    }
> }
>
> Log output on admin login:
> MQTT intercept called
> reject admin login
> MQTT intercept called
>
> Logs show that we can catch admin login, but returning false from
> interceptor, after getting MqttConnectMessage, does not have any effect.
> With this interceptor I can log in as admin, subscribe and do any action
> allowed. Do you have any idea?

Re: Artemis: Restricting access based on protocol
Hi Domenico,

thank you for the suggestion, but unfortunately it does not work. I am using slightly modified interceptor code:

public class MQTTLoginFilterInterceptor implements MQTTInterceptor {
   @Override
   public boolean intercept(final MqttMessage mqttMessage,
                            RemotingConnection connection) {
      System.out.println("MQTT intercept called");

      if (mqttMessage instanceof MqttConnectMessage) {
         MqttConnectMessage connectMessage = (MqttConnectMessage) mqttMessage;

         if (connectMessage.payload().userName() != null
             && connectMessage.payload().userName().compareTo("admin") == 0) {
            System.out.println("reject admin login");
            return false;
         } else {
            System.out.println("allow user login");
         }
      }

      return true;
   }
}

Log output on admin login:
MQTT intercept called
reject admin login
MQTT intercept called

Logs show that we can catch admin login, but returning false from interceptor, after getting MqttConnectMessage, does not have any effect. With this interceptor I can log in as admin, subscribe and do any action allowed. Do you have any idea?

Re: Artemis: Restricting access based on protocol
Hi Stan,

Artemis supports interceptors[1] to intercept packets entering and exiting the server. This allows custom code to be executed, e.g. for auditing packets, filtering or other reasons. So you could use an MQTTInterceptor[2] to reject connection messages with admin username.

An example of MQTTInterceptor to clarify what I mean:

import io.netty.handler.codec.mqtt.MqttConnectMessage;
import io.netty.handler.codec.mqtt.MqttMessage;
import org.apache.activemq.artemis.core.protocol.mqtt.MQTTInterceptor;
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;

public class MQTTAdminRejectingInterceptor implements MQTTInterceptor {
   @Override
   public boolean intercept(final MqttMessage packet, RemotingConnection connection) {
      // Reject CONNECT packets whose user name is "admin"; "admin".equals(...)
      // is null-safe for clients that send no user name.
      if (packet instanceof MqttConnectMessage &&
          "admin".equals(((MqttConnectMessage) packet).payload().userName())) {
         return false;
      } else {
         return true;
      }
   }
}

[1] https://activemq.apache.org/components/artemis/documentation/latest/intercepting-operations.html
[2] https://activemq.apache.org/components/artemis/documentation/latest/examples.html#interceptor-mqtt

Regards,
Domenico
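
The interceptor approach discussed in this thread, generalized to a configurable deny set with an audit log line, as an added example that is not code from the thread or from the Artemis project. The class name, the com.example package and the mqtt.denied.users system property are assumptions made for illustration; per the replies above, the rejection only takes effect on a broker that contains the ARTEMIS-2607 and ARTEMIS-2686 fixes (2.12.0).

```java
package com.example; // hypothetical package

import io.netty.handler.codec.mqtt.MqttConnectMessage;
import io.netty.handler.codec.mqtt.MqttMessage;
import org.apache.activemq.artemis.core.protocol.mqtt.MQTTInterceptor;
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;

import java.util.Arrays;
import java.util.Set;
import java.util.logging.Logger;
import java.util.stream.Collectors;

/**
 * Rejects MQTT CONNECT packets for a configurable set of user names.
 * Registered in broker.xml as an incoming interceptor:
 *   <remoting-incoming-interceptors>
 *     <class-name>com.example.MQTTDeniedUsersInterceptor</class-name>
 *   </remoting-incoming-interceptors>
 */
public class MQTTDeniedUsersInterceptor implements MQTTInterceptor {
   private static final Logger LOG =
      Logger.getLogger(MQTTDeniedUsersInterceptor.class.getName());

   // Hypothetical property, e.g. -Dmqtt.denied.users=admin,operator (default: admin)
   private final Set<String> deniedUsers =
      Arrays.stream(System.getProperty("mqtt.denied.users", "admin").split(","))
            .map(String::trim)
            .filter(s -> !s.isEmpty())
            .collect(Collectors.toSet());

   @Override
   public boolean intercept(final MqttMessage packet, final RemotingConnection connection) {
      // Only CONNECT carries credentials; every other packet type passes through.
      if (!(packet instanceof MqttConnectMessage)) {
         return true;
      }
      MqttConnectMessage connect = (MqttConnectMessage) packet;
      // userName() is null when the client sends no user name.
      String user = connect.payload().userName();
      if (user == null || !deniedUsers.contains(user)) {
         return true;
      }
      // Client-supplied strings are untrusted: replace control characters before logging.
      String clientId = String.valueOf(connect.payload().clientIdentifier())
         .replaceAll("\\p{Cntrl}", "_");
      LOG.warning("Rejected MQTT CONNECT user=" + user.replaceAll("\\p{Cntrl}", "_")
         + " clientId=" + clientId + " remote=" + connection.getRemoteAddress());
      return false;
   }
}
```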