Re: Authentication problem in AMQ 5.1

Carlos Quiroz Fri, 16 May 2008 04:03:31 -0700

Hi

Thanks for your answer. I think that would be the solution but still baffles
me why you need to give admin rights to your users even for prebuilt
queues/topics


I wrote also an authentication plugin that uses JPA to get user account
information from the DB. It works very nicely but also your idea of making
it a JMX bean sounds quite sensible

Regards
Carlos Quiroz


ttmdev wrote:
> 
> I think what is happening is that you haven't given everyone all access
> rights to the advisory topics. I get a similar stack trace when I don't do
> that. Add an ACL with the following "ActiveMQ.Advisory.>" and that should
> do the trick. 
> 
> If you're interested, check out this AMQ security plugin. 
> 
> http://www.ttmsolutions.com/amqsec.php4
> 
> You can re-configure it on the fly, uses obfuscated passwords, and has a
> JMX MBean.  
> 
> Joe  
> 
> 
> 
> Carlos Quiroz wrote:
>> 
>> Hi and thanks for your response 
>> 
>> Maybe I should add that the queue is in the startup set 
>>                 <destinations>
>>                         <queue physicalName="myqueue" />
>>                 </destinations>
>> 
>> and that in the logs appears as it has been created
>> This worked fine in AMQ 5.0
>> 
>> Carlos
>> 
>> 
>> Dejan Bosanac wrote:
>>> 
>>> Hi Carlos,
>>> 
>>> it looks like you don't have "myqueue" created, so ActiveMQ tries to do
>>> that
>>> with supplied credentials. Try creating the queue manually if you don't
>>> want
>>> to use "admin" priviledges.
>>> 
>>> Regards
>>> -- 
>>> Dejan Bosanac
>>> www.scriptinginjava.net
>>> 
>>> On Wed, May 14, 2008 at 1:55 PM, Carlos Quiroz <
>>> [EMAIL PROTECTED]> wrote:
>>> 
>>>>
>>>> Hi
>>>>
>>>> I have been using AMQ 5.0 for a while and I have created my own
>>>> authentication plugin. When I switched to AMQ 5.1 my clients cannot
>>>> connect
>>>> anymore because somehow they are not authorized to create topics or
>>>> queues.
>>>> Apparently now when subscribing to a topic/queue you need to have admin
>>>> permission to do that. Is it so?
>>>>
>>>> My activemq.xml looks like:
>>>>
>>>>        <broker xmlns="http://activemq.org/config/1.0";
>>>>                brokerName="broker"
>>>> dataDirectory="${activemq.base}/data"
>>>>                populateJMSXUserID="true" advisorySupport="true"
>>>> useJmx="true">
>>>>
>>>>                <plugins>
>>>>                        <bean name="MyLoginModule"
>>>>                                class=""
>>>>                                xmlns="">
>>>>
>>>>                        <!--  lets configure a destination based
>>>> authorization mechanism -->
>>>>                        <authorizationPlugin>
>>>>                                <map>
>>>>                                        <authorizationMap>
>>>>                                                <authorizationEntries>
>>>>                                                       
>>>> <authorizationEntry
>>>> queue=">" read="admins"
>>>>
>>>>  write="admins" admin="admins" />
>>>>                                                       
>>>> <authorizationEntry
>>>> queue="myqueu"
>>>>
>>>>  read="service" write="users" admin="admin" />
>>>> ....
>>>>                                </map>
>>>>                        </authorizationPlugin>
>>>>                </plugins>
>>>>
>>>>
>>>>
>>>>                <destinations>
>>>>                        <queue physicalName="myqueue />
>>>>                </destinations>
>>>>
>>>> Upon connection I get the exception below but it works if I change the
>>>> admin
>>>> permision of the queue to admin="users"
>>>>
>>>> Any idea about this? Why was this change added to AMQ 5.1? Should the
>>>> configuration change?
>>>>
>>>> Regards
>>>> Carlos Quiroz
>>>>
>>>>
>>>> java.lang.SecurityException: User 181.175 is not authorized to create:
>>>> queue://myqueue
>>>>        at
>>>>
>>>> org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:65)
>>>>        at
>>>>
>>>> org.apache.activemq.broker.MutableBrokerFilter.addDestination(MutableBrokerFilter.java:148)
>>>>        at
>>>> org.apache.activemq.broker.region.RegionBroker.send(RegionBroker.java:443)
>>>>        at
>>>>
>>>> org.apache.activemq.broker.TransactionBroker.send(TransactionBroker.java:224)
>>>>        at
>>>>
>>>> org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:325)
>>>>        at
>>>>
>>>> org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:268)
>>>>        at
>>>>
>>>> org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:260)
>>>>        at
>>>>
>>>> org.apache.activemq.advisory.AdvisoryBroker.addDestination(AdvisoryBroker.java:153)
>>>>        at
>>>>
>>>> org.apache.activemq.broker.BrokerFilter.addDestination(BrokerFilter.java:141)
>>>>        at
>>>>
>>>> org.apache.activemq.broker.BrokerFilter.addDestination(BrokerFilter.java:141)
>>>>        at
>>>>
>>>> org.apache.activemq.broker.BrokerFilter.addDestination(BrokerFilter.java:141)
>>>>        at
>>>>
>>>> org.apache.activemq.broker.BrokerFilter.addDestination(BrokerFilter.java:141)
>>>>        at
>>>>
>>>> org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:71)
>>>>        at
>>>>
>>>> org.apache.activemq.broker.MutableBrokerFilter.addDestination(MutableBrokerFilter.java:148)
>>>>        at
>>>>
>>>> org.apache.activemq.broker.region.AbstractRegion.lookup(AbstractRegion.java:385)
>>>>        at
>>>>
>>>> org.apache.activemq.broker.region.AbstractRegion.addConsumer(AbstractRegion.java:219)
>>>>        at
>>>>
>>>> org.apache.activemq.broker.region.TopicRegion.addConsumer(TopicRegion.java:108)
>>>>        at
>>>>
>>>> org.apache.activemq.broker.region.RegionBroker.addConsumer(RegionBroker.java:401)
>>>>        at
>>>> org.apache.activemq.broker.BrokerFilter.addConsumer(BrokerFilter.java:85)
>>>>        at
>>>>
>>>> org.apache.activemq.advisory.AdvisoryBroker.addConsumer(AdvisoryBroker.java:83)
>>>>        at
>>>> org.apache.activemq.broker.BrokerFilter.addConsumer(BrokerFilter.java:85)
>>>>        at
>>>> org.apache.activemq.broker.BrokerFilter.addConsumer(BrokerFilter.java:85)
>>>>        at
>>>> org.apache.activemq.broker.BrokerFilter.addConsumer(BrokerFilter.java:85)
>>>>        at
>>>> org.apache.activemq.broker.BrokerFilter.addConsumer(BrokerFilter.java:85)
>>>>        at
>>>>
>>>> org.apache.activemq.security.AuthorizationBroker.addConsumer(AuthorizationBroker.java:132)
>>>>        at
>>>>
>>>> org.apache.activemq.broker.MutableBrokerFilter.addConsumer(MutableBrokerFilter.java:92)
>>>>        at
>>>>
>>>> org.apache.activemq.broker.TransportConnection.processAddConsumer(TransportConnection.java:529)
>>>>        at
>>>> org.apache.activemq.command.ConsumerInfo.visit(ConsumerInfo.java:345)
>>>>        at
>>>>
>>>> org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:293)
>>>>        at
>>>>
>>>> org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:181)
>>>>        at
>>>>
>>>> org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
>>>>        at
>>>>
>>>> org.apache.activemq.transport.stomp.StompTransportFilter.sendToActiveMQ(StompTransportFilter.java:80)
>>>>        at
>>>>
>>>> org.apache.activemq.transport.stomp.ProtocolConverter.sendToActiveMQ(ProtocolConverter.java:134)
>>>>        at
>>>>
>>>> org.apache.activemq.transport.stomp.ProtocolConverter.onStompSubscribe(ProtocolConverter.java:396)
>>>>        at
>>>>
>>>> org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommad(ProtocolConverter.java:182)
>>>>        at
>>>>
>>>> org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:70)
>>>>        at
>>>>
>>>> org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
>>>>        at
>>>>
>>>> org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:196)
>>>>        at
>>>> org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:183)
>>>>        at java.lang.Thread.run(Thread.java:619)
>>>> --
>>>> View this message in context:
>>>> http://www.nabble.com/Authentication-problem-in-AMQ-5.1-tp17229324s2354p17229324.html
>>>> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>>>>
>>>>
>>> 
>>> 
>>> -----
>>> Dejan Bosanac
>>> www.scriptinginjava.net
>>> 
>> 
>> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Authentication-problem-in-AMQ-5.1-tp17229324s2354p17272265.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: Authentication problem in AMQ 5.1

Reply via email to