Hi Pavel,
Thanks so much for the reply!
So I'm thinking that this has always been the case with Java (despite
the Jira referring to 0.18)? I'm thinking this is why I always ended up
using guest:guest@ URLs when I started out, but it was a long time ago :-)
You mention in the Jira comments at one point about:
"New version of patch. It again sets username to "anonymous" and
password to "" (only when the credentials are missing)"
As I mentioned in my ramble below I actually tried *explicitly* doing:
amqp://anonymous:""@clientid/test?brokerlist='tcp://localhost:5672'
in one of my tests, but that resulted in:
connectionfactory.ConnectionFactory=amqp://anonymous:""@clientid/test?brokerlist='tcp://localhost:5672',
destination.publishedAddress=amq.match}
main 2013-01-25 11:48:53,809 WARN
[apache.qpid.jndi.PropertiesFileInitialContextFactory] Unable to
createFactories:Illegal character in authority between indicies 7 and 1
amqp://anonymous:""@clientid/test?brokerlist='tcp://localhost:5672'
^
createJMSSession() connectionFactory lookup failed, retrying
So I'm guessing that what you are talking about is "under the hood" and
bypasses that particular test?? I personally think that this bug notice
should be extended to cover implicit *and* explicit settings of
anonymous - what d'you reckon?
The reason that I'm particularly interested in this issue now is that
Bruno Matos noticed an issue with my recent Qpid GUI (well really in the
back-end REST Server). He was running with a broker set to the default
--auth yes and got the exception:
INFO org.apache.qpid.client.AMQConnection - Not a hard-error connection
not closing: org.apache.qpid.AMQException: ch=1 id=7
ExecutionException(errorCode=UNAUTHORIZED_ACCESS, commandId=14,
classCode=0, commandCode=0, fieldIndex=0,
description=unauthorized-access: authorised user id : anonymous@QPID but
user id in message declared as guest
(qpid/broker/SemanticState.cpp:484), errorInfo={}) [error code 403:
access refused]
So my reckoning was that issue was down to my ConnectionHelper class
constructing a ConnectionURL of the form
"amqp://guest:guest@clientid........" when no user/passwd is specified
(which would be the case for a default URL created if no "-a" option had
been specified).
I was planning on looking into that (defaulting it to anonymous rather
than guest), hence my investigations, but it's looking like the
underlying issue is deeper than my code. I guess that even when your
patch makes it into the code base I'm going to have to be careful 'cause
any patch will only work for up-to-date versions on the client runtime.
Do you have any thoughts for a way 'round this or is Bruno (and others)
just going to have to add guest as well as anonymous (or use proper
usernames/passwds) if they run with --auth yes
Cheers (thanks for restoring my sanity :-))
Sorry Bruno - not sure there's much I can do to sort that particular
issue that you'd seen unless Pavel has any good ideas here (though as I
said previously you should be able to specify your own default
connection using the -a option in QpidRestAPI so that the GUI will use
that as the default - rather than having to add a new connection on the GUI)
Frase
On 25/01/13 10:41, Pavel Moravec wrote:
Hi Fraser,
there is a bug in Java client disallowing no credentials option, see
https://issues.apache.org/jira/browse/QPID-3396.
Kind regards,
Pavel
----- Original Message -----
From: "Fraser Adams" <[email protected]>
To: [email protected]
Sent: Friday, January 25, 2013 11:07:29 AM
Subject: Could somebody *please* explain Java Connection URLs...:-)
It's a little embarrassing 'cause I've kind of been using these for a
couple of years, but as they are ever so slightly obtuse :-> I've
generally been lazy/pragmatic and did copy'n'paste of things that
have
worked.
Because of the various URL differences (the ones used by the python
tools, the qpid::messaging amqp URL and the Java ConnectionURL I also
wrote a ConnectionHelper class to allow me to specify URLs in any
format). This class basically creates a Java ConnectionURL with
sensible
values filled in when I specify one of the shorter (AKA more
convenient!!) formats.
I'm generally OK on the brokerList sub URLs and the options I put in
there seem to be fine.....
However I've just been bitten. 'Cause I've been a bit lazy and mostly
tested and tinkered with qpidd --auth no or actually used a proper
user/password I ended up having defaults of guest:guest in
ConnectionHelper. This hasn't hitherto been an issue for me but
standing
up a vanilla qpidd with auth yes the unsecured authentication
username
is anonymous *not* guest.....
The documentation
http://qpid.apache.org/books/0.20/Programming-In-Apache-Qpid/html/QpidJNDI.html#id2553965
says:
amqp://[<user>:<pass>@][<clientid>]<virtualhost>[?<option>='<value>'[&<option>='<value>']]
But I'm not convinced that's accurate. I've been hacking around with
a
few ConnectionURLs in a JNDI file and
# simple URL with user = guest
#connectionfactory.ConnectionFactory =
amqp://guest:guest@clientid/test?brokerlist='tcp://localhost:5672'
# Omitting the clientid bit seems to work OK
#connectionfactory.ConnectionFactory =
amqp://guest:guest@/test?brokerlist='tcp://localhost:5672'
# Omitting the virtualhost bit seems to work too, but the slash is
important e.g. /test and / work test does not??
#connectionfactory.ConnectionFactory =
amqp://guest:guest@/?brokerlist='tcp://localhost:5672'
But I *cannot* get/figure out how to do anonymous from a Java Client
to
a C++ broker.
According to the BNF form in the documentation
connectionfactory.ConnectionFactory =
amqp://clientid/test?brokerlist='tcp://localhost:5672'
*should* work as [<user>:<pass>@] ought to be optional, but that just
gives "connectionFactory lookup failed, retrying" with both --auth no
and --auth yes
Same for
connectionfactory.ConnectionFactory =
amqp://@clientid/test?brokerlist='tcp://localhost:5672'
If I do
connectionfactory.ConnectionFactory =
amqp://:@clientid/test?brokerlist='tcp://localhost:5672'
That actually connects to a broker with --auth no, but barfs with an
error "warning Failed to retrieve sasl username" on a broker with
--auth yes
connectionfactory.ConnectionFactory =
amqp://anonymous:@clientid/test?brokerlist='tcp://localhost:5672'
Actually connects to a broker with --auth no, but barfs with no error
on
a broker with --auth yes and a "connectionFactory lookup failed,
retrying"
When I add info logging I get
main 2013-01-25 09:51:26,539 INFO [apache.qpid.client.AMQConnection]
Connection:amqp://anonymous:********@clientid/test?brokerlist='tcp://localhost:5672'
main 2013-01-25 09:51:26,973 INFO
[qpid.client.protocol.AMQProtocolSession] Using ProtocolVersion for
Session:0-10
main 2013-01-25 09:51:26,995 INFO
[qpid.client.handler.ClientMethodDispatcherImpl] New Method
Dispatcher:AMQProtocolSession[null]
main 2013-01-25 09:51:27,016 INFO [apache.qpid.client.AMQConnection]
Connecting with ProtocolHandler Version:0-10
main 2013-01-25 09:51:27,167 INFO [apache.qpid.client.AMQConnection]
Unable to connect to broker at tcp://localhost:5672
org.apache.qpid.AMQException: *Cannot connect to broker:
connection-forced: Authentication failed [error code 320: context in
use*]
at
org.apache.qpid.client.AMQConnectionDelegate_0_10.makeBrokerConnection(AMQConnectionDelegate_0_10.java:203)
at
org.apache.qpid.client.AMQConnection.makeBrokerConnection(AMQConnection.java:609)
at org.apache.qpid.client.A...............
Logging at DEBUG doesn't give any more useful info.
I've tried
connectionfactory.ConnectionFactory =
amqp://anonymous:anonymous@clientid/test?brokerlist='tcp://localhost:5672'
connectionfactory.ConnectionFactory =
amqp://anonymous:""@clientid/test?brokerlist='tcp://localhost:5672'
connectionfactory.ConnectionFactory =
amqp://anonymous:''@clientid/test?brokerlist='tcp://localhost:5672'
connectionfactory.ConnectionFactory = amqp://anonymous:
@clientid/test?brokerlist='tcp://localhost:5672'
and they *all* barf out :-(
So could someone please tell me what the magic incantation is on a
Java
ConnectionURL for connecting with anonymous from a Java Client to a
C++
broker.
just to confirm too that I've tried qpid-config with no parameters to
the same broker with auth on and off and that works fine so it looks
like anonymous "authentication" is actually working, just not with
Java.
I'm still using 0.12 if that makes any difference (hope to hit 0.20
soon
but wanted to look at this first)
Any ideas??
Cheers,
Frase
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
