RE: EXTERNAL: Re: Username/password authentication example from C++ docs doesn't work?

Mon, 05 May 2025 15:36:00 -0700 

Hi Timothy,

Yes, I'm using sasl_allow_insecure_mechs. Here's the full "on_container_start" 
method I'm using:

    void on_container_start(proton::container &c) override {
        proton::connection_options co;
        co.user(user);
        co.password(password);
        co.sasl_enabled(true);
        co.sasl_allow_insecure_mechs(true);
        co.sasl_allowed_mechs("PLAIN");
        sender = c.open_sender(url, co);
    }

Seems like this ought to work?

Peter

-----Original Message-----
From: Timothy Bish <tabish...@gmail.com> 
Sent: Monday, May 5, 2025 6:29 PM
To: users@qpid.apache.org
Subject: EXTERNAL: Re: EXTERNAL: Re: Username/password authentication example 
from C++ docs doesn't work?

Sorry I typo'd the frame tracing option.  Quite right PN_TRACE_FRM

I think there is also a connection option in the C++ client that might be 
needed.

From the connection_options API
    connection_options & sasl_allow_insecure_mechs (bool)
       Force the enabling of SASL mechanisms that disclose cleartext passwords 
over the connection.

I'm not very familiar with the C++ client but that sounds like it'd be needed 
for PLAIN to work.

On Mon, May 5, 2025 at 6:26 PM peter.j.rich...@lmco.com 
<peter.j.rich...@lmco.com> wrote:
>
> Hi Timothy,
>
> I added PN_TRACE_FRM=true (not PN_TRACE_FROM) to the C# client and see this 
> output:
>
> -> SASL:[1488863629:0] AMQP,3,1,0,0
> <- SASL:[1488863629:0] AMQP,3,1,0,0
> <- SASL:[1488863629:0] SaslMechanisms{mechanisms=PLAIN,ANONYMOUS}
> -> SASL:[1488863629:0] SaslInit{mechanismPLAIN, 
> -> initialResponse="%00admin%00admin", hostname=localhost}
> <- SASL:[1488863629:0] Ok
>
> It looks like the C# client successfully uses PLAIN?
>
> I then added PN_TRACE_FRM=true to the C++ client, and now I see this output:
>
> [0x1edc0b0]: SASL:FRAME:  -> SASL
> [0x1edc0b0]: SASL:FRAME:  <- SASL
> [0x1edc0b0]: AMQP:FRAME:0 <- @sasl-mechanisms(64) 
> [sasl-server-mechanisms=@<symbol>[:PLAIN, :ANONYMOUS]]
> [0x1edc0b0]:   IO:FRAME:  -> EOS
> amqp:unauthorized-access: SASL(-4): no mechanism available: No worthy 
> mechs found (Authentication failed [mech=none])
>
> It looks like "PLAIN" is in the "sasl-server-mechanisms", but then it still 
> says "no mechanism available". Does that mean the C++ client still doesn't 
> have PLAIN enabled?
>
> Peter
>
> -----Original Message-----
> From: Timothy Bish <tabish...@gmail.com>
> Sent: Monday, May 5, 2025 6:08 PM
> To: users@qpid.apache.org
> Subject: EXTERNAL: Re: EXTERNAL: Re: Username/password authentication example 
> from C++ docs doesn't work?
>
> When running the Qpid proton-dotnet client you can define the 
> PN_TRACE_FROM=true environment variable to have the AMQP frames printed to 
> the console, my guess would be PLAIN is being used since you set a password 
> and the broker offers that by default.
>
> On Mon, May 5, 2025 at 5:21 PM peter.j.rich...@lmco.com 
> <peter.j.rich...@lmco.com> wrote:
> >
> > Hi Ted,
> >
> > > Try setting the sasl_allowed_mechs in your connection options. Try using 
> > > "PLAIN".
> >
> > I added this line to on_container_start:
> >
> > co.sasl_allowed_mechs("PLAIN");
> >
> > And now I get a different error:
> >
> > amqp:unauthorized-access: SASL(-4): no mechanism available: No 
> > worthy mechs found (Authentication failed [mech=none])
> >
> > Any idea why it's ignoring the PLAIN mechanism? I also tried adding these:
> >
> > co.sasl_enabled(true);
> > co.sasl_allow_insecure_mechs(true);
> >
> > But this made no difference (same error).
> >
> > > Whatever you use must match what is supported on the broker-side.
> >
> > I believe the broker supports PLAIN, since the C# client library 
> > authenticated fine.
> >
> > Peter
> >
> > -----Original Message-----
> > From: Ted Ross <tr...@redhat.com.INVALID>
> > Sent: Monday, May 5, 2025 4:48 PM
> > To: users@qpid.apache.org
> > Subject: EXTERNAL: Re: Username/password authentication example from C++ 
> > docs doesn't work?
> >
> > Try setting the sasl_allowed_mechs in your connection options.  I believe 
> > it is defaulting to ANONYMOUS, which does not use the user/password values. 
> >  Try using "PLAIN".  Whatever you use must match what is supported on the 
> > broker-side.
> >
> > -Ted
> >
> > On Mon, May 5, 2025 at 3:37 PM peter.j.rich...@lmco.com < 
> > peter.j.rich...@lmco.com> wrote:
> >
> > > Hi, I'm using version 0.37.0 of the C++ library
> > > (qpid-proton-cpp-0.37.0) and can't figure out how to authenticate 
> > > with a username/password. My test
> > > setup:
> > >
> > > For the broker, I run ActiveMQ Classic using this command: podman 
> > > run -it --rm --net=host --env ACTIVEMQ_CONNECTION_USER=admin --env 
> > > ACTIVEMQ_CONNECTION_PASSWORD=admin 
> > > docker.io/apache/activemq-classic
> > >
> > > For the C++ client, I run the code from the "simple_send.cpp"
> > > example at
> > > https://qpid.apache.org/releases/qpid-proton-0.37.0/proton/cpp/api
> > > /s im ple_send_8cpp-example.html, which I simplified to hardcode 
> > > the username/password to admin/admin:
> > >
> > > #include <proton/connection.hpp>
> > > #include <proton/connection_options.hpp> #include 
> > > <proton/container.hpp> #include <proton/message.hpp> #include 
> > > <proton/message_id.hpp> #include <proton/messaging_handler.hpp> 
> > > #include <proton/reconnect_options.hpp> #include 
> > > <proton/tracker.hpp> #include <proton/types.hpp>
> > >
> > > #include <iostream>
> > > #include <map>
> > >
> > >
> > > class simple_send : public proton::messaging_handler {
> > >   private:
> > >     std::string url;
> > >     std::string user;
> > >     std::string password;
> > >     bool reconnect;
> > >     proton::sender sender;
> > >     int sent;
> > >     int confirmed;
> > >     int total;
> > >
> > >   public:
> > >     simple_send(const std::string &s, const std::string &u, const 
> > > std::string &p, bool r, int c) :
> > >         url(s), user(u), password(p), reconnect(r), sent(0), 
> > > confirmed(0),
> > > total(c) {}
> > >
> > >     void on_container_start(proton::container &c) override {
> > >         proton::connection_options co;
> > >         if (!user.empty()) co.user(user);
> > >         if (!password.empty()) co.password(password);
> > >         if (reconnect) co.reconnect(proton::reconnect_options());
> > >         sender = c.open_sender(url, co);
> > >     }
> > >
> > >     void on_connection_open(proton::connection& c) override {
> > >         if (c.reconnected()) {
> > >             sent = confirmed;   // Re-send unconfirmed messages after a
> > > reconnect
> > >         }
> > >     }
> > >
> > >     void on_sendable(proton::sender &s) override {
> > >         while (s.credit() && sent < total) {
> > >             proton::message msg;
> > >             std::map<std::string, int> m;
> > >             m["sequence"] = sent + 1;
> > >
> > >             msg.id(sent + 1);
> > >             msg.body(m);
> > >
> > >             s.send(msg);
> > >             sent++;
> > >         }
> > >     }
> > >
> > >     void on_tracker_accept(proton::tracker &t) override {
> > >         confirmed++;
> > >
> > >         if (confirmed == total) {
> > >             std::cout << "all messages confirmed" << std::endl;
> > >             t.connection().close();
> > >         }
> > >     }
> > >
> > >     void on_transport_close(proton::transport &) override {
> > >         sent = confirmed;
> > >     }
> > > };
> > >
> > > int main(int argc, char **argv) {
> > >     std::string address = "127.0.0.1:5672/examples";
> > >     std::string user = "admin";
> > >     std::string password = "admin";
> > >     bool reconnect = false;
> > >     int message_count = 100;
> > >
> > >     try {
> > >         simple_send send(address, user, password, reconnect, 
> > > message_count);
> > >         proton::container(send).run();
> > >
> > >         return 0;
> > >     } catch (const std::exception& e) {
> > >         std::cerr << e.what() << std::endl;
> > >     }
> > >
> > >     return 1;
> > > }
> > >
> > > When run, the C++ client crashes with this error:
> > >
> > > amqp:unauthorized-access: Authentication failed [mech=ANONYMOUS]
> > >
> > > The error message suggests (?) that the username/password I 
> > > specify are not being used, since it says "mech=ANONYMOUS". Can 
> > > anyone see an obvious mistake in my C++ code? Am I not setting the 
> > > username/password correctly?
> > > Is this a known bug in version 0.37.0?
> > >
> > > In contrast, I can successfully authenticate to the broker using 
> > > the C# library example at 
> > > https://docs.redhat.com/en/documentation/red_hat_build_of_apache_qpid_proton_dotnet/1.0/html-single/using_qpid_proton_dotnet/index.
> > > In the C# example, if I specify the username/password as 
> > > admin/admin then message posting succeeds, and when I specify a 
> > > wrong password it fails with an authentication error.
> > >
> > >
>
>
>
> --
> --
> Tim Bish
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org For 
> additional commands, e-mail: users-h...@qpid.apache.org
>


--
--
Tim Bish

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org For additional 
commands, e-mail: users-h...@qpid.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
For additional commands, e-mail: users-h...@qpid.apache.org

Reply via email to