ActiveMQ / AMQ-2516

SecurityException raised when broker tries to move expired message to DLQ

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.3.0
    • Fix Version/s: 5.3.1, 5.4.0
    • Component/s: Broker
    • Labels:
      None
    • Environment:

      Windows XP SP2
      Java JRE 1.6

      Issue found on both FUSE Message Broker 5.3.0.3 & 5.3.0.5 (based on Apache ActiveMQ 5.3)

      Description

      I have enabled authentication + authorization in my broker configuration file as follows:

      <jaasAuthenticationPlugin configuration="PropertiesLogin" />

      <authorizationPlugin>
        <map>
          <authorizationMap>
            <authorizationEntries>
              <authorizationEntry queue=">" read="users" write="users" admin="users"/>
              <authorizationEntry topic="ActiveMQ.Advisory.>" read="users" write="users" admin="users"/>
            </authorizationEntries>
          </authorizationMap>
        </map>
      </authorizationPlugin>

      If I send a message with a TTL into the queue (using the provided sample configured with the right username and password) and then try to look for the message in the queue after it has expired using the Web Console, I get the following exception:

      "Caught an exception sending to DLQ: Message ID:PC198829-1539-1259168148838-0:1:1:1:1 dropped=false locked=false
      java.lang.SecurityException: User is not authenticated."

      This only occurs when the broker has to deal with the DLQ as I can successfully read/write in any queue.

      It seems that the thread responsible for moving the message into the DLQ doesn't have the right to perform this action (username and password not propagated to its connection context?).

      1. activemq_configuration.zip
        4 kB
        Concombre Masqué
      2. activemq.log
        411 kB
        Concombre Masqué
      3. jmsproducer_sample.zip
        1 kB
        Concombre Masqué

        Activity

        Concombre Masqué added a comment -

        Find attached the ActiveMQ configuration, the log showing the security exception and a JMS sample to send a message with TTL into the queue.

        Gary Tully added a comment -

        Resolved in r884778.
        Thanks for the good description. Send to DLQ (when configured) now uses the broker's security context so that it is immune to authentication configuration.
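
A minimal model of the failure reported in this issue and of the fix described in the comment above, added here as an illustration; it is not ActiveMQ or FUSE source code. The class names, the `brokerInternal` flag and the message text are assumptions made for the example, `ActiveMQ.DLQ` is the broker's default dead-letter queue name, and `record` requires Java 16 or later.

```java
import java.util.*;

// Model of the failure in this issue. All class names are hypothetical; this is not ActiveMQ source.
public class DlqSecurityContextDemo {
    /** Identity attached to an operation. brokerInternal marks the broker's own context. */
    record SecurityContext(String user, Set<String> groups, boolean brokerInternal) {}

    /** Per-connection state. Internal broker work has no client login behind it. */
    static final class ConnectionContext {
        final SecurityContext security; // null models the expiry task before the fix
        ConnectionContext(SecurityContext security) { this.security = security; }
    }

    /** Authorization layer that every send passes through, client or internal. */
    static final class AuthorizingBroker {
        private final Map<String, Set<String>> writeAcl = new HashMap<>();
        final Map<String, List<String>> queues = new HashMap<>();

        void allowWrite(String queue, String group) {
            writeAcl.computeIfAbsent(queue, k -> new HashSet<>()).add(group);
        }

        void send(ConnectionContext ctx, String queue, String message) {
            SecurityContext sc = ctx.security;
            if (sc == null) throw new SecurityException("User is not authenticated.");
            // Only the broker-owned context skips the ACL; it must never be built from client input.
            if (!sc.brokerInternal()
                    && Collections.disjoint(writeAcl.getOrDefault(queue, Set.of()), sc.groups())) {
                throw new SecurityException("User " + sc.user() + " may not write to " + queue);
            }
            queues.computeIfAbsent(queue, k -> new ArrayList<>()).add(message);
        }
    }

    public static void main(String[] args) {
        AuthorizingBroker broker = new AuthorizingBroker();
        broker.allowWrite("ActiveMQ.DLQ", "users"); // mirrors queue=">" write="users"
        try { // Before the fix: the expiry path sends with no security context at all.
            broker.send(new ConnectionContext(null), "ActiveMQ.DLQ", "expired message (constructed)");
        } catch (SecurityException e) {
            System.out.println("Caught an exception sending to DLQ: " + e.getMessage());
        }
        // After the fix: internal sends carry the broker's own security context.
        SecurityContext brokerCtx = new SecurityContext("broker", Set.of(), true);
        broker.send(new ConnectionContext(brokerCtx), "ActiveMQ.DLQ", "expired message (constructed)");
        System.out.println("DLQ holds: " + broker.queues.get("ActiveMQ.DLQ"));
    }
}
```

The first send fails even though the ACL grants `users` write access, because the check for an authenticated identity runs before the ACL is consulted.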

        scott selikoff added a comment -

        @Concombre: Did you find a workaround for ActiveMQ 5.3.0? I'm also using the FUSE broker and am seeing this issue.

        Concombre Masqué added a comment - edited

        @Scott: No, no workaround, sorry. This issue is not a blocking one for the project I am working on, so we just deal with it by ignoring the errors. But we plan to upgrade to a new FUSE Message Broker release with a fix for this issue as soon as possible (when available).

        scott selikoff added a comment -

        @Concombre: Since this is a one-line fix, the easiest solution we found was to download the FUSE source and rebuild it with Maven. It takes a bit of time for Maven to automatically download all the required libraries the first time it runs, but after it's done you get a full build with the solution in place.


          People

          • Assignee:
            Gary Tully
            Reporter:
            Concombre Masqué
          • Votes:
            0
            Watchers:
            3
