Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Not A Bug
-
1.1.0
-
None
-
None
Description
Authentication fails when connecting to an http enabled listener that has authenticatePeer: true with a router configured with sasl authentication.
The log messages are:
2018-05-18 07:36:27.347973 -0400 SERVER (debug) [2] upgraded HTTP connection from 127.0.0.1 to AMQPWS (/home/eallen/workspace/qpid-dispatch/src/http-libwebsockets.c:402)
2018-05-18 07:36:27.348025 -0400 POLICY (trace) ALLOW Connection '127.0.0.1' based on global connection count. nConnections= 1 (/home/eallen/workspace/qpid-dispatch/src/policy.c:204)
2018-05-18 07:36:27.348041 -0400 SERVER (info) Accepted connection to 0.0.0.0:29315 from 127.0.0.1 (/home/eallen/workspace/qpid-dispatch/src/server.c:656)
2018-05-18 07:36:27.348400 0400 SERVER (trace) [2]: < EOS (/home/eallen/workspace/qpid-dispatch/src/server.c:103)
2018-05-18 07:36:27.348434 -0400 SERVER (info) Connection from 127.0.0.1 (to 0.0.0.0:29315) failed: amqp:connection:policy-error Client skipped authentication - forbidden (/home/eallen/workspace/qpid-dispatch/src/server.c:920)
2018-05-18 07:36:27.348447 -0400 SERVER (trace) [2]: -> EOS (/home/eallen/workspace/qpid-dispatch/src/server.c:103)
2018-05-18 07:36:27.348462 -0400 POLICY (debug) Connection '127.0.0.1' closed with resources n_sessions=0, n_senders=0, n_receivers=0. nConnections= 0. (/home/eallen/workspace/qpid-dispatch/src/policy.c:249)
Note: To test this I did the following:
- run the router's system tests
- cd build/tests/system_test.dir/system_tests_sasl_plain/RouterTestPlainSasl/setUpClass
- edit the X.conf file to include a listener with http: true on a new port and start a router using X.conf
- attempt to connect to the new port using the latest console with test@domain.com / password
- view the X.log file to see the above error output
Authentication succeeds when connecting to that same router using a listener that is not http enabled.
To verify the sasl setup, using that same router, run the following command:
qdstat -b 0.0.0.0:29215 -c --sasl-mechanisms=PLAIN --sasl-username=test@domain.com --sasl-password=password
The output is:
Connections
id host container role dir security authentication tenant
=======================================================================================================================
6247 127.0.0.1:44554 5972a5a1-aa46-4b36-8932-8f090307f66a normal in no-security test@domain.com(PLAIN)
I verified that the rhea.js library used by the console is passing the username/password by running rhea's test "simple_sasl_client.js" under nodejs against the above router's non-http enabled port. The connection succeeds.
Attachments
Issue Links
- depends upon
-
DISPATCH-1003 Enable console support for connecting to listener configured with saslMechanisms other than ANONYMOUS
- Closed
- is depended upon by
-
DISPATCH-1003 Enable console support for connecting to listener configured with saslMechanisms other than ANONYMOUS
- Closed