Hi All
I am new to working with ActiveMQ and I have a requirement to connect
ActiveMQ (version 5.9.0) with OpenLDAP for authentication and authorization.
I have started doing this and have been stuck on an issue for a few days.
Given below is the error I see when running my Java Client.
javax.jms.JMSSecurityException: User amqadmin is not authorized to write to: queue://TEST.FOO
    at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:52)
    at org.apache.activemq.ActiveMQConnection.syncSendPacket(ActiveMQConnection.java:1405)
    at org.apache.activemq.ActiveMQSession.syncSendPacket(ActiveMQSession.java:1925)
    at org.apache.activemq.ActiveMQMessageProducer.<init>(ActiveMQMessageProducer.java:125)
    at org.apache.activemq.ActiveMQSession.createProducer(ActiveMQSession.java:969)
    at org.gvr.keystore.client.BrokerUserMgtClient.brokerProducer(BrokerUserMgtClient.java:102)
    at org.gvr.keystore.client.BrokerUserMgtClient.main(BrokerUserMgtClient.java:24)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: java.lang.SecurityException: User amqadmin is not authorized to write to: queue://TEST.FOO
    at org.apache.activemq.security.AuthorizationBroker.addProducer(AuthorizationBroker.java:179)
    at org.apache.activemq.broker.MutableBrokerFilter.addProducer(MutableBrokerFilter.java:107)
    at org.apache.activemq.broker.TransportConnection.processAddProducer(TransportConnection.java:534)
    at org.apache.activemq.command.ProducerInfo.visit(ProducerInfo.java:105)
    at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:292)
    at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:149)
    at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:50)
    at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)
    at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:270)
    at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
    at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:214)
    at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:196)
    at java.lang.Thread.run(Thread.java:662)
At the beginning I got this issue for the ActiveMQ Advisory topics, but then I
turned them off.
I noticed that the authentication part does work properly when I remove the
authorization config from activemq.xml.
Given below are my configurations for Authentication and Authorization.
Authentication config at [ACTIVEMQ_HOME]/conf/login.config
-------------------------------------------------------------------------------------------
LdapConfiguration {
    org.apache.activemq.jaas.LDAPLoginModule required
        debug=true
        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
        connectionURL="ldap://localhost:389"
        connectionUsername="cn=admin,dc=wso2,dc=com"
        connectionPassword=**********
        connectionProtocol=s
        authentication=simple
        userBase="ou=Users,dc=wso2,dc=com"
        userRoleName=dummy
        userSearchMatching="(uid={0})"
        userSearchSubtree=false
        roleBase="ou=Groups,dc=wso2,dc=com"
        roleName=cn
        roleSearchMatching="(member=uid={1})"
        roleSearchSubtree=true;
};
Authorization config at [ACTIVEMQ_HOME]/conf/activemq.xml
----------------------------------------------------------------------------------------------
<plugins>
    <jaasAuthenticationPlugin configuration="LdapConfiguration" />
    <authorizationPlugin>
        <map>
            <cachedLDAPAuthorizationMap
                connectionURL="ldap://localhost:389"
                connectionUsername="cn=admin,dc=wso2,dc=com"
                connectionPassword="*********"
                queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,ou=systems,dc=wso2,dc=com"
                topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,ou=systems,dc=wso2,dc=com"
                tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,ou=systems,dc=wso2,dc=com"
                refreshInterval="60000"
                legacyGroupMapping="false"
                userObjectClass="identityPerson"/>
        </map>
    </authorizationPlugin>
</plugins>
I also tried the configuration given below, but was still getting the same
issue.
<authorizationPlugin>
    <map>
        <bean id="lDAPAuthorizationMap"
              class="org.apache.activemq.security.LDAPAuthorizationMap"
              xmlns="http://www.springframework.org/schema/beans">
            <property name="initialContextFactory"
                      value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <property name="connectionURL"
                      value="ldap://localhost:389"/>
            <property name="authentication" value="simple"/>
            <property name="connectionUsername"
                      value="cn=admin,dc=wso2,dc=com"/>
            <property name="connectionPassword"
                      value="***********"/>
            <property name="connectionProtocol" value=""/>
            <property name="topicSearchMatchingFormat"
                      value="cn={0},ou=Topic,ou=Destination,dc=wso2,dc=com"/>
            <property name="topicSearchSubtreeBool"
                      value="true"/>
            <property name="queueSearchMatchingFormat"
                      value="cn={0},ou=Queue,ou=Destination,dc=wso2,dc=com"/>
            <property name="queueSearchSubtreeBool"
                      value="true"/>
            <property name="advisorySearchBase"
                      value="cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,dc=wso2,dc=com"/>
            <property name="tempSearchBase"
                      value="cn=ActiveMQ.Temp,ou=Topic,ou=Destination,dc=wso2,dc=com"/>
            <property name="adminBase" value="(cn=admin)"/>
            <property name="adminAttribute" value="member"/>
            <property name="readBase" value="(cn=read)"/>
            <property name="readAttribute" value="member"/>
            <property name="writeBase" value="(cn=write)"/>
            <property name="writeAttribute" value="member"/>
        </bean>
    </map>
</authorizationPlugin>
My LDAP structure is shown in the images below.
Authorization structure
<http://activemq.2283324.n4.nabble.com/file/n4678364/authorization_structure.png>
User / Group structure
<http://activemq.2283324.n4.nabble.com/file/n4678364/ldap_user_group.png>
I followed the guides given below when enabling authentication and authorization
for ActiveMQ.
http://fusesource.com/docs/broker/5.5/security/LDAP-AddUserEntries.html
http://activemq.apache.org/security
The Java client I use to create a queue and produce a message is as below.
package org.gvr.keystore.client;
import javax.jms.Connection;
import javax.jms.DeliveryMode;
import javax.jms.Destination;
import javax.jms.MessageProducer;
import javax.jms.Session;
import javax.jms.TextMessage;
import org.apache.activemq.ActiveMQConnectionFactory;

public class BrokerUserMgtClient {
    private static String connectionString = "tcp://localhost:61616";
    private static String queueName = "TEST.FOO";
    private static String message = " This is with user authentication ";

    public static void main(String[] args) throws Exception {
        brokerProducer();
    }

    // Connects as amqadmin, creates a producer on TEST.FOO and sends one message.
    private static void brokerProducer() throws Exception {
        ActiveMQConnectionFactory connectionFactory =
            new ActiveMQConnectionFactory("amqadmin", "amqadmin", connectionString);
        // Advisory topics are disabled; the same error was first raised for them.
        connectionFactory.setWatchTopicAdvisories(false);
        Connection connection = connectionFactory.createConnection();
        connection.start();
        Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
        Destination destination = session.createQueue(queueName);
        // The broker's addProducer authorization check fails on the next call.
        MessageProducer producer = session.createProducer(destination);
        producer.setDeliveryMode(DeliveryMode.NON_PERSISTENT);
        String text = message + System.currentTimeMillis();
        TextMessage textMessage = session.createTextMessage(text);
        producer.send(textMessage);
        System.out.println("Message Sent to - " + connectionString);
        session.close();
        connection.close();
    }
}
I am unable to think of any reason why this error is occurring, and request
your kind support over this urgent issue.
Best Regards
Isuru
--
View this message in context:
http://activemq.2283324.n4.nabble.com/ActiveMQ-authorization-error-with-OpenLDAP-tp4678364.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
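To make the two lookups behind that error path concrete, here is an added example (not from the original post and not ActiveMQ's own code). It models in Python, against a small constructed in-memory directory, what the broker does on the path the trace shows: the LDAPLoginModule role search at login, then the cachedLDAPAuthorizationMap write check that AuthorizationBroker.addProducer performs. It assumes the ActiveMQ 5.x placeholder semantics for roleSearchMatching ({0} = the user's DN, {1} = the username) and that, with legacyGroupMapping="false", a permission entry's member attribute holds a role group's DN whose first RDN (cn) is the role name. The directory contents, the group name `admins`, and the helper functions `search`, `login_roles`, `may_write` and `diagnose` are constructed for the example, and only simple equality filters are supported.

```python
"""Models the two LDAP lookups behind "User ... is not authorized to write"
in ActiveMQ 5.x: the LDAPLoginModule role search at login and the
cachedLDAPAuthorizationMap permission check in AuthorizationBroker.addProducer.
The directory below is a constructed in-memory stand-in, not a live server."""
import re

USER_BASE = "ou=Users,dc=wso2,dc=com"
ROLE_BASE = "ou=Groups,dc=wso2,dc=com"
QUEUE_BASE = "ou=Queue,ou=Destination,ou=ActiveMQ,ou=systems,dc=wso2,dc=com"

# Constructed entries: DN -> attributes. The role group stores its members as
# full DNs, which is what an OpenLDAP groupOfNames normally holds.
DIRECTORY = {
    f"uid=amqadmin,{USER_BASE}": {"uid": ["amqadmin"]},
    f"cn=admins,{ROLE_BASE}": {"cn": ["admins"],
                               "member": [f"uid=amqadmin,{USER_BASE}"]},
    f"cn=TEST.FOO,{QUEUE_BASE}": {"cn": ["TEST.FOO"]},
    f"cn=admin,cn=TEST.FOO,{QUEUE_BASE}": {"cn": ["admin"], "member": [f"cn=admins,{ROLE_BASE}"]},
    f"cn=read,cn=TEST.FOO,{QUEUE_BASE}": {"cn": ["read"], "member": [f"cn=admins,{ROLE_BASE}"]},
    f"cn=write,cn=TEST.FOO,{QUEUE_BASE}": {"cn": ["write"], "member": [f"cn=admins,{ROLE_BASE}"]},
}


def _norm(value):
    """Case- and whitespace-insensitive comparison form for DNs and values."""
    return re.sub(r"\s*,\s*", ",", value.strip()).lower()


def search(base, ldap_filter, subtree):
    """Minimal stand-in for an LDAP search: only equality filters (attr=value),
    which is all the configuration on this page uses. Returns matching DNs."""
    match = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not match:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, wanted = match.group(1).lower(), _norm(match.group(2))
    hits = []
    for dn, attrs in DIRECTORY.items():
        ndn, nbase = _norm(dn), _norm(base)
        if not ndn.endswith("," + nbase):
            continue
        relative = ndn[: -len(nbase) - 1]
        if not subtree and "," in relative:  # one-level scope: one RDN below base
            continue
        if any(_norm(v) == wanted for v in attrs.get(attr, [])):
            hits.append(dn)
    return hits


def login_roles(username, role_search_matching):
    """LDAPLoginModule: locate the user under userBase, then run the role search
    with {0} = user DN and {1} = username (assumed 5.x placeholder semantics).
    Returns None when the user is unknown, else the sorted role names (cn)."""
    users = search(USER_BASE, f"(uid={username})", subtree=False)
    if len(users) != 1:
        return None
    ldap_filter = role_search_matching.replace("{0}", users[0]).replace("{1}", username)
    return sorted(DIRECTORY[dn]["cn"][0] for dn in search(ROLE_BASE, ldap_filter, subtree=True))


def member_to_role(member):
    """cachedLDAPAuthorizationMap with legacyGroupMapping=false: a permission
    entry's member is the role group's DN; the role name is its first RDN value."""
    return member.split(",", 1)[0].split("=", 1)[1]


def may_write(queue, roles):
    """AuthorizationBroker.addProducer: the producer is allowed only if one of the
    user's roles is named by cn=write under the queue's entry in queueSearchBase."""
    perms = search(f"cn={queue},{QUEUE_BASE}", "(cn=write)", subtree=False)
    allowed = {member_to_role(m) for dn in perms for m in DIRECTORY[dn].get("member", [])}
    return bool(allowed & set(roles or []))


def diagnose(username, queue, role_search_matching):
    """Replays login and then the write check, returning what each step produced."""
    roles = login_roles(username, role_search_matching)
    return {"roles": roles, "write": may_write(queue, roles)}


if __name__ == "__main__":
    # The page's own filter against full-DN members: no roles, hence no write.
    print(diagnose("amqadmin", "TEST.FOO", "(member=uid={1})"))
    # A filter that substitutes the user's DN matches the stored member value.
    print(diagnose("amqadmin", "TEST.FOO", "(member={0})"))
```

Run as-is, the first call returns no roles and `write: False` even though the user entry itself was found, so authentication succeeds while authorization fails, which is the combination the trace shows; the second call, whose filter substitutes the user's DN, matches the full-DN member value and is allowed. The general lesson is that the role search and the permission entries must agree on how members are spelled (short `uid=name` versus full DN), and comparing the substituted filter against the member values actually stored in `ou=Groups` (for example with `ldapsearch`) shows which of the two lookups comes back empty.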