Bug 728509

Summary: Specifying username/password in JMS clients should not be mandatory
Product: Red Hat Enterprise MRG
Reporter: Pavel Moravec <pmoravec>
Component: qpid-java
Assignee: Rajith Attapattu <rattapat+nobody>
Status: CLOSED ERRATA
QA Contact: Justin Ross <jross>
Severity: low
Docs Contact:
Priority: medium
Version: 2.0
CC: iboverma, jross, lzhaldyb, mcressma, mtoth, tross
Target Milestone: 3.0
Keywords: EasyFix, Patch, TestCaseProvided
Target Release: ---
Hardware: All
OS: All
Whiteboard:
Fixed In Version: qpid-java-0.22-1.el5, qpid-java-0.22-2.el6
Doc Type: Bug Fix
Doc Text:
It was discovered that the URLParser threw an exception if the username and password were missing from a connection URL. Due to this behavior, it was mandatory to specify a username and password, even if the SASL mechanism chosen did not require them. The URL parser no longer throws an exception if the username or password is missing. Instead, it checks whether the chosen SASL mechanism (selected during connection negotiation) requires them and throws an exception at that point.
Last Closed: 2014-09-24 15:03:10 UTC
Attachments:
Description | Flags
Junit test case | none
patch proposal | none
patch proposal | none
patch proposal | none
Zip file containing test program source and test execution script. | none

Description Pavel Moravec 2011-08-05 11:57:41 UTC
Description of problem:
Section 3.2.2 of the MRG 2.0/programming in Apache Qpid guide says that the username/password in the JNDI connection URL is optional:

amqp://[<user>:<pass>@][<clientid>]<virtualhost>[?<option>='<value>'[&<option>='<value>']]

However, skipping the [<user>:<pass>@] part in a URL leads to an exception being raised.


Version-Release number of selected component (if applicable):
any (tested on MRG-M 2.0)

How reproducible:
100%


Steps to Reproduce:
1. Set auth=no in /etc/qpidd.conf
2. Run connectionURLWithoutUserInfo in attached JUnit test

  
Actual results:
Exception raised:

User information not found on url between indicies 7 and 1 amqp://clientid/test?brokerlist='tcp://localhost:5672' ^
    at org.apache.qpid.url.URLHelper.parseError(URLHelper.java:143)
    at org.apache.qpid.url.URLHelper.parseError(URLHelper.java:138)
    at org.apache.qpid.client.url.URLParser.parseURL(URLParser.java:111)
    at org.apache.qpid.client.url.URLParser.<init>(URLParser.java:42)
    at org.apache.qpid.client.AMQConnectionURL.<init>(AMQConnectionURL.java:63)
    at com.gs.mrg.eval.PLAIN_AuthenticationExample.connectionURLWithoutUserInfo(PLAIN_AuthenticationExample.java:109)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:44)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:41)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
    at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:28)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:274)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:48)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:242)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:58)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:240)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:48)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:233)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:303)
    at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:49)
    at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)


Expected results:
No exception raised, the broker should authenticate the connection request.


Additional info:
-

Comment 1 Pavel Moravec 2011-08-05 12:00:51 UTC
JIRA 3396 created (https://issues.apache.org/jira/browse/QPID-3396).

Comment 2 Pavel Moravec 2012-08-13 13:19:10 UTC
Created attachment 604007
Junit test case

Comment 3 Pavel Moravec 2012-08-13 14:02:52 UTC
Created attachment 604019
patch proposal

Simple patch proposal.

When parsing the connectionURL detects no credentials, don't raise an exception but set the username and password to some dummy-like values.

As the C++ qpid broker deals with anonymous users as "anonymous@QPID" (QPID is the realm), the username is set to "anonymous".

Comment 4 Pavel Moravec 2012-08-13 15:53:44 UTC
Created attachment 604035
patch proposal

New version of the patch. It again sets the username to "anonymous" and the password to "" (only when the credentials are missing), but further:

    * if sasl_mechs is present and not ANONYMOUS, it raises an exception
    * if sasl_mechs is not present, it logs a warning that sasl_mechs is being set to ANONYMOUS (as we assume that no credentials means the ANONYMOUS mechanism, so we have to restrict the client to it)

Comment 6 Rajith Attapattu 2013-03-07 15:58:22 UTC
Added a fix upstream.
http://svn.apache.org/r1453558
http://svn.apache.org/r1453559
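
The behaviour the Doc Text describes (accept a connection URL without user information, then reject only when the negotiated SASL mechanism needs credentials), as an added Java example that is not code from Qpid or from this report. The class and method names are hypothetical, the sample URLs are constructed, and treating PLAIN and CRAM-MD5 as the password-based mechanisms is an assumption.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Added illustration, not Qpid's URLParser; class and method names are hypothetical.
public class OptionalCredentialsDemo {
    // Assumption: mechanisms that need a username/password taken from the URL.
    private static final Set<String> NEEDS_PASSWORD = Set.of("PLAIN", "CRAM-MD5");

    // Parse step: a missing [<user>:<pass>@] part is not an error; null means "absent".
    static String[] parseUserInfo(String url) throws URISyntaxException {
        String userInfo = new URI(url).getUserInfo();
        if (userInfo == null) {
            return null;
        }
        int colon = userInfo.indexOf(':');
        if (colon < 0) {
            throw new URISyntaxException(url, "expected <user>:<pass> before '@'");
        }
        return new String[] { userInfo.substring(0, colon), userInfo.substring(colon + 1) };
    }

    // Negotiation step: fail only if the selected mechanism needs credentials.
    static void checkCredentials(String mechanism, String[] credentials) {
        if (NEEDS_PASSWORD.contains(mechanism) && credentials == null) {
            throw new IllegalStateException(
                "SASL mechanism " + mechanism + " needs a username and password in the URL");
        }
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample URLs; the first is the URL shape from the report.
        String[] urls = {
            "amqp://clientid/test?brokerlist='tcp://localhost:5672'",
            "amqp://guest:guest@clientid/test?brokerlist='tcp://localhost:5672'"
        };
        for (String url : urls) {
            String[] creds = parseUserInfo(url);
            String state = (creds == null) ? "no credentials" : "credentials present";
            for (String mech : new String[] { "ANONYMOUS", "PLAIN" }) {
                try {
                    checkCredentials(mech, creds);
                    System.out.println(state + ", " + mech + ": accepted");
                } catch (IllegalStateException e) {
                    System.out.println(state + ", " + mech + ": " + e.getMessage());
                }
            }
        }
    }
}
```

Only the combination of a URL without user information and the PLAIN mechanism is rejected; the status lines report whether credentials were present rather than echoing the URL, so the password never reaches the output.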

Comment 8 Pavel Moravec 2013-07-29 06:21:34 UTC
How to test with JUnit:

1) install JUnit - either from RPM or download from junit.org or sourceforge.net or so.


2) set CLASSPATH properly, like:
export CLASSPATH=/usr/local/src/junit4.10/junit-4.10.jar:$(find "/usr/share/java/" -name '*.jar' | tr '\n' ":")

Replace the *junit* part by the filename with absolute path to junit JAR (and optionally replace /usr/share/java by path to your JDK).


3) Compile it as usual:
javac -cp "${CLASSPATH}." -sourcepath . CredentialsOptional.java


4) Run the test:
java -cp "${CLASSPATH}." org.junit.runner.JUnitCore CredentialsOptional

Comment 9 Irina Boverman 2013-07-29 20:09:25 UTC
Created attachment 780122
Zip file containing test program source and test execution script.

Comment 12 Rajith Attapattu 2013-09-26 20:38:35 UTC
The fix is in the common code used by both the new and the old client.
Therefore this fix is applicable to the new client as well.

Comment 15 errata-xmlrpc 2014-09-24 15:03:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-1296.html