Bug 728509 - Specifying username/password in JMS clients should not be mandatory
Summary: Specifying username/password in JMS clients should not be mandatory
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-java
Version: 2.0
Hardware: All
OS: All
medium
low
Target Milestone: 3.0
Assignee: Rajith Attapattu
QA Contact: Justin Ross
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-08-05 11:57 UTC by Pavel Moravec
Modified: 2018-12-06 14:39 UTC (History)

Fixed In Version: qpid-java-0.22-1.el5, qpid-java-0.22-2.el6
Doc Type: Bug Fix
Doc Text:
It was discovered that the URLParser threw an exception if the username and password were missing from a connection URL. Due to this behavior, it was mandatory to specify a username and password, even if the SASL mechanism chosen did not require it. The URL parser no longer throws an exception if the username or password is missing. Instead it checks if the chosen SASL mechanism (selected during connection negotiation) requires it and then throws an exception at that point.
Clone Of:
Environment:
Last Closed: 2014-09-24 15:03:10 UTC
Target Upstream Version:
Embargoed:


Attachments
Junit test case (1.50 KB, application/octet-stream), 2012-08-13 13:19 UTC, Pavel Moravec
patch proposal (768 bytes, patch), 2012-08-13 14:02 UTC, Pavel Moravec
patch proposal (2.50 KB, patch), 2012-08-13 15:53 UTC, Pavel Moravec
patch proposal (3.48 KB, patch), 2012-08-17 11:58 UTC, Pavel Moravec
Zip file containing test program source and test execution script. (2.36 KB, application/x-gzip), 2013-07-29 20:09 UTC, Irina Boverman


Links
System ID Private Priority Status Summary Last Updated
Apache JIRA QPID-3396 0 None None None 2012-08-13 14:03:32 UTC
Red Hat Product Errata RHEA-2014:1296 0 normal SHIPPED_LIVE Red Hat Enterprise MRG Messaging 3.0 Release 2014-09-24 19:00:06 UTC

Description Pavel Moravec 2011-08-05 11:57:41 UTC
Description of problem:
Section 3.2.2 of the MRG 2.0/programming in Apache Qpid guide says that the username/password in the JNDI connection URL is optional:

amqp://[<user>:<pass>@][<clientid>]<virtualhost>[?<option>='<value>'[&<option>='<value>']]

However, skipping the [<user>:<pass>@] part in a URL leads to an exception being raised.


Version-Release number of selected component (if applicable):
any (tested on MRG-M 2.0)

How reproducible:
100%


Steps to Reproduce:
1. Set auth=no in /etc/qpidd.conf
2. Run connectionURLWithoutUserInfo in attached JUnit test

  
Actual results:
Exception raised:

User information not found on url between indicies 7 and 1
amqp://clientid/test?brokerlist='tcp://localhost:5672'
       ^
    at org.apache.qpid.url.URLHelper.parseError(URLHelper.java:143)
    at org.apache.qpid.url.URLHelper.parseError(URLHelper.java:138)
    at org.apache.qpid.client.url.URLParser.parseURL(URLParser.java:111)
    at org.apache.qpid.client.url.URLParser.<init>(URLParser.java:42)
    at org.apache.qpid.client.AMQConnectionURL.<init>(AMQConnectionURL.java:63)
    at com.gs.mrg.eval.PLAIN_AuthenticationExample.connectionURLWithoutUserInfo(PLAIN_AuthenticationExample.java:109)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:44)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:41)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
    at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:28)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:274)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:48)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:242)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:58)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:240)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:48)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:233)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:303)
    at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:49)
    at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)


Expected results:
No exception raised, the broker should authenticate the connection request.


Additional info:
-

Comment 1 Pavel Moravec 2011-08-05 12:00:51 UTC
JIRA 3396 created (https://issues.apache.org/jira/browse/QPID-3396).

Comment 2 Pavel Moravec 2012-08-13 13:19:10 UTC
Created attachment 604007 [details]
Junit test case

Comment 3 Pavel Moravec 2012-08-13 14:02:52 UTC
Created attachment 604019 [details]
patch proposal

Simple patch proposal.

When parsing of the connectionURL detects no credentials, don't raise an exception but set the username and password to some dummy-like values.

As the C++ qpid broker deals with anonymous users as "anonymous@QPID" (QPID is the realm), the username is set to "anonymous".

Comment 4 Pavel Moravec 2012-08-13 15:53:44 UTC
Created attachment 604035 [details]
patch proposal

New version of patch. It again sets username to "anonymous" and password to "" (only when the credentials are missing), but further:

    * if sasl_mechs is present and not ANONYMOUS, it raises an exception
    * if sasl_mechs is not present, it logs a warning that sasl_mechs is being set to ANONYMOUS (as we assume that no credentials means the ANONYMOUS mechanism, so we have to restrict the client to it)

Comment 6 Rajith Attapattu 2013-03-07 15:58:22 UTC
Added a fix upstream.
http://svn.apache.org/r1453558
http://svn.apache.org/r1453559
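
Added example (not part of the original report, and not the upstream Qpid change): the behaviour described in the Doc Text, where URL parsing accepts a missing [<user>:<pass>@] part and the credential check runs only once the SASL mechanism is known. The class and method names and the set of password-based mechanisms are assumptions made for this illustration; the second URL is a constructed sample.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Added illustration: all names here are hypothetical, not Qpid's API.
public class OptionalCredentialsDemo {
    // Assumed for this example: mechanisms that need a password from the client.
    static final Set<String> NEEDS_PASSWORD = Set.of("PLAIN", "CRAM-MD5", "DIGEST-MD5");

    // Both fields are null when the URL carries no user-info part.
    record Credentials(String user, String pass) {
        boolean present() { return user != null && pass != null; }
    }

    // Step 1: parsing tolerates a missing [<user>:<pass>@] part instead of throwing.
    static Credentials parse(String url) throws URISyntaxException {
        String userInfo = new URI(url).getUserInfo();
        if (userInfo == null) return new Credentials(null, null);
        int colon = userInfo.indexOf(':');
        if (colon < 0) return new Credentials(userInfo, null);
        return new Credentials(userInfo.substring(0, colon), userInfo.substring(colon + 1));
    }

    // Step 2: the check runs where the negotiated SASL mechanism is known.
    static void checkForMechanism(String mechanism, Credentials c) {
        if (NEEDS_PASSWORD.contains(mechanism) && !c.present()) {
            throw new IllegalArgumentException("SASL mechanism " + mechanism
                + " requires a username and password, none given in the connection URL");
        }
    }

    public static void main(String[] args) throws URISyntaxException {
        String[] urls = {
            "amqp://clientid/test?brokerlist='tcp://localhost:5672'",            // URL from this report
            "amqp://guest:guest@clientid/test?brokerlist='tcp://localhost:5672'" // constructed sample
        };
        for (String url : urls) {
            Credentials c = parse(url);
            for (String mech : new String[] {"ANONYMOUS", "PLAIN"}) {
                try {
                    checkForMechanism(mech, c);
                    System.out.println(mech + " accepted: " + url);
                } catch (IllegalArgumentException e) {
                    System.out.println(mech + " rejected: " + e.getMessage());
                }
            }
        }
    }
}
```

Only the combination of the credential-less URL with PLAIN is rejected, so a client without credentials fails at mechanism selection rather than at URL parsing.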

Comment 8 Pavel Moravec 2013-07-29 06:21:34 UTC
How to test with JUnit:

1) install JUnit - either from RPM or download from junit.org or sourceforge.net or so.


2) set CLASSPATH properly, like:
export CLASSPATH=/usr/local/src/junit4.10/junit-4.10.jar:$(find "/usr/share/java/" -name '*.jar' | tr '\n' ":")

Replace the *junit* part with the absolute path and filename of the JUnit JAR (and optionally replace /usr/share/java with the path to your JDK).


3) Compile it as usual:
javac -cp "${CLASSPATH}." -sourcepath . CredentialsOptional.java


4) Run the test:
java -cp "${CLASSPATH}." org.junit.runner.JUnitCore CredentialsOptional

Comment 9 Irina Boverman 2013-07-29 20:09:25 UTC
Created attachment 780122 [details]
Zip file containing test program source and test execution script.

Comment 12 Rajith Attapattu 2013-09-26 20:38:35 UTC
The fix is in the common code used by both the new and the old client.
Therefore this fix is applicable to the new client as well.

Comment 15 errata-xmlrpc 2014-09-24 15:03:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-1296.html

