[ 
https://issues.apache.org/jira/browse/ARTEMIS-5724?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18062208#comment-18062208
 ] 

Paul Shields commented on ARTEMIS-5724:
---------------------------------------

Hi [~ogust], while ARTEMIS-5163 is similar, it does not resolve our issue in 
that the action fails authorization.  We are using a JWT in the connect message 
to authenticate and authorize with the broker through a custom 
JASSSecurityManager plugin.  The problem is that our client connections to the 
broker are long lived, and if a client loses connection to the broker past the 
JWT expiration date, the custom securityManager that we have written cannot 
obtain a new JWT to deliver the Last Will and Testament. But should it need to, 
if it was authenticated and authorized to create the Last Will and Testament at 
connection?

> MQTT Last Will not sent because denied authorization
> ----------------------------------------------------
>
>                 Key: ARTEMIS-5724
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-5724
>             Project: Artemis
>          Issue Type: New Feature
>    Affects Versions: 2.42.0
>            Reporter: Paul Shields
>            Priority: Major
>
> We are using the Last Will and Testament (LWT) feature of MQTT but are also 
> using JWTs for authentication. We are using a custom JASSSecurityManager 
> plugin for this. The usage of JWT and LWT are competing features, since JWT 
> expires and LWT is intended to alert for unplanned disconnect of long-running 
> connections. We are seeing LWT messages not being sent because the LWT SEND 
> message is being sent after the expiration time of the JWT and Artemis issues 
> an ERROR.
> 2025-10-14 15:07:21,076 WARN  [org.apache.activemq.artemis.core.server] 
> AMQ222216: Security problem while authenticating: AMQ229031: Unable to 
> validate user from 127.0.0.6:36441. Username: x3000c0s11b0n0; SSL certificate 
> subject DN: unavailable
> 2025-10-14 15:07:21,077 ERROR 
> [org.apache.activemq.artemis.core.protocol.mqtt] AMQ834007: Authorization 
> failure sending will message: AMQ229031: Unable to validate user from 
> 127.0.0.6:36441. Username: x3000c0s11b0n0; SSL certificate subject DN: 
> unavailable
> It seems that Artemis is performing the authorization for the LWT when the 
> LWT is being sent and not when the client makes the connection to the broker 
> and the LWT is configured/set for the client.  
> A possible solution is that a feature could be added to Artemis so that LWT 
> are authorized on connect to avoid this kind of problem. This behavior would 
> be off by default so as not to impact existing users.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
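
A toy model of the two authorization timings discussed in this issue (check the will when it is sent, versus check it once at CONNECT), added here as an illustration; it is not Artemis code and not the reporter's plugin. `ToyBroker`, the `authorize_will_on_connect` switch, the `Token` fields, the client name, topic and timestamps are all hypothetical or constructed.

```python
from dataclasses import dataclass

class AuthError(Exception):
    pass

@dataclass(frozen=True)
class Token:
    """Stand-in for a validated JWT: only subject, expiry and SEND rights are modelled."""
    subject: str
    exp: int                  # expiry, seconds on a constructed clock
    send_topics: frozenset    # topics this token may SEND to

def authorize_send(token, topic, now):
    if now >= token.exp:
        raise AuthError("token expired")
    if topic not in token.send_topics:
        raise AuthError("SEND not permitted on " + topic)

class ToyBroker:
    def __init__(self, authorize_will_on_connect=False):  # hypothetical switch, off by default
        self.authorize_will_on_connect = authorize_will_on_connect
        self.delivered, self.errors = [], []

    def connect(self, token, will_topic, will_payload, now):
        if now >= token.exp:
            raise AuthError("token expired")           # authentication at CONNECT
        session = {"token": token, "will": (will_topic, will_payload), "will_ok": False}
        if self.authorize_will_on_connect:
            authorize_send(token, will_topic, now)     # a forbidden will fails the CONNECT
            session["will_ok"] = True
        return session

    def connection_lost(self, session, now):
        topic, payload = session["will"]
        try:
            if not session["will_ok"]:
                authorize_send(session["token"], topic, now)   # check at send time
        except AuthError as err:
            self.errors.append(str(err))
            return False
        self.delivered.append((topic, payload))
        return True

def simulate(authorize_will_on_connect):
    """Connect at t=0 with a token expiring at t=3600; the link drops at t=7200."""
    broker = ToyBroker(authorize_will_on_connect)
    token = Token("client-1", exp=3600, send_topics=frozenset({"status/client-1"}))
    session = broker.connect(token, "status/client-1", b"offline", now=0)
    return broker.connection_lost(session, now=7200), broker.errors

if __name__ == "__main__":
    print(simulate(False))
    print(simulate(True))
```

In the on-connect mode the will's authorization is decided once and outlives the token, which is the trade-off the proposed option makes.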
