ERROR - HiveMQ Enterprise Security Extension: Unhandled exception in Rest API authentication java.lang.IllegalStateException: No authorization-key set
Problem
HiveMQ Enterprise Security Extension is used for the HiveMQ Broker REST API authentication and authorization.
jwt-authentication-manager with JWT Realm is used.
The REST API authentication doesn’t set any authorization-key and hence the authorization fails with the message No authorization-key set:
ERROR - HiveMQ Enterprise Security Extension: Unhandled exception in Rest API authentication
java.lang.IllegalStateException: No authorization-key set
    at com.hivemq.extensions.security.runtime.authenticator.RestApiAuthenticator.lambda$onRequest$0(RestApiAuthenticator.java:122)
    at java.base/java.util.concurrent.CompletableFuture$UniCompose.tryFire(Unknown Source)
    at java.base/java.util.concurrent.CompletableFuture$Completion.run(Unknown Source)
    at com.hivemq.extensions.services.executor.WrappedRunnable.run(WrappedRunnable.java:39)
    at com.codahale.metrics.InstrumentedScheduledExecutorService$InstrumentedRunnable.run(InstrumentedScheduledExecutorService.java:241)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
    at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)
Solution
In the REST API pipeline, the authorization-key is retrieved from the sub claim of the JWT. If the JWT does not contain the sub claim, then the authorization-key is not set.
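A local check for the condition described above, as an added example that is not part of the original article or of HiveMQ's code: it decodes the JWT payload on your own machine, without verifying the signature, and classifies the sub claim. The function names and sample claim sets are constructed for illustration, and treating an empty or non-string sub as a problem is this example's assumption, not documented ESE behaviour.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. The signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    # base64url segments omit '=' padding; restore it before decoding.
    segment = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(segment))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError(f"payload is not base64url-encoded JSON: {exc}") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def check_sub_claim(token: str) -> str:
    """Classify the token's sub claim: missing, not-a-string, empty, present."""
    claims = decode_jwt_payload(token)
    if "sub" not in claims:
        return "missing"
    sub = claims["sub"]
    if not isinstance(sub, str):
        return "not-a-string"
    return "present" if sub.strip() else "empty"


def make_sample_token(claims: dict) -> str:
    """Build a constructed sample token with a placeholder signature."""
    def b64url(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64url({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{b64url(claims)}.c2ln"


if __name__ == "__main__":
    samples = {  # constructed claim sets, not taken from a real provider
        "no sub": {"iss": "https://idp.example", "roles": ["admin"]},
        "with sub": {"iss": "https://idp.example", "sub": "rest-admin"},
        "blank sub": {"iss": "https://idp.example", "sub": ""},
    }
    for label, claims in samples.items():
        print(f"{label}: sub is {check_sub_claim(make_sample_token(claims))}")
```

A result of missing matches the condition behind the No authorization-key set error.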
Using http://jwt.io, check and verify that your JWT really does not include any sub claim.
If you have control over the JWT provider, simply add the sub claim to the JWT.
If you have no control over the JWT provider, force set the authorization key to a random value within the ESE configuration
/opt/hivemq/extensions/hivemq-enterprise-security-extension/conf/config.xml:
<jwt-authentication-manager>
    ...
</jwt-authentication-manager>
<authorization-preprocessors>
    <set-string-preprocessor>
        <variable>authorization-key</variable>
        <value>something</value>
    </set-string-preprocessor>
    <logging-preprocessor>
        <message>
            This is my authorization-key: ${authorization-key}
            This is my authorization-role-key: ${authorization-role-key}
        </message>
        <level>info</level>
        <name>com.example.logger</name>
    </logging-preprocessor>
</authorization-preprocessors>
<file-authorization-manager>
    ...
</file-authorization-manager>
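Set String Preprocessor: This preprocessor sets a specific string variable for authorization purposes. In the configuration above it assigns the same fixed value to authorization-key for every REST API request.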
<set-string-preprocessor>
    <variable>authorization-key</variable>
    <value>something</value>
</set-string-preprocessor>
variable: The name of the variable to set.
value: The value to assign to the variable.