netty-ssl | 这个项目主要是 netty 利用 SSL 做身份认证的例子： myCa | Websocket library

I'm using JMS on a Spring boot client to connect to an ActiveMQ Artemis broker over SSL. The client is able to connect regardless of the validity of the certificates in the truststore and even if invalid credentials are used. How do I ensure that the broker is filtering clients out based on the configured parameters?

The acceptors in the broker.xml are defined as show below. The SSL acceptor uses port 61617.

I'm using ActiveMQ Artemis 2.18.0 and version 2.5.5 of the spring-boot-starter-artemis dependency on a Spring Boot client. In my use case clients are required to communicate with each other via topics. The issue is that the string jms.topic. is getting prefixed to every topic defined on the client. For example the topic foo.sendInfo becomes jms.topic.foo.sendInfo.

The broker.xml file is as shown below. The acceptor used by the Spring Boot client is the netty-ssl-acceptor on port 61617.

There is not much information that I've found in terms of configuration with Netty and Webflux using HTTP2.

I have used similiar configurations in the past without using reactor based spring boot modules, typically spring boot web. I have posted my steps below.

The problem is SSL not working correctly with Netty. Do I require more work in terms of setup? Hoping to get some pointers or examples to understand how to confiure this correctly please.

Generated Certificate

• generate cert valid for local dev usage: mkcert localhost 127.0.0.1

• output: certificate localhost+1.pem key localhost+1-key.pem

• generate keystore with openssl: openssl pkcs12 -export -in localhost+1.pem -inkey localhost+1-key.pem -out keystore.p12 -name localdev

Application Files

application.yaml

We're using ActiveMQ Artemis 2.8.1 with MQTT.

We integrated ActiveMQ Artemis with Wildfly. Consider our server connects using client id SAM on 50 topics. On checking Artemis with JConsole we can see that each client subscription results in a queue whose name follows the pattern _. In my case consider topic as com/api/output which means the subscription queue name will be SAM_com/api/output. Likewise there will be 50 other subscription queues using the same naming pattern (i.e. SAM_).

My findings

Based on my research each queue is used to store messages sent to that topic for each client's subscription. For example, when the same topic (e.g 1/2/3) is subscribed to by 3 different clients (e.g A,B,& C) then there will be 3 subscription queues (i.e. A_1/2/3, B_1/2/3, & C_1/2/3). Therefore when a message is sent to the topic 1/2/3 Artemis will put that messages in the subscription queues A_1/2/3,B_1/2/3, C_1/2/3.

Actual problem

Now same client wants to connect to broker with different client id now (e.g. TOM). My Client initiates connection drop and Artemis also recognizes connection drop, then my client connects to broker with new client id (TOM) for the same 50 topics. Now there will be 100 subscription queue total with each topic having 2 (i.e. one for each clientid - SAM & TOM). I find the reason that SAM queues are maintained because while initiating the connection we use cleanSession as false. So all those subscription queues will be durable, hence the queues are maintained even if the client is disconnected.

When a message is sent to the topic it will be put in two queues (SAM & TOM). Our client is connected to broker with client id TOM so the TOM queue has consumer which results in all the TOM queue messages being consumed by the client. However, the SAM queue accumulates messages and eats up all JVM's heapspace until the server dies.

The purpose of durable queues is to maintain the message even when the client disconnects, but is there any way to tell ActiveMQ Artemis to purge the client's queues and messages if client doesn't show up for certain time period or to purge the messages from the client's subscription queue when client drops the connection?

Our broker.xml