Unable to subscribe to topics after enabling HTTP authentication

Problem description

After enabling HTTP authentication, clients can no longer subscribe to topics.

Environment

  • EMQ X version: 4.2.7
  • Operating system and version: CentOS7
  • Other

Relevant configuration file contents

auth.http.auth_req = http://192.168.200.10:8991/mqtt/auth
## Value: post | get | put
auth.http.auth_req.method = post
## Value: Params
auth.http.auth_req.params = clientid=%c,username=%u,password=%P

##--------------------------------------------------------------------
## Superuser request.
##
## Variables:
##  - %u: username
##  - %c: clientid
##  - %a: ipaddress
##  - %r: protocol
##  - %P: password
##  - %p: sockport of server accepted
##  - %C: common name of client TLS cert
##  - %d: subject of client TLS cert
##
## Value: URL
auth.http.super_req = http://192.168.200.10:8991/mqtt/superuser
## Value: post | get | put
auth.http.super_req.method = post
## Value: Params
auth.http.super_req.params = clientid=%c,username=%u

##--------------------------------------------------------------------
## ACL request.
##
## Variables:
##  - %A: 1 | 2, 1 = sub, 2 = pub
##  - %u: username
##  - %c: clientid
##  - %a: ipaddress
##  - %r: protocol
##  - %m: mountpoint
##  - %t: topic
##
## Value: URL
auth.http.acl_req = http://192.168.200.10:8991/mqtt/acl
## Value: post | get | put
auth.http.acl_req.method = post
## Value: Params
auth.http.acl_req.params = access=%A,username=%u,clientid=%c,ipaddr=%a,topic=%t,mountpoint=%m

##------------------------------------------------------------------------------
## Http Request options

## Time-out time for the http request, 0 is never timeout.
##
## Value: Duration
## -h: hour, e.g. '2h' for 2 hours
## -m: minute, e.g. '5m' for 5 minutes
## -s: second, e.g. '30s' for 30 seconds
##
## Default: 0
## auth.http.request.timeout = 0

## Connection time-out time, used during the initial request
## when the client is connecting to the server
##
## Value: Duration
##
## Default is same with the timeout option
## auth.http.request.connect_timeout = 0

## Re-send http request times
##
## Value: integer
##
## Default: 3
auth.http.request.retry_times = 3

## The interval for re-sending the http request
##
## Value: Duration
##
## Default: 1s
auth.http.request.retry_interval = 1s

## The 'Exponential Backoff' mechanism for re-sending request. The actually
## re-send time interval is `interval * backoff ^ times`
##
## Value: float
##
## Default: 2.0
auth.http.request.retry_backoff = 2.0

Authentication code

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/mqtt")
public class AuthController {

    private static final Logger log = LoggerFactory.getLogger(AuthController.class);

    // [Custom HTTP authentication API] - target of auth.http.auth_req
    @PostMapping("/auth")
    public ResponseEntity<Void> auth(@RequestParam("clientid") String clientid,
                                     @RequestParam("username") String username,
                                     @RequestParam("password") String password) {

        // Note: this writes the plaintext password to the log (debugging only)
        log.info("emqx http认证组件开始调用任务服务完成认证,clientid={},username={},password={}", clientid, username, password);

        // Always returns 200, so every connection is authenticated
        return new ResponseEntity<>(HttpStatus.OK);
    }

    // [Custom ACL authorization rule] - target of auth.http.acl_req
    @PostMapping("/acl")
    public ResponseEntity<Void> acl(@RequestParam("access") int access,
                                    @RequestParam("username") String username,
                                    @RequestParam("clientid") String clientid,
                                    @RequestParam("ipaddr") String ipaddr,
                                    @RequestParam("topic") String topic,
                                    @RequestParam("mountpoint") String mountpoint) {

        log.info("EMQX发起客户端操作授权查询请求,access={},username={},clientid={},ipaddr={},topic={},mountpoint={}",
                access, username, clientid, ipaddr, topic, mountpoint);

        // Always returns 200, so every publish/subscribe is allowed
        return new ResponseEntity<>(HttpStatus.OK);
    }
}

Detailed logs

2021-04-25 09:02:02.248 [warning] <<"test_device1">>@192.168.200.10:11842 [Channel] Cannot publish message to Up1/device_type1/test_device1 due to Not authorized.
2021-04-25 09:02:02.856 [warning] <<"test_device11">>@192.168.200.10:9448 [Channel] Cannot subscribe testtopic/# due to Not authorized.

Related screenshots

You have enabled the HTTP ACL. Check the acl_req entries in the configuration file; if you do not need this feature, comment it out and reload the plugin.
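Since acl_req is what decides every subscribe and publish once it is configured, the ACL endpoint should deny by default rather than answer 200 for everything. The following is an added example, not code from the original post or from EMQ X: a Spring handler for the acl_req parameters shown in the configuration above, with a hypothetical policy (a device may publish only under Up1/<type>/<its own clientid> and subscribe only under Down1/<type>/<its own clientid>). It assumes the plugin treats HTTP 200 as allow and any other status as deny, and the package name is a placeholder.

```java
package com.example.mqtt; // hypothetical package name

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/mqtt")
public class AclController {
    private static final Logger log = LoggerFactory.getLogger(AclController.class);
    private static final int SUB = 1; // %A = 1 (subscribe), per the config comment
    private static final int PUB = 2; // %A = 2 (publish)

    // Assumed contract with emqx_auth_http: 200 => allow, anything else => deny
    @PostMapping("/acl")
    public ResponseEntity<Void> acl(@RequestParam("access") int access,
                                    @RequestParam("username") String username,
                                    @RequestParam("clientid") String clientid,
                                    @RequestParam("ipaddr") String ipaddr,
                                    @RequestParam("topic") String topic,
                                    @RequestParam("mountpoint") String mountpoint) {
        boolean allowed = isAllowed(access, clientid, topic);
        // Log the decision, never credentials
        log.info("acl access={} clientid={} topic={} ipaddr={} -> {}",
                access, clientid, topic, ipaddr, allowed ? "allow" : "deny");
        return allowed ? ResponseEntity.ok().build()
                       : ResponseEntity.status(HttpStatus.FORBIDDEN).build();
    }

    // Hypothetical policy: topics are scoped to the client's own id; default is deny.
    // With this policy test_device1 may publish Up1/device_type1/test_device1,
    // while a subscribe to testtopic/# is rejected (wildcard and wrong prefix).
    static boolean isAllowed(int access, String clientid, String topic) {
        if (clientid == null || clientid.isEmpty()) return false;
        if (topic.contains("#") || topic.contains("+")) return false; // no wildcards
        String[] parts = topic.split("/", -1);
        if (parts.length != 3 || !parts[2].equals(clientid)) return false;
        if (access == PUB) return parts[0].equals("Up1");
        if (access == SUB) return parts[0].equals("Down1");
        return false; // unknown access value
    }
}
```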

Thanks, commenting out the ACL section did fix it. But although I had enabled acl in the configuration file, I had commented it out in the Java code, and with the same configuration and Java code on version 3.0.5 subscribing worked fine. After switching to 4.2.7 it no longer works. Why is that?

Can this HTTP method carry the certificate common name and certificate subject (for TLS connections)?

You can look at this document; it mentions the placeholders corresponding to the TLS certificate Common Name and Subject Name.