java.lang.Exception: Insufficient roles/credentials for operation

I'm using ActiveMQ Artemis 2.16.0 and the management console is based on Hawtio. I've successfully integrated it with Keycloak (OpenID Connect) using this instructions. Now I've upgraded to ActiveMQ Artemis 2.17.0 and it stop working. Hawtio version seems the same:

[io.hawt.jmx.JmxTreeWatcher] Welcome to Hawtio 2.11.0

Since ActiveMQ Artemis is quite easy to upgrade I can easily switch from one version to another. I did it and the logs seems to output the same:

[org.apache.activemq.artemis.core.server] AMQ221001: Apache ActiveMQ Artemis Message Broker version 2.17.0 [node1.some.domain, nodeID=bcf5b788-c0fd-11ea-9c54-0050568bf82b]
[org.apache.activemq.artemis.core.server] AMQ221053: Disallowing use of vulnerable protocol 'SSLv2Hello' on acceptor 'artemis'. See http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html for more details.
[io.hawt.web.plugin.HawtioPlugin] Registering plugin hawtio:type=plugin,name=activemq-branding
[org.apache.activemq.hawtio.branding.PluginContextListener] Initialized activemq-branding plugin
[io.hawt.web.plugin.HawtioPlugin] Registering plugin hawtio:type=plugin,name=artemis-plugin
[org.apache.activemq.hawtio.plugin.PluginContextListener] Initialized artemis-plugin plugin
[io.hawt.HawtioContextListener] Initialising hawtio services
[io.hawt.system.ConfigManager] Failed to look up environment context: null
[io.hawt.system.ConfigManager] Configuration will be discovered via system properties
[io.hawt.jmx.JmxTreeWatcher] Welcome to Hawtio 2.11.0
[io.hawt.system.ConfigManager] Property realm is set to value hawtio
[io.hawt.system.ConfigManager] Property role is set to value null
[io.hawt.system.ConfigManager] Property roles is set to value amq,artemis_admin,artemis_manager,artemis_viewer
[io.hawt.system.ConfigManager] Property rolePrincipalClasses is set to value org.keycloak.adapters.jaas.RolePrincipal
[io.hawt.system.ConfigManager] Property authenticationEnabled is set to value true
[io.hawt.system.ConfigManager] Property noCredentials401 is set to value false
[io.hawt.system.ConfigManager] Property keycloakEnabled is set to value true
[io.hawt.system.ConfigManager] Property authenticationContainerDiscoveryClasses is set to value io.hawt.web.tomcat.TomcatAuthenticationContainerDiscovery
[io.hawt.web.tomcat.TomcatAuthenticationContainerDiscovery] Realm explicit configured hawtio. Apache Tomcat userdata authentication integration not in use.
[io.hawt.web.auth.AuthenticationConfiguration] Starting hawtio authentication filter, JAAS realm: "hawtio" authorized role(s): "amq,artemis_admin,artemis_manager,artemis_viewer" role principal classes: "org.keycloak.adapters.jaas.RolePrincipal"
[io.hawt.system.ConfigManager] Property keycloakClientConfig is set to value file:/opt/artemis-broker/etc/keycloak-client-hawtio.json
[io.hawt.web.filters.ContentSecurityPolicyFilter] Found Keycloak URL: https://auth.some.domain/auth
[io.hawt.system.ConfigManager] Property http.strictTransportSecurity is set to value null
[io.hawt.web.filters.PublicKeyPinningFilter] HTTP Strict Transport Security is disabled
[io.hawt.system.ConfigManager] Property http.publicKeyPins is set to value null
[io.hawt.web.filters.PublicKeyPinningFilter] Public Key Pinning is disabled
[io.hawt.system.ConfigManager] Property sessionTimeout is set to value 1800
[io.hawt.system.ConfigManager] Property disableProxy is set to value false
[io.hawt.system.ConfigManager] Property proxyAllowlist is set to value localhost,
[io.hawt.system.ConfigManager] Property localAddressProbing is set to value true
[io.hawt.system.ProxyAllowlist] Probing local addresses ...
[io.hawt.system.ProxyAllowlist] Initial proxy allowlist: [localhost, 127.0.0.1, 10.3.84.148, node01.some.domain]
[io.hawt.web.servlets.JolokiaConfiguredAgentServlet] Jolokia overridden property: [key=policyLocation, value=file:/opt/artemis-broker/etc/jolokia-access.xml]
[org.apache.activemq.artemis] AMQ241001: HTTP Server started at https://0.0.0.0:8443
[org.apache.activemq.artemis] AMQ241002: Artemis Jolokia REST API available at https://0.0.0.0:8443/console/jolokia
[org.apache.activemq.artemis] AMQ241004: Artemis Console available at https://0.0.0.0:8443/console
[io.hawt.web.auth.SessionExpiryFilter] Accessing [/console/jolokia/], hawtio path is [jolokia]
[io.hawt.web.auth.AuthenticationFilter] Handling request for path /jolokia
[io.hawt.web.auth.AuthenticationFilter] Doing authentication and authorization for path /jolokia
[io.hawt.system.Authenticator] doAuthenticate[realm=hawtio, role=amq,artemis_admin,artemis_manager,artemis_viewer, rolePrincipalClasses=org.keycloak.adapters.jaas.RolePrincipal, configuration=null, username=myuser, password=******]
[org.keycloak.adapters.jaas.BearerTokenLoginModule] Declared options: keycloak-config-file=/export/opt/artemis-broker/etc/keycloak-server-bearer.json, role-principal-class=org.keycloak.adapters.jaas.RolePrincipal
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Using provider 'secret' for authentication of client 'artemis'
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Loaded clientCredentialsProvider secret
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Loaded clientCredentialsProvider jwt
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Loaded clientCredentialsProvider secret-jwt
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Loaded clientCredentialsProvider secret
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Loaded clientCredentialsProvider jwt
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Loaded clientCredentialsProvider secret-jwt
[org.keycloak.adapters.KeycloakDeployment] Resolving URLs from https://auth.some.domain/auth/realms/myrealm/.well-known/openid-configuration
[org.keycloak.adapters.KeycloakDeployment] Loaded URLs from https://auth.some.domain/auth/realms/myrealm/.well-known/openid-configuration
[org.keycloak.adapters.rotation.JWKPublicKeyLocator] Realm public keys successfully retrieved for client artemis. New kids: [kkFaKnnudVd5UxaVISthQL6VgTRIKYCUGanBKIiGGZg, kyipLFJfqsg9TxC94XAXy4VahWRbDRD0F_spMHJzhzk]
[io.hawt.system.Authenticator] Looking for rolePrincipalClass: org.keycloak.adapters.jaas.RolePrincipal
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.KeycloakPrincipal toString: 771b46db-5e22-4318-8ef3-0ffd4b10d223
[io.hawt.system.Authenticator] principal class org.keycloak.KeycloakPrincipal doesn't match org.keycloak.adapters.jaas.RolePrincipal, continuing
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.adapters.jaas.RolePrincipal toString: amq
[io.hawt.system.Authenticator] Matched role and role principal class
[io.hawt.web.auth.SessionExpiryFilter] Accessing [/console/jolokia/], hawtio path is [jolokia]
[io.hawt.web.auth.AuthenticationFilter] Handling request for path /jolokia
[io.hawt.web.auth.AuthenticationFilter] Doing authentication and authorization for path /jolokia
[io.hawt.system.Authenticator] doAuthenticate[realm=hawtio, role=amq,artemis_admin,artemis_manager,artemis_viewer, rolePrincipalClasses=org.keycloak.adapters.jaas.RolePrincipal, configuration=null, username=myuser, password=******]
[org.keycloak.adapters.jaas.BearerTokenLoginModule] Declared options: keycloak-config-file=/export/opt/artemis-broker/etc/keycloak-server-bearer.json, role-principal-class=org.keycloak.adapters.jaas.RolePrincipal
[io.hawt.system.Authenticator] Looking for rolePrincipalClass: org.keycloak.adapters.jaas.RolePrincipal
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.KeycloakPrincipal toString: 771b46db-5e22-4318-8ef3-0ffd4b10d223
[io.hawt.system.Authenticator] principal class org.keycloak.KeycloakPrincipal doesn't match org.keycloak.adapters.jaas.RolePrincipal, continuing
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.adapters.jaas.RolePrincipal toString: amq
[io.hawt.system.Authenticator] Matched role and role principal class
[io.hawt.web.auth.SessionExpiryFilter] Accessing [/console/jolokia/], hawtio path is [jolokia]
[io.hawt.web.auth.AuthenticationFilter] Handling request for path /jolokia
[io.hawt.web.auth.AuthenticationFilter] Doing authentication and authorization for path /jolokia
[io.hawt.system.Authenticator] doAuthenticate[realm=hawtio, role=amq,artemis_admin,artemis_manager,artemis_viewer, rolePrincipalClasses=org.keycloak.adapters.jaas.RolePrincipal, configuration=null, username=myuser, password=******]
[org.keycloak.adapters.jaas.BearerTokenLoginModule] Declared options: keycloak-config-file=/export/opt/artemis-broker/etc/keycloak-server-bearer.json, role-principal-class=org.keycloak.adapters.jaas.RolePrincipal
[io.hawt.system.Authenticator] Looking for rolePrincipalClass: org.keycloak.adapters.jaas.RolePrincipal
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.KeycloakPrincipal toString: 771b46db-5e22-4318-8ef3-0ffd4b10d223
[io.hawt.system.Authenticator] principal class org.keycloak.KeycloakPrincipal doesn't match org.keycloak.adapters.jaas.RolePrincipal, continuing
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.adapters.jaas.RolePrincipal toString: amq
[io.hawt.system.Authenticator] Matched role and role principal class

and I'm using these parameters:

-Dhawtio.authenticationEnabled=true 
-Dhawtio.offline=true -Dhawtio.realm=hawtio 
-Dhawtio.keycloakEnabled=true -Dhawtio.roles=amq,artemis_admin,artemis_manager,artemis_viewer 
-Dhawtio.rolePrincipalClasses=org.keycloak.adapters.jaas.RolePrincipal 
-Dhawtio.keycloakClientConfig=${ARTEMIS_INSTANCE_ETC_URI}keycloak-client-hawtio.json 
-Dhawtio.keycloakServerConfig=${ARTEMIS_INSTANCE_ETC}/keycloak-server-bearer.json 
-Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml

and the management.xml is:

     ...
      <role-access>
         <match domain="org.apache.activemq.artemis">
            <access method="list*" roles="amq,artemis_admin"/>
            <access method="get*" roles="amq,artemis_admin"/>
            <access method="is*" roles="amq,artemis_admin"/>
            <access method="set*" roles="amq,artemis_admin"/>
            <access method="*" roles="amq,artemis_admin"/>
         </match>
        ...

But seems the role that comes from OpenID Connect doesn't match it. Any ideas? If you need more config details I can add here.


Since ActiveMQ Artemis 2.18 the integration with third-party login modules has improved, see ARTEMIS-3168.

A good example is available at https://github.com/apache/activemq-artemis/tree/2.20.0/examples/features/standard/security-keycloak