NIFI-15647 Add SSL configuration support for ActiveMQ Artemis JMS connections #10936
Closed
Chaffelson wants to merge 3 commits into apache:main from
Also should complete https://issues.apache.org/jira/browse/NIFI-13522
79a5e58 to
dd18e7d
Compare
…nections JMSConnectionFactoryHandler now augments the broker URL with SSL transport parameters (sslEnabled, trustStorePath, keyStorePath, etc.) when an SSLContextService is configured and the connection factory implementation is ActiveMQ Artemis. Previously, Artemis SSL settings were silently ignored because Artemis does not expose bean-style SSL setters like Classic ActiveMQ.
dd18e7d to
0d97dce
Compare
- URL-encode all query parameter values appended to broker URL, matching
Artemis URISupport.parseQuery() which applies URLDecoder.decode()
- Replace fragile brokerUrl.contains("sslEnabled=") with regex check
that only matches actual query parameters: [?&]sslEnabled=
- Build dynamic log message listing only parameters actually configured
instead of a static list
- Add Javadoc noting password-in-URL tradeoff inherent to Artemis
transport configuration model
- Revert unrelated changes: restore SSLContext shared variable, import,
IBM MQ comment, and two broker URI parsing comments to match upstream
- Add comment on org.apache.activemq prefix match noting it covers both
Classic ActiveMQ and Artemis
- Add test for URL-special characters in passwords and file paths
- Add test for early return when JMS_BROKER_URI is not set
- Add non-SSL Artemis broker routing test
- Mark test local variables final per NiFi code style
- Mock createContext() in Artemis tests for restored SSLContext variable
…th SSLContextService Reject configuration at validation time when an SSLContextService is configured on an Artemis connection factory but the broker URI contains sslEnabled=false. This prevents a confusing failure where trust/key store parameters are appended to the URL but SSL remains disabled. Also adds test for broker URLs with pre-existing query parameters to verify correct separator handling.
pvillard31
approved these changes
Feb 26, 2026
Summary

When an SSLContextService is configured on a JMSConnectionFactoryProvider using ActiveMQ Artemis, the trust store and key store settings are silently ignored. This causes AMQ219007 connection failures against SSL-enabled Artemis brokers.

Unlike Classic ActiveMQ which exposes bean-style setters (setTrustStore, etc.), Artemis parses SSL configuration from query-string parameters on the broker URL (sslEnabled, trustStorePath, trustStorePassword, etc.).

Because the Artemis package prefix (org.apache.activemq.artemis) matches the existing Classic ActiveMQ check (org.apache.activemq), the handler falls into the wrong branch and the reflection-based setters silently fail.

This change adds Artemis-specific handling in JMSConnectionFactoryHandler that augments the broker URL with SSL transport parameters from the SSLContextService. The Artemis check is ordered before the Classic ActiveMQ check to ensure correct prefix matching.

Changes

- JMSConnectionFactoryHandler.java: Added configureArtemisSSL() method and Artemis-specific branch in SSL configuration section
- JMSConnectionFactoryProviderTest.java: Added unit tests for Artemis SSL URL construction

Testing

sslEnabled param, trust-only and trust+key store scenarios)

Related Issues

ClassCastException from using wrong factory class)
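The broker URL handling described in the summary and commit messages above, as an added sketch that is not the code from this pull request: it URL-encodes each appended value, detects sslEnabled only as a real query parameter, picks the right separator, and rejects sslEnabled=false. The class and method names, the broker host and the store values are constructed for illustration, and masking password values before logging is an assumption of this example.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Illustration only: hypothetical names, not NiFi's JMSConnectionFactoryHandler.
public class ArtemisSslUrlExample {
    // Matches sslEnabled only when it is an actual query parameter ([?&] prefix).
    private static final Pattern SSL_ENABLED = Pattern.compile("[?&]sslEnabled=([^&]*)");

    static String augment(String brokerUrl, Map<String, String> sslParams) {
        Matcher m = SSL_ENABLED.matcher(brokerUrl);
        boolean present = m.find();
        if (present && "false".equalsIgnoreCase(m.group(1))) {
            // Appending store parameters would have no effect while SSL stays disabled.
            throw new IllegalArgumentException("sslEnabled=false conflicts with configured SSL settings");
        }
        StringBuilder sb = new StringBuilder(brokerUrl);
        char sep = brokerUrl.contains("?") ? '&' : '?';
        if (!present) {
            sb.append(sep).append("sslEnabled=true");
            sep = '&';
        }
        for (Map.Entry<String, String> e : sslParams.entrySet()) {
            // Encode values so '&', '=', '?', '#' and spaces survive URLDecoder.decode().
            sb.append(sep).append(e.getKey()).append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = '&';
        }
        return sb.toString();
    }

    // Store passwords end up in the URL, so mask them before the URL reaches a log.
    static String redact(String url) {
        return url.replaceAll("(?i)(Password=)[^&]*", "$1****");
    }

    public static void main(String[] args) {
        Map<String, String> ssl = new LinkedHashMap<>(); // constructed sample values
        ssl.put("trustStorePath", "/opt/certs/trust store.p12");
        ssl.put("trustStorePassword", "p&ss=w?rd#1");
        String url = augment("tcp://broker.example:61616?ha=true", ssl);
        System.out.println(redact(url));
    }
}
```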