This closes #1923

artemis-protocols/artemis-openwire-protocol/src/main/java/org/apache/activemq/artemis/core/protocol/openwire/OpenWireConnection.java

@@ -80,7 +80,6 @@ import org.apache.activemq.artemis.core.transaction.TransactionOperationAbstract
 import org.apache.activemq.artemis.core.transaction.TransactionPropertyIndexes;
 import org.apache.activemq.artemis.spi.core.protocol.AbstractRemotingConnection;
 import org.apache.activemq.artemis.spi.core.protocol.ConnectionEntry;
-import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;
 import org.apache.activemq.artemis.spi.core.remoting.Connection;
 import org.apache.activemq.artemis.utils.UUIDGenerator;
 import org.apache.activemq.artemis.utils.collections.ConcurrentHashSet;
@@ -227,7 +226,7 @@ public class OpenWireConnection extends AbstractRemotingConnection implements Se
 
    // SecurityAuth implementation
    @Override
-   public RemotingConnection getRemotingConnection() {
+   public OpenWireConnection getRemotingConnection() {
       return this;
    }
 
@@ -989,7 +988,7 @@ public class OpenWireConnection extends AbstractRemotingConnection implements Se
    public void removeDestination(ActiveMQDestination dest) throws Exception {
       if (dest.isQueue()) {
          try {
-            server.destroyQueue(new SimpleString(dest.getPhysicalName()));
+            server.destroyQueue(new SimpleString(dest.getPhysicalName()), getRemotingConnection());
          } catch (ActiveMQNonExistentQueueException neq) {
             //this is ok, ActiveMQ 5 allows this and will actually do it quite often
             ActiveMQServerLogger.LOGGER.debug("queue never existed");

artemis-protocols/artemis-openwire-protocol/src/main/java/org/apache/activemq/artemis/core/protocol/openwire/amq/AMQSession.java

@@ -249,7 +249,7 @@ public class AMQSession implements SessionCallback {
                         routingTypeToUse = as.getDefaultAddressRoutingType();
                      }
                   }
-                  server.createQueue(addressToUse, routingTypeToUse, queueNameToUse, null, true, isTemporary);
+                  coreSession.createQueue(addressToUse, queueNameToUse, routingTypeToUse, null, isTemporary, true);
                   connection.addKnownDestination(queueName);
                } else {
                   hasQueue = false;

tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java

@@ -16,10 +16,6 @@
  */
 package org.apache.activemq.artemis.tests.integration.security;
 
-import javax.jms.Session;
-import javax.security.cert.X509Certificate;
-import javax.transaction.xa.XAResource;
-import javax.transaction.xa.Xid;
 import java.lang.management.ManagementFactory;
 import java.net.URL;
 import java.util.HashMap;
@@ -27,6 +23,13 @@ import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 
+import javax.jms.MessageProducer;
+import javax.jms.QueueBrowser;
+import javax.jms.Session;
+import javax.security.cert.X509Certificate;
+import javax.transaction.xa.XAResource;
+import javax.transaction.xa.Xid;
+
 import org.apache.activemq.ActiveMQConnection;
 import org.apache.activemq.ActiveMQSslConnectionFactory;
 import org.apache.activemq.artemis.api.core.ActiveMQException;
@@ -60,6 +63,7 @@ import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager2;
 import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3;
 import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
 import org.apache.activemq.artemis.tests.util.CreateMessage;
+import org.apache.activemq.command.ActiveMQQueue;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Ignore;
@@ -220,6 +224,119 @@ public class SecurityTest extends ActiveMQTestBase {
       }
    }
 
+   /**
+    * Verify role permissions are applied properly when using OpenWire
+    *
+    * @throws Exception
+    */
+   @Test
+   public void testJAASSecurityManagerOpenWireNegative() throws Exception {
+      ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("CertLogin");
+      ActiveMQServer server = addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true), ManagementFactory.getPlatformMBeanServer(), securityManager, false));
+
+      Set<Role> roles = new HashSet<>();
+      roles.add(new Role("programmers", false, false, false, false, false, false, false, false, false, false));
+      server.getConfiguration().putSecurityRoles("#", roles);
+
+      Map<String, Object> params = new HashMap<>();
+      params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+      params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
+      params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
+      params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
+      params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+      params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
+
+      server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
+      server.start();
+
+      ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory("ssl://localhost:61616");
+      factory.setUserName("test-user");
+      factory.setTrustStore("client-side-truststore.jks");
+      factory.setTrustStorePassword("secureexample");
+      factory.setKeyStore("client-side-keystore.jks");
+      factory.setKeyStorePassword("secureexample");
+
+      try (ActiveMQConnection connection = (ActiveMQConnection) factory.createConnection()) {
+         Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+
+         //Test queue creation permission
+         try {
+            session.createConsumer(session.createQueue("test.queue"));
+            Assert.fail("should throw exception here");
+         } catch (Exception e) {
+            assertTrue(e.getMessage().contains("User: test-user does not have permission='CREATE_DURABLE_QUEUE' for queue test.queue on address test.queue"));
+         }
+
+         //Test non durable create permission
+         try {
+            session.createConsumer(session.createTopic("test.topic"));
+            Assert.fail("should throw exception here");
+         } catch (Exception e) {
+            assertTrue(e.getMessage().contains("User: test-user does not have permission='CREATE_NON_DURABLE_QUEUE'"));
+         }
+
+         //Add a test queue and topic to the server
+         SimpleString address = SimpleString.toSimpleString("test.queue");
+         server.addAddressInfo(new AddressInfo(address, RoutingType.ANYCAST));
+         server.createQueue(address, RoutingType.ANYCAST, address, null, true, false);
+
+         SimpleString address2 = SimpleString.toSimpleString("test.topic");
+         server.addAddressInfo(new AddressInfo(address2, RoutingType.MULTICAST));
+
+         //Test queue produce permission
+         try {
+            MessageProducer producer = session.createProducer(session.createQueue("test.queue"));
+            producer.send(session.createMessage());
+            Assert.fail("should throw exception here");
+         } catch (Exception e) {
+            assertTrue(e.getMessage().contains("User: test-user does not have permission='SEND'"));
+         }
+
+         //Test queue consume permission
+         try {
+            session.createConsumer(session.createQueue("test.queue"));
+            Assert.fail("should throw exception here");
+         } catch (Exception e) {
+            assertTrue(e.getMessage().contains("User: test-user does not have permission='CONSUME' for queue test.queue on address test.queue"));
+         }
+
+         //Test queue browse permission
+         try {
+            QueueBrowser browser = session.createBrowser(session.createQueue("test.queue"));
+            browser.getEnumeration();
+            Assert.fail("should throw exception here");
+         } catch (Exception e) {
+            assertTrue(e.getMessage().contains("User: test-user does not have permission='BROWSE' for queue test.queue on address test.queue"));
+         }
+
+         //Test queue deletion permission
+         try {
+            connection.destroyDestination(new ActiveMQQueue("test.queue"));
+            Assert.fail("should throw exception here");
+         } catch (Exception e) {
+            assertTrue(e.getMessage().contains("User: test-user does not have permission='DELETE_DURABLE_QUEUE' for queue test.queue on address test.queue"));
+         }
+
+         //Test temp queue
+         try {
+            session.createTemporaryQueue();
+            Assert.fail("should throw exception here");
+         } catch (Exception e) {
+            assertTrue(e.getMessage().contains("User: test-user does not have permission='CREATE_NON_DURABLE_QUEUE'"));
+         }
+
+         //Test temp topic
+         try {
+            session.createTemporaryTopic();
+            Assert.fail("should throw exception here");
+         } catch (Exception e) {
+            assertTrue(e.getMessage().contains("User: test-user does not have permission='CREATE_ADDRESS'"));
+         }
+
+         session.close();
+      }
+   }
+
    @Test
    public void testJAASSecurityManagerAuthenticationBadPassword() throws Exception {
       ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("PropertiesLogin");