ARTEMIS-3892 fix tests, add docs

artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ServerSessionImpl.java

@@ -1996,7 +1996,11 @@ public class ServerSessionImpl implements ServerSession, FailureListener {
 
    @Override
    public String getValidatedUser() {
-      return validatedUser;
+      /*
+       * Security is often disabled in tests so if the validated user is null
+       * then just return the username supplied directly from the client.
+       */
+      return validatedUser != null ? validatedUser : username;
    }
 
    @Override

docs/user-manual/en/versions.md

@@ -16,12 +16,26 @@ Highlights:
 
 #### Upgrading from older versions
 
-Due to [ARTEMIS-3851](https://issues.apache.org/jira/browse/ARTEMIS-3851) the queue
-created for an MQTT 3.x subscriber using `CleanSession=1` is now **non-durable**
-rather than durable. This may impact `security-settings` for MQTT clients which
-previously only had `createDurableQueue` for their role. They will now need
-`createNonDurableQueue` as well. Again, this only has potential impact for MQTT 3.x
-clients using `CleanSession=1`.
+ 1. Due to [ARTEMIS-3851](https://issues.apache.org/jira/browse/ARTEMIS-3851) 
+    the queue created for an MQTT 3.x subscriber using `CleanSession=1` is now
+    **non-durable** rather than durable. This may impact `security-settings`
+    for MQTT clients which previously only had `createDurableQueue` for their
+    role. They will now need `createNonDurableQueue` as well. Again, this only
+    has potential impact for MQTT 3.x clients using `CleanSession=1`.
+ 2. Due to [ARTEMIS-3892](https://issues.apache.org/jira/browse/ARTEMIS-3892)
+    the username assigned to queues will be based on the **validated** user
+    rather than just the username submitted by the client application. This
+    will impact use-cases like the following:
+    1. When `login.config` is configured with the [`GuestLoginModule`](security.md#guestloginmodule)
+       which causes some users to be assigned a specific username and role
+       during the authentication process. 
+    2. When `login.config` is configured with the [`CertificateLoginModule`](security.md#certificateloginmodule)
+       which causes users to be assigned a username and role corresponding to
+       the subject DN from their SSL certificate.
+    
+    In these kinds of situations the broker will use this assigned (i.e. 
+    validated) username for any queues created with the connection. In the past
+    the queue's username would have been left blank.
 
 ## 2.23.1
 [Full release notes](https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12351846&projectId=12315920)

tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/ActiveMQServerControlTest.java

@@ -2929,7 +2929,7 @@ public class ActiveMQServerControlTest extends ManagementTestBase {
       Assert.assertNotEquals("consumerCount", "", array.getJsonObject(0).getString("consumerCount"));
       Assert.assertEquals("maxConsumers", "-1", array.getJsonObject(0).getString("maxConsumers"));
       Assert.assertEquals("autoCreated", "false", array.getJsonObject(0).getString("autoCreated"));
-      Assert.assertEquals("user", "", array.getJsonObject(0).getString("user"));
+      Assert.assertEquals("user", "guest", array.getJsonObject(0).getString("user"));
       Assert.assertNotEquals("routingType", "", array.getJsonObject(0).getString("routingType"));
       Assert.assertEquals("messagesAdded", "0", array.getJsonObject(0).getString("messagesAdded"));
       Assert.assertEquals("messageCount", "0", array.getJsonObject(0).getString("messageCount"));