From 514b3cb858518726bd64d658feb33a8106b1ff1b Mon Sep 17 00:00:00 2001 From: gchuf Date: Thu, 16 Apr 2026 10:25:39 +0200 Subject: [PATCH 1/2] ARTEMIS-6010 - remove if authorized check for trace log --- .../spi/core/security/ActiveMQBasicSecurityManager.java | 7 ++----- .../spi/core/security/ActiveMQJAASSecurityManager.java | 6 +----- 2 files changed, 3 insertions(+), 10 deletions(-) diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQBasicSecurityManager.java b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQBasicSecurityManager.java index fb52093bc47..3ff7e54e219 100644 --- a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQBasicSecurityManager.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQBasicSecurityManager.java @@ -108,11 +108,8 @@ public boolean authorize(final Subject subject, final CheckType checkType, final String address) { boolean authorized = SecurityManagerUtil.authorize(subject, roles, checkType, RolePrincipal.class); - if (authorized) { - logger.trace("user is authorized"); - } else { - logger.trace("user is NOT authorized"); - } + + logger.trace("user is authorized: {}", authorized); return authorized; } diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java index a0aaed7641c..c31fa48423b 100644 --- a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java 
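Review bot: The new trace line `logger.trace("user is authorized: {}", authorized);` records the outcome but not which check produced it, so a denial cannot be tied to an address or permission from the log alone. `checkType` and `address` are parameters of this method, so the line could read `logger.trace("authorize checkType={} address={} authorized={}", checkType, address, authorized);`. The same applies to the identical line added in ActiveMQJAASSecurityManager.authorize, where both names appear to be in scope as well. The method's signature begins above the hunk in both files, and the empty `+` line before the log call appears only in ActiveMQBasicSecurityManager, so dropping it would keep the two methods identical.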
@@ -116,11 +116,7 @@ public boolean authorize(final Subject subject, final String address) { boolean authorized = SecurityManagerUtil.authorize(subject, roles, checkType, rolePrincipalClass); - if (authorized) { - logger.trace("user is authorized"); - } else { - logger.trace("user is NOT authorized"); - } + logger.trace("user is authorized: {}", authorized); return authorized; } From 905731bcb1661d098140002b874ed8b897449ff3 Mon Sep 17 00:00:00 2001 From: gchuf Date: Thu, 16 Apr 2026 10:26:18 +0200 Subject: [PATCH 2/2] ARTEMIS-6010 - Improve roles checking in authorize call --- .../artemis/utils/SecurityManagerUtil.java | 20 +++++++------------ 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/utils/SecurityManagerUtil.java b/artemis-server/src/main/java/org/apache/activemq/artemis/utils/SecurityManagerUtil.java index bda8d367855..6ec9bbcffd7 100644 --- a/artemis-server/src/main/java/org/apache/activemq/artemis/utils/SecurityManagerUtil.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/utils/SecurityManagerUtil.java @@ -21,7 +21,6 @@ import java.lang.reflect.Method; import java.security.Principal; import java.util.HashSet; -import java.util.Iterator; import java.util.Set; import org.apache.activemq.artemis.core.security.CheckType; 
@@ -114,31 +113,26 @@ public int hashCode() { * This method tries to match the RolePrincipals in the Subject with the provided Set of Roles and CheckType */ public static boolean authorize(final Subject subject, final Set roles, final CheckType checkType, final Class rolePrincipalClass) { - boolean authorized = false; if (subject != null) { Set rolesWithPermission = getPrincipalsInRole(checkType, roles, rolePrincipalClass); // Check the caller's roles - Set rolesForSubject = new HashSet<>(); + Set rolesForSubject; try { - rolesForSubject.addAll(subject.getPrincipals(rolePrincipalClass)); + rolesForSubject = subject.getPrincipals(rolePrincipalClass); } catch (Exception e) { ActiveMQServerLogger.LOGGER.failedToFindRolesForTheSubject(e); + return false; } if (!rolesForSubject.isEmpty() && !rolesWithPermission.isEmpty()) { - Iterator rolesForSubjectIter = rolesForSubject.iterator(); - while (!authorized && rolesForSubjectIter.hasNext()) { - Iterator rolesWithPermissionIter = rolesWithPermission.iterator(); - Principal subjectRole = rolesForSubjectIter.next(); - while (!authorized && rolesWithPermissionIter.hasNext()) { - Principal roleWithPermission = rolesWithPermissionIter.next(); - authorized = subjectRole.equals(roleWithPermission); + for (Principal subjectRole : rolesForSubject) { + if (rolesWithPermission.contains(subjectRole)) { + return true; } } } } - - return authorized; + return false; } }
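Review bot: The new match `rolesWithPermission.contains(subjectRole)` depends on the principal class keeping `hashCode()` consistent with `equals()` if `rolesWithPermission` is hash-based (its construction in `getPrincipalsInRole` is outside the hunk), whereas the removed nested loop called only `subjectRole.equals(roleWithPermission)`. Because `rolePrincipalClass` is a parameter, a principal type that overrides `equals` alone would now be denied where it previously matched; the failure direction is deny, but it is a behaviour change in an authorization path and deserves a comment above the loop, for example `// relies on rolePrincipalClass implementing equals() and hashCode() consistently`. The diffstat for this patch lists only SecurityManagerUtil.java, so a test covering a subject with several roles and the `getPrincipals` exception path (now an explicit `return false`) would be worth adding alongside. The `!rolesForSubject.isEmpty() && !rolesWithPermission.isEmpty()` guard is now redundant, since iterating an empty set or calling `contains` on one already yields no match.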