activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nikola Goran Cutura (JIRA)" <j...@apache.org>
Subject [jira] Commented: (AMQ-826) LDAP based authorization support
Date Wed, 25 Oct 2006 22:02:02 GMT
    [ https://issues.apache.org/activemq/browse/AMQ-826?page=comments#action_37283 ] 
            
Nikola Goran Cutura commented on AMQ-826:
-----------------------------------------

Thanks for wildcard link. I did not implement '*', I'll finish it as well. Is it possible
to have kind of regular expression like STOCKS.PRICE.NYSE.*BM ?

Regarding composite destinations, I would like your attention:

Union of ACLs means that if a user has privilege on at least one destination, all destinations
will allow operation.
Intersection of ACLs means that if a user lacks privilege on at least one destination, no
destination will allow operation.

I'll produce a test to verify this but my point is that current implementation of union is
a security leak (if my understanding is correct). Suppose that a guest user wants to read
from a destination not authorized for guests, say destination USERS.SECRET. A guest may create
a destination in GUEST space with all necessary privileges, say GUEST.ALLOW. Now, the user
creates a composite destination (GUEST.ALLOW, USERS.SECRET) and attempts an operation:

Case UNION: as operation is permitted on GUEST.ALLOW it is sufficient for composite destination;
operation is performed on both destinations in spite of the fact that user is not authorized
for the other.

Case INTERSECTION: as operation is NOT permitted on USERS.SECRET no operation is attempted
on composite destination.

Now, maybe I got it wrong but the method 'getXXXXXACLs()' in DefaultAuthorizationMap is pretty
clear - it adds all ACLs from all entries...

> LDAP based authorization support
> --------------------------------
>
>                 Key: AMQ-826
>                 URL: https://issues.apache.org/activemq/browse/AMQ-826
>             Project: ActiveMQ
>          Issue Type: Improvement
>            Reporter: james strachan
>         Assigned To: Nikola Goran Cutura
>         Attachments: LdapAuth.zip
>
>
> Patch kindly added by ngcutura - discussion thread...
> http://www.nabble.com/LDAP-Authorization-tf1851705.html#a5344494

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/activemq/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message