activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gary Tully (JIRA)" <>
Subject [jira] Issue Comment Edited: (AMQ-3211) JMSXUserId Can be spoofed by client
Date Fri, 11 Mar 2011 11:08:59 GMT


Gary Tully edited comment on AMQ-3211 at 3/11/11 11:07 AM:

there is an additional broker attribute: useAuthenticatedPrincipalForJMSXUserID which will
ensure that the authenticated principal is placed in the JMSXUserId, such that it is explicitly
set or overridden in the authenticated case. 

      was (Author: gtully):
    new broker attribute: useAuthenticatedPrincipalForJMSXUserID which will ensure user id
"guest" ends up in JMSXUserID
> JMSXUserId Can be spoofed by client
> -----------------------------------
>                 Key: AMQ-3211
>                 URL:
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.4.2
>            Reporter: Michael Steiner
>            Assignee: Gary Tully
>             Fix For: 5.5.0
>         Attachments: JMSXUserID-bug.conf-src.tar.bz2, JMSXUserID-bug.diff
> It seems the JMSXUserId can be spoofed by client contrary to what
> My test setup is populateJMSXUserID="true set in a single broker, a JAAS config org.apache.activemq.jaas.TextFileCertificateLoginModule
and using mutual auth SSL (i.e., ?needClientAuth=true for transportConnector setup), and a
single consumer and producer based on small modifications of the ConsumerTool and ProducerTool
examples in the 5.4.2 distro.  See attached the changes to the distro package to demonstrate
the bug. Just do
> 1. run apache-activemq-5.4.2/bin/activemq-admin start
> 2. in apache-activemq-5.4.2/example run ant consumer -Durl=ssl://localhost:61617 -Dmax=3
> 3. in another shell in apache-activemq-5.4.2/example run ant producer -Durl=ssl://localhost:61617
-Dmax=3 -Dverbose=true
> 4. look at the output of the consumer for the properties printed after each received
message (the producer spoofs only on even numbered messages)
> When the client does not set the property, then i get the properly authenticated DN as
JMSXUserID using message.getStringProperty("JMSXUserID"). However, when the client sets it,
i get the value set by the client.  The only difference i notice is that in the former case,
message.getPropertyNames() does not return JMSXUserID whereas in the spoofed case it does.

> i wonder whether in the context of or (which interestingly doesn't list JMSXUserID
as supported in a comment even though it is?) something got messed up?

This message is automatically generated by JIRA.
For more information on JIRA, see:

View raw message