activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Steiner (JIRA)" <j...@apache.org>
Subject [jira] Updated: (AMQ-3211) JMSXUserId Can be spoofed by client
Date Wed, 09 Mar 2011 15:30:59 GMT

     [ https://issues.apache.org/jira/browse/AMQ-3211?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Michael Steiner updated AMQ-3211:
---------------------------------

    Attachment: JMSXUserID-bug.conf-src.tar.bz2

The files from apache-activemq-5.4.2/conf and apache-activemq-5.4.2/examples which include
all changes i've done to demonstrate problem (see for comments with MSTEINER in it ...)

> JMSXUserId Can be spoofed by client
> -----------------------------------
>
>                 Key: AMQ-3211
>                 URL: https://issues.apache.org/jira/browse/AMQ-3211
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.4.2
>            Reporter: Michael Steiner
>         Attachments: JMSXUserID-bug.conf-src.tar.bz2
>
>
> It seems the JMSXUserId can be spoofed by client contrary to what http://activemq.apache.org/jmsxuserid.html
says.
> My test setup is populateJMSXUserID="true set in a single broker, a JAAS config org.apache.activemq.jaas.TextFileCertificateLoginModule
and using mutual auth SSL (i.e., ?needClientAuth=true for transportConnector setup), and a
single consumer and producer based on small modifications of the ConsumerTool and ProducerTool
examples in the 5.4.2 distro.
> When the client does not set the property, then i get the properly authenticated DN as
JMSXUserID using message.getStringProperty("JMSXUserID"). However, when the client sets it,
i get the value set by the client.  The only difference i notice is that in the former case,
message.getPropertyNames() does not return JMSXUserID whereas in the spoofed case it does.

> i wonder whether in the context of https://issues.apache.org/jira/browse/QPID-943 or
https://issues.apache.org/jira/browse/AMQ-2840 (which interestingly doesn't list JMSXUserID
as supported in a comment even though it is?) something got messed up?

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message