activemq-dev mailing list archives

From "Thorsten Panitz (Created) (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AMQ-3598) Unprivileged users can receive messages from a protected topic when using wildcards in destination
Date Tue, 15 Nov 2011 16:06:52 GMT
Unprivileged users can receive messages from a protected topic when using wildcards in destination
--------------------------------------------------------------------------------------------------

                 Key: AMQ-3598
                 URL: https://issues.apache.org/jira/browse/AMQ-3598
             Project: ActiveMQ
          Issue Type: Bug
          Components: Broker
    Affects Versions: 5.5.1, 5.5.0
         Environment: OS: Mac OS X 10.6.8
JRE/JDK: 1.6.0_29
ActiveMQ: 5.5.0
            Reporter: Thorsten Panitz


A consumer can receive messages from protected queues/topics if he uses a Destination which
contains a wildcard as described [here|http://activemq.apache.org/wildcards.html]:

{code:language=java}
Destination queue = new ActiveMQQueue("messages.>"); // every queue whose name starts with "messages."
Destination topic = new ActiveMQTopic(">");          // every topic on the broker
{code}

We are using the default authentication/authorization system as described in [Security Authentication/Authorization|http://activemq.apache.org/security.html#Security-Authorization]
with the following configuration:

{code:title=broker.xml|language=xml}
<plugins>
    <simpleAuthenticationPlugin>
        <users>
            <authenticationUser
                  username="admin"
                  password="admin"
                  groups="admins"/>
            <authenticationUser
                  username="user"
                  password="user"
                  groups="users"/>
        </users>
    </simpleAuthenticationPlugin>
    <authorizationPlugin>
        <map>
            <authorizationMap>
                <authorizationEntries>
                    <authorizationEntry topic="messages.>"
                                        read="admins"
                                        write="admins"
                                        admin="admins"/>
                    <authorizationEntry topic="messages.cat2"
                                        read="admins"
                                        write="admins"
                                        admin="admins"/>
                    <authorizationEntry topic="messages.cat1"
                                        read="admins, users"
                                        write="admins, users"
                                        admin="admins, users"/>
                    <authorizationEntry topic="ActiveMQ.Advisory.>"
                                        read="admins, users"
                                        write="admins, users"
                                        admin="admins, users"/>
                </authorizationEntries>
            </authorizationMap>
        </map>
    </authorizationPlugin>
</plugins>
{code}

As expected, clients connecting as "user" to the topic "messages.cat2" get an exception ("User
user is not authorized to read from: topic://messages.cat2"). Surprisingly, "user" can receive
messages from topic "messages.cat2" if he creates a consumer with the destination "messages.>":

{code:title=consumer.java|language=java}
import javax.jms.Connection;
import javax.jms.Destination;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.Session;
import org.apache.activemq.ActiveMQConnectionFactory;
import org.apache.activemq.command.ActiveMQTopic;

// wildcard destination: covers messages.cat1 AND messages.cat2
final Destination destination = new ActiveMQTopic("messages.>");
// connect as the unprivileged "user" (group "users")
final Connection conn = new ActiveMQConnectionFactory("user", "user", BROKER_URL).createConnection();
final Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
final MessageConsumer consumer = session.createConsumer(destination); // no SecurityException here
conn.start();
closure.run(); // test hook from the reporter's harness, not shown in the report
final Message message = consumer.receive(TIMEOUT); // delivers a message published to messages.cat2
session.close();
conn.close();
{code}

IMHO this behaviour is a security problem as an unprivileged user can receive messages from
a protected topic or queue!

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
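The authorization behaviour described in the report, modelled as an added example. This is not ActiveMQ's code and imports none of it; it assumes only the documented wildcard syntax ("." separates segments, "*" matches one segment, ">" matches one or more trailing segments) and transcribes the read ACLs from the broker.xml above. The lenient check models what the reporter observed: the read groups of every entry a wildcard subscription touches are unioned, so the "users" grant on messages.cat1 opens messages.> and even ">". The strict check is one possible tightening, assumed here rather than taken from the project: a pattern consumer must hold read on the pattern itself and on every entry the pattern covers, so the intersection of those effective ACLs decides, and a subscription no entry covers is denied.

```python
"""Model of ActiveMQ-style destination wildcards and of two ways to
authorize a wildcard consumer against an authorization map.
Illustrative only: not ActiveMQ's code; the strict variant is an assumed
tightening, not necessarily the change the project shipped."""
from dataclasses import dataclass

SEP, SINGLE, TAIL = ".", "*", ">"   # '>' is only valid as the last segment


@dataclass(frozen=True)
class Entry:
    destination: str      # may contain wildcards, exactly as in broker.xml
    read: frozenset


def groups(csv):
    return frozenset(g.strip() for g in csv.split(","))


# Read ACLs of the <authorizationEntries> from the report, transcribed.
AUTH_MAP = (
    Entry("messages.>", groups("admins")),
    Entry("messages.cat2", groups("admins")),
    Entry("messages.cat1", groups("admins, users")),
    Entry("ActiveMQ.Advisory.>", groups("admins, users")),
)


def matches(pattern, dest):
    """Directional: does pattern cover dest? Wildcards in dest are literal,
    so matches('messages.cat2', 'messages.>') is False."""
    p, d = pattern.split(SEP), dest.split(SEP)
    while p:
        if p[0] == TAIL:                 # needs at least one segment left
            return bool(d)
        if not d or (p[0] != SINGLE and p[0] != d[0]):
            return False
        p, d = p[1:], d[1:]
    return not d


def overlaps(a, b):
    """Symmetric: is there any concrete destination both a and b match?"""
    p, q = a.split(SEP), b.split(SEP)
    while p and q:
        if p[0] == TAIL or q[0] == TAIL:
            return True
        if p[0] != SINGLE and q[0] != SINGLE and p[0] != q[0]:
            return False
        p, q = p[1:], q[1:]
    return not p and not q


def effective_read_acl(dest, auth_map=AUTH_MAP):
    """Groups that may read one destination: the union of every entry that
    covers it, so a specific entry can widen what a pattern entry grants."""
    return frozenset().union(*(e.read for e in auth_map if matches(e.destination, dest)))


def lenient_read_acl(subscription, auth_map=AUTH_MAP):
    """Models the reported behaviour: union of the read ACLs of every entry
    the subscription overlaps. One permissive sibling opens the wildcard."""
    return frozenset().union(*(e.read for e in auth_map if overlaps(subscription, e.destination)))


def strict_read_acl(subscription, auth_map=AUTH_MAP):
    """Assumed tightening: a pattern consumer receives from everything under
    the pattern, so it needs read on the pattern itself and on every entry
    the pattern covers. Intersect their effective ACLs; empty means deny."""
    regions = {subscription} | {e.destination for e in auth_map if matches(subscription, e.destination)}
    return frozenset.intersection(*(effective_read_acl(r, auth_map) for r in regions))


def may_subscribe(user_groups, subscription, strict, auth_map=AUTH_MAP):
    acl = (strict_read_acl if strict else lenient_read_acl)(subscription, auth_map)
    return bool(acl & frozenset(user_groups))


if __name__ == "__main__":
    for who, grp in (("user", {"users"}), ("admin", {"admins"})):
        for sub in ("messages.cat1", "messages.cat2", "messages.>", ">"):
            print(f"{who:5} {sub:13} lenient={may_subscribe(grp, sub, False)!s:5} "
                  f"strict={may_subscribe(grp, sub, True)}")
```

Running it shows the report's two observations side by side: "user" is refused on messages.cat2 but admitted on messages.> (and on ">") under the lenient rule, while the strict rule refuses both wildcards and still admits the legitimate concrete subscription to messages.cat1. Note that the strict rule also refuses admins on ">", because nothing in this map grants admins anything outside messages.* and the advisory topics; a blanket subscription has to be covered by a blanket entry.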
