activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gary Tully (Created) (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AMQ-3749) Composite destinations break simple authorisation through role aggregation
Date Thu, 01 Mar 2012 13:03:58 GMT
Composite destinations break simple authorisation through role aggregation
--------------------------------------------------------------------------

                 Key: AMQ-3749
                 URL: https://issues.apache.org/jira/browse/AMQ-3749
             Project: ActiveMQ
          Issue Type: Bug
          Components: Broker
    Affects Versions: 5.5.1
            Reporter: Gary Tully
            Assignee: Gary Tully
            Priority: Blocker
             Fix For: 5.6.0


Given authorisation where there is overlap in roles, using a composite destination can gain
access in error. eg:{code}
  <authorizationMap>
    <authorizationEntries>
      <authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
      <authorizationEntry queue="USER.>" read="users" write="users" admin="users" />
      ...
{code} The correct expectation is that a 'user' can only access queues that match 'USER.>'
but a user can bypass this and access a private queue using a composite destination q(PRIVATE,USER.A)
because the permissions are aggregated in error and we look for a single match.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message