Return-Path: 
 <dev-return-44100-apmail-activemq-dev-archive=activemq.apache.org@activemq.apache.org>
X-Original-To: apmail-activemq-dev-archive@www.apache.org
Delivered-To: apmail-activemq-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 73BDC10952
	for <apmail-activemq-dev-archive@www.apache.org>;
 Sat, 29 Mar 2014 11:01:22 +0000 (UTC)
Received: (qmail 5446 invoked by uid 500); 29 Mar 2014 11:01:21 -0000
Delivered-To: apmail-activemq-dev-archive@activemq.apache.org
Received: (qmail 4807 invoked by uid 500); 29 Mar 2014 11:01:17 -0000
Mailing-List: contact dev-help@activemq.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@activemq.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@activemq.apache.org>
List-Post: <mailto:dev@activemq.apache.org>
List-Id: <dev.activemq.apache.org>
Reply-To: dev@activemq.apache.org
Delivered-To: mailing list dev@activemq.apache.org
Received: (qmail 4787 invoked by uid 99); 29 Mar 2014 11:01:16 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 29 Mar 2014 11:01:16 +0000
Date: Sat, 29 Mar 2014 11:01:16 +0000 (UTC)
From: "Claus Ibsen (JIRA)" <jira@apache.org>
To: dev@activemq.apache.org
Message-ID: <JIRA.12531481.1321373147892.29939.1396090876771@arcas>
In-Reply-To: <JIRA.12531481.1321373147892@arcas>
References: <JIRA.12531481.1321373147892@arcas>
Subject: [jira] [Updated] (AMQ-3598) Unprivileged users can receive messages
 from a protected topic when using wildcards in destination
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


     [ https://issues.apache.org/jira/browse/AMQ-3598?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Claus Ibsen updated AMQ-3598:
-----------------------------

    Fix Version/s:     (was: 5.10.0)
                   5.11.0

> Unprivileged users can receive messages from a protected topic when using wildcards in destination
> --------------------------------------------------------------------------------------------------
>
>                 Key: AMQ-3598
>                 URL: https://issues.apache.org/jira/browse/AMQ-3598
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.5.0, 5.5.1
>         Environment: OS: Mac OS X 10.6.8
> JRE/JDK: 1.6.0_29
> ActiveMQ: 5.5.0
>            Reporter: Thorsten Panitz
>              Labels: authorization, security
>             Fix For: 5.11.0
>
>         Attachments: AMQ-3598.patch, ActiveMQAuthorizationBug.zip
>
>
> A consumer can receive messages from protected queues/topics if he uses a Destination which contains a wildcard as described [here|http://activemq.apache.org/wildcards.html]:
> {code:language=java}
> Destination queue = new ActiveMQQueue("messages.>");
> Destination topic = new ActiveMQTopic(">");
> {code}
> We are using the default authentication/authorization system as described in [Security Authentication/Authorization|http://activemq.apache.org/security.html#Security-Authorization] with the following configuration:
> {code:title=broker.xml|language=xml}
> <plugins>
>     <simpleAuthenticationPlugin>
>         <users>
>             <authenticationUser
>                   username="admin"
>                   password="admin"
>                   groups="admins"/>
>             <authenticationUser
>                   username="user"
>                   password="user"
>                   groups="users"/>
>         </users>
>     </simpleAuthenticationPlugin>
>     <authorizationPlugin>
>         <map>
>             <authorizationMap>
>                 <authorizationEntries>
>                     <authorizationEntry topic="messages.>"
>                                         read="admins"
>                                         write="admins"
>                                         admin="admins"/>
>                     <authorizationEntry topic="messages.cat2"
>                                         read="admins"
>                                         write="admins"
>                                         admin="admins"/>
>                     <authorizationEntry topic="messages.cat1"
>                                         read="admins, users"
>                                         write="admins, users"
>                                         admin="admins, users"/>
>                     <authorizationEntry topic="ActiveMQ.Advisory.>"
>                                         read="admins, users"
>                                         write="admins, users"
>                                         admin="admins, users"/>
>                 </authorizationEntries>
>             </authorizationMap>
>         </map>
>     </authorizationPlugin>
> </plugins>
> {code}
> As exepected, clients connecting as "user" to the topic "messages.cat2" get an exception ("User user is not authorized to read from: topic://messages.cat2"). Suprisingly "user" can receive messages from topic "messages.cat2" if he creates a consumer with the destination "messages.>":
> {code:title=consumer.java|language=java}
> final Destination destination = new ActiveMQTopic("messages.>");
> final Connection conn = new ActiveMQConnectionFactory("user", "user", BROKER_URL).createConnection();
> final Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
> final MessageConsumer consumer = session.createConsumer(destination);
> conn.start();
> closure.run();
> final Message message = consumer.receive(TIMEOUT);
> session.close();
> conn.close(); 
> {code}
> IMHO this behaviour is a security problem as an unprivileged user can receive messages from a protected topic or queue!



--
This message was sent by Atlassian JIRA
(v6.2#6252)