activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alexandre Pauzies (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AMQ-5151) Incorrect authorization on virtual destination (wildcard)
Date Wed, 16 Apr 2014 19:02:18 GMT
Alexandre Pauzies created AMQ-5151:
--------------------------------------

             Summary: Incorrect authorization on virtual destination (wildcard)
                 Key: AMQ-5151
                 URL: https://issues.apache.org/jira/browse/AMQ-5151
             Project: ActiveMQ
          Issue Type: Bug
    Affects Versions: 5.9.1, 5.9.0
            Reporter: Alexandre Pauzies


I'm trying to use authorizationPlugin with virtual destinations:

testTopic.group1
testTopic.group2

This is my authorizationEntries definition:

<authorizationEntry topic="testTopic.group1.>" write="admins" read="group1" admin="admins"
/>
<authorizationEntry topic="testTopic.group2.>" write="admins" read="group2" admin="admins"
/>
<authorizationEntry topic=">" write="admins" read="admins" admin="admins" />

- When group1 tries to subscribe to testTopic.group2, I get an access denied: "User is not
authorized to read from..."
- Same when group2 access group1
- However, if group1 subscribes to testTopic.> it will have access to everything

I tracked the issue down to DefaultAuthorizationMap, getReadACLs(ActiveMQDestination destination)

This method will combine the read ACL from the 2 sub-topic authorization entries and give
access to destination "testTopic.>" to anyone in group1 or group2.

Am I doing something wrong?
Is this scenario supported by authorizationPlugin?

Thanks,
Alex



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message