activemq-users mailing list archives

From Thorsten Panitz <th.pan...@googlemail.com>
Subject Security bug in authorization system?
Date Sat, 12 Nov 2011 18:29:45 GMT
Hi,

I've been working with ActiveMQ for 6 months, so this could be a 
misconfiguration on my side. Here is the problem.

We are using the default authentication/authorization system as 
described in 
http://activemq.apache.org/security.html#Security-Authorization with the 
following configuration:

<plugins>
     <simpleAuthenticationPlugin>
         <users>
             <authenticationUser
                   username="admin"
                   password="admin"
                   groups="admins"/>
             <authenticationUser
                   username="user"
                   password="user"
                   groups="users"/>
         </users>
     </simpleAuthenticationPlugin>
     <authorizationPlugin>
         <map>
             <authorizationMap>
                 <authorizationEntries>
                     <authorizationEntry topic="messages.>"
                                         read="admins"
                                         write="admins"
                                         admin="admins"/>
                     <authorizationEntry topic="messages.cat2"
                                         read="admins"
                                         write="admins"
                                         admin="admins"/>
                     <authorizationEntry topic="messages.cat1"
                                         read="admins, users"
                                         write="admins, users"
                                         admin="admins, users"/>
                     <authorizationEntry topic="ActiveMQ.Advisory.>"
                                         read="admins, users"
                                         write="admins, users"
                                         admin="admins, users"/>
                 </authorizationEntries>
             </authorizationMap>
         </map>
     </authorizationPlugin>
</plugins>

As expected, clients connecting as "user" to the topic "messages.cat2" 
get an exception ("User user is not authorized to read from: 
topic://messages.cat2"). Surprisingly, "user" can receive messages from 
topic "messages.cat2" if he creates a consumer with the destination 
"messages.>":

<code>
import javax.jms.Connection;
import javax.jms.Destination;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.Session;
import org.apache.activemq.ActiveMQConnectionFactory;
import org.apache.activemq.command.ActiveMQTopic;

// Wildcard destination covering messages.cat1 and messages.cat2
final Destination destination = new ActiveMQTopic("messages.>");
// Connect with the unprivileged "user" credentials
final Connection conn = new ActiveMQConnectionFactory("user", "user",
     BROKER_URL).createConnection();
final Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
final MessageConsumer consumer = session.createConsumer(destination);
conn.start();
closure.run(); // publishes to messages.cat2 as "admin"
final Message message = consumer.receive(TIMEOUT); // message arrives
session.close();
conn.close();
</code>

IMHO this behaviour is a security problem as an unprivileged user can 
receive messages from a protected topic or queue!

I've attached a maven project with JUnit tests showing the problem.


Environment:

OS: Mac OS X 10.6.8
JRE/JDK: 1.6.0_29
ActiveMQ: 5.5.0


Thanks for your help!


Regards,

    Thorsten
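Added here as an audit aid, not code from the thread or from the ActiveMQ project: a script that parses the authorizationMap posted above and reports every group that would gain read access to a wildcard destination if the broker unions the read ACLs of all entries the wildcard covers. That union semantics would explain the observed behaviour but is an assumption of the script, not something the message states.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the authorizationMap from the message above.
CONFIG = """<authorizationMap>
  <authorizationEntries>
    <authorizationEntry topic="messages.>" read="admins" write="admins" admin="admins"/>
    <authorizationEntry topic="messages.cat2" read="admins" write="admins" admin="admins"/>
    <authorizationEntry topic="messages.cat1" read="admins, users" write="admins, users" admin="admins, users"/>
    <authorizationEntry topic="ActiveMQ.Advisory.>" read="admins, users" write="admins, users" admin="admins, users"/>
  </authorizationEntries>
</authorizationMap>"""


def groups(attr):
    """Split a comma-separated ACL attribute into a set of group names."""
    return {g.strip() for g in attr.split(",") if g.strip()}


def matches(pattern, name):
    """ActiveMQ-style destination match: '*' is one segment, '>' is the rest."""
    p, n = pattern.split("."), name.split(".")
    for i, seg in enumerate(p):
        if seg == ">":
            return True
        if i >= len(n) or (seg != "*" and seg != n[i]):
            return False
    return len(p) == len(n)


def load_entries(xml):
    """Return [(destination, read_groups)] for every authorizationEntry."""
    root = ET.fromstring(xml)
    return [(e.get("topic") or e.get("queue"), groups(e.get("read", "")))
            for e in root.iter("authorizationEntry")]


def wildcard_exposure(entries):
    """For each wildcard entry, list groups that a union-of-matching-entries
    check would admit beyond the groups the wildcard entry itself names.
    Returns [(wildcard, extra_groups, entries_granting_them)]."""
    findings = []
    for pat, allowed in entries:
        if ">" not in pat and "*" not in pat:
            continue
        covered = [(d, r) for d, r in entries if d != pat and matches(pat, d)]
        # Assumption: the broker grants the wildcard if ANY covered entry allows the group.
        union = set().union(*(r for _, r in covered)) | allowed
        extra = union - allowed
        if extra:
            findings.append((pat, sorted(extra), [d for d, r in covered if r & extra]))
    return findings


if __name__ == "__main__":
    for pat, extra, via in wildcard_exposure(load_entries(CONFIG)):
        print(f"{pat}: groups {extra} can read via wildcard, granted by {via}")
```

For the posted configuration the script reports that "users" reaches "messages.>" through the "messages.cat1" entry, which is exactly the path the test above exercises.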

