activemq-users mailing list archives

From Thorsten Panitz <th.pan...@googlemail.com>
Subject Re: Security bug in authorization system?
Date Tue, 15 Nov 2011 16:13:30 GMT
On 14.11.11 18:18, Torsten Mielke wrote:

Hello,

> I have debugged your unit test today and the reason for not getting an authorization
> exception in test accessToProtectedTopicWithWildcardsDestinationAsUserShouldFail() is that
> the AuthorizationBroker appends the security roles of all of the sub nodes in its authorization
> configuration.
>
> You have entries for "messages.>" as well as "messages.cat1" and "messages.cat" in
> your authorization config.
> Because of the wildcard in "messages.>" it appends the group names of all sub nodes.
> From the entry "messages.cat1" it also adds the "users" groups.
>
> This is a bug IMHO. Although I believe there must be some reason for adding the authorization
> groups of sub nodes in the broker's authorization plugin at runtime.
> Do you mind raising a JIRA ticket and attaching your JUnit test?

I have created the JIRA ticket: 
https://issues.apache.org/jira/browse/AMQ-3598


Thanks,

      Thorsten Panitz
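
Added example, not part of the original message and not ActiveMQ code: a simplified Python model of the behaviour described in the quoted analysis, where a request for "messages.>" collects the groups of every sub-node entry, next to a stricter resolver that only accepts entries covering the whole requested pattern. The group assignments, the function names, the one-or-more-segments reading of ">" and the stricter rule itself are assumptions made for illustration; this is not the fix applied in AMQ-3598.

```python
# Simplified model of wildcard ACL resolution (illustrative, not ActiveMQ code).
# Destination names come from the thread; the group assignments are constructed.
ACL = {
    "messages.>": {"admins"},
    "messages.cat1": {"users"},
    "messages.cat": {"admins"},
}

def overlaps(a, b):
    """True if patterns a and b can match at least one common destination."""
    pa, pb = a.split("."), b.split(".")
    for x, y in zip(pa, pb):
        if x == ">" or y == ">":
            return True
        if x != y and "*" not in (x, y):
            return False
    return len(pa) == len(pb)

def covers(entry, requested):
    """True if entry matches every destination that requested can match."""
    pe, pr = entry.split("."), requested.split(".")
    for i, e in enumerate(pe):
        if e == ">":
            return len(pr) > i          # assumption: ">" needs one more segment
        if i >= len(pr) or pr[i] == ">":
            return False                # requested reaches beyond this entry
        if e != "*" and e != pr[i]:
            return False
    return len(pe) == len(pr)

def groups_union_of_overlaps(requested):
    """Behaviour described in the thread: merge groups of all sub-node entries."""
    return set().union(*(g for p, g in ACL.items() if overlaps(p, requested)))

def groups_covering_only(requested):
    """Stricter rule (assumption): only entries covering the request may grant."""
    return set().union(*(g for p, g in ACL.items() if covers(p, requested)))

def allowed(user_groups, requested, resolver):
    return bool(set(user_groups) & resolver(requested))

if __name__ == "__main__":
    for resolver in (groups_union_of_overlaps, groups_covering_only):
        for dest in ("messages.>", "messages.cat1", "messages.cat"):
            verdict = "ALLOW" if allowed({"users"}, dest, resolver) else "DENY"
            print(f"{resolver.__name__:26} users -> {dest:14} {verdict}")
```
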

