Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-4282

Security settings are being inherited from the general block (#) for the consume operation if the address pattern is A.*.B

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Done
    • None
    • None
    • None

    Description

      With the following configuration, you would assume that only the users with role "xyz" can consume from address A.C.B but users with the role "amq" are also able to consume the messages from the same address.

      <security-setting match="#">
      	<permission type="createNonDurableQueue" roles="amq"/>
      	<permission type="deleteNonDurableQueue" roles="amq"/>
      	<permission type="createDurableQueue" roles="amq"/>
      	<permission type="deleteDurableQueue" roles="amq"/>
      	<permission type="createAddress" roles="amq"/>
      	<permission type="deleteAddress" roles="amq"/>
      	<permission type="consume" roles="amq"/>
      	<permission type="browse" roles="amq"/>
      	<permission type="send" roles="amq"/>
      	<permission type="manage" roles="amq"/>
      </security-setting>
      
      <security-settings>
      		  <security-setting match="A.*.B">
      	<permission type="createNonDurableQueue" roles="xyz"/>
      	<permission type="deleteNonDurableQueue" roles="xyz"/>
      	<permission type="createDurableQueue" roles="xyz"/>
      	<permission type="deleteDurableQueue" roles="xyz"/>
      	<permission type="createAddress" roles="xyz"/>
      	<permission type="deleteAddress" roles="xyz"/>
      	<permission type="consume" roles="xyz"/>
      	<permission type="browse" roles="xyz"/>
      	<permission type="send" roles="xyz"/>
      	<permission type="manage" roles="xyz"/>
      		</security-setting>
      
      <security-settings>
      
      <addresses>         
      	 <address name="A.C.B">
                  <anycast>
                     <queue name="A.C.B" />
                  </anycast>
               </address>
      		
      </addresses> 
       

      I have created a Test Case for this. I believe it is happening because of this block of code.

          try {
               securityCheck(address, unPrefixedQueueName, browseOnly ? CheckType.BROWSE : CheckType.CONSUME, this);
            } catch (Exception e) {
               // this is here for backwards compatibility with the pre-FQQN syntax from ARTEMIS-592
               securityCheck(address.concat(".").concat(unPrefixedQueueName), queueName, browseOnly ? CheckType.BROWSE : CheckType.CONSUME, this);
            }
      

      After the exception is caught for invalid permissions, it checks again after concatenating the address and queue. Now the new address (address.queue) doesn't match the intended pattern but it matches the global pattern (#) and gets authorized.

      Attachments

        Issue Links

          Activity

            People

              rhn-support-jbertram Justin Bertram
              rhn-support-adongre Avinash Dongre
              Roman Vais Roman Vais
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: