- Bug
- Resolution: Done
- Critical
With the following configuration, you would assume that only the users with role "xyz" can consume from address A.C.B, but users with the role "amq" are also able to consume the messages from the same address.
<security-settings>
   <security-setting match="#">
      <permission type="createNonDurableQueue" roles="amq"/>
      <permission type="deleteNonDurableQueue" roles="amq"/>
      <permission type="createDurableQueue" roles="amq"/>
      <permission type="deleteDurableQueue" roles="amq"/>
      <permission type="createAddress" roles="amq"/>
      <permission type="deleteAddress" roles="amq"/>
      <permission type="consume" roles="amq"/>
      <permission type="browse" roles="amq"/>
      <permission type="send" roles="amq"/>
      <permission type="manage" roles="amq"/>
   </security-setting>
   <security-setting match="A.*.B">
      <permission type="createNonDurableQueue" roles="xyz"/>
      <permission type="deleteNonDurableQueue" roles="xyz"/>
      <permission type="createDurableQueue" roles="xyz"/>
      <permission type="deleteDurableQueue" roles="xyz"/>
      <permission type="createAddress" roles="xyz"/>
      <permission type="deleteAddress" roles="xyz"/>
      <permission type="consume" roles="xyz"/>
      <permission type="browse" roles="xyz"/>
      <permission type="send" roles="xyz"/>
      <permission type="manage" roles="xyz"/>
   </security-setting>
</security-settings>
<addresses>
   <address name="A.C.B">
      <anycast>
         <queue name="A.C.B" />
      </anycast>
   </address>
</addresses>
I have created a Test Case for this. I believe it is happening because of this block of code.
try {
   securityCheck(address, unPrefixedQueueName, browseOnly ? CheckType.BROWSE : CheckType.CONSUME, this);
} catch (Exception e) {
   // this is here for backwards compatibility with the pre-FQQN syntax from ARTEMIS-592
   securityCheck(address.concat(".").concat(unPrefixedQueueName), queueName, browseOnly ? CheckType.BROWSE : CheckType.CONSUME, this);
}
After the exception is caught for invalid permissions, it checks again after concatenating the address and queue. Now the new address (address.queue) doesn't match the intended pattern but it matches the global pattern (#) and gets authorized.
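The effect described above can be reproduced with a small stand-alone model. This is an added example, not Artemis code: the class, the method names and the simplified wildcard matcher (most specific pattern wins, scored by literal words) are assumptions made for illustration.

```java
import java.util.*;

public class FallbackCheckDemo {
    // Constructed model of the configuration above: pattern -> roles allowed to consume.
    static final Map<String, Set<String>> CONSUME = Map.of(
        "#", Set.of("amq"),
        "A.*.B", Set.of("xyz"));

    // Simplified wildcard match: '*' is exactly one word, '#' is zero or more words.
    static boolean matches(String[] p, int i, String[] a, int j) {
        if (i == p.length) return j == a.length;
        if (p[i].equals("#")) {
            for (int k = j; k <= a.length; k++)
                if (matches(p, i + 1, a, k)) return true;
            return false;
        }
        return j < a.length && (p[i].equals("*") || p[i].equals(a[j]))
            && matches(p, i + 1, a, j + 1);
    }

    // Only the most specific matching pattern applies (assumption: specificity = literal word count).
    static Set<String> rolesFor(String address) {
        String best = null;
        long bestScore = -1;
        for (String pattern : CONSUME.keySet()) {
            String[] p = pattern.split("\\.");
            if (!matches(p, 0, address.split("\\."), 0)) continue;
            long score = Arrays.stream(p).filter(w -> !w.equals("*") && !w.equals("#")).count();
            if (score > bestScore) { bestScore = score; best = pattern; }
        }
        return best == null ? Set.of() : CONSUME.get(best);
    }

    static boolean check(String address, String role) { return rolesFor(address).contains(role); }

    // Mirrors the try/catch quoted above: a denial triggers a second check on address.queue.
    static boolean consumeWithFallback(String address, String queue, String role) {
        return check(address, role) || check(address + "." + queue, role);
    }

    public static void main(String[] args) {
        System.out.println("single check, amq:  " + check("A.C.B", "amq"));
        System.out.println("with fallback, amq: " + consumeWithFallback("A.C.B", "A.C.B", "amq"));
        System.out.println("with fallback, xyz: " + consumeWithFallback("A.C.B", "A.C.B", "xyz"));
    }
}
```

The concatenated name A.C.B.A.C.B has six words, so the three-word pattern A.*.B no longer applies and only the catch-all # is consulted, which is where the "amq" role gets its grant.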
- is cloned by: ENTMQBR-5182 Security settings are being inherited from the general block (#) for the consume operation if the address pattern is A.*.B (Closed)