  1. AMQ Broker
  2. ENTMQBR-4282

Security settings are being inherited from the general block (#) for the consume operation if the address pattern is A.*.B


    • Bug
    • Resolution: Done
    • Critical

      With the following configuration, you would assume that only the users with role "xyz" can consume from address A.C.B but users with the role "amq" are also able to consume the messages from the same address.

      <security-settings>
         <!-- catch-all: role "amq" holds every permission -->
         <security-setting match="#">
            <permission type="createNonDurableQueue" roles="amq"/>
            <permission type="deleteNonDurableQueue" roles="amq"/>
            <permission type="createDurableQueue" roles="amq"/>
            <permission type="deleteDurableQueue" roles="amq"/>
            <permission type="createAddress" roles="amq"/>
            <permission type="deleteAddress" roles="amq"/>
            <permission type="consume" roles="amq"/>
            <permission type="browse" roles="amq"/>
            <permission type="send" roles="amq"/>
            <permission type="manage" roles="amq"/>
         </security-setting>

         <!-- intended to restrict A.<anything>.B to role "xyz" only -->
         <security-setting match="A.*.B">
            <permission type="createNonDurableQueue" roles="xyz"/>
            <permission type="deleteNonDurableQueue" roles="xyz"/>
            <permission type="createDurableQueue" roles="xyz"/>
            <permission type="deleteDurableQueue" roles="xyz"/>
            <permission type="createAddress" roles="xyz"/>
            <permission type="deleteAddress" roles="xyz"/>
            <permission type="consume" roles="xyz"/>
            <permission type="browse" roles="xyz"/>
            <permission type="send" roles="xyz"/>
            <permission type="manage" roles="xyz"/>
         </security-setting>
      </security-settings>

      <addresses>
         <address name="A.C.B">
            <anycast>
               <queue name="A.C.B" />
            </anycast>
         </address>
      </addresses>
       

      I have created a Test Case for this. I believe it is happening because of this block of code.

      try {
         securityCheck(address, unPrefixedQueueName, browseOnly ? CheckType.BROWSE : CheckType.CONSUME, this);
      } catch (Exception e) {
         // this is here for backwards compatibility with the pre-FQQN syntax from ARTEMIS-592
         securityCheck(address.concat(".").concat(unPrefixedQueueName), queueName, browseOnly ? CheckType.BROWSE : CheckType.CONSUME, this);
      }
      

      After the exception is caught for invalid permissions, it checks again after concatenating the address and queue. Now the new address (address.queue) doesn't match the intended pattern but it matches the global pattern (#) and gets authorized.
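
The following is an added model of the behaviour described above, not code from the report or from the broker. It assumes a simplified wildcard matcher ('*' matches one word, '#' matches any number of words, the most specific match wins); the function names are hypothetical. It shows that the retry against "address.queue" resolves to the "#" block and lets role "amq" through.

```python
# Simplified model of security-setting lookup (an assumption for illustration,
# not the broker's code): '.' separates words, '*' matches exactly one word,
# '#' matches any number of words, and the most specific matching pattern wins.
SETTINGS = {  # constructed from the configuration in the report (consume only)
    "#": {"consume": {"amq"}},
    "A.*.B": {"consume": {"xyz"}},
}

def matches(pattern, address):
    def walk(p, a):
        if not p:
            return not a
        if p[0] == "#":
            return any(walk(p[1:], a[i:]) for i in range(len(a) + 1))
        return bool(a) and p[0] in ("*", a[0]) and walk(p[1:], a[1:])
    return walk(pattern.split("."), address.split("."))

def resolve(address):
    """Return the most specific pattern that matches the address."""
    hits = [p for p in SETTINGS if matches(p, address)]
    # Specificity = count of literal words (simplification chosen for this model).
    return max(hits, key=lambda p: sum(w not in ("*", "#") for w in p.split(".")))

def security_check(address, role, perm="consume"):
    if role not in SETTINGS[resolve(address)].get(perm, set()):
        raise PermissionError(f"{role} may not {perm} on {address}")

def consume_with_fallback(address, queue, role):
    """Mirrors the try/catch quoted in the report."""
    try:
        security_check(address, role)
    except PermissionError:
        # pre-FQQN fallback: re-check against "address.queue"
        security_check(address + "." + queue, role)
    return True

def consume_single_check(address, queue, role):
    """Hypothetical variant without the fallback (not the project's fix)."""
    security_check(address, role)
    return True

if __name__ == "__main__":
    print(resolve("A.C.B"))        # pattern used by the first check
    print(resolve("A.C.B.A.C.B"))  # pattern used by the fallback check
    print(consume_with_fallback("A.C.B", "A.C.B", "amq"))
```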

              rhn-support-jbertram Justin Bertram
              rhn-support-adongre Avinash Dongre
              Roman Vais Roman Vais (Inactive)