Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-5182

Security settings are being inherited from the general block (#) for the consume operation if the address pattern is A.*.B

    XMLWordPrintable

Details

    Description

      With the following configuration, you would assume that only the users with role "xyz" can consume from address A.C.B but users with the role "amq" are also able to consume the messages from the same address.

      <security-setting match="#">
	<permission type="createNonDurableQueue" roles="amq"/>
	<permission type="deleteNonDurableQueue" roles="amq"/>
	<permission type="createDurableQueue" roles="amq"/>
	<permission type="deleteDurableQueue" roles="amq"/>
	<permission type="createAddress" roles="amq"/>
	<permission type="deleteAddress" roles="amq"/>
	<permission type="consume" roles="amq"/>
	<permission type="browse" roles="amq"/>
	<permission type="send" roles="amq"/>
	<permission type="manage" roles="amq"/>
</security-setting>

<security-settings>
		  <security-setting match="A.*.B">
	<permission type="createNonDurableQueue" roles="xyz"/>
	<permission type="deleteNonDurableQueue" roles="xyz"/>
	<permission type="createDurableQueue" roles="xyz"/>
	<permission type="deleteDurableQueue" roles="xyz"/>
	<permission type="createAddress" roles="xyz"/>
	<permission type="deleteAddress" roles="xyz"/>
	<permission type="consume" roles="xyz"/>
	<permission type="browse" roles="xyz"/>
	<permission type="send" roles="xyz"/>
	<permission type="manage" roles="xyz"/>
		</security-setting>

<security-settings>

<addresses>         
	 <address name="A.C.B">
            <anycast>
               <queue name="A.C.B" />
            </anycast>
         </address>
		
</addresses> 
 

      I have created a Test Case for this. I believe it is happening because of this block of code. 

          try {
         securityCheck(address, unPrefixedQueueName, browseOnly ? CheckType.BROWSE : CheckType.CONSUME, this);
      } catch (Exception e) {
         // this is here for backwards compatibility with the pre-FQQN syntax from ARTEMIS-592
         securityCheck(address.concat(".").concat(unPrefixedQueueName), queueName, browseOnly ? CheckType.BROWSE : CheckType.CONSUME, this);
      }

      After the exception is caught for invalid permissions, it checks again after concatenating the address and queue. Now the new address (address.queue) doesn't match the intended pattern but it matches the global pattern (#) and gets authorized.

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. ENTMQBR-4282 Security settings are being inherited from the general block (#) for the consume operation if the address pattern is A.*.B

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Activity

            People

              rhn-support-jbertram Justin Bertram
              dbruscin Domenico Francesco Bruscino
              Roman Vais Roman Vais
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: