Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: AMQ 7.9.0.CR1
Affects Version/s: None
Component/s: None
Labels:
- upstream-test-coverage

Blocked:
False
Ready:
False
GSS Priority:
QE Test Coverage:
+
Release Note Text:
Undefined
Target Release:

AMQ 7.9.0.GA
Upstream Jira:
https://issues.apache.org/jira/browse/ARTEMIS-3012
Workaround Description:

Hide

There is a workaround but it's not ideal. It needs another security-setting tag with the pattern "A.*.B.A.*.B"

Show
There is a workaround but it's not ideal. It needs another security-setting tag with the pattern "A.*.B.A.*.B"
Git Pull Request:
https://github.com/rh-messaging/activemq-artemis/pull/468
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

With the following configuration, you would assume that only the users with role "xyz" can consume from address A.C.B but users with the role "amq" are also able to consume the messages from the same address.

<security-setting match="#">
	<permission type="createNonDurableQueue" roles="amq"/>
	<permission type="deleteNonDurableQueue" roles="amq"/>
	<permission type="createDurableQueue" roles="amq"/>
	<permission type="deleteDurableQueue" roles="amq"/>
	<permission type="createAddress" roles="amq"/>
	<permission type="deleteAddress" roles="amq"/>
	<permission type="consume" roles="amq"/>
	<permission type="browse" roles="amq"/>
	<permission type="send" roles="amq"/>
	<permission type="manage" roles="amq"/>
</security-setting>

<security-settings>
		  <security-setting match="A.*.B">
	<permission type="createNonDurableQueue" roles="xyz"/>
	<permission type="deleteNonDurableQueue" roles="xyz"/>
	<permission type="createDurableQueue" roles="xyz"/>
	<permission type="deleteDurableQueue" roles="xyz"/>
	<permission type="createAddress" roles="xyz"/>
	<permission type="deleteAddress" roles="xyz"/>
	<permission type="consume" roles="xyz"/>
	<permission type="browse" roles="xyz"/>
	<permission type="send" roles="xyz"/>
	<permission type="manage" roles="xyz"/>
		</security-setting>

<security-settings>

<addresses>         
	 <address name="A.C.B">
            <anycast>
               <queue name="A.C.B" />
            </anycast>
         </address>
		
</addresses>

I have created a Test Case for this. I believe it is happening because of this block of code.

    try {
         securityCheck(address, unPrefixedQueueName, browseOnly ? CheckType.BROWSE : CheckType.CONSUME, this);
      } catch (Exception e) {
         // this is here for backwards compatibility with the pre-FQQN syntax from ARTEMIS-592
         securityCheck(address.concat(".").concat(unPrefixedQueueName), queueName, browseOnly ? CheckType.BROWSE : CheckType.CONSUME, this);
      }

After the exception is caught for invalid permissions, it checks again after concatenating the address and queue. Now the new address (address.queue) doesn't match the intended pattern but it matches the global pattern (#) and gets authorized.

clones

ENTMQBR-4282 Security settings are being inherited from the general block (#) for the consume operation if the address pattern is A.*.B

Closed

Assignee:: Justin Bertram

Reporter:: Domenico Francesco Bruscino

Tester:: Roman Vais (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2021/07/08 11:31 AM

Updated:: 2021/08/18 3:49 PM

Resolved:: 2021/08/18 3:49 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates