Lionel Cons created APLO-250:
--------------------------------

             Summary: add_user_header should prevent forging
                 Key: APLO-250
                 URL: https://issues.apache.org/jira/browse/APLO-250
             Project: ActiveMQ Apollo
          Issue Type: Improvement
         Environment: apollo-99-trunk-20120827.123709-100
            Reporter: Lionel Cons


add_user_header currently adds or overwrites the specified header if the 
corresponding principal exists. If the principal is not present, it does 
nothing.

This opens the door to forgeries, since the sent message may contain a header with the 
same name and, if the principal is missing, Apollo will leave it there. By 
examining the message, there is no way to know whether the header was set by 
the sender or by Apollo.

IMHO it would be safer for Apollo to remove the header in case the 
corresponding principal is not present.
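To make the two behaviours concrete, here is an added illustration (not Apollo's code) of the broker-side logic the report describes beside the stripping behaviour it asks for; the header name "user-id", the principal as a plain string or None, and the message as a dict of STOMP-style headers are assumptions for the demo.

```python
"""Illustration of APLO-250: broker-side handling of a "user header"
meant to carry the authenticated principal.

Added example, not Apollo's own code. The header name ("user-id"),
the principal representation (a string or None) and the message shape
(a dict of STOMP-style headers) are assumptions for this demo.
"""
from typing import Dict, Optional

USER_HEADER = "user-id"  # assumed name configured via add_user_header


def add_user_header_current(headers: Dict[str, str],
                            principal: Optional[str]) -> Dict[str, str]:
    """Behaviour described in the report: set/overwrite the header when
    a principal exists, otherwise leave the frame untouched, which keeps
    any client-supplied value in place."""
    out = dict(headers)
    if principal is not None:
        out[USER_HEADER] = principal
    return out


def add_user_header_proposed(headers: Dict[str, str],
                             principal: Optional[str]) -> Dict[str, str]:
    """Behaviour the report asks for: with no principal, strip the header
    so a consumer can trust that a present value came from the broker,
    never from the sender."""
    out = dict(headers)
    if principal is not None:
        out[USER_HEADER] = principal
    else:
        out.pop(USER_HEADER, None)
    return out


# Constructed sample: an unauthenticated sender (no principal) sends a
# frame that already carries a forged user header.
FORGED = {"destination": "/queue/orders", USER_HEADER: "admin"}

if __name__ == "__main__":
    print("current :", add_user_header_current(FORGED, None))
    print("proposed:", add_user_header_proposed(FORGED, None))
```

With the current logic the forged "admin" value survives to the consumer; with the proposed logic it is removed, and an authenticated principal still overwrites whatever the client sent.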
