JMSXUserId Can be spoofed by client
-----------------------------------
Key: AMQ-3211
URL: https://issues.apache.org/jira/browse/AMQ-3211
Project: ActiveMQ
Issue Type: Bug
Components: Broker
Affects Versions: 5.4.2
Reporter: Michael Steiner
It seems the JMSXUserId can be spoofed by client contrary to what
http://activemq.apache.org/jmsxuserid.html says.
My test setup is populateJMSXUserID="true" set in broker, a JAAS config
org.apache.activemq.jaas.TextFileCertificateLoginModule and using mutual auth
SSL (i.e., ?needClientAuth=true for transportConnector setup).
When the client does not set the property, then I get the properly
authenticated DN as JMSXUserID using message.getStringProperty("JMSXUserID").
However, when the client sets it, I get the value set by the client. The only
difference I notice is that in the former case, message.getPropertyNames() does
not return JMSXUserID whereas in the spoofed case it does.
I wonder whether in the context of
https://issues.apache.org/jira/browse/QPID-943 or
https://issues.apache.org/jira/browse/AMQ-2840 (which interestingly doesn't
list JMSXUserID as supported in a comment even though it is?)
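A consumer-side check built on the observation in this report, added here as an example and not code from the reporter or the ActiveMQ project: it treats JMSXUserID as untrusted whenever the name is listed by getPropertyNames(). The class name, method names and sample DNs are constructed; it assumes the javax.jms API is on the classpath and that the listing difference holds as reported for 5.4.2.

```java
import java.lang.reflect.Proxy;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.jms.JMSException;
import javax.jms.Message;

public class JmsxUserIdCheck {
    static final String PROP = "JMSXUserID";

    /** True when JMSXUserID is listed among the message's own properties,
     *  which in the report above only happened when the client had set it. */
    static boolean looksClientSupplied(Message m) throws JMSException {
        Enumeration<?> names = m.getPropertyNames();
        while (names.hasMoreElements()) {
            if (PROP.equals(names.nextElement())) return true;
        }
        return false;
    }

    /** Returns the user id only when it does not look client-supplied, else null. */
    static String trustedUserId(Message m) throws JMSException {
        return looksClientSupplied(m) ? null : m.getStringProperty(PROP);
    }

    // Constructed stand-in for a received message; answers only the two calls used above.
    static Message fake(List<String> listedNames, String userId) {
        return (Message) Proxy.newProxyInstance(
            Message.class.getClassLoader(), new Class<?>[] { Message.class },
            (proxy, method, args) -> {
                switch (method.getName()) {
                    case "getPropertyNames": return Collections.enumeration(listedNames);
                    case "getStringProperty": return PROP.equals(args[0]) ? userId : null;
                    default: throw new UnsupportedOperationException(method.getName());
                }
            });
    }

    public static void main(String[] args) throws JMSException {
        // Constructed samples: broker-populated value (name not listed) vs. client-set value (name listed).
        Message brokerSet = fake(Collections.emptyList(), "CN=alice,O=Example");
        Message clientSet = fake(Collections.singletonList(PROP), "CN=admin,O=Example");
        System.out.println("broker-populated -> " + trustedUserId(brokerSet));
        System.out.println("client-set       -> " + trustedUserId(clientSet));
    }
}
```

This is a heuristic derived from one reporter's test setup, so it belongs alongside broker-side enforcement rather than in place of it.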