[
https://issues.apache.org/jira/browse/AMQ-3211?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13005050#comment-13005050
]
Gary Tully commented on AMQ-3211:
---------------------------------
This seems broken to me. ActiveMQ does allow setting the JMSXUserId property
but it should only be used in the absence of any other setting of user
credentials.
Currently, the call to get JMSXUserId looks first at the existing properties
and then at the internal userId attribute. That logic should be reversed.
Typically, users should not set the JMSXUserId value, but if they do, it should
be ignored if there is an alternative policy in place, ie: when
BrokerService.populateJMSXUserID is specified and either the user id is set on
the ActiveMQConnectionFactory or found through Authentication.
> JMSXUserId Can be spoofed by client
> -----------------------------------
>
> Key: AMQ-3211
> URL: https://issues.apache.org/jira/browse/AMQ-3211
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Affects Versions: 5.4.2
> Reporter: Michael Steiner
> Attachments: JMSXUserID-bug.conf-src.tar.bz2, JMSXUserID-bug.diff
>
>
> It seems the JMSXUserId can be spoofed by client contrary to what
> http://activemq.apache.org/jmsxuserid.html says.
> My test setup is populateJMSXUserID="true set in a single broker, a JAAS
> config org.apache.activemq.jaas.TextFileCertificateLoginModule and using
> mutual auth SSL (i.e., ?needClientAuth=true for transportConnector setup),
> and a single consumer and producer based on small modifications of the
> ConsumerTool and ProducerTool examples in the 5.4.2 distro. See attached the
> changes to the distro package to demonstrate the bug. Just do
> 1. run apache-activemq-5.4.2/bin/activemq-admin start
> 2. in apache-activemq-5.4.2/example run ant consumer
> -Durl=ssl://localhost:61617 -Dmax=3 -Dverbose=true
> 3. in another shell in apache-activemq-5.4.2/example run ant producer
> -Durl=ssl://localhost:61617 -Dmax=3 -Dverbose=true
> 4. look at the output of the consumer for the properties printed after each
> received message (the producer spoofs only on even numbered messages)
> When the client does not set the property, then i get the properly
> authenticated DN as JMSXUserID using message.getStringProperty("JMSXUserID").
> However, when the client sets it, i get the value set by the client. The
> only difference i notice is that in the former case,
> message.getPropertyNames() does not return JMSXUserID whereas in the spoofed
> case it does.
> i wonder whether in the context of
> https://issues.apache.org/jira/browse/QPID-943 or
> https://issues.apache.org/jira/browse/AMQ-2840 (which interestingly doesn't
> list JMSXUserID as supported in a comment even though it is?) something got
> messed up?
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
