Unprivileged users can receive messages from a protected topic when using wildcards in destination
--------------------------------------------------------------------------------------------------
Key: AMQ-3598
URL: https://issues.apache.org/jira/browse/AMQ-3598
Project: ActiveMQ
Issue Type: Bug
Components: Broker
Affects Versions: 5.5.1, 5.5.0
Environment: OS: Mac OS X 10.6.8
JRE/JDK: 1.6.0_29
ActiveMQ: 5.5.0
Reporter: Thorsten Panitz
A consumer can receive messages from protected queues/topics if he uses a
Destination which contains a wildcard as described
[here|http://activemq.apache.org/wildcards.html]:
{code:language=java}
Destination queue = new ActiveMQQueue("messages.>");
Destination topic = new ActiveMQTopic(">");
{code}
We are using the default authentication/authorization system as described in
[Security Authentication/Authorization|http://activemq.apache.org/security.html#Security-Authorization]
with the following configuration:
{code:title=broker.xml|language=xml}
<plugins>
  <simpleAuthenticationPlugin>
    <users>
      <authenticationUser username="admin" password="admin" groups="admins"/>
      <authenticationUser username="user" password="user" groups="users"/>
    </users>
  </simpleAuthenticationPlugin>
  <authorizationPlugin>
    <map>
      <authorizationMap>
        <authorizationEntries>
          <authorizationEntry topic="messages.>" read="admins" write="admins" admin="admins"/>
          <authorizationEntry topic="messages.cat2" read="admins" write="admins" admin="admins"/>
          <authorizationEntry topic="messages.cat1" read="admins, users" write="admins, users" admin="admins, users"/>
          <authorizationEntry topic="ActiveMQ.Advisory.>" read="admins, users" write="admins, users" admin="admins, users"/>
        </authorizationEntries>
      </authorizationMap>
    </map>
  </authorizationPlugin>
</plugins>
{code}
As expected, clients connecting as "user" to the topic "messages.cat2" get an
exception ("User user is not authorized to read from: topic://messages.cat2").
Surprisingly, "user" can receive messages from topic "messages.cat2" if he
creates a consumer with the destination "messages.>":
{code:title=consumer.java|language=java}
import javax.jms.*;
import org.apache.activemq.ActiveMQConnectionFactory;
import org.apache.activemq.command.ActiveMQTopic;

// Wildcard subscription as "user", who is not in the read ACL of messages.cat2.
final Destination destination = new ActiveMQTopic("messages.>");
final Connection conn = new ActiveMQConnectionFactory("user", "user", BROKER_URL).createConnection();
final Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
final MessageConsumer consumer = session.createConsumer(destination);
conn.start();
closure.run(); // defined elsewhere in the reporter's test; not shown in the report
final Message message = consumer.receive(TIMEOUT); // BROKER_URL and TIMEOUT are test constants not shown here
session.close();
conn.close();
{code}
IMHO this behaviour is a security problem as an unprivileged user can receive
messages from a protected topic or queue!
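A model of the two authorization semantics at play, added here as an illustration and not taken from ActiveMQ's source: it parses the authorizationEntries from the broker.xml above, resolves which entries cover a destination using the `.`/`*`/`>` wildcard rules as modelled here, and contrasts granting a wildcard subscription on the union of all covering entries' read ACLs (which lets "user" subscribe to "messages.>") with gating each message on its concrete destination (which drops messages from "messages.cat2"). The names `patterns_overlap`, `read_acls`, `can_read`, `dispatch_allowed` and `deliverable` are chosen for this example; the per-message gate shows the mitigation in principle, not the project's actual fix.

```python
"""Added example (not ActiveMQ code): model how a wildcard subscription is
authorized against the report's broker.xml, and what a per-destination
check at dispatch time changes."""
import xml.etree.ElementTree as ET

# Constructed from the <authorizationEntries> in the report's broker.xml.
BROKER_XML = """
<authorizationEntries>
  <authorizationEntry topic="messages.>" read="admins" write="admins" admin="admins"/>
  <authorizationEntry topic="messages.cat2" read="admins" write="admins" admin="admins"/>
  <authorizationEntry topic="messages.cat1" read="admins, users" write="admins, users" admin="admins, users"/>
  <authorizationEntry topic="ActiveMQ.Advisory.>" read="admins, users" write="admins, users" admin="admins, users"/>
</authorizationEntries>
"""


def parse_entries(xml_text):
    """Return [(pattern, {"read": set, "write": set, "admin": set}), ...]."""
    entries = []
    for el in ET.fromstring(xml_text).iter("authorizationEntry"):
        pattern = el.get("topic") or el.get("queue")
        acls = {op: {g.strip() for g in el.get(op, "").split(",") if g.strip()}
                for op in ("read", "write", "admin")}
        entries.append((pattern, acls))
    return entries


def patterns_overlap(a, b):
    """True if some concrete destination is matched by both patterns.

    Modelled wildcard rules: '.' separates segments, '*' matches exactly one
    segment, a trailing '>' matches one or more remaining segments.
    """
    sa, sb = a.split("."), b.split(".")
    for x, y in zip(sa, sb):
        if x == ">" or y == ">":
            return True
        if x != y and x != "*" and y != "*":
            return False
    # Both prefixes agree; overlap only if the patterns have the same depth.
    return len(sa) == len(sb)


def read_acls(entries, destination):
    """Union of the read ACLs of every entry that covers the destination.

    This is the lookup a broker performs for a concrete destination; applied
    to a wildcard such as "messages.>" it also pulls in the ACLs of every
    destination under the wildcard, which is how a restricted topic's
    neighbour can make the whole subscription look permitted.
    """
    acl = set()
    for pattern, acls in entries:
        if patterns_overlap(pattern, destination):
            acl |= acls["read"]
    return acl


def can_read(entries, destination, groups):
    """Principal may read if it belongs to at least one group in the read ACL."""
    return bool(read_acls(entries, destination) & set(groups))


def dispatch_allowed(entries, subscription, message_destination, groups):
    """Per-message gate: the message's concrete destination must be readable,
    regardless of how permissive the subscription pattern looked."""
    return (patterns_overlap(subscription, message_destination)
            and can_read(entries, message_destination, groups))


def deliverable(entries, subscription, message_destinations, groups):
    """Filter a stream of message destinations through the per-message gate."""
    return [d for d in message_destinations
            if dispatch_allowed(entries, subscription, d, groups)]


ENTRIES = parse_entries(BROKER_XML)

if __name__ == "__main__":
    user = {"users"}
    print("user reads messages.cat1:", can_read(ENTRIES, "messages.cat1", user))  # True
    print("user reads messages.cat2:", can_read(ENTRIES, "messages.cat2", user))  # False
    # Subscription-time check on the wildcard itself: the unioned ACLs grant it.
    print("user subscribes messages.>:", can_read(ENTRIES, "messages.>", user))  # True
    # Per-message gate keeps only what the principal may actually read.
    print(deliverable(ENTRIES, "messages.>", ["messages.cat1", "messages.cat2"], user))  # ['messages.cat1']
```

Checking the wildcard pattern once at subscription time is what lets the union leak through; evaluating the concrete destination of each message (or, equivalently, refusing a wildcard subscription unless every destination it covers is readable) is the property a broker has to guarantee.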