[
https://issues.apache.org/jira/browse/AMQ-3598?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13151931#comment-13151931
]
Torsten Mielke commented on AMQ-3598:
-------------------------------------
I have spent a bit of time on this issue.
The problem seems to be in
org.apache.activemq.filter.DestinationMapNode.appendMatchingValues()
{code:title=DestinationMapNode.java}
public void appendMatchingValues(Set answer, String[] paths, int startIndex) {
    DestinationNode node = this;
    boolean couldMatchAny = true;
    int size = paths.length;
    for (int i = startIndex; i < size && node != null; i++) {
        String path = paths[i];
        if (path.equals(ANY_DESCENDENT)) {
            answer.addAll(node.getDesendentValues());
            couldMatchAny = false;
            break;
        }
        ...
{code}
This method iterates through the nodes and, if it hits the '>' descendant, it simply
adds all privileges of all child nodes.
So if the authorization config reads:
{code:xml}
<authorizationEntry topic="messages.>"
                    read="admins"
                    write="admins"
                    admin="admins"/>
<authorizationEntry topic="messages.cat1"
                    read="admins, users"
                    write="admins, users"
                    admin="admins, users"/>
{code}
then this code will add the privileges of messages.cat2 to messages.>, as in
its internal representation "messages.cat2" is a subnode of "messages.>".
This privilege inheritance does not look correct to me.
Should it instead not only grant the privileges defined explicitly for
"messages.>"?
> Unprivileged users can receive messages from a protected topic when using
> wildcards in destination
> --------------------------------------------------------------------------------------------------
>
> Key: AMQ-3598
> URL: https://issues.apache.org/jira/browse/AMQ-3598
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Affects Versions: 5.5.0, 5.5.1
> Environment: OS: Mac OS X 10.6.8
> JRE/JDK: 1.6.0_29
> ActiveMQ: 5.5.0
> Reporter: Thorsten Panitz
> Labels: authorization, security
> Attachments: ActiveMQAuthorizationBug.zip
>
>
> A consumer can receive messages from protected queues/topics if he uses a
> Destination which contains a wildcard as described
> [here|http://activemq.apache.org/wildcards.html]:
> {code:language=java}
> Destination queue = new ActiveMQQueue("messages.>");
> Destination topic = new ActiveMQTopic(">");
> {code}
> We are using the default authentication/authorization system as described in
> [Security
> Authentication/Authorization|http://activemq.apache.org/security.html#Security-Authorization]
> with the following configuration:
> {code:title=broker.xml|language=xml}
> <plugins>
>   <simpleAuthenticationPlugin>
>     <users>
>       <authenticationUser
>           username="admin"
>           password="admin"
>           groups="admins"/>
>       <authenticationUser
>           username="user"
>           password="user"
>           groups="users"/>
>     </users>
>   </simpleAuthenticationPlugin>
>   <authorizationPlugin>
>     <map>
>       <authorizationMap>
>         <authorizationEntries>
>           <authorizationEntry topic="messages.>"
>               read="admins"
>               write="admins"
>               admin="admins"/>
>           <authorizationEntry topic="messages.cat2"
>               read="admins"
>               write="admins"
>               admin="admins"/>
>           <authorizationEntry topic="messages.cat1"
>               read="admins, users"
>               write="admins, users"
>               admin="admins, users"/>
>           <authorizationEntry topic="ActiveMQ.Advisory.>"
>               read="admins, users"
>               write="admins, users"
>               admin="admins, users"/>
>         </authorizationEntries>
>       </authorizationMap>
>     </map>
>   </authorizationPlugin>
> </plugins>
> {code}
> As expected, clients connecting as "user" to the topic "messages.cat2" get
> an exception ("User user is not authorized to read from:
> topic://messages.cat2"). Surprisingly, "user" can receive messages from topic
> "messages.cat2" if he creates a consumer with the destination "messages.>":
> {code:title=consumer.java|language=java}
> final Destination destination = new ActiveMQTopic("messages.>");
> final Connection conn = new ActiveMQConnectionFactory("user", "user",
>         BROKER_URL).createConnection();
> final Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
> final MessageConsumer consumer = session.createConsumer(destination);
> conn.start();
> closure.run();
> final Message message = consumer.receive(TIMEOUT);
> session.close();
> conn.close();
> {code}
> IMHO this behaviour is a security problem as an unprivileged user can receive
> messages from a protected topic or queue!
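The lookup behaviour described in the comment above, next to the alternative it proposes, as an added example that is not ActiveMQ code and not part of the original message. The class `WildcardAclDemo` and its methods are hypothetical names; the model is constructed, covers only read ACLs and the trailing `>` branch, and loads the three `messages.*` entries from the reporter's broker.xml.

```java
import java.util.*;
// Constructed model of the lookup described in the comment; not ActiveMQ's own classes.
public class WildcardAclDemo {
    static final String ANY_DESCENDENT = ">";
    final Node root = new Node();
    static class Node {
        final Map<String, Node> children = new HashMap<>();
        final Set<String> readGroups = new TreeSet<>();   // read ACL stored at this node
        void collect(Set<String> answer) {                // this node plus every descendant
            answer.addAll(readGroups);
            for (Node child : children.values()) child.collect(answer);
        }
    }
    // Store the read groups of one authorizationEntry under its dotted destination name.
    void put(String destination, String... groups) {
        Node node = root;
        for (String path : destination.split("\\."))
            node = node.children.computeIfAbsent(path, p -> new Node());
        node.readGroups.addAll(Arrays.asList(groups));
    }
    // Descend the first `count` path segments; null if no such node exists.
    Node find(String[] paths, int count) {
        Node node = root;
        for (int i = 0; i < count && node != null; i++) node = node.children.get(paths[i]);
        return node;
    }
    // Behaviour described in the comment: reaching '>' pulls in the ACLs of all child nodes.
    Set<String> inheritedReadGroups(String destination) {
        String[] paths = destination.split("\\.");
        boolean wildcard = paths[paths.length - 1].equals(ANY_DESCENDENT);
        Node node = find(paths, wildcard ? paths.length - 1 : paths.length);
        Set<String> answer = new TreeSet<>();
        if (node != null && wildcard) node.collect(answer);
        else if (node != null) answer.addAll(node.readGroups);
        return answer;
    }
    // Alternative raised in the comment: only the ACL defined for the requested name itself.
    Set<String> explicitReadGroups(String destination) {
        String[] paths = destination.split("\\.");
        Node node = find(paths, paths.length);
        return node == null ? Collections.<String>emptySet() : node.readGroups;
    }
    public static void main(String[] args) {
        WildcardAclDemo map = new WildcardAclDemo();      // entries from the reporter's config
        map.put("messages.>", "admins");
        map.put("messages.cat2", "admins");
        map.put("messages.cat1", "admins", "users");
        System.out.println("inherited: " + map.inheritedReadGroups("messages.>"));
        System.out.println("explicit:  " + map.explicitReadGroups("messages.>"));
    }
}
```

With these entries the inherited lookup for `messages.>` includes `users`, contributed by the `messages.cat1` entry, while the explicit lookup contains only `admins`.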