Alexandre Pauzies created AMQ-5151:
--------------------------------------
Summary: Incorrect authorization on virtual destination (wildcard)
Key: AMQ-5151
URL: https://issues.apache.org/jira/browse/AMQ-5151
Project: ActiveMQ
Issue Type: Bug
Affects Versions: 5.9.1, 5.9.0
Reporter: Alexandre Pauzies
I'm trying to use authorizationPlugin with virtual destinations:
testTopic.group1
testTopic.group2
This is my authorizationEntries definition:
<authorizationEntry topic="testTopic.group1.>" write="admins" read="group1" admin="admins" />
<authorizationEntry topic="testTopic.group2.>" write="admins" read="group2" admin="admins" />
<authorizationEntry topic=">" write="admins" read="admins" admin="admins" />
- When group1 tries to subscribe to testTopic.group2, I get an access denied:
"User is not authorized to read from..."
- Same when group2 accesses group1
- However, if group1 subscribes to testTopic.> it will have access to everything
I tracked the issue down to DefaultAuthorizationMap,
getReadACLs(ActiveMQDestination destination)
This method will combine the read ACL from the 2 sub-topic authorization
entries and give access to destination "testTopic.>" to anyone in group1 or
group2.
Am I doing something wrong?
Is this scenario supported by authorizationPlugin?
Thanks,
Alex
--
This message was sent by Atlassian JIRA
(v6.2#6252)
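
An added model of the lookup described in this report (not part of the original message and not ActiveMQ code): `overlaps` reproduces the reported union of read ACLs for a wildcard subscription, and `covers` is a hypothetical stricter rule that only counts entries covering the whole subscription. The wildcard semantics and all function names are assumptions of this sketch.

```python
# Simplified model of the lookup described in this report; not ActiveMQ code.
# Assumption: "." separates path elements, "*" matches one element and ">"
# matches zero or more trailing elements.

# Read ACLs of the three authorizationEntry elements from the report.
ENTRIES = {
    "testTopic.group1.>": {"group1"},
    "testTopic.group2.>": {"group2"},
    ">": {"admins"},
}

def overlaps(a, b):
    """True if at least one concrete destination matches both patterns."""
    if (a and a[0] == ">") or (b and b[0] == ">"):
        return True
    if not a or not b:
        return not a and not b
    return (a[0] == b[0] or "*" in (a[0], b[0])) and overlaps(a[1:], b[1:])

def covers(entry, sub):
    """True if every destination matching sub also matches entry."""
    if entry and entry[0] == ">":
        return True
    if not entry or not sub:
        return not entry and not sub
    if sub[0] == ">":
        return False
    return entry[0] in ("*", sub[0]) and covers(entry[1:], sub[1:])

def read_acl(destination, rule):
    """Union of the read ACLs of every entry selected by rule."""
    path = destination.split(".")
    acl = set()
    for pattern, readers in ENTRIES.items():
        if rule(pattern.split("."), path):
            acl |= readers
    return acl

def can_read(group, destination, rule=overlaps):
    """Model of the read check for one group under the chosen rule."""
    return group in read_acl(destination, rule)

if __name__ == "__main__":
    for dest in ("testTopic.group2", "testTopic.>"):
        print(dest, sorted(read_acl(dest, overlaps)), sorted(read_acl(dest, covers)))
```

For concrete destinations both rules select the same entries; they differ only when the subscription itself contains a wildcard.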