[
https://issues.apache.org/jira/browse/AMQ-5151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alexandre Pauzies updated AMQ-5151:
-----------------------------------
Component/s: Broker
> Incorrect authorization on virtual destination (wildcard)
> ---------------------------------------------------------
>
> Key: AMQ-5151
> URL: https://issues.apache.org/jira/browse/AMQ-5151
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Affects Versions: 5.9.0, 5.9.1
> Reporter: Alexandre Pauzies
> Labels: authorization, security, virtualDestinations, wildcard
>
> I'm trying to use authorizationPlugin with virtual destinations:
> testTopic.group1
> testTopic.group2
> This is my authorizationEntries definition:
> <authorizationEntry topic="testTopic.group1.>" write="admins" read="group1"
> admin="admins" />
> <authorizationEntry topic="testTopic.group2.>" write="admins" read="group2"
> admin="admins" />
> <authorizationEntry topic=">" write="admins" read="admins" admin="admins" />
> - When group1 tries to subscribe to testTopic.group2, I get an access denied:
> "User is not authorized to read from..."
> - Same when group2 access group1
> - However, if group1 subscribes to testTopic.> it will have access to
> everything
> I tracked the issue down to DefaultAuthorizationMap,
> getReadACLs(ActiveMQDestination destination)
> This method will combine the read ACL from the 2 sub-topic authorization
> entries and give access to destination "testTopic.>" to anyone in group1 or
> group2.
> Am I doing something wrong?
> Is this scenario supported by authorizationPlugin?
> Thanks,
> Alex
--
This message was sent by Atlassian JIRA
(v6.2#6252)
