[ https://issues.apache.org/jira/browse/AMQ-5160?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13991105#comment-13991105 ]
Dhiraj Bokde commented on AMQ-5160:
-----------------------------------
[~dejanb] How are you planning on adding the MQTT retained message recovery
policy? In theory it should be added on the fly from the MQTT protocol
converter when an MQTT client sends a message to a Topic. Also, if another
recovery policy exists on the Topic, then the MQTT policy should act in
parallel with it. What do you think?

In general I like the idea of the recovery policy, since it would allow
non-MQTT connections to receive retained messages too.

Meanwhile, I opened a pull request https://github.com/apache/activemq/pull/21
to add authorization for retained messages with the current approach.
> Wildcard subscriptions bypass Authentication / Authorization
> ------------------------------------------------------------
>
> Key: AMQ-5160
> URL: https://issues.apache.org/jira/browse/AMQ-5160
> Project: ActiveMQ
> Issue Type: Bug
> Components: MQTT
> Affects Versions: 5.9.1
> Reporter: Surf
> Priority: Critical
> Labels: authentication, authorization, mqtt, security
> Fix For: 5.10.0
>
> Attachments: activemq.xml, groups.properties, login.config,
> users.properties
>
>
> I am using MQTT on AMQ 5.9.1.
> After latest MQTT hardening from [~dhirajsb], there is an issue of MQTT
> retained messages.
> Simple case:
> Set Authentication / Authorization for two different TOPICS.
> Send retained message to one topic.
> Try to subscribe to "#" with the other, second user.
> It will show retained messages published by TOPIC 1.
> Here I have attached test configurations.
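Added example, not part of the original message and not ActiveMQ code or the code in the pull request: a broker-agnostic Python model of the case in the quoted report, showing retained-message replay that only matches the subscription filter beside a replay that also authorizes each retained message's own topic for the subscriber. The ACL table, retained store, user names and all function names are constructed for illustration.

```python
# Added illustration: broker-agnostic model, not ActiveMQ code.
# READ_ACL, RETAINED and all function names are hypothetical/constructed.

READ_ACL = {"user1": {"TOPIC1"}, "user2": {"TOPIC2"}}        # constructed ACL
RETAINED = {"TOPIC1": b"for-user1", "TOPIC2": b"for-user2"}  # constructed store


def topic_matches(topic_filter, topic):
    """MQTT 3.1.1 filter match: '+' is one level, '#' is the rest."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    # Topics starting with '$' are not matched by a leading wildcard.
    if topic.startswith("$") and f_levels[0] in ("+", "#"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1  # '#' must be the last level
        if i >= len(t_levels) or level not in ("+", t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


def can_read(user, topic):
    """True if any ACL entry (exact name or filter) covers the concrete topic."""
    return any(topic_matches(f, topic) for f in READ_ACL.get(user, ()))


def retained_unchecked(user, topic_filter):
    """Reported behaviour: replay every retained message the filter matches."""
    return {t: m for t, m in RETAINED.items() if topic_matches(topic_filter, t)}


def retained_checked(user, topic_filter):
    """Replay only retained messages whose own topic the user may read."""
    return {t: m for t, m in RETAINED.items()
            if topic_matches(topic_filter, t) and can_read(user, t)}


if __name__ == "__main__":
    print(sorted(retained_unchecked("user2", "#")))
    print(sorted(retained_checked("user2", "#")))
```

The point of the checked variant is that authorization is evaluated against the concrete topic of each retained message, not against the wildcard filter the subscriber supplied.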