[ 
https://issues.apache.org/activemq/browse/AMQ-826?page=comments#action_37283 ] 
            
Nikola Goran Cutura commented on AMQ-826:
-----------------------------------------

Thanks for the wildcard link. I did not implement '*'; I'll finish it as well. Is 
it possible to have a kind of regular expression like STOCKS.PRICE.NYSE.*BM ?

Regarding composite destinations, I would like your attention:

Union of ACLs means that if a user has privilege on at least one destination, 
all destinations will allow operation.
Intersection of ACLs means that if a user lacks privilege on at least one 
destination, no destination will allow operation.

I'll produce a test to verify this, but my point is that the current implementation 
of union is a security leak (if my understanding is correct). Suppose that a 
guest user wants to read from a destination not authorized for guests, say 
destination USERS.SECRET. A guest may create a destination in the GUEST space with 
all necessary privileges, say GUEST.ALLOW. Now, the user creates a composite 
destination (GUEST.ALLOW, USERS.SECRET) and attempts an operation:

Case UNION: as the operation is permitted on GUEST.ALLOW, that is sufficient for the 
composite destination; the operation is performed on both destinations in spite of 
the fact that the user is not authorized for the other.

Case INTERSECTION: as the operation is NOT permitted on USERS.SECRET, no operation 
is attempted on the composite destination.

Now, maybe I got it wrong, but the method 'getXXXXXACLs()' in 
DefaultAuthorizationMap is pretty clear - it adds all ACLs from all entries...

> LDAP based authorization support
> --------------------------------
>
>                 Key: AMQ-826
>                 URL: https://issues.apache.org/activemq/browse/AMQ-826
>             Project: ActiveMQ
>          Issue Type: Improvement
>            Reporter: james strachan
>         Assigned To: Nikola Goran Cutura
>         Attachments: LdapAuth.zip
>
>
> Patch kindly added by ngcutura - discussion thread...
> http://www.nabble.com/LDAP-Authorization-tf1851705.html#a5344494

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://issues.apache.org/activemq/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
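The union-versus-intersection point in the comment above, worked through as an added example (this is not code from ActiveMQ or from the commenter's patch). It models a small read-ACL map keyed by destination pattern, a matcher for ActiveMQ-style wildcards ('*' matches exactly one dot-separated segment, '>' matches one or more trailing segments), the per-destination union of matching entries that the comment attributes to getXXXACLs(), and the two composite policies. The ACL table, group names and destination names are constructed for the example; `composite_allows` and its `policy` parameter are hypothetical names, not the broker's API.

```python
from typing import Dict, Iterable, Set

# Constructed read-ACL table modelled on an ActiveMQ-style authorization map:
# destination pattern -> set of groups allowed to read from it.
READ_ACLS: Dict[str, Set[str]] = {
    "GUEST.>": {"guests", "users"},   # guests may create/read anything under GUEST
    "USERS.>": {"users"},             # USERS.* is off-limits to guests
    "STOCKS.PRICE.*": {"traders"},
}


def pattern_matches(pattern: str, destination: str) -> bool:
    """Match a dot-separated destination against an ActiveMQ-style pattern.

    '*' matches exactly one segment; '>' (only valid as the last segment)
    matches one or more trailing segments. A '*' never matches part of a
    segment, so 'STOCKS.PRICE.NYSE.*BM' would be taken literally, not as a regex.
    """
    p = pattern.split(".")
    d = destination.split(".")
    for i, seg in enumerate(p):
        if seg == ">":
            return i == len(p) - 1 and len(d) > i
        if i >= len(d) or (seg != "*" and seg != d[i]):
            return False
    return len(d) == len(p)


def allowed_groups(destination: str, acls: Dict[str, Set[str]]) -> Set[str]:
    """Union of the ACLs of every entry matching this single destination.

    This is the per-destination behaviour the comment describes: every matching
    entry contributes its groups.
    """
    groups: Set[str] = set()
    for pattern, entry_groups in acls.items():
        if pattern_matches(pattern, destination):
            groups |= entry_groups
    return groups


def single_allows(destination: str, user_groups: Set[str],
                  acls: Dict[str, Set[str]]) -> bool:
    return bool(allowed_groups(destination, acls) & user_groups)


def composite_allows(destinations: Iterable[str], user_groups: Set[str],
                     acls: Dict[str, Set[str]], policy: str) -> bool:
    """Authorize a composite destination under one of the two policies.

    'union': permitted if ANY component permits (the leak the comment describes,
             since the operation then runs against every component).
    'intersection': permitted only if EVERY component permits.
    """
    decisions = [single_allows(d, user_groups, acls) for d in destinations]
    if policy == "union":
        return any(decisions)
    if policy == "intersection":
        return all(decisions)
    raise ValueError(f"unknown policy: {policy}")


def guest_composite_demo() -> Dict[str, bool]:
    """The scenario from the comment: a guest reading (GUEST.ALLOW, USERS.SECRET)."""
    guest = {"guests"}
    composite = ["GUEST.ALLOW", "USERS.SECRET"]
    return {
        "GUEST.ALLOW alone": single_allows("GUEST.ALLOW", guest, READ_ACLS),
        "USERS.SECRET alone": single_allows("USERS.SECRET", guest, READ_ACLS),
        "composite under union": composite_allows(composite, guest, READ_ACLS, "union"),
        "composite under intersection": composite_allows(composite, guest, READ_ACLS, "intersection"),
    }


if __name__ == "__main__":
    for label, decision in guest_composite_demo().items():
        print(f"{label:32s} -> {'ALLOW' if decision else 'DENY'}")
```

Under union the guest's composite read is allowed solely because GUEST.ALLOW is permitted, yet the read is then served from USERS.SECRET as well; intersection denies the whole composite as soon as one component fails, which is the behaviour a least-privilege check needs.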
