[ https://issues.apache.org/jira/browse/QPID-2570?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gordon Sim resolved QPID-2570.
------------------------------
Resolution: Fixed
Resolved by r941636.
> Broker uses NotAllowedException for ACL violations, should use
> UnauthorisedAccessException
> ------------------------------------------------------------------------------------------
>
> Key: QPID-2570
> URL: https://issues.apache.org/jira/browse/QPID-2570
> Project: Qpid
> Issue Type: Bug
> Components: C++ Broker
> Affects Versions: 0.6
> Reporter: Gordon Sim
> Assignee: Gordon Sim
> Fix For: 0.7
>
>
> The broker uses NotAllowedException[1] in most places when authorisation
> fails. This seems wrong to me as NotAllowedException is used for specific
> types of invalid command requests (e.g. declaring an existing exchange with a
> different type, or trying to create exchanges with prohibited prefixes). As
> it stands it is not possible to reliably distinguish between these two very
> different situations in code.
> A more appropriate exception for authorisation failures would be
> UnauthorisedAccessException[2] which is only used in one place (when a
> message is sent with a userid that differs from the authenticated id).
> Obviously this breaks backwards compatibility to a degree, but I think in
> this case it is justified. At worst it would require applications to
> reconsider catching UnauthorizedAccessException wherever they are currently
> explicitly catching NotAllowedException.
> [1] Described in specification as indicating: "The peer tried to use a
> command a manner that is inconsistent with the rules described in the
> specification."
> [2] Described in specification as indicating: "The client attempted to work
> with a server entity to which it has no access due to security settings."