Keith Wall created QPID-4356:
--------------------------------
Summary: Java Broker does not validate incoming
message-properties.user-id as required by AMQP 0-10 spec
Key: QPID-4356
URL: https://issues.apache.org/jira/browse/QPID-4356
Project: Qpid
Issue Type: Bug
Components: Java Broker
Affects Versions: 0.18, 0.16, 0.14, 0.12, 0.10, 0.19
Reporter: Keith Wall
Priority: Minor
When the 0-10 protocol is in use, Java Broker does not validate the user-id
sent by the client as part of the message. According to the AMQP 0-10 spec the
Broker must (p163):
{quote}
user-id vbin creating user id
The identity of the user responsible for producing the message. The client sets
this value, and it is authenticated by the broker.
{quote}
and
{quote}
Rule: authentication
The server MUST produce an unauthorized-access exception if the user-id field
is set to a principle for which the client is not authenticated.
{quote}
(For 0-8..0-9-1 this validation can be enabled via Broker config; see
advanced/msg-auth.)
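
An added example, not part of the original issue and not Qpid's own code: the spec's authentication rule quoted above, written as a per-message check in Java. The class and method names are hypothetical. It assumes the broker holds the connection's authenticated principal as a string, compares it to the user-id vbin as UTF-8 bytes, and lets messages through when the field is not set.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added illustration: all names here are hypothetical, not Qpid's API.
public class UserIdCheck {
    // AMQP 0-10 execution error code for unauthorized-access.
    static final int UNAUTHORIZED_ACCESS = 403;

    static class UnauthorizedAccessException extends Exception {
        final int errorCode = UNAUTHORIZED_ACCESS;
        UnauthorizedAccessException(String message) { super(message); }
    }

    // userId: raw vbin from message-properties.user-id, null when the field is not set.
    // principal: name the connection authenticated as (assumed comparable as UTF-8).
    static void validateUserId(byte[] userId, String principal)
            throws UnauthorizedAccessException {
        if (userId == null) {
            return; // Assumption: the rule only constrains messages that set the field.
        }
        // Compare raw bytes: decoding first would map malformed sequences to
        // replacement characters and could make distinct inputs look equal.
        if (!Arrays.equals(userId, principal.getBytes(StandardCharsets.UTF_8))) {
            throw new UnauthorizedAccessException(
                    "user-id does not match authenticated principal");
        }
    }

    static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    public static void main(String[] args) {
        String principal = "alice"; // constructed sample data
        byte[][] samples = { null, utf8("alice"), utf8("bob"), utf8("Alice"), new byte[0] };
        for (byte[] userId : samples) {
            String shown = userId == null
                    ? "<unset>" : "\"" + new String(userId, StandardCharsets.UTF_8) + "\"";
            try {
                validateUserId(userId, principal);
                System.out.println(shown + " -> accepted");
            } catch (UnauthorizedAccessException e) {
                System.out.println(shown + " -> rejected, error-code " + e.errorCode);
            }
        }
    }
}
```

A field that is set but empty, or that differs only in case, is rejected here; whether a broker should be that strict is a policy choice the quoted rule does not settle.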