[
https://issues.apache.org/jira/browse/QPID-5299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gordon Sim reassigned QPID-5299:
--------------------------------
Assignee: Gordon Sim
> ACL rules should be checked before checking node's existence and returning
> amqp:not-found error
> -----------------------------------------------------------------------------------------------
>
> Key: QPID-5299
> URL: https://issues.apache.org/jira/browse/QPID-5299
> Project: Qpid
> Issue Type: Bug
> Components: C++ Broker
> Affects Versions: 0.25
> Environment: Apache Qpid C++ broker, CentOS
> Reporter: Jakub Scholz
> Assignee: Gordon Sim
> Fix For: 0.25
>
>
> When a client is connecting with AMQP 1.0 to the C++ broker and the node from
> which it wants to consume messages doesn't exist, the broker throws an
> amqp:not-found error even when ACL rules deny the user to access or publish
> from the given node (queue).
> This problem might to some extent exist also with AMQP 0.10. But the Qpid
> AMQP 0.10 clients always query the existence of a queue/exchange before
> connecting to it and the QueueQuery / QueueDeclare calls are ACL protected,
> so the Qpid based AMQP 0.10 client always receives the ACL error before the
> not-found error. But I guess if you skip the QueueQuery / QueueDeclare and go
> directly to MessageSubscribe the same problem as with AMQP 1.0 might exist in
> AMQP 0.10 as well.
> For security reasons, I would assume that the ACL check for access or
> publish rules should be done before revealing that the queue doesn't exist.
> The broker should not reveal any details about its configuration if the ACL
> rights don't allow it.
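
The check ordering the report describes, next to the ordering it asks for, as an added example that is not Qpid source code and not part of the original message. ToyBroker, its methods and the sample users and queues are hypothetical, and the ACL model is simplified to (user, queue) allow pairs with default deny.

```cpp
#include <set>
#include <string>
#include <utility>

enum class Result { Attached, NotFound, UnauthorizedAccess };

// Hypothetical stand-in for a broker; not the Qpid C++ broker's classes.
struct ToyBroker {
    std::set<std::string> queues;                                // nodes that exist
    std::set<std::pair<std::string, std::string>> allowConsume;  // (user, queue); default deny

    bool aclAllows(const std::string& user, const std::string& queue) const {
        return allowConsume.count({user, queue}) > 0;
    }

    // Ordering described in the report: existence is checked first, so a
    // denied user gets a different reply for existing and missing queues.
    Result attachLookupFirst(const std::string& user, const std::string& queue) const {
        if (!queues.count(queue)) return Result::NotFound;
        if (!aclAllows(user, queue)) return Result::UnauthorizedAccess;
        return Result::Attached;
    }

    // Ordering the report asks for: the ACL decides first, from the requested
    // name alone, so the reply to a denied user does not depend on broker state.
    Result attachAclFirst(const std::string& user, const std::string& queue) const {
        if (!aclAllows(user, queue)) return Result::UnauthorizedAccess;
        if (!queues.count(queue)) return Result::NotFound;
        return Result::Attached;
    }
};

// Constructed sample state: "orders" exists, "ghost" does not;
// alice may consume from both names, mallory from neither.
ToyBroker sampleBroker() {
    ToyBroker b;
    b.queues = {"orders"};
    b.allowConsume = {{"alice", "orders"}, {"alice", "ghost"}};
    return b;
}

// True when a user's replies differ between an existing and a missing queue.
bool leaksExistence(const ToyBroker& b, bool aclFirst, const std::string& user) {
    auto probe = [&](const std::string& q) {
        return aclFirst ? b.attachAclFirst(user, q) : b.attachLookupFirst(user, q);
    };
    return probe("orders") != probe("ghost");
}
```

An authorized user still receives the not-found reply under the ACL-first ordering; only the denied user's view becomes independent of which queues exist.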