Wesley Holevinski created QPID-5833:
---------------------------------------
Summary: Message's userId check in C++ broker prevents sending messages between different users
Key: QPID-5833
URL: https://issues.apache.org/jira/browse/QPID-5833
Project: Qpid
Issue Type: Bug
Affects Versions: 0.28
Reporter: Wesley Holevinski
The lines in question are:
{noformat}
df36b35e qpid/cpp/src/qpid/broker/SemanticState.cpp (Gordon Sim 2012-08-10 12:04:27 +0000 490) std::string id = msg.getUserId();
ae0f6726 qpid/cpp/src/qpid/broker/SemanticState.cpp (Alan Conway 2011-12-06 15:56:40 +0000 491) if (authMsg && !id.empty() && !session.getConnection().isAuthenticatedUser(id))
63f48b2f qpid/cpp/src/qpid/broker/SemanticState.cpp (Rajith Muditha Attapattu 2008-09-25 18:40:32 +0000 492) {
d7c67754 qpid/cpp/src/qpid/broker/SemanticState.cpp (Gordon Sim 2008-10-10 16:54:54 +0000 493) QPID_LOG(debug, "authorised user id : " << userID << " but user id in message declared as " << id);
d7c67754 qpid/cpp/src/qpid/broker/SemanticState.cpp (Gordon Sim 2008-10-10 16:54:54 +0000 494) throw UnauthorizedAccessException(QPID_MSG("authorised user id : " << userID << " but user id in messag
63f48b2f qpid/cpp/src/qpid/broker/SemanticState.cpp (Rajith Muditha Attapattu 2008-09-25 18:40:32 +0000 495) }
{noformat}
---
Up until this point, we haven't been using a JMS client; we've found that the
JMS client will insert the userId into the message:
{noformat}
d4d85f06 (Rajith Muditha Attapattu 2008-09-25 18:35:11 +0000 117) // On the receiving side, this will be read in to the JMSXUserID as well.
dd2ed172 (Rajith Muditha Attapattu 2008-10-01 19:27:19 +0000 118) messageProps.setUserId(userIDBytes);
d4d85f06 (Rajith Muditha Attapattu 2008-09-25 18:35:11 +0000 119)
21c61b77 (Rafael H. Schloming 2008-07-09 13:26:54 +0000 120) if (messageId != null)
21c61b77 (Rafael H. Schloming 2008-07-09 13:26:54 +0000 121) {
21c61b77 (Rafael H. Schloming 2008-07-09 13:26:54 +0000 122) messageProps.setMessageId(messageId);
21c61b77 (Rafael H. Schloming 2008-07-09 13:26:54 +0000 123) }
{noformat}
---
Our scenario:
1. Send message to a broker using the JMS client; authenticate as user: 'tester'
2. Consume message from destination queue as user 'mgmt'
{noformat}
Result: "unauthorized-access: authorised user id : mgmt@QPID but user id in message declared as tester (/builddir/build/BUILD/qpid-0.28-rc2/cpp/src/qpid/broker/SemanticState.cpp:497"
{noformat}
---
I'll work on providing a full end to end simple example for this.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
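Added example, not part of the report above and not Qpid's own code: a compact C++ model of the broker-side check quoted from SemanticState.cpp together with the client-side property stamping, so the "tester" vs "mgmt@QPID" rejection can be reproduced offline. The names Connection, MessageProps, checkUserId, accepts, buildOutgoing and forwardCopy are stand-ins chosen for this example. It assumes that the authenticated principal may carry a SASL realm ("mgmt@QPID") and that a declared id matches either the full principal or the part before the "@"; the page does not show how the real isAuthenticatedUser compares them, and the model is deliberately lenient there so that the realm is not what causes the failure.

```cpp
// Added example, not Qpid's own code: a model of the broker-side user-id check
// quoted from SemanticState.cpp plus the JMS-style client stamping, so the
// 'tester' vs 'mgmt@QPID' rejection can be reproduced offline.
#include <iostream>
#include <stdexcept>
#include <string>

// Stand-in for the broker's UnauthorizedAccessException.
struct UnauthorizedAccess : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Stand-in for session.getConnection().isAuthenticatedUser(id).
// Assumption (not shown on the page): the authenticated principal may carry a
// SASL realm, e.g. "mgmt@QPID", and a declared id matches if it equals the
// full principal or the part before '@'.
struct Connection {
    std::string userId;  // authenticated principal for this connection

    bool isAuthenticatedUser(const std::string& id) const {
        if (id == userId) return true;
        std::string::size_type at = userId.find('@');
        return at != std::string::npos && id == userId.substr(0, at);
    }
};

// Same shape as the quoted check: enforced only when authMsg is on and the
// message declares a user id; a declared id that is not the connection's
// authenticated user is rejected.
void checkUserId(bool authMsg, const std::string& declared, const Connection& conn) {
    if (authMsg && !declared.empty() && !conn.isAuthenticatedUser(declared)) {
        throw UnauthorizedAccess("authorised user id : " + conn.userId +
                                 " but user id in message declared as " + declared);
    }
}

// True if the broker model accepts the message, false if it would raise
// unauthorized-access.
bool accepts(bool authMsg, const std::string& declared, const std::string& principal) {
    try {
        checkUserId(authMsg, declared, Connection{principal});
        return true;
    } catch (const UnauthorizedAccess&) {
        return false;
    }
}

// Client side. The quoted JMS code stamps the sender's own id into the message
// properties; a consumer later sees it as JMSXUserID.
struct MessageProps {
    std::string userId;
    std::string messageId;
};

MessageProps buildOutgoing(const std::string& authenticatedAs, const std::string& messageId) {
    MessageProps p;
    p.userId = authenticatedAs;  // what messageProps.setUserId(userIDBytes) does
    if (!messageId.empty()) p.messageId = messageId;
    return p;
}

// A copy suitable for re-sending over a connection authenticated as someone
// else: everything is kept except the user id, which the broker check would
// otherwise compare against the forwarding connection's principal.
MessageProps forwardCopy(const MessageProps& received) {
    MessageProps p = received;
    p.userId.clear();
    return p;
}

int main() {
    MessageProps m = buildOutgoing("tester", "ID:1");

    // Original sender: 'tester' declared on a connection authenticated as tester.
    std::cout << "tester sends as tester:   " << accepts(true, m.userId, "tester@QPID") << '\n';
    // The scenario from the report: the same id handled on the 'mgmt' connection.
    std::cout << "mgmt handles tester's id: " << accepts(true, m.userId, "mgmt@QPID") << '\n';
    // Check disabled, or no id declared: both pass.
    std::cout << "authMsg off:              " << accepts(false, m.userId, "mgmt@QPID") << '\n';
    std::cout << "no user id declared:      " << accepts(true, "", "mgmt@QPID") << '\n';
    // Re-sending on another connection: drop the inherited user id first.
    std::cout << "mgmt re-sends cleared:    " << accepts(true, forwardCopy(m).userId, "mgmt@QPID") << '\n';
    return 0;
}
```

The model makes the two halves of the report visible side by side: the client unconditionally stamps its own user id, and the broker refuses any declared id that is not the authenticated user of the connection it arrives on. Clearing the inherited id before re-sending, as forwardCopy does, is the client-side adjustment that satisfies the check; whether the broker should instead skip the comparison is what the issue is asking.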