[
https://issues.apache.org/jira/browse/QPID-4356?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Rob Godfrey resolved QPID-4356.
-------------------------------
Resolution: Duplicate
> Java Broker does not validate incoming message-properties.user-id as required
> by AMQP 0-10 spec
> -----------------------------------------------------------------------------------------------
>
> Key: QPID-4356
> URL: https://issues.apache.org/jira/browse/QPID-4356
> Project: Qpid
> Issue Type: Bug
> Components: Java Broker
> Affects Versions: 0.10, 0.12, 0.14, 0.16, 0.18, 0.19
> Reporter: Keith Wall
> Priority: Minor
>
> When the 0-10 protocol is in use, Java Broker does not validate the user-id
> sent by the client as part of the message. According to the AMQP 0-10 spec
> the Broker must (p163):
> {quote}
> user-id vbin creating user id
> The identity of the user responsible for producing the message. The client
> sets this value, and it is authenticated by the broker.
> {quote}
> and
> {quote}
> Rule: authentication
> The server MUST produce an unauthorized-access exception if the user-id field
> is set to a principle for which the client is not authenticated.
> {quote}
> (For 0-8..0-9-1 this validation can be enabled via Broker config see
> advanced/msg-auth)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
