mrttx commented on issue #1216: ext fields not signed in client side
URL: https://github.com/apache/rocketmq/issues/1216#issuecomment-495074347

I have captured the args of org.apache.rocketmq.acl.common.AclUtils#combineRequestContent in the broker using arthas:

I think the problem is as follows, when viewing a message by unique key:

1) Before the acl rpc hook is invoked (org.apache.rocketmq.client.impl.MQClientAPIImpl#queryMessage):

```
public void queryMessage(
    final String addr,
    final QueryMessageRequestHeader requestHeader,
    final long timeoutMillis,
    final InvokeCallback invokeCallback,
    final Boolean isUnqiueKey
) throws RemotingException, MQBrokerException, InterruptedException {
    RemotingCommand request = RemotingCommand.createRequestCommand(RequestCode.QUERY_MESSAGE, requestHeader);
    request.addExtField(MixAll.UNIQUE_MSG_QUERY_FLAG, isUnqiueKey.toString());
    this.remotingClient.invokeAsync(MixAll.brokerVIPChannel(this.clientConfig.isVipChannelEnabled(), addr), request, timeoutMillis,
        invokeCallback);
}
```

2) When the acl rpc hook is invoked, before writeAndFlush of the request (org.apache.rocketmq.remoting.protocol.RemotingCommand#headerEncode), the acl rpc hook only uses the fields of the custom request headers.

3) When verifying the signature in the broker, the broker uses the ext fields of the request.

I have tried to fix it, tested it in my environment and created PR #1219. Is there any problem?
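A simplified model of the mismatch described in the comment above, added here as an illustration; it is not RocketMQ code and not part of the comment. The class name, the `sign` helper, the HMAC algorithm, the field values and the `UNIQUE_MSG_QUERY_FLAG` key string (standing in for `MixAll.UNIQUE_MSG_QUERY_FLAG`) are all assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.SortedMap;
import java.util.TreeMap;

public class ExtFieldSignatureDemo {

    // Hypothetical helper: MAC over the field values concatenated in key order.
    static byte[] sign(SortedMap<String, String> fields, byte[] secretKey) throws Exception {
        StringBuilder content = new StringBuilder();
        for (String value : fields.values()) {
            content.append(value);
        }
        Mac mac = Mac.getInstance("HmacSHA256"); // assumption: algorithm picked for the demo
        mac.init(new SecretKeySpec(secretKey, "HmacSHA256"));
        return mac.doFinal(content.toString().getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        byte[] secretKey = "constructed-secret".getBytes(StandardCharsets.UTF_8); // constructed

        // Fields that come from the custom request header (constructed values).
        SortedMap<String, String> headerFields = new TreeMap<>();
        headerFields.put("AccessKey", "constructed-access-key");
        headerFields.put("key", "constructed-unique-key");
        headerFields.put("topic", "TopicTest");

        // What the receiver sees: the header fields plus the flag that was
        // added straight onto the command with addExtField.
        SortedMap<String, String> extFields = new TreeMap<>(headerFields);
        extFields.put("UNIQUE_MSG_QUERY_FLAG", "true"); // placeholder key name

        // Client hook signs the header fields only (step 2 of the comment).
        byte[] clientSignature = sign(headerFields, secretKey);
        // Broker recomputes over every ext field it received (step 3).
        byte[] brokerExpected = sign(extFields, secretKey);
        System.out.println("header-only signature verifies: "
            + MessageDigest.isEqual(clientSignature, brokerExpected)); // constant-time compare

        // When both sides cover the same field set, the same request verifies.
        byte[] alignedSignature = sign(extFields, secretKey);
        System.out.println("ext-field signature verifies:   "
            + MessageDigest.isEqual(alignedSignature, brokerExpected));
    }
}
```

Signing the full set of ext fields also means a field added outside the custom header is integrity-protected; with header-only signing it would not be covered by the MAC at all.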
