cshannon commented on PR #1198: URL: https://github.com/apache/activemq/pull/1198#issuecomment-2043752900
This is not really a bug to me, it's a side effect of how wild card subscriptions work in the broker. The issue here is not with the authorization plugin or logic but with how subscriptions currently work. When consumers are created, subscriptions get added for all matching destinations. In this case, there are 2 matching destinations because of the wildcard destination that was auto created. When creating a consumer on Topic A.B, first the new consumer is [authorized](https://github.com/apache/activemq/blob/e025e443e65d4bd3c2c27f11d6caa7bfbd2c9626/activemq-broker/src/main/java/org/apache/activemq/security/AuthorizationBroker.java#L148) on that destination and that passes. But then later on the addSubscription() is called for both destinations to add two subscriptions for the new consumer...one on A.B which is properly [authorized](https://github.com/apache/activemq/blob/e025e443e65d4bd3c2c27f11d6caa7bfbd2c9626/activemq-broker/src/main/java/org/apache/activemq/security/AuthorizationDestinationFilter.java#L40) and then another on A.> which is not authorized because there's no proper ACLs for "users" when adding the subscription for A.> So this is just how the broker currently works to handle wildcard subscriptions, since you are publishing to a wildcard topic then any subscription that matches needs to also subscribe tot he wildcard to get that message. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
