[ https://issues.apache.org/jira/browse/AMQ-5814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14611809#comment-14611809 ]

Christopher L. Shannon edited comment on AMQ-5814 at 7/2/15 11:26 AM:
----------------------------------------------------------------------
I looked at this a little yesterday. When the producer sends a message, it
causes a new destination to get created because the subscriber is listening on
a wildcard destination. The issue seems to be that during destination
creation, the ConnectionContext of the producer is used to create the
destination, instead of the consumer's. (This happens in the
addSubscriptionsForDestination method of TopicRegion.) The end result is that
the security check fails in the addSubscription method of
AuthorizationDestinationFilter because it uses the producer's ACLs instead of
the consumer's ACLs to determine if the subscription is allowed.

was (Author: christopher.l.shannon):
I looked at this a little yesterday. When the producer sends a message it
causes a new destination to get created because the subscriber is listening on
a wildcard destination. The issue seems to be that during destination
creation, the ConnectionContext of the producer is used to create the
destination, instead of the Consumer. (Happens in
addSubscriptionsForDestination method of TopicRegion). The end result is the
security check fails in the addSubscription method of
AuthorizationDestinationFilter because it uses the producers ACLs instead of
the consumers ACLs to determine if the subscription is allowed.

> Wrong with role-based authorization when using right permission
> ---------------------------------------------------------------
>
> Key: AMQ-5814
> URL: https://issues.apache.org/jira/browse/AMQ-5814
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker, MQTT
> Affects Versions: 5.10.0, 5.10.2, 5.11.0, 5.11.1
> Environment: Unix, Windows
> Reporter: PhuNH5-VTICT
> Priority: Critical
> Fix For: 5.12.0
>
> Attachments: activemq-snapshot-5.12-20150529.223833.txt
>
>
> Since version 5.10, the problem has been caused by the broker. It has been
> behaving incorrectly with role-based authorization. I have configured the
> SimpleAuthorization plugin correctly, but no luck.
> I guess the problem comes from -AMQ-5160-.
> Here are my test cases on GitHub; please review and let me know if you have
> any questions:
> https://github.com/hongphu8790/activemq/tree/master/mqtt-authorization-test
> Project test-case descriptions:
> - Using debug mode for the broker to view the problem in detail.
> - Repeat with the pom.xml file:
> + With AMQ 5.9.1 (it will pass all test cases)
> + With AMQ >= 5.10.0 (it will pass only the test cases where the publisher
> has super permission)
> Here is my log from when the test case failed:
> {code:title=Log debug mode - activemq.log|borderStyle=solid}
> 2015-05-29 10:30:24,746 | DEBUG | AbstractRegion |
> Subscription denied for TopicSubscription:
> consumer=ID:XXXXXX-50828-1432870224218-2:2:-1:1, destinations=0,
> dispatched=0, delivered=0, matched=0, discarded=0 to destination
> topic://dcu.id: User publisher is not authorized to read from: topic://dcu.id
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
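
The cause described in the comment above, as an added example that is not ActiveMQ source or code from the issue: a simplified Java model in which a send creates a topic and existing wildcard subscriptions are attached to it, with the read check run either as the sender or as the subscription's owner. All class and method names, the `dcu.>` wildcard pattern and the ACL table are constructed for illustration.

```java
import java.util.*;

// Simplified model, not ActiveMQ source: every name here is hypothetical.
public class WildcardAuthzDemo {
    record Context(String user) {}
    record Subscription(Context owner, String pattern) {}

    // Constructed ACL: only "consumer" may read topics under "dcu.".
    static final Map<String, Set<String>> READ_ACL = Map.of("dcu.", Set.of("consumer"));
    static final List<Subscription> wildcardSubs = new ArrayList<>();

    static boolean canRead(Context ctx, String topic) {
        return READ_ACL.entrySet().stream()
            .anyMatch(e -> topic.startsWith(e.getKey()) && e.getValue().contains(ctx.user()));
    }

    // Only a trailing ">" wildcard is modelled.
    static boolean matches(String pattern, String topic) {
        return pattern.endsWith(">")
            ? topic.startsWith(pattern.substring(0, pattern.length() - 1))
            : pattern.equals(topic);
    }

    // Runs when a send creates a new topic and attaches matching wildcard subscriptions.
    // useOwnerContext=false: the read check runs as the sender (behaviour in the comment).
    // useOwnerContext=true: the read check runs as the subscription's owner.
    static List<String> attachOnCreate(Context sender, String topic, boolean useOwnerContext) {
        List<String> attached = new ArrayList<>();
        for (Subscription s : wildcardSubs) {
            if (!matches(s.pattern(), topic)) continue;
            Context checked = useOwnerContext ? s.owner() : sender;
            if (canRead(checked, topic)) {
                attached.add(s.owner().user());
            } else {
                System.out.println("Subscription denied: User " + checked.user()
                    + " is not authorized to read from: topic://" + topic);
            }
        }
        return attached;
    }

    public static void main(String[] args) {
        wildcardSubs.add(new Subscription(new Context("consumer"), "dcu.>"));
        Context publisher = new Context("publisher"); // constructed: no read permission
        System.out.println("sender context: " + attachOnCreate(publisher, "dcu.id", false));
        System.out.println("owner context:  " + attachOnCreate(publisher, "dcu.id", true));
    }
}
```

In the sender-context run the authorized consumer is dropped because of the publisher's missing read permission, which matches the shape of the log line in the report; the inverse case, a highly privileged sender, would attach subscriptions whose owners lack read access.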