[
https://issues.apache.org/jira/browse/AMQ-8116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
OLIVIER LE TIEC updated AMQ-8116:
---------------------------------
Description:
----
Reminder:
A permission pattern looks like: A:B:C, with A, B and C being 'parts' of the
permission.
Each 'part' can have one or more 'tokens', like 'read,write'.
So a permission with activemq looks like:
queue:queue1,queue2:read,write
granting access on queue1 and queue2, for read or write access.
----
The WildcardPermission class from the Shiro library states that tokens are a list of
authorized items, for example: newsletter:view,edit,create grants view, edit
and create rights upon the newsletter item.
(ref
[https://github.com/apache/shiro/blob/master/core/src/main/java/org/apache/shiro/authz/permission/WildcardPermission.java]
)
The ActiveMQWildcardPermission class (in activemq projects) extends this class by
allowing each 'part' to be not only a single wildcard '*', but also a wildcard
string.
topic:ActiveMQ.Advisory* grants all access to the topics starting with the given
string.
To do so, this class redefines the implies function, but breaks the above
requirements.
queue:*:read,create
should grant read and create access on all queues, but this is not working, as
queue:testqueue:read
will fail to validate.
Test code:
    WildcardPermission permission = new ActiveMQWildcardPermission("queue:*:read,create", true);
    WildcardPermission action = new ActiveMQWildcardPermission("queue:testqueue:read", true);
    assert(permission.implies(action));
Replacing new ActiveMQWildcardPermission with new WildcardPermission (parent
class) will pass this specific assert (but won't match a wildcard string like
'test*', and is not a suitable swap).
was:
-----
Reminder:
A permission pattern looks like: A:B:C, with A, B and C being 'parts' of the
permission.
Each 'part' can have one or more 'tokens', like 'read,write'.
So a permission with activemq looks like:
queue:queue1,queue2:read,write
granting access on queue1 and queue2, for read or write access.
-----
The WildcardPermission class from the Shiro library states that tokens are a list of
authorized items, for example: newsletter:view,edit,create grants view, edit
and create rights upon the newsletter item.
(ref
[https://github.com/apache/shiro/blob/master/core/src/main/java/org/apache/shiro/authz/permission/WildcardPermission.java]
)
The ActiveMQWildcardPermission class (in activemq projects) extends this class by
allowing each 'part' to be not only a single wildcard '*', but also a wildcard
string.
topic:ActiveMQ.Advisory* grants all access to the topics starting with the given
string.
To do so, this class redefines the implies function, but breaks the above
requirements.
queue:*:read,create
should grant read and create access on all queues, but this is not working, as
queue:testqueue:read
will fail to validate.
Test code:
    WildcardPermission permission = new ActiveMQWildcardPermission("queue:*:read,create", true);
    WildcardPermission action = new ActiveMQWildcardPermission("queue:testqueue:read", true);
    assert(permission.implies(action));
Replacing new ActiveMQWildcardPermission with new WildcardPermission (parent
class) will pass the assert.
> ActiveMQWildcardPermission with multiple tokens inconsistent with parent
> WildcardPermission class
> -------------------------------------------------------------------------------------------------
>
> Key: AMQ-8116
> URL: https://issues.apache.org/jira/browse/AMQ-8116
> Project: ActiveMQ
> Issue Type: Bug
> Components: Plugin
> Affects Versions: 5.16.0, 5.15.14
> Reporter: OLIVIER LE TIEC
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: 5.17.0, 5.16.1, 5.15.15
>
> Time Spent: 10m
> Remaining Estimate: 0h
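The behaviour the report expects from implies, written out as an added example; this is not the ActiveMQ or Shiro code. Each part is a comma-separated token list and a granted token may contain '*'. The class and method names are hypothetical, matching is case-sensitive, and only '*' is treated as a wildcard.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

// Added illustration of the expected semantics; names are hypothetical.
public class TokenWildcardDemo {
    // "queue:q1,q2:read" -> [[queue], [q1, q2], [read]]
    static List<List<String>> parse(String permission) {
        return Arrays.stream(permission.split(":"))
                .map(part -> Arrays.asList(part.split(",")))
                .collect(Collectors.toList());
    }

    // '*' inside a granted token matches any run of characters; the rest is literal.
    static boolean glob(String pattern, String value) {
        String regex = Arrays.stream(pattern.split("\\*", -1))
                .map(Pattern::quote)
                .collect(Collectors.joining(".*"));
        return value.matches(regex);
    }

    static boolean implies(String granted, String requested) {
        List<List<String>> g = parse(granted), r = parse(requested);
        for (int i = 0; i < r.size(); i++) {
            if (i >= g.size()) return true; // granted is shorter: remaining parts implied
            List<String> grantedTokens = g.get(i);
            // Every requested token must be covered by at least one granted token.
            for (String want : r.get(i)) {
                if (grantedTokens.stream().noneMatch(t -> glob(t, want))) return false;
            }
        }
        // Extra granted parts only imply a shorter request if they are wildcards.
        for (int i = r.size(); i < g.size(); i++) {
            if (!g.get(i).contains("*")) return false;
        }
        return true;
    }

    static void check(boolean expected, String granted, String requested) {
        if (implies(granted, requested) != expected)
            throw new AssertionError(granted + " vs " + requested);
    }

    public static void main(String[] args) {
        check(true, "queue:*:read,create", "queue:testqueue:read");   // case from the report
        check(false, "queue:*:read,create", "queue:testqueue:write"); // token not granted
        check(true, "queue:queue1,queue2:read,write", "queue:queue2:write");
        check(true, "topic:ActiveMQ.Advisory*", "topic:ActiveMQ.Advisory.Connection:create");
        check(false, "queue:test*:read", "queue:prod:read");          // wildcard string must match
        System.out.println("all checks passed");
    }
}
```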