[
https://issues.apache.org/jira/browse/AMQ-9472?focusedWorklogId=913534&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-913534
]
ASF GitHub Bot logged work on AMQ-9472:
---------------------------------------
Author: ASF GitHub Bot
Created on: 08/Apr/24 22:36
Start Date: 08/Apr/24 22:36
Worklog Time Spent: 10m
Work Description: cshannon commented on PR #1198:
URL: https://github.com/apache/activemq/pull/1198#issuecomment-2043752900
This is not really a bug to me, it's a side effect of how wild card
subscriptions work in the broker. The issue here is not with the authorization
plugin or logic but with how subscriptions currently work.

When consumers are created, subscriptions get added for all matching
destinations. In this case, there are 2 matching destinations because of the
wildcard destination that was auto created. When creating a consumer on Topic
A.B, first the new consumer is
[authorized](https://github.com/apache/activemq/blob/e025e443e65d4bd3c2c27f11d6caa7bfbd2c9626/activemq-broker/src/main/java/org/apache/activemq/security/AuthorizationBroker.java#L148)
on that destination and that passes.

But then later on the addSubscription() is called for both destinations to
add two subscriptions for the new consumer...one on A.B which is properly
[authorized](https://github.com/apache/activemq/blob/e025e443e65d4bd3c2c27f11d6caa7bfbd2c9626/activemq-broker/src/main/java/org/apache/activemq/security/AuthorizationDestinationFilter.java#L40)
and then another on A.> which is not authorized because there's no proper ACLs
for "users" when adding the subscription for A.>

So this is just how the broker currently works to handle wildcard
subscriptions, since you are publishing to a wildcard topic then any
subscription that matches needs to also subscribe to the wildcard to get that
message.

Issue Time Tracking
-------------------
Worklog Id: (was: 913534)
Time Spent: 0.5h (was: 20m)
> Wildcard publisher auto-creates wildcard topic and breaks authorization
> -----------------------------------------------------------------------
>
> Key: AMQ-9472
> URL: https://issues.apache.org/jira/browse/AMQ-9472
> Project: ActiveMQ Classic
> Issue Type: Bug
> Components: Broker
> Reporter: Albertas Vyšniauskas
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Hi,
> after publishing a message to wildcard topic, a wildcard topic is
> auto-created and interacts poorly with authorization rules.
> Suppose that authorization map contains the following entries:
> <authorizationEntry read="admin" write="admin" admin="admin" topic=">" />
> <authorizationEntry read="user" topic="A.B" />
> Admin creates "A.B" topic and publishes a message to "A.>" causing
> auto-creation of "A.>" topic.
> User attempts to consume "A.B" topic, but receives "User user is not
> authorized to read from: topic://A.>" error.
> I asked on user mailing list if wildcard publishing is supposed to work at
> all, as I could not find any documentation about that. Unfortunately I did
> not receive any response, so I have to assume that it does.
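
Added example (not part of the original message and not ActiveMQ code): a simplified Python model of the subscription flow described in the comment above, using the two authorizationEntry lines from the report. The matcher, the function names and the union-of-matching-entries ACL lookup are assumptions of the model.

```python
# Simplified model of the flow described above; not ActiveMQ code.
# ACL holds the two authorizationEntry lines from the report (read roles only).
ACL = [(">", {"admin"}), ("A.B", {"user"})]


def covers(pattern, name):
    """True if dotted `pattern` ('*' = one element, '>' = the rest) covers `name`."""
    p, n = pattern.split("."), name.split(".")
    for i, elem in enumerate(p):
        if elem == ">":
            return True  # model assumption: '>' covers whatever remains
        if i >= len(n) or (elem != "*" and elem != n[i]):
            return False
    return len(p) == len(n)


def read_roles(destination):
    """Union of read roles from every ACL entry whose pattern covers the destination."""
    roles = set()
    for pattern, allowed in ACL:
        if covers(pattern, destination):
            roles |= allowed
    return roles


def add_consumer(role, consumer_dest, existing):
    """One (destination, authorized) pair per subscription the consumer would get.

    A subscription is added on every existing destination that matches the
    consumer's destination in either direction, and each one is checked.
    """
    matches = [d for d in existing
               if covers(d, consumer_dest) or covers(consumer_dest, d)]
    return [(d, role in read_roles(d)) for d in matches]


def denied(role, consumer_dest, existing):
    """Destinations whose read check fails for this consumer."""
    return [d for d, ok in add_consumer(role, consumer_dest, existing) if not ok]


if __name__ == "__main__":
    print(denied("user", "A.B", ["A.B"]))          # before "A.>" exists
    print(denied("user", "A.B", ["A.B", "A.>"]))   # after "A.>" was auto-created
```

Running `denied` for each role over a list of the broker's current destinations shows which wildcard-named topics would reject consumers that are otherwise authorized.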