[ https://issues.apache.org/jira/browse/AMQ-9472?focusedWorklogId=913536&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-913536 ]
ASF GitHub Bot logged work on AMQ-9472: --------------------------------------- Author: ASF GitHub Bot Created on: 08/Apr/24 23:09 Start Date: 08/Apr/24 23:09 Worklog Time Spent: 10m Work Description: cshannon commented on PR #1198: URL: https://github.com/apache/activemq/pull/1198#issuecomment-2043790765 In terms of working around this, the options are pretty much: 1. If you are going to create topics then you need to make sure you have proper ACLs set up for those topics (including matching subscriptions on wildcards) that consumers might subscribe to. In this case you could add read ACLs for A.> for the users group. 2. You could always customize the authorization logic by implementing your own plugin or overriding/extending the `AuthorizationBroker` and `AuthorizationDestinationInterceptor` Issue Time Tracking ------------------- Worklog Id: (was: 913536) Time Spent: 40m (was: 0.5h) > Wildcard publisher auto-creates wildcard topic and breaks authorization > ----------------------------------------------------------------------- > > Key: AMQ-9472 > URL: https://issues.apache.org/jira/browse/AMQ-9472 > Project: ActiveMQ Classic > Issue Type: Bug > Components: Broker > Reporter: Albertas Vyšniauskas > Assignee: Jean-Baptiste Onofré > Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > Hi, > after publishing a message to wildcard topic, a wildcard topic is > auto-created and interacts poorly with authorization rules. > Suppose that authorization map contains the following entries: > <authorizationEntry read="admin" write="admin" admin="admin" topic=">" /> > <authorizationEntry read="user" topic="A.B" /> > Admin creates "A.B" topic and publishes a message to "A.>" causing > auto-creation of "A.>" topic. > User attempts to consume "A.B" topic, but receives "User user is not > authorized to read from: topic://A.>" error. > I asked on user mailing list if wildcard publishing is supposed to work at > all, as I could not find any documentation about that. Unfortunately I did > not receive any response, so I have to assume that it does. -- This message was sent by Atlassian Jira (v8.20.10#820010)