[
https://issues.apache.org/jira/browse/ARTEMIS-4963?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Timothy A. Bish resolved ARTEMIS-4963.
--------------------------------------
Fix Version/s: 2.37.0
Resolution: Fixed
> Reject openwire senders that lack SEND permissions on attach
> ------------------------------------------------------------
>
> Key: ARTEMIS-4963
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4963
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: OpenWire
> Affects Versions: 2.36.0
> Reporter: Timothy A. Bish
> Assignee: Timothy A. Bish
> Priority: Minor
> Fix For: 2.37.0
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> Currently the Openwire producers are allowed to attach even when the named
> destination(s) it requests don't offer send permissions to the logged in user
> (the sends themselves are validated). The sends from these named or from
> anonymous producers are checked for permission but only after such things as
> conversion of the message to Core has happened which leads to unnecessary GC
> overhead and wasted CPU cycles if the send is going to ultimately be
> rejected.
> We should reject Openwire senders on attach (which is what the ActiveMQ
> 'Classic' broker does) and we should check send permissions prior to
> unnecessarily converting messages to Core to reduce overhead from anonymous
> senders that are sending into destinations they cannot write to. This change
> doesn't introduce any new security but simply would respond more quickly and
> efficiently than the current code would.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact
