Your observation is correct. Currently MQTT LWT messages are sent using an
internal mechanism which bypasses authorization and the plugin's beforeSend
method (although beforeMessageRoute will see it). I'll send a PR ASAP to
reverse this so the LWT message goes through the normal channel.

Thanks for the heads up!


Justin

On Tue, Aug 16, 2022 at 9:02 AM Modanese, Riccardo
<riccardo.modan...@eurotech.com.invalid> wrote:

> Hello,
>      moving from ActiveMQ 5 to ActiveMQ Artemis I was investigating a test
> failure.
> It looks like Artemis doesn't allow intercepting the LWT messages
> triggered by an MQTT connection.
> I have both a ServerPlugin (ActiveMQServerPlugin implementation) and a
> SecurityPlugin (ActiveMQSecurityManager5 implementation) but I don't see
> any call to the authorize method (ActiveMQSecurityManager5) or the beforeSend
> method (ActiveMQServerPlugin).
> If I'm not wrong and the message is not intercepted by these plugins, there
> is also a security issue because both the LWT topic and the message are set
> by the client while connecting to the server, so malicious messages to
> topics not allowed (by ACLs) could be used.
>
> Thanks in advance for your feedback.
>
> Regards
>
> Riccardo
>
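
The thread turns on the fact that the client supplies the LWT topic and message inside its CONNECT packet, so that is where a broker-side check can see them. The following is an added example, not code from this thread or from Artemis: it parses an MQTT 3.1.1 CONNECT and checks the will topic against a hypothetical exact-match ACL keyed by client id (`parse_will`, `will_allowed` and `sample_connect` are illustrative names, and the sample packets are constructed).

```python
def _field(buf, pos):
    """Read a 2-byte big-endian length prefix and the bytes it covers."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length prefix")
    end = pos + 2 + int.from_bytes(buf[pos:pos + 2], "big")
    if end > len(buf):
        raise ValueError("field runs past end of packet")
    return buf[pos + 2:end], end

def parse_will(packet):
    """Return (client_id, will_topic, will_payload); the last two are None without a will."""
    if not packet or packet[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    pos, remaining, shift = 1, 0, 0
    while True:  # Remaining Length is a variable-byte integer, 4 bytes max
        if pos >= len(packet) or shift > 21:
            raise ValueError("bad remaining length")
        byte = packet[pos]
        pos += 1
        remaining |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            break
    body = packet[pos:pos + remaining]
    if len(body) != remaining:
        raise ValueError("truncated packet")
    name, p = _field(body, 0)
    if name != b"MQTT" or p + 4 > len(body) or body[p] != 4:
        raise ValueError("only MQTT 3.1.1 is handled here")
    flags = body[p + 1]
    client_id, p = _field(body, p + 4)  # skip level, flags, 2-byte keep-alive
    if not flags & 0x04:  # Will flag clear: no LWT in this CONNECT
        return client_id.decode(), None, None
    topic, p = _field(body, p)
    payload, p = _field(body, p)
    return client_id.decode(), topic.decode(), payload

def will_allowed(packet, acl):
    """acl maps client id -> set of publishable topics (hypothetical exact-match ACL)."""
    client_id, topic, _ = parse_will(packet)
    return topic is None or topic in acl.get(client_id, set())

def sample_connect(client_id, will_topic=None, will_payload=b""):
    """Build a constructed CONNECT packet for the demo (body must stay under 128 bytes)."""
    f = lambda b: len(b).to_bytes(2, "big") + b
    body = f(b"MQTT") + bytes([4, 0x06 if will_topic else 0x02, 0, 60]) + f(client_id.encode())
    if will_topic:
        body += f(will_topic.encode()) + f(will_payload)
    return bytes([0x10, len(body)]) + body
```

A real deployment would key the decision on the authenticated user and the broker's own wildcard matching rather than on the client id and exact topic strings used here.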
