Hi Gordon, Thanks for your answer - I entered it as QPID-5299.
Thanks & Regards Jakub On Wed, Nov 6, 2013 at 2:46 PM, Gordon Sim <[email protected]> wrote: > On 11/06/2013 12:59 PM, Jakub Scholz wrote: > >> Hi, >> >> When a client is connecting with AMQP 1.0 to the C++ broker and the node >> from which it wants to consume messages doesn't exist, the broker throws >> an >> amqp:not-found error even when ACL rules deny the user to access or >> publish >> from the given node (queue). >> >> For a security reasons, I would assume that the ACL check for access or >> publish rules should be done before revealing that the queue doesn't >> exist. >> The broker should not reveal any details about its configuration if the >> ACL >> rights don't allow it. >> >> This problem might to some extent exist also with AMQP 0.10. But the Qpid >> AMQP 0.10 clients always query the existence of a queue/exchange before >> connecting to it and the QueueQuery / QueueDeclare calls are ACL >> protected, >> so the Qpid based AMQP 0.10 client always receives the ACL error before >> the >> not-found error. But I guess if you skip the QueueQuery / QueueDeclare and >> go directly to MessageSubscribe the same problem as with AMQP 1.0 might >> exist in AMQP 0.10 as well. >> >> Do you think it makes sense to change this behaviour? >> > > Yes > > > Is it worth raising a >> JIRA? >> > > Yes please! > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > >
