On 18 January 2016 at 22:59, Keith W <[email protected]> wrote:

> Hello
>
> On 17 January 2016 at 18:34, [email protected] <[email protected]> wrote:
>
> << snip >>
>
> > 2.) Message user-Id
> > Using the java broker, the client seems to be able to set any user id.
> > However, the broker does not seem to reject messages with wrong user Ids
> > (i.e. user-Ids != connection.getAuthenticatedUsername()). Again, the c++
> > broker correctly refuses messages with invalid Ids.
>
> The Java Broker does support message authorisation but it is off by
> default (qpid.broker_msg_auth) and currently only supported by the
> AMQP 0-8..0-91 protocols. It would not be a lot of work to make the
> feature protocol neutral, i.e. AMQP 0-10 and AMQP 1.0 too. QPID-4356
> describes the 0-10 gap. I'll see if I can find time to look at this for
> the qpid-java-6.1 release (Q1 timeframe).

I raised https://issues.apache.org/jira/browse/QPID-7008 and applied a change to trunk which I think should address this issue. If the qpid.broker_msg_auth system property/context value is set to true, then an attempt to send a message where the user id does not have the same identifier as the connection authenticated principal will result in failure.

Further work still needs to be done around how identities are serialized as Strings and how the client should set these in the user-id field (particularly when using mechanisms such as SSL client auth, LDAP or Kerberos).

Hope this helps,
-- Rob

> > Am I just missing some options?
> > Regards
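The check described in the message above, as an added example that is not part of the original thread and is not Qpid's code: a small Python model of comparing a message's user-id with the connection's authenticated principal, including the identity-serialisation mismatch the reply mentions. The names `Connection`, `accepts` and `audit`, the exact byte comparison, and the acceptance of an absent user-id are assumptions of this sketch.

```python
# Constructed model of broker-side message authorisation; not Qpid source code.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Connection:
    authenticated_principal: str    # identity established at connection time
    msg_auth_enabled: bool = False  # stands in for qpid.broker_msg_auth (off by default)


def accepts(conn: Connection, user_id: Optional[bytes]) -> bool:
    """Return True if a message carrying this user-id would be accepted."""
    if not conn.msg_auth_enabled:
        return True   # check disabled: any user-id passes
    if user_id is None:
        return True   # assumption: an absent user-id makes no identity claim
    # Compare raw bytes so an undecodable user-id is rejected, not a crash.
    return user_id == conn.authenticated_principal.encode("utf-8")


def audit(conn: Connection, messages: list[tuple[str, Optional[bytes]]]) -> list[str]:
    """Return labels of messages whose user-id would be refused."""
    return [label for label, uid in messages if not accepts(conn, uid)]


# Constructed sample messages: (label, user-id field as sent by the client).
SAMPLE = [
    ("own-id", b"alice"),
    ("spoofed", b"mallory"),
    ("no-id", None),
    ("bad-bytes", b"\xff\xfe"),
]

if __name__ == "__main__":
    print("auth off:", audit(Connection("alice"), SAMPLE))
    print("auth on: ", audit(Connection("alice", True), SAMPLE))
    # Serialisation caveat: the principal string depends on the mechanism, so a
    # client sending its short name is refused unless it sends the same string.
    for principal in ("alice@EXAMPLE.COM", "CN=alice,O=Example"):
        print(principal, audit(Connection(principal, True), [("short-name", b"alice")]))
```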
