AMQ-3598 (ActiveMQ Classic)

Unprivileged users can receive messages from a protected topic when using wildcards in destination

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.0, 5.5.1
    • Fix Version/s: 5.12.0
    • Component/s: Broker
    • Environment: OS: Mac OS X 10.6.8
      JRE/JDK: 1.6.0_29
      ActiveMQ: 5.5.0

    Description

      A consumer can receive messages from protected queues/topics if he uses a Destination which contains a wildcard as described here:

      Destination queue = new ActiveMQQueue("messages.>");
      Destination topic = new ActiveMQTopic(">");
      

      We are using the default authentication/authorization system as described in Security Authentication/Authorization with the following configuration:

      broker.xml
      <plugins>
          <simpleAuthenticationPlugin>
              <users>
                  <authenticationUser
                        username="admin"
                        password="admin"
                        groups="admins"/>
                  <authenticationUser
                        username="user"
                        password="user"
                        groups="users"/>
              </users>
          </simpleAuthenticationPlugin>
          <authorizationPlugin>
              <map>
                  <authorizationMap>
                      <authorizationEntries>
                          <authorizationEntry topic="messages.>"
                                              read="admins"
                                              write="admins"
                                              admin="admins"/>
                          <authorizationEntry topic="messages.cat2"
                                              read="admins"
                                              write="admins"
                                              admin="admins"/>
                          <authorizationEntry topic="messages.cat1"
                                              read="admins, users"
                                              write="admins, users"
                                              admin="admins, users"/>
                          <authorizationEntry topic="ActiveMQ.Advisory.>"
                                              read="admins, users"
                                              write="admins, users"
                                              admin="admins, users"/>
                      </authorizationEntries>
                  </authorizationMap>
              </map>
          </authorizationPlugin>
      </plugins>
      

      As expected, clients connecting as "user" to the topic "messages.cat2" get an exception ("User user is not authorized to read from: topic://messages.cat2"). Surprisingly, "user" can receive messages from topic "messages.cat2" if he creates a consumer with the destination "messages.>":

      consumer.java
      import javax.jms.*;
      import org.apache.activemq.ActiveMQConnectionFactory;
      import org.apache.activemq.command.ActiveMQTopic;

      // Subscribe as the unprivileged "user", but with a wildcard destination instead of "messages.cat2"
      final Destination destination = new ActiveMQTopic("messages.>");
      final Connection conn = new ActiveMQConnectionFactory("user", "user", BROKER_URL).createConnection();
      final Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
      final MessageConsumer consumer = session.createConsumer(destination); // no authorization exception here
      conn.start();
      closure.run(); // BROKER_URL, TIMEOUT and closure are defined elsewhere in the reporter's test code (not shown)
      final Message message = consumer.receive(TIMEOUT); // receives the message published to messages.cat2
      session.close();
      conn.close();
      

      IMHO this behaviour is a security problem as an unprivileged user can receive messages from a protected topic or queue!
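To make the failure mode concrete, here is an added Python model (not ActiveMQ's code; the rule for combining ACL entries under a wildcard subscription is an assumption used to explain the report) that encodes the broker.xml above, reproduces the outcomes the report describes, and contrasts them with authorizing each message against its own concrete destination:

```python
# Added illustration of AMQ-3598, not ActiveMQ's code: how a wildcard subscription
# combines ACL entries is an assumption used to explain the report.
from typing import Dict, Set

# Read ACLs from the report's broker.xml: topic pattern -> groups allowed to read
READ_ACL: Dict[str, Set[str]] = {
    "messages.>": {"admins"},
    "messages.cat2": {"admins"},
    "messages.cat1": {"admins", "users"},
    "ActiveMQ.Advisory.>": {"admins", "users"},
}
# Group membership from the report's simpleAuthenticationPlugin
USER_GROUPS: Dict[str, Set[str]] = {"admin": {"admins"}, "user": {"users"}}


def matches(pattern: str, name: str) -> bool:
    """ActiveMQ destination wildcards: '.' separates segments, '*' matches
    exactly one segment, '>' matches one or more trailing segments."""
    p, n = pattern.split("."), name.split(".")
    for i, seg in enumerate(p):
        if seg == ">":
            return len(n) > i
        if i >= len(n) or (seg != "*" and seg != n[i]):
            return False
    return len(n) == len(p)


def read_groups(destination: str) -> Set[str]:
    """Groups allowed to read one concrete destination: the union of every
    ACL entry whose pattern covers it."""
    return set().union(*(g for p, g in READ_ACL.items() if matches(p, destination)))


def subscribe_allowed_flawed(user: str, pattern: str) -> bool:
    """Model of the reported behaviour: a wildcard subscription is checked
    against the union of every entry related to the pattern, so the 'users'
    grant on messages.cat1 unlocks a subscription to messages.> as a whole."""
    related = [g for p, g in READ_ACL.items()
               if matches(p, pattern) or matches(pattern, p)]
    return bool(USER_GROUPS[user] & set().union(*related))


def delivered(user: str, pattern: str, message_destination: str) -> bool:
    """Hardened model: every message is authorized against its own concrete
    destination, however broad the subscription pattern is."""
    if not matches(pattern, message_destination):
        return False
    return bool(USER_GROUPS[user] & read_groups(message_destination))
```

With this model, "user" is refused on "messages.cat2" but accepted on "messages.>" under the flawed rule, while the per-message check still withholds messages.cat2 traffic from that subscription.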

      Attachments

        1. AMQ-3598.patch (16 kB, Torsten Mielke)
        2. ActiveMQAuthorizationBug.zip (7 kB, Thorsten Panitz)

        People

          Assignee: Unassigned
          Reporter: Thorsten Panitz
          Votes: 1
          Watchers: 5