I'm trying to use authorizationPlugin with virtual destinations:
This is my authorizationEntries definition:
<authorizationEntry topic="testTopic.group1.>" write="admins" read="group1" admin="admins" />
<authorizationEntry topic="testTopic.group2.>" write="admins" read="group2" admin="admins" />
<authorizationEntry topic=">" write="admins" read="admins" admin="admins" />
- When group1 tries to subscribe to testTopic.group2, I get an access denied: "User is not authorized to read from..."
- Same when group2 accesses group1
- However, if group1 subscribes to testTopic.> it will have access to everything
I tracked the issue down to DefaultAuthorizationMap, getReadACLs(ActiveMQDestination destination).
This method will combine the read ACL from the 2 sub-topic authorization entries and give access to destination "testTopic.>" to anyone in group1 or group2.
Am I doing something wrong?
Is this scenario supported by authorizationPlugin?
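
The behaviour described in the post, as an added example that is not part of the original post and not ActiveMQ code: a small Python model that applies the union-of-read-ACLs rule the poster attributes to getReadACLs to the three entries above, then flags groups that a wildcard subscription would let read destinations they cannot read directly. The function names and the matching rules ('*' matches one element, '>' matches one or more trailing elements) are assumptions made for the model.

```python
# Constructed model of the behaviour described in the post; not ActiveMQ source.
ENTRIES = [  # (topic pattern, read groups) copied from the post's authorizationEntries
    ("testTopic.group1.>", {"group1"}),
    ("testTopic.group2.>", {"group2"}),
    (">", {"admins"}),
]

def overlaps(a, b):
    """True if some concrete destination could match both patterns.
    Assumption: '*' = exactly one element, '>' = one or more trailing elements."""
    pa, pb = a.split("."), b.split(".")
    for x, y in zip(pa, pb):
        if x == ">" or y == ">":
            return True
        if x != y and "*" not in (x, y):
            return False
    return len(pa) == len(pb)

def read_acl_union(dest, entries=ENTRIES):
    """Read ACL as the post describes it: union over every matching entry."""
    acl = set()
    for pattern, readers in entries:
        if overlaps(dest, pattern):
            acl |= readers
    return acl

def escalations(dest, entries=ENTRIES):
    """Groups allowed to subscribe to `dest` that are NOT readers of some
    entry pattern covered by `dest`; returns {group: [patterns gained]}."""
    granted = read_acl_union(dest, entries)
    found = {}
    for pattern, _ in entries:
        if overlaps(dest, pattern):
            # Groups granted on the wildcard but absent from this entry's own ACL
            for group in granted - read_acl_union(pattern, entries):
                found.setdefault(group, []).append(pattern)
    return {g: sorted(p) for g, p in found.items()}

if __name__ == "__main__":
    for d in ("testTopic.group2.orders", "testTopic.>"):
        print(d, sorted(read_acl_union(d)), escalations(d))
```

An empty result from `escalations` means the subscription stays within what each granted group can already read; any other result lists the entries whose ACL the wildcard bypasses.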