  1. ActiveMQ
  2. AMQ-5151

Incorrect authorization on virtual destination (wildcard)

    Details

      Description

      I'm trying to use authorizationPlugin with virtual destinations:

      testTopic.group1
      testTopic.group2

      This is my authorizationEntries definition:

      <authorizationEntry topic="testTopic.group1.>" write="admins" read="group1" admin="admins" />
      <authorizationEntry topic="testTopic.group2.>" write="admins" read="group2" admin="admins" />
      <authorizationEntry topic=">" write="admins" read="admins" admin="admins" />

      • When group1 tries to subscribe to testTopic.group2, I get an access denied: "User is not authorized to read from..."
      • Same when group2 accesses group1
      • However, if group1 subscribes to testTopic.> it will have access to everything

      I tracked the issue down to DefaultAuthorizationMap, getReadACLs(ActiveMQDestination destination)

      This method will combine the read ACL from the 2 sub-topic authorization entries and give access to destination "testTopic.>" to anyone in group1 or group2.

      Am I doing something wrong?
      Is this scenario supported by authorizationPlugin?

      Thanks,
      Alex
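
The combining behaviour described in this report can be reproduced with a small model and used to audit an entry list for wildcard subscriptions that widen access. This is an added example, not code from ActiveMQ or from the reporter; the matching rules ("*" for one element, ">" for zero or more trailing elements) and all function names are assumptions of the model.

```python
# Simplified model of the behaviour described in this report; not ActiveMQ code.
# Entries are the reporter's; only the read ACL is modelled.
ENTRIES = {
    "testTopic.group1.>": {"group1"},
    "testTopic.group2.>": {"group2"},
    ">": {"admins"},
}

def overlaps(a, b):
    """True if some destination can match both dot-separated patterns.
    Assumption: "*" matches one element, ">" matches zero or more trailing ones."""
    a, b = a.split("."), b.split(".")
    for i in range(max(len(a), len(b))):
        x = a[i] if i < len(a) else None
        y = b[i] if i < len(b) else None
        if ">" in (x, y):
            return True
        if x is None or y is None:
            return False
        if x != y and "*" not in (x, y):
            return False
    return True

def read_acl(dest):
    """Union of the read ACLs of every entry overlapping dest (the combining step the report describes)."""
    acl = set()
    for pattern, readers in ENTRIES.items():
        if overlaps(dest, pattern):
            acl |= readers
    return acl

def widened_access(subscription):
    """Map each group to the entries it reaches via `subscription` but could not read directly."""
    findings = {}
    for pattern in ENTRIES:
        # Constructed concrete destination standing in for the entry's subtree.
        concrete = pattern.replace(">", "x").replace("*", "x")
        if not overlaps(concrete, subscription):
            continue
        for group in read_acl(subscription) - read_acl(concrete):
            findings.setdefault(group, []).append(pattern)
    return findings

if __name__ == "__main__":
    for dest in ("testTopic.group2", "testTopic.>"):
        print(dest, sorted(read_acl(dest)), widened_access(dest))
```

An empty result from `widened_access` means the subscription grants nothing beyond what each group could already read on the concrete destinations it covers.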

            People

            • Assignee:
              mattrpav Matt Pavlovich
              Reporter:
              apauzies Alexandre Pauzies