  1. ActiveMQ
  2. AMQ-5160

Wildcard subscriptions bypass Authentication / Authorization

    Details

      Description

      I am using MQTT on AMQ 5.9.1.
      After the latest MQTT hardening from Dhiraj Bokde, there is an issue with MQTT retained messages.

      Simple case:
      Set Authentication / Authorization for two different topics.
      Send a retained message to one topic.

      Try to subscribe to "#" with the other, second user.
      It will show retained messages published by TOPIC 1.

      Here I have attached test configurations.

        Attachments

        1. activemq.xml (3 kB, Surf)
        2. groups.properties (1.0 kB, Surf)
        3. login.config (1 kB, Surf)
        4. users.properties (1.0 kB, Surf)
        5. patch.txt (11 kB, Dejan Bosanac)

              People

              • Assignee: Dejan Bosanac (dejanb)
              • Reporter: Surf (surfnerd)
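
The case reported above, as an added example that is not part of the original issue and is not ActiveMQ code: a simplified Python model in which retained-message replay for a wildcard subscription skips the per-topic read check, next to a version that authorizes each retained message against its own concrete topic. The user names, topic names, ACLs and function names are constructed for illustration, and the skipped check is an assumed cause, not one the issue states.

```python
# Simplified model of a broker's retained-message replay; not ActiveMQ code.
# Topic names, users and ACLs below are constructed sample data.

def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT 3.1.1 topic filter match: '+' is one level, '#' is the rest."""
    f_levels, t_levels = filter_.split("/"), topic.split("/")
    # Topics starting with '$' are not matched by a leading wildcard.
    if topic.startswith("$") and f_levels[0] in ("#", "+"):
        return False
    for i, f in enumerate(f_levels):
        if f == "#":
            return True            # matches the parent level and everything below
        if i >= len(t_levels):
            return False
        if f != "+" and f != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


# user -> topic filters that user may read (constructed ACL)
READ_ACL = {"user1": ["topic1/#"], "user2": ["topic2/#"]}

# concrete topic -> retained payload (constructed)
RETAINED = {"topic1/status": b"secret-for-user1", "topic2/status": b"for-user2"}


def may_read(user: str, topic: str) -> bool:
    """True if any of the user's read filters covers the concrete topic."""
    return any(topic_matches(f, topic) for f in READ_ACL.get(user, []))


def replay_unchecked(user: str, sub_filter: str) -> dict:
    """Models the reported symptom: replay is driven by the filter only."""
    return {t: p for t, p in RETAINED.items() if topic_matches(sub_filter, t)}


def replay_checked(user: str, sub_filter: str) -> dict:
    """Authorize each retained message against its concrete topic."""
    return {t: p for t, p in RETAINED.items()
            if topic_matches(sub_filter, t) and may_read(user, t)}


if __name__ == "__main__":
    print("unchecked:", sorted(replay_unchecked("user2", "#")))
    print("checked:  ", sorted(replay_checked("user2", "#")))
```

The same per-message check is a useful regression test for any broker configuration: publish a retained message on one user's topic, subscribe to "#" as another user, and assert that nothing outside that user's read ACL is delivered.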