ActiveMQ / AMQ-8116

ActiveMQWildcardPermission with multiple tokens inconsistent with parent WildcardPermission class


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.16.0, 5.15.14
    • Fix Version/s: 5.17.0, 5.16.1, 5.15.15
    • Component/s: Plugin
    • Labels:
      None

      Description


      Reminder:
      A permission pattern looks like A:B:C, with A, B and C being 'parts' of the permission.
      Each 'part' can have one or more 'tokens', like 'read,write'.
      So a permission with ActiveMQ looks like:
      queue:queue1,queue2:read,write
      granting access on queue1 and queue2, for read or write access.


      The WildcardPermission class from the Shiro library states that tokens are a list of authorized items, for example: newsletter:view,edit,create grants view, edit and create rights upon the newsletter item.

      (ref https://github.com/apache/shiro/blob/master/core/src/main/java/org/apache/shiro/authz/permission/WildcardPermission.java )

       

      The ActiveMQWildcardPermission class (in the ActiveMQ project) extends this class by allowing each 'part' to be not only a single wildcard '*', but also a wildcard string.

      topic:ActiveMQ.Advisory*  grants all access to the topics starting with the given string.

       

       

      To do so, this class redefines the implies function, but breaks the above requirements.

      queue:*:read,create
      should grant read and create access on all queues, but this does not work, as
      queue:testqueue:read
      will fail to validate.

       

      Test code:

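      import org.apache.activemq.shiro.authz.ActiveMQWildcardPermission;
      import org.apache.shiro.authz.permission.WildcardPermission;
      WildcardPermission permission = new ActiveMQWildcardPermission("queue:*:read,create", true);
      WildcardPermission action = new ActiveMQWildcardPermission("queue:testqueue:read", true);
      // Expected to hold; this is the assertion that fails with ActiveMQWildcardPermission.
      assert(permission.implies(action));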

      Replacing new ActiveMQWildcardPermission with new WildcardPermission (the parent class) will pass this specific assert (but won't match a wildcard string like 'test*', and is not a suitable swap).

       

            People

            • Assignee: jbonofre Jean-Baptiste Onofré
            • Reporter: ikucuze OLIVIER LE TIEC