Uploaded image for project: 'ActiveMQ Artemis'
  1. ActiveMQ Artemis
  2. ARTEMIS-4963

Reject openwire senders that lack SEND permissions on attach

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 2.36.0
    • 2.37.0
    • OpenWire
    • None

    Description

      Currently the Openwire producers are allowed to attach even when the named destination(s) it requests don't offer send permissions to the logged in user (the sends themselves are validated). The sends from these named or from anonymous producers are checked for permission but only after such things as conversion of the message to Core has happened which leads to unnecessary GC overhead and wasted CPU cycles if the send is going to ultimately be rejected.

      We should reject Openwire senders on attach (which is what the ActiveMQ 'Classic' broker does) and we should check send permissions prior to unnecessarily converting messages to Core to reduce overhead from anonymous senders that are sending into destinations they cannot write to. This change doesn't introduce any new security but simply would respond more quickly and efficiently than the current code would.

      Attachments

        Issue Links

          Activity

            People

              tabish Timothy A. Bish
              tabish Timothy A. Bish
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 1h
                  1h