Posted to issues@activemq.apache.org by "Michael Andre Pearce (JIRA)" <ji...@apache.org> on 2017/12/07 22:54:00 UTC

[jira] [Created] (ARTEMIS-1545) JMS MessageProducer fails to throw security exception on send when message is sent non-persistent, but not authorised

Michael Andre Pearce created ARTEMIS-1545:
---------------------------------------------

             Summary: JMS MessageProducer fails to throw security exception on send when message is sent non-persistent, but not authorised
                 Key: ARTEMIS-1545
                 URL: https://issues.apache.org/jira/browse/ARTEMIS-1545
             Project: ActiveMQ Artemis
          Issue Type: Bug
            Reporter: Michael Andre Pearce


When sending persistent, behaviour is as expected and a Security exception is thrown. The same behaviour should be expected when sending non-persistent, by default.

This can be recreated easily by the following:

Add the following security section, which means guest is not auth'd to send to "guest.cannot.send":
activemq-artemis/tests/jms-tests/src/test/resources/broker.xml

   <security-setting match="guest.cannot.send">
      <permission type="createDurableQueue" roles="guest,def"/>
      <permission type="deleteDurableQueue" roles="guest,def"/>
      <permission type="createNonDurableQueue" roles="guest,def"/>
      <permission type="deleteNonDurableQueue" roles="guest,def"/>
      <permission type="consume" roles="guest,def"/>
      <permission type="browse" roles="guest,def"/>
      <permission type="send" roles="def"/>
   </security-setting>



Then add the following tests to this test class (the first proves the exception is correctly thrown when a persistent message is sent using the JMS API, and the second shows the behaviour difference, with no error):

activemq-artemis/tests/jms-tests/src/test/java/org/apache/activemq/artemis/jms/tests/SecurityTest.java

   /**
    * Login with valid user and password
    * But try send to address not authorised - Persistent
    * Should not allow and should throw exception
    */
   @Test
   public void testLoginValidUserAndPasswordButNotAuthorisedToSend() throws Exception {
      ConnectionFactory connectionFactory = new ActiveMQConnectionFactory("tcp://localhost:61616");
      Connection connection = connectionFactory.createConnection("guest", "guest");
      try {
         Session session = connection.createSession();
         Destination destination = session.createQueue("guest.cannot.send");
         MessageProducer messageProducer = session.createProducer(destination);
         try {
            messageProducer.send(session.createTextMessage("hello"));
            fail("JMSSecurityException expected as guest is not allowed to send");
         } catch (JMSSecurityException activeMQSecurityException) {
            // pass: the broker rejected the unauthorised send
         }
      } finally {
         // close even when fail() throws, so the connection is not leaked
         connection.close();
      }
   }

   /**
    * Login with valid user and password
    * But try send to address not authorised - Non Persistent.
    * Should have same behaviour as Persistent with exception on send.
    */
   @Test
   public void testLoginValidUserAndPasswordButNotAuthorisedToSendNonPersistent() throws Exception {
      ConnectionFactory connectionFactory = new ActiveMQConnectionFactory("tcp://localhost:61616");
      Connection connection = connectionFactory.createConnection("guest", "guest");
      try {
         Session session = connection.createSession();
         Destination destination = session.createQueue("guest.cannot.send");
         MessageProducer messageProducer = session.createProducer(destination);
         // only difference from the persistent test above
         messageProducer.setDeliveryMode(DeliveryMode.NON_PERSISTENT);
         try {
            messageProducer.send(session.createTextMessage("hello"));
            fail("JMSSecurityException expected as guest is not allowed to send");
         } catch (JMSSecurityException activeMQSecurityException) {
            // pass: the broker rejected the unauthorised send
         }
      } finally {
         // close even when fail() throws, so the connection is not leaked
         connection.close();
      }
   }


