You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@activemq.apache.org by "Thorsten Panitz (Created) (JIRA)" <ji...@apache.org> on 2011/11/15 17:06:52 UTC
[jira] [Created] (AMQ-3598) Unprivileged users can receive messages
from a protected topic when using wildcards in destination
Unprivileged users can receive messages from a protected topic when using wildcards in destination
--------------------------------------------------------------------------------------------------
Key: AMQ-3598
URL: https://issues.apache.org/jira/browse/AMQ-3598
Project: ActiveMQ
Issue Type: Bug
Components: Broker
Affects Versions: 5.5.1, 5.5.0
Environment: OS: Mac OS X 10.6.8
JRE/JDK: 1.6.0_29
ActiveMQ: 5.5.0
Reporter: Thorsten Panitz
A consumer can receive messages from protected queues/topics if he uses a Destination which contains a wildcard as described [here|http://activemq.apache.org/wildcards.html]:
{code:language=java}
Destination queue = new ActiveMQQueue("messages.>");
Destination topic = new ActiveMQTopic(">");
{code}
We are using the default authentication/authorization system as described in [Security Authentication/Authorization|http://activemq.apache.org/security.html#Security-Authorization] with the following configuration:
{code:title=broker.xml|language=xml}
<plugins>
<simpleAuthenticationPlugin>
<users>
<authenticationUser
username="admin"
password="admin"
groups="admins"/>
<authenticationUser
username="user"
password="user"
groups="users"/>
</users>
</simpleAuthenticationPlugin>
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry topic="messages.>"
read="admins"
write="admins"
admin="admins"/>
<authorizationEntry topic="messages.cat2"
read="admins"
write="admins"
admin="admins"/>
<authorizationEntry topic="messages.cat1"
read="admins, users"
write="admins, users"
admin="admins, users"/>
<authorizationEntry topic="ActiveMQ.Advisory.>"
read="admins, users"
write="admins, users"
admin="admins, users"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
{code}
As exepected, clients connecting as "user" to the topic "messages.cat2" get an exception ("User user is not authorized to read from: topic://messages.cat2"). Suprisingly "user" can receive messages from topic "messages.cat2" if he creates a consumer with the destination "messages.>":
{code:title=consumer.java|language=java}
final Destination destination = new ActiveMQTopic("messages.>");
final Connection conn = new ActiveMQConnectionFactory("user", "user", BROKER_URL).createConnection();
final Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
final MessageConsumer consumer = session.createConsumer(destination);
conn.start();
closure.run();
final Message message = consumer.receive(TIMEOUT);
session.close();
conn.close();
{code}
IMHO this behaviour is a security problem as an unprivileged user can receive messages from a protected topic or queue!
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (AMQ-3598) Unprivileged users can receive messages
from a protected topic when using wildcards in destination
Posted by "Torsten Mielke (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/AMQ-3598?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Torsten Mielke updated AMQ-3598:
--------------------------------
Attachment: AMQ-3598.patch
Attaching a possible patch including JUnit tests that are based on the tests uploaded by Thorsten Parnitz.
With this patch privileges of subnodes are not added.
> Unprivileged users can receive messages from a protected topic when using wildcards in destination
> --------------------------------------------------------------------------------------------------
>
> Key: AMQ-3598
> URL: https://issues.apache.org/jira/browse/AMQ-3598
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Affects Versions: 5.5.0, 5.5.1
> Environment: OS: Mac OS X 10.6.8
> JRE/JDK: 1.6.0_29
> ActiveMQ: 5.5.0
> Reporter: Thorsten Panitz
> Labels: authorization, security
> Attachments: AMQ-3598.patch, ActiveMQAuthorizationBug.zip
>
>
> A consumer can receive messages from protected queues/topics if he uses a Destination which contains a wildcard as described [here|http://activemq.apache.org/wildcards.html]:
> {code:language=java}
> Destination queue = new ActiveMQQueue("messages.>");
> Destination topic = new ActiveMQTopic(">");
> {code}
> We are using the default authentication/authorization system as described in [Security Authentication/Authorization|http://activemq.apache.org/security.html#Security-Authorization] with the following configuration:
> {code:title=broker.xml|language=xml}
> <plugins>
> <simpleAuthenticationPlugin>
> <users>
> <authenticationUser
> username="admin"
> password="admin"
> groups="admins"/>
> <authenticationUser
> username="user"
> password="user"
> groups="users"/>
> </users>
> </simpleAuthenticationPlugin>
> <authorizationPlugin>
> <map>
> <authorizationMap>
> <authorizationEntries>
> <authorizationEntry topic="messages.>"
> read="admins"
> write="admins"
> admin="admins"/>
> <authorizationEntry topic="messages.cat2"
> read="admins"
> write="admins"
> admin="admins"/>
> <authorizationEntry topic="messages.cat1"
> read="admins, users"
> write="admins, users"
> admin="admins, users"/>
> <authorizationEntry topic="ActiveMQ.Advisory.>"
> read="admins, users"
> write="admins, users"
> admin="admins, users"/>
> </authorizationEntries>
> </authorizationMap>
> </map>
> </authorizationPlugin>
> </plugins>
> {code}
> As exepected, clients connecting as "user" to the topic "messages.cat2" get an exception ("User user is not authorized to read from: topic://messages.cat2"). Suprisingly "user" can receive messages from topic "messages.cat2" if he creates a consumer with the destination "messages.>":
> {code:title=consumer.java|language=java}
> final Destination destination = new ActiveMQTopic("messages.>");
> final Connection conn = new ActiveMQConnectionFactory("user", "user", BROKER_URL).createConnection();
> final Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
> final MessageConsumer consumer = session.createConsumer(destination);
> conn.start();
> closure.run();
> final Message message = consumer.receive(TIMEOUT);
> session.close();
> conn.close();
> {code}
> IMHO this behaviour is a security problem as an unprivileged user can receive messages from a protected topic or queue!
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (AMQ-3598) Unprivileged users can receive
messages from a protected topic when using wildcards in destination
Posted by "Torsten Mielke (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/AMQ-3598?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13151931#comment-13151931 ]
Torsten Mielke commented on AMQ-3598:
-------------------------------------
I have spent a bit of time on this issue.
The problem seems to be in org.apache.activemq.filter.DestinationMapNode.appendMatchingValues()
{code:title=DestinationMapNode.java}
public void appendMatchingValues(Set answer, String[] paths, int startIndex) {
DestinationNode node = this;
boolean couldMatchAny = true;
int size = paths.length;
for (int i = startIndex; i < size && node != null; i++) {
String path = paths[i];
if (path.equals(ANY_DESCENDENT)) {
answer.addAll(node.getDesendentValues());
couldMatchAny = false;
break;
}
...
{code}
This method iterates through the nodes and if it hits '>' descendant, it simply adds all privileges of all child nodes.
So if the authorization config reads:
{code:xml}
<authorizationEntry topic="messages.>"
read="admins"
write="admins"
admin="admins"/>
<authorizationEntry topic="messages.cat1"
read="admins, users"
write="admins, users"
admin="admins, users"/>
{code}
then this code will add the privileges of messages.cat2 to messages.>, as in its internal representation "messages.cat2" is a subnode of "messages.>".
This privilege inheritance does not look correct to me.
Should it instead not only grant the priviliges defined explicitly for "messages.>"?
> Unprivileged users can receive messages from a protected topic when using wildcards in destination
> --------------------------------------------------------------------------------------------------
>
> Key: AMQ-3598
> URL: https://issues.apache.org/jira/browse/AMQ-3598
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Affects Versions: 5.5.0, 5.5.1
> Environment: OS: Mac OS X 10.6.8
> JRE/JDK: 1.6.0_29
> ActiveMQ: 5.5.0
> Reporter: Thorsten Panitz
> Labels: authorization, security
> Attachments: ActiveMQAuthorizationBug.zip
>
>
> A consumer can receive messages from protected queues/topics if he uses a Destination which contains a wildcard as described [here|http://activemq.apache.org/wildcards.html]:
> {code:language=java}
> Destination queue = new ActiveMQQueue("messages.>");
> Destination topic = new ActiveMQTopic(">");
> {code}
> We are using the default authentication/authorization system as described in [Security Authentication/Authorization|http://activemq.apache.org/security.html#Security-Authorization] with the following configuration:
> {code:title=broker.xml|language=xml}
> <plugins>
> <simpleAuthenticationPlugin>
> <users>
> <authenticationUser
> username="admin"
> password="admin"
> groups="admins"/>
> <authenticationUser
> username="user"
> password="user"
> groups="users"/>
> </users>
> </simpleAuthenticationPlugin>
> <authorizationPlugin>
> <map>
> <authorizationMap>
> <authorizationEntries>
> <authorizationEntry topic="messages.>"
> read="admins"
> write="admins"
> admin="admins"/>
> <authorizationEntry topic="messages.cat2"
> read="admins"
> write="admins"
> admin="admins"/>
> <authorizationEntry topic="messages.cat1"
> read="admins, users"
> write="admins, users"
> admin="admins, users"/>
> <authorizationEntry topic="ActiveMQ.Advisory.>"
> read="admins, users"
> write="admins, users"
> admin="admins, users"/>
> </authorizationEntries>
> </authorizationMap>
> </map>
> </authorizationPlugin>
> </plugins>
> {code}
> As exepected, clients connecting as "user" to the topic "messages.cat2" get an exception ("User user is not authorized to read from: topic://messages.cat2"). Suprisingly "user" can receive messages from topic "messages.cat2" if he creates a consumer with the destination "messages.>":
> {code:title=consumer.java|language=java}
> final Destination destination = new ActiveMQTopic("messages.>");
> final Connection conn = new ActiveMQConnectionFactory("user", "user", BROKER_URL).createConnection();
> final Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
> final MessageConsumer consumer = session.createConsumer(destination);
> conn.start();
> closure.run();
> final Message message = consumer.receive(TIMEOUT);
> session.close();
> conn.close();
> {code}
> IMHO this behaviour is a security problem as an unprivileged user can receive messages from a protected topic or queue!
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (AMQ-3598) Unprivileged users can receive messages
from a protected topic when using wildcards in destination
Posted by "Thorsten Panitz (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/AMQ-3598?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Thorsten Panitz updated AMQ-3598:
---------------------------------
Attachment: ActiveMQAuthorizationBug.zip
Added a maven project with junit tests showing the problem.
> Unprivileged users can receive messages from a protected topic when using wildcards in destination
> --------------------------------------------------------------------------------------------------
>
> Key: AMQ-3598
> URL: https://issues.apache.org/jira/browse/AMQ-3598
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Affects Versions: 5.5.0, 5.5.1
> Environment: OS: Mac OS X 10.6.8
> JRE/JDK: 1.6.0_29
> ActiveMQ: 5.5.0
> Reporter: Thorsten Panitz
> Labels: authorization, security
> Attachments: ActiveMQAuthorizationBug.zip
>
>
> A consumer can receive messages from protected queues/topics if he uses a Destination which contains a wildcard as described [here|http://activemq.apache.org/wildcards.html]:
> {code:language=java}
> Destination queue = new ActiveMQQueue("messages.>");
> Destination topic = new ActiveMQTopic(">");
> {code}
> We are using the default authentication/authorization system as described in [Security Authentication/Authorization|http://activemq.apache.org/security.html#Security-Authorization] with the following configuration:
> {code:title=broker.xml|language=xml}
> <plugins>
> <simpleAuthenticationPlugin>
> <users>
> <authenticationUser
> username="admin"
> password="admin"
> groups="admins"/>
> <authenticationUser
> username="user"
> password="user"
> groups="users"/>
> </users>
> </simpleAuthenticationPlugin>
> <authorizationPlugin>
> <map>
> <authorizationMap>
> <authorizationEntries>
> <authorizationEntry topic="messages.>"
> read="admins"
> write="admins"
> admin="admins"/>
> <authorizationEntry topic="messages.cat2"
> read="admins"
> write="admins"
> admin="admins"/>
> <authorizationEntry topic="messages.cat1"
> read="admins, users"
> write="admins, users"
> admin="admins, users"/>
> <authorizationEntry topic="ActiveMQ.Advisory.>"
> read="admins, users"
> write="admins, users"
> admin="admins, users"/>
> </authorizationEntries>
> </authorizationMap>
> </map>
> </authorizationPlugin>
> </plugins>
> {code}
> As exepected, clients connecting as "user" to the topic "messages.cat2" get an exception ("User user is not authorized to read from: topic://messages.cat2"). Suprisingly "user" can receive messages from topic "messages.cat2" if he creates a consumer with the destination "messages.>":
> {code:title=consumer.java|language=java}
> final Destination destination = new ActiveMQTopic("messages.>");
> final Connection conn = new ActiveMQConnectionFactory("user", "user", BROKER_URL).createConnection();
> final Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
> final MessageConsumer consumer = session.createConsumer(destination);
> conn.start();
> closure.run();
> final Message message = consumer.receive(TIMEOUT);
> session.close();
> conn.close();
> {code}
> IMHO this behaviour is a security problem as an unprivileged user can receive messages from a protected topic or queue!
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira