Posted to users@qpid.apache.org by Jakub Scholz <ja...@scholz.cz> on 2013/03/29 15:25:19 UTC

Access control for QueueQuery / ExchangeQuery commands on Java broker

Hi,

I noticed that the QueueQuery and ExchangeQuery commands (AMQP 0.10) are
not exactly protected using the ACL rules on the Java broker. Once the user
is allowed to access the virtual host in the ACLs, he seems to be able to
send the QueueQuery and ExchangeQuery requests and receive the responses
without any limitation. While this isn't exactly a security hole, it allows
everyone to very easily find out what queues and exchanges exist on the
broker including some of their statistics. Depending on your queue naming,
the client might also be able to derive usernames from the queue names
etc. (of course the client still cannot consume or publish without the
respective ACL rules)

In contrast, the C++ broker is mapping the ExchangeQuery and QueueQuery
commands against the "access queue name=<queueName>" and "access exchange
name=<exchangeName>" ACL rules and the client is unable to find out which
queues/exchanges exist on the broker without being really allowed to do so.

Is there some way to achieve the same in the Java broker? The "access
queue" or "access exchange" do not seem to be supported.

Do you think this is a potential security issue or is it OK from your point
of view?

Thanks & Regards
Jakub
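
The C++ broker rules mentioned in the post above, written out as an ACL file fragment. This is an added example, not part of the original message or of the Qpid project's own configuration; the user `alice@QPID` and the queue name `alice.requests` are constructed placeholders.

```text
# Constructed sample for the C++ broker (qpidd) ACL file.
# Rules are evaluated top to bottom and the first matching rule decides.

# alice may send QueueQuery for her own queue and ExchangeQuery for amq.direct.
acl allow alice@QPID access queue name=alice.requests
acl allow alice@QPID access exchange name=amq.direct

# Every other queue or exchange query is refused and written to the broker log,
# so name probing by an authenticated client shows up in the logs.
acl deny-log all access queue
acl deny-log all access exchange

# Default deny for anything not explicitly allowed above.
acl deny all all
```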

Re: Access control for QueueQuery / ExchangeQuery commands on Java broker

Posted by Robbie Gemmell <ro...@gmail.com>.
Hi Jakub,

We will take a look with regard to making the query behaviour similar to
the C++ broker.

Robbie


On 29 March 2013 14:25, Jakub Scholz <ja...@scholz.cz> wrote:

> Hi,
>
> I noticed that the QueueQuery and ExchangeQuery commands (AMQP 0.10) are
> not exactly protected using the ACL rules on the Java broker. Once the user
> is allowed to access the virtual host in the ACLs, he seems to be able to
> send the QueueQuery and ExchangeQuery requests and receive the responses
> without any limitation. While this isn't exactly a security hole, it allows
> everyone to very easily find out what queues and exchanges exist on the
> broker including some of their statistics. Depending on your queue naming,
> the client might also be able to derive usernames from the queue names
> etc. (of course the client still cannot consume or publish without the
> respective ACL rules)
>
> In contrast, the C++ broker is mapping the ExchangeQuery and QueueQuery
> commands against the "access queue name=<queueName>" and "access exchange
> name=<exchangeName>" ACL rules and the client is unable to find out which
> queues/exchanges exist on the broker without being really allowed to do so.
>
> Is there some way to achieve the same in the Java broker? The "access
> queue" or "access exchange" do not seem to be supported.
>
> Do you think this is a potential security issue or is it OK from your point
> of view?
>
> Thanks & Regards
> Jakub
>