Posted to issues@activemq.apache.org by "OLIVIER LE TIEC (Jira)" <ji...@apache.org> on 2021/01/06 09:39:00 UTC

[jira] [Created] (AMQ-8116) ActiveMQWildcardPermission with multiple tokens inconsistent with parent WildcardPermission class

OLIVIER LE TIEC created AMQ-8116:
------------------------------------

             Summary: ActiveMQWildcardPermission with multiple tokens inconsistent with parent WildcardPermission class
                 Key: AMQ-8116
                 URL: https://issues.apache.org/jira/browse/AMQ-8116
             Project: ActiveMQ
          Issue Type: Bug
          Components: Plugin
    Affects Versions: 5.15.14, 5.16.0
            Reporter: OLIVIER LE TIEC


-----
Reminder:
A permission pattern looks like: A:B:C, with A, B and C being 'parts' of the permission.
Each 'part' can have one or more 'tokens', like 'read,write'.
So a permission with ActiveMQ looks like:
queue:queue1,queue2:read,write
granting access on queue1 and queue2, for read or write access.
-----

The WildcardPermission class from the Shiro library states that tokens are a list of authorized items, for example: newsletter:view,edit,create grants view, edit and create rights upon the newsletter item.

(ref [https://github.com/apache/shiro/blob/master/core/src/main/java/org/apache/shiro/authz/permission/WildcardPermission.java] )

The ActiveMQWildcardPermission class (in the ActiveMQ projects) extends this class by allowing each 'part' to be not only a single wildcard '*', but also a wildcard string.

topic:ActiveMQ.Advisory*  grants all access to the topics starting with the given string.

To do so, this class redefines the implies function, but breaks the above requirements.

queue:*:read,create
should grant read and create access on all queues, but this does not work, as
queue:testqueue:read
fails to validate.

Test code:

WildcardPermission permission = new ActiveMQWildcardPermission("queue:*:read,create", true);
WildcardPermission action = new ActiveMQWildcardPermission("queue:testqueue:read", true);
assert(permission.implies(action));

Replacing new ActiveMQWildcardPermission with new WildcardPermission (the parent class) makes the assert pass.



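The semantics the report expects, as an added sketch that is not Shiro's or ActiveMQ's code: within each part, every requested token must be covered by some granted token, and a granted token ending in '*' matches by prefix. The class and method names are hypothetical, and supporting only a trailing '*' is an assumption of this example.

```java
import java.util.*;

// Added illustration; class and method names are hypothetical.
public class MultiTokenImplies {

    // Split "queue:q1,q2:read,write" into parts, each part being a set of tokens.
    static List<Set<String>> parse(String permission) {
        List<Set<String>> parts = new ArrayList<>();
        for (String part : permission.trim().split(":")) {
            Set<String> tokens = new LinkedHashSet<>();
            for (String token : part.split(",")) {
                if (!token.trim().isEmpty()) tokens.add(token.trim());
            }
            if (tokens.isEmpty()) throw new IllegalArgumentException("empty part in: " + permission);
            parts.add(tokens);
        }
        return parts;
    }

    // Assumption: a granted token matches literally, or by prefix when it ends in '*'.
    static boolean tokenMatches(String granted, String requested) {
        if (granted.endsWith("*")) {
            return requested.startsWith(granted.substring(0, granted.length() - 1));
        }
        return granted.equals(requested);
    }

    static boolean implies(String grantedPerm, String requestedPerm) {
        List<Set<String>> granted = parse(grantedPerm);
        List<Set<String>> requested = parse(requestedPerm);
        for (int i = 0; i < requested.size(); i++) {
            if (i >= granted.size()) return true;            // grant is shorter: the rest is implied
            for (String want : requested.get(i)) {           // every requested token must be covered
                boolean covered = false;
                for (String have : granted.get(i)) covered |= tokenMatches(have, want);
                if (!covered) return false;
            }
        }
        for (int i = requested.size(); i < granted.size(); i++) {
            if (!granted.get(i).contains("*")) return false; // grant is longer: extra parts must be '*'
        }
        return true;
    }

    public static void main(String[] args) {
        if (!implies("queue:*:read,create", "queue:testqueue:read")) throw new AssertionError("case from the report");
        if (implies("queue:*:read,create", "queue:testqueue:write")) throw new AssertionError("write was not granted");
        if (!implies("topic:ActiveMQ.Advisory*", "topic:ActiveMQ.Advisory.Queue:read")) throw new AssertionError("prefix");
        if (implies("queue:queue1,queue2:read,write", "queue:queue3:read")) throw new AssertionError("queue3 not listed");
        System.out.println("all checks passed");
    }
}
```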