[jira] [Closed] (AMQ-5151) Incorrect authorization on virtual destination (wildcard)

["Matt Pavlovich (Jira)" <ji...@apache.org>]

     [ https://issues.apache.org/jira/browse/AMQ-5151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Pavlovich closed AMQ-5151.
-------------------------------

Closing due to inactivity and general improvements in versions since the ticket was created.

> Incorrect authorization on virtual destination (wildcard)
> ---------------------------------------------------------
>
>                 Key: AMQ-5151
>                 URL: https://issues.apache.org/jira/browse/AMQ-5151
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.9.0, 5.9.1
>            Reporter: Alexandre Pauzies
>            Assignee: Matt Pavlovich
>            Priority: Major
>              Labels: authorization, security, virtualDestinations, wildcard
>
> I'm trying to use authorizationPlugin with virtual destinations:
> testTopic.group1
> testTopic.group2
> This is my authorizationEntries definition:
> <authorizationEntry topic="testTopic.group1.>" write="admins" read="group1" admin="admins" />
> <authorizationEntry topic="testTopic.group2.>" write="admins" read="group2" admin="admins" />
> <authorizationEntry topic=">" write="admins" read="admins" admin="admins" />
> - When group1 tries to subscribe to testTopic.group2, I get an access denied: "User is not authorized to read from..."
> - Same when group2 access group1
> - However, if group1 subscribes to testTopic.> it will have access to everything
> I tracked the issue down to DefaultAuthorizationMap, getReadACLs(ActiveMQDestination destination)
> This method will combine the read ACL from the 2 sub-topic authorization entries and give access to destination "testTopic.>" to anyone in group1 or group2.
> Am I doing something wrong?
> Is this scenario supported by authorizationPlugin?
> Thanks,
> Alex



--
This message was sent by Atlassian Jira
(v8.3.4#803005)