Posted to dev@activemq.apache.org by "Michael Steiner (JIRA)" <ji...@apache.org> on 2011/03/09 04:31:59 UTC
[jira] Updated: (AMQ-3211) JMSXUserId Can be spoofed by client
[ https://issues.apache.org/jira/browse/AMQ-3211?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Steiner updated AMQ-3211:
---------------------------------
Description:
It seems the JMSXUserId can be spoofed by client contrary to what http://activemq.apache.org/jmsxuserid.html says.
My test setup is populateJMSXUserID="true" set in a single broker, a JAAS config org.apache.activemq.jaas.TextFileCertificateLoginModule and using mutual auth SSL (i.e., ?needClientAuth=true for transportConnector setup), and a single consumer and producer based on small modifications of the ConsumerTool and ProducerTool examples in the 5.4.2 distro.
When the client does not set the property, then I get the properly authenticated DN as JMSXUserID using message.getStringProperty("JMSXUserID"). However, when the client sets it, I get the value set by the client. The only difference I notice is that in the former case, message.getPropertyNames() does not return JMSXUserID whereas in the spoofed case it does.
I wonder whether in the context of https://issues.apache.org/jira/browse/QPID-943 or https://issues.apache.org/jira/browse/AMQ-2840 (which interestingly doesn't list JMSXUserID as supported in a comment even though it is?) something got messed up?
was:
It seems the JMSXUserId can be spoofed by client contrary to what http://activemq.apache.org/jmsxuserid.html says.
My test setup is populateJMSXUserID="true" set in broker, a JAAS config org.apache.activemq.jaas.TextFileCertificateLoginModule and using mutual auth SSL (i.e., ?needClientAuth=true for transportConnector setup).
When the client does not set the property, then I get the properly authenticated DN as JMSXUserID using message.getStringProperty("JMSXUserID"). However, when the client sets it, I get the value set by the client. The only difference I notice is that in the former case, message.getPropertyNames() does not return JMSXUserID whereas in the spoofed case it does.
I wonder whether in the context of https://issues.apache.org/jira/browse/QPID-943 or https://issues.apache.org/jira/browse/AMQ-2840 (which interestingly doesn't list JMSXUserID as supported in a comment even though it is?)
> JMSXUserId Can be spoofed by client
> -----------------------------------
>
> Key: AMQ-3211
> URL: https://issues.apache.org/jira/browse/AMQ-3211
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Affects Versions: 5.4.2
> Reporter: Michael Steiner
>
> It seems the JMSXUserId can be spoofed by client contrary to what http://activemq.apache.org/jmsxuserid.html says.
> My test setup is populateJMSXUserID="true" set in a single broker, a JAAS config org.apache.activemq.jaas.TextFileCertificateLoginModule and using mutual auth SSL (i.e., ?needClientAuth=true for transportConnector setup), and a single consumer and producer based on small modifications of the ConsumerTool and ProducerTool examples in the 5.4.2 distro.
> When the client does not set the property, then I get the properly authenticated DN as JMSXUserID using message.getStringProperty("JMSXUserID"). However, when the client sets it, I get the value set by the client. The only difference I notice is that in the former case, message.getPropertyNames() does not return JMSXUserID whereas in the spoofed case it does.
> I wonder whether in the context of https://issues.apache.org/jira/browse/QPID-943 or https://issues.apache.org/jira/browse/AMQ-2840 (which interestingly doesn't list JMSXUserID as supported in a comment even though it is?) something got messed up?
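A consumer-side check built on the difference reported above for 5.4.2 (a client-set JMSXUserID appears in getPropertyNames(), a broker-populated one does not), added here as an example and not code from ActiveMQ or from the reporter. The class name, method names and the allow-list of DNs are assumptions, and the heuristic is only as reliable as that single observation; it uses only the standard javax.jms.Message API.

```java
import java.util.Enumeration;
import java.util.Set;
import javax.jms.JMSException;
import javax.jms.Message;

/** Hypothetical helper for consumers; not part of ActiveMQ. */
public final class JmsxUserIdCheck {

    public enum Origin { ABSENT, BROKER_POPULATED, CLIENT_SUPPLIED }

    private static final String PROP = "JMSXUserID";

    private JmsxUserIdCheck() { }

    /**
     * Classifies where JMSXUserID came from, assuming the behaviour described
     * in AMQ-3211: only a value set by the client is listed among the
     * message's property names.
     */
    public static Origin classify(Message msg) throws JMSException {
        Enumeration<?> names = msg.getPropertyNames();
        while (names.hasMoreElements()) {
            if (PROP.equals(names.nextElement())) {
                return Origin.CLIENT_SUPPLIED;   // listed by name: set by the sender
            }
        }
        // Not listed by name: either filled in by the broker or not present at all.
        return msg.getStringProperty(PROP) == null ? Origin.ABSENT : Origin.BROKER_POPULATED;
    }

    /**
     * Returns the sender DN only if the broker populated it and it is on the
     * allow-list (allowedDns is an assumed, application-supplied set).
     */
    public static String trustedSender(Message msg, Set<String> allowedDns) throws JMSException {
        Origin origin = classify(msg);
        if (origin != Origin.BROKER_POPULATED) {
            throw new SecurityException("JMSXUserID not broker-populated: " + origin);
        }
        String dn = msg.getStringProperty(PROP);
        if (!allowedDns.contains(dn)) {
            throw new SecurityException("Sender DN not on allow-list: " + dn);
        }
        return dn;
    }
}
```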