Posted to users@activemq.apache.org by "Modanese, Riccardo" <Ri...@eurotech.com.INVALID> on 2022/08/16 13:59:50 UTC

Artemis security plugin looks like not intercepting MQTT LWT messages

Hello,
     moving from ActiveMQ 5 to ActiveMQ Artemis I was investigating a test failure.
It looks like Artemis doesn't allow intercepting the LWT messages triggered by an MQTT connection.
I have both a ServerPlugin (ActiveMQServerPlugin implementation) and a SecurityPlugin (ActiveMQSecurityManager5 implementation) but I don't see any call to the authorize method (ActiveMQSecurityManager5) or the beforeSend method (ActiveMQServerPlugin).
If I'm not wrong and the message is not intercepted by these plugins, there is also a security issue, because both the LWT topic and the message are set by the client while connecting to the server, so malicious messages to topics not allowed (by ACLs) could be used.

Thanks in advance for your feedback.

Regards

Riccardo
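
The point above, that the LWT topic and payload arrive inside the client's CONNECT packet, shown as an added example that is not part of the original post and is not Artemis code: a minimal MQTT 3.1.1 CONNECT parser that pulls out the Will fields and checks the Will topic against a per-user send ACL at connect time. The function names, the exact-match ACL and the sample packets are assumptions constructed for illustration.

```python
import struct

def _field(buf, pos):
    """Read one 2-byte length-prefixed field; return (bytes, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + n
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:end], end

def parse_connect_will(packet):
    """Return (username, will_topic, will_payload) from an MQTT 3.1.1 CONNECT.
    will_topic and will_payload are None when the Will flag is clear."""
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    pos = 1
    while packet[pos] & 0x80:  # skip the variable-length Remaining Length
        pos += 1
    pos += 1
    proto, pos = _field(packet, pos)
    level, flags = packet[pos], packet[pos + 1]
    if proto != b"MQTT" or level != 4:
        raise ValueError("only MQTT 3.1.1 is handled here")
    pos += 4  # protocol level, connect flags, 2-byte keep-alive
    _client_id, pos = _field(packet, pos)
    user = topic = payload = None
    if flags & 0x04:  # Will flag: topic and payload come from the client
        raw, pos = _field(packet, pos)
        payload, pos = _field(packet, pos)
        topic = raw.decode("utf-8")
    if flags & 0x80:  # User Name flag
        raw, pos = _field(packet, pos)
        user = raw.decode("utf-8")
    return user, topic, payload

def will_allowed(packet, acl):
    """True when there is no Will, or the Will topic is in the user's send ACL."""
    user, topic, _ = parse_connect_will(packet)
    return topic is None or topic in acl.get(user, set())

def build_connect(user, will_topic=None, will_payload=b""):
    """Build a constructed sample CONNECT packet (input for the check above)."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = s(b"MQTT") + bytes([4, 0x86 if will_topic else 0x82, 0, 60]) + s(b"client-1")
    if will_topic:
        body += s(will_topic.encode()) + s(will_payload)
    body += s(user.encode())
    return bytes([0x10, len(body)]) + body  # sample bodies stay under 128 bytes

ACL = {"sensor-7": {"devices/sensor-7/status"}}  # constructed, exact-match only
```
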

Re: Artemis security plugin looks like not intercepting MQTT LWT messages

Posted by "Modanese, Riccardo" <Ri...@eurotech.com.INVALID>.
Great! Thanks!

From: Justin Bertram <jb...@apache.org>
Date: Wednesday, 17 August 2022 18:46
To: users@activemq.apache.org <us...@activemq.apache.org>
Subject: Re: Artemis security plugin looks like not intercepting MQTT LWT messages
Just to follow up...

I created ARTEMIS-3942 [1] for this and sent a PR [2].


Justin

[1] https://issues.apache.org/jira/browse/ARTEMIS-3942
[2] https://github.com/apache/activemq-artemis/pull/4180

On Tue, Aug 16, 2022 at 2:07 PM Justin Bertram <jb...@apache.org> wrote:

> Your observation is correct. Currently MQTT LWT messages are sent using an
> internal mechanism which bypasses authorization and the plugin's beforeSend
> method (although beforeMessageRoute will see it). I'll send a PR ASAP to
> reverse this so the LWT message goes through the normal channel.
>
> Thanks for the heads up!
>
>
> Justin
>
> On Tue, Aug 16, 2022 at 9:02 AM Modanese, Riccardo
> <Ri...@eurotech.com.invalid> wrote:
>
>> Hello,
>>      moving from ActiveMQ 5 to ActiveMQ Artemis I was investigating a
>> test failure.
>> It looks like Artemis doesn't allow to intercept the LWT messages
>> triggered by an MQTT connection.
>> I have both a ServerPlugin (ActiveMQServerPlugin implementation) and a
>> SecurityPlugin (ActiveMQSecurityManager5 implementation) but I don't see
>> any call to authorize method (ActiveMQSecurityManager5) and beforeSend
>> method (ActiveMQServerPlugin).
>> If I'm not wrong and the message is not intercepted by these plugins
>> there is also a security issue because both the LWT topic and the message
>> are set by the client while connecting to the server so malicious messages
>> to a not allowed (by ACLs) topics could be used.
>>
>> Thanks in advance for your feedback.
>>
>> Regards
>>
>> Riccardo
>>
>

Re: Artemis security plugin looks like not intercepting MQTT LWT messages

Posted by Justin Bertram <jb...@apache.org>.
Just to follow up...

I created ARTEMIS-3942 [1] for this and sent a PR [2].


Justin

[1] https://issues.apache.org/jira/browse/ARTEMIS-3942
[2] https://github.com/apache/activemq-artemis/pull/4180

On Tue, Aug 16, 2022 at 2:07 PM Justin Bertram <jb...@apache.org> wrote:

> Your observation is correct. Currently MQTT LWT messages are sent using an
> internal mechanism which bypasses authorization and the plugin's beforeSend
> method (although beforeMessageRoute will see it). I'll send a PR ASAP to
> reverse this so the LWT message goes through the normal channel.
>
> Thanks for the heads up!
>
>
> Justin
>
> On Tue, Aug 16, 2022 at 9:02 AM Modanese, Riccardo
> <Ri...@eurotech.com.invalid> wrote:
>
>> Hello,
>>      moving from ActiveMQ 5 to ActiveMQ Artemis I was investigating a
>> test failure.
>> It looks like Artemis doesn't allow to intercept the LWT messages
>> triggered by an MQTT connection.
>> I have both a ServerPlugin (ActiveMQServerPlugin implementation) and a
>> SecurityPlugin (ActiveMQSecurityManager5 implementation) but I don't see
>> any call to authorize method (ActiveMQSecurityManager5) and beforeSend
>> method (ActiveMQServerPlugin).
>> If I'm not wrong and the message is not intercepted by these plugins
>> there is also a security issue because both the LWT topic and the message
>> are set by the client while connecting to the server so malicious messages
>> to a not allowed (by ACLs) topics could be used.
>>
>> Thanks in advance for your feedback.
>>
>> Regards
>>
>> Riccardo
>>
>

Re: Artemis security plugin looks like not intercepting MQTT LWT messages

Posted by Justin Bertram <jb...@apache.org>.
Your observation is correct. Currently MQTT LWT messages are sent using an
internal mechanism which bypasses authorization and the plugin's beforeSend
method (although beforeMessageRoute will see it). I'll send a PR ASAP to
reverse this so the LWT message goes through the normal channel.

Thanks for the heads up!


Justin

On Tue, Aug 16, 2022 at 9:02 AM Modanese, Riccardo
<Ri...@eurotech.com.invalid> wrote:

> Hello,
>      moving from ActiveMQ 5 to ActiveMQ Artemis I was investigating a test
> failure.
> It looks like Artemis doesn't allow to intercept the LWT messages
> triggered by an MQTT connection.
> I have both a ServerPlugin (ActiveMQServerPlugin implementation) and a
> SecurityPlugin (ActiveMQSecurityManager5 implementation) but I don't see
> any call to authorize method (ActiveMQSecurityManager5) and beforeSend
> method (ActiveMQServerPlugin).
> If I'm not wrong and the message is not intercepted by these plugins there
> is also a security issue because both the LWT topic and the message are set
> by the client while connecting to the server so malicious messages to a not
> allowed (by ACLs) topics could be used.
>
> Thanks in advance for your feedback.
>
> Regards
>
> Riccardo
>