  1. ActiveMQ Classic
  2. AMQ-8116

ActiveMQWildcardPermission with multiple tokens inconsistent with parent WildcardPermission class


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.16.0, 5.15.14
    • Fix Version/s: 5.16.1, 5.15.15, 5.17.0
    • Component/s: Plugin
    • Labels: None

    Description


      Reminder:
      A permission pattern looks like A:B:C, with A, B and C being 'parts' of the permission.
      Each 'part' can have one or more 'tokens', like 'read,write'.
      So a permission with ActiveMQ looks like:
      queue:queue1,queue2:read,write
      granting access on queue1 and queue2, for read or write access.


      The WildcardPermission class from the Shiro library states that tokens are a list of authorized items, for example: newsletter:view,edit,create grants view, edit and create rights upon the newsletter item.

      (ref https://github.com/apache/shiro/blob/master/core/src/main/java/org/apache/shiro/authz/permission/WildcardPermission.java )

       

      The ActiveMQWildcardPermission class (in activemq projects) extends this class by allowing each 'part' to be not only a single wildcard '*', but also a wildcard string.

      topic:ActiveMQ.Advisory* grants all access to the topics starting with the given string.

       

       

      To do so, this class redefines the implies function, but breaks the above requirements.

      queue:*:read,create
      should grant read and create access on all queues, but this is not working, as
      queue:testqueue:read
      will fail to validate.

       

      Test code:

      WildcardPermission permission = new ActiveMQWildcardPermission("queue:*:read,create", true);
      WildcardPermission action = new ActiveMQWildcardPermission("queue:testqueue:read", true);
      assert(permission.implies(action));

      Replacing new ActiveMQWildcardPermission with new WildcardPermission (parent class) will pass this specific assert (but won't match a wildcard string like 'test*', and is not a suitable swap).
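
      A stand-alone model of the semantics the report expects, added here as an illustration (it is not ActiveMQ or Shiro source code and not part of the issue report): each requested token in a part must be covered by some granted token in the same part, and a granted token may be a wildcard string. The class and method names are hypothetical, matching is case-sensitive, and treating '*' as the only wildcard character is an assumption.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added illustration: a stand-alone model, not ActiveMQ or Shiro source code.
public class PermissionModel {
    // Split "A:B:C" into parts, and each part into its comma-separated tokens.
    static List<Set<String>> parse(String permission) {
        List<Set<String>> parts = new ArrayList<>();
        for (String part : permission.split(":")) {
            Set<String> tokens = new LinkedHashSet<>();
            for (String token : part.split(",")) tokens.add(token.trim());
            parts.add(tokens);
        }
        return parts;
    }

    // Assumption: '*' is the only wildcard character and matches any run of characters.
    static boolean tokenMatches(String pattern, String value) {
        String[] literals = pattern.split("\\*", -1);
        for (int i = 0; i < literals.length; i++) literals[i] = Pattern.quote(literals[i]);
        return Pattern.matches(String.join(".*", literals), value);
    }

    // A grant implies a request when, part by part, every requested token is
    // matched by at least one granted token. Fails closed on any uncovered token.
    static boolean implies(String granted, String requested) {
        List<Set<String>> have = parse(granted), want = parse(requested);
        for (int i = 0; i < Math.max(have.size(), want.size()); i++) {
            if (i >= have.size()) return true; // a shorter grant covers all remaining parts
            // A request with fewer parts needs a bare "*" in the grant's extra parts.
            Set<String> wanted = i < want.size() ? want.get(i) : Collections.singleton("*");
            for (String w : wanted) {
                if (have.get(i).stream().noneMatch(g -> tokenMatches(g, w))) return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        String[][] cases = { // constructed checks: {granted, requested, expected}
            {"queue:*:read,create", "queue:testqueue:read", "true"},
            {"queue:*:read,create", "queue:testqueue:write", "false"},
            {"queue:queue1,queue2:read,write", "queue:queue2:write", "true"},
            {"topic:ActiveMQ.Advisory*", "topic:ActiveMQ.Advisory.Connection:read", "true"},
            {"queue:test*:read", "queue:prod:read", "false"},
        };
        for (String[] c : cases) {
            boolean got = implies(c[0], c[1]);
            if (got != Boolean.parseBoolean(c[2])) throw new AssertionError(c[0] + " vs " + c[1]);
            System.out.println(c[0] + " implies " + c[1] + " -> " + got);
        }
    }
}
```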

       


          People

            jbonofre Jean-Baptiste Onofré
            ikucuze OLIVIER LE TIEC

              Time Tracking

                Estimated: Not Specified
                Remaining: 0h
                Logged: 20m