[ https://issues.apache.org/jira/browse/AMQ-5151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17244620#comment-17244620 ]
Matt Pavlovich commented on AMQ-5151:
-------------------------------------

[~apauzies] Have you tried this with more recent versions of ActiveMQ? Please test with 5.15.14 or 5.16.0. This issue is marked for close in 30 days if there are no further updates.

> Incorrect authorization on virtual destination (wildcard)
> ---------------------------------------------------------
>
>                 Key: AMQ-5151
>                 URL: https://issues.apache.org/jira/browse/AMQ-5151
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.9.0, 5.9.1
>            Reporter: Alexandre Pauzies
>            Assignee: Matt Pavlovich
>            Priority: Major
>              Labels: authorization, security, virtualDestinations, wildcard
>
> I'm trying to use authorizationPlugin with virtual destinations:
> testTopic.group1
> testTopic.group2
> This is my authorizationEntries definition:
> <authorizationEntry topic="testTopic.group1.>" write="admins" read="group1" admin="admins" />
> <authorizationEntry topic="testTopic.group2.>" write="admins" read="group2" admin="admins" />
> <authorizationEntry topic=">" write="admins" read="admins" admin="admins" />
> - When group1 tries to subscribe to testTopic.group2, I get an access denied: "User is not authorized to read from..."
> - Same when group2 accesses group1
> - However, if group1 subscribes to testTopic.> it will have access to everything
> I tracked the issue down to DefaultAuthorizationMap, getReadACLs(ActiveMQDestination destination)
> This method will combine the read ACL from the 2 sub-topic authorization entries and give access to destination "testTopic.>" to anyone in group1 or group2.
> Am I doing something wrong?
> Is this scenario supported by authorizationPlugin?
> Thanks,
> Alex

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
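
The ACL combination described in the report can be reproduced with a small model. This is an added example, not ActiveMQ code and not part of the original message: the function names are hypothetical, the wildcard rules ("*" is one segment, ">" is any remaining segments) are assumptions of the model, and the covering check is one conservative alternative rather than the project's fix.

```python
# Simplified model of the ACL lookup described in AMQ-5151; not ActiveMQ code.
# Assumed wildcard rules: "*" = exactly one segment, ">" = any remaining segments.
ENTRIES = [  # (topic pattern, read roles), copied from the report's configuration
    ("testTopic.group1.>", {"group1"}),
    ("testTopic.group2.>", {"group2"}),
    (">", {"admins"}),
]

def overlaps(a, b):
    """True if at least one concrete destination matches both patterns."""
    if (a and a[0] == ">") or (b and b[0] == ">"):
        return True
    if not a or not b:
        return not a and not b
    return (a[0] == "*" or b[0] == "*" or a[0] == b[0]) and overlaps(a[1:], b[1:])

def covers(entry, sub):
    """True if every destination matched by `sub` is also matched by `entry`."""
    if entry and entry[0] == ">":
        return True
    if sub and sub[0] == ">":
        return False  # sub reaches destinations the narrower entry does not
    if not entry or not sub:
        return not entry and not sub
    return (entry[0] == "*" or entry[0] == sub[0]) and covers(entry[1:], sub[1:])

def read_acl(destination, relation):
    """Union of read roles over entries related to `destination` by `relation`."""
    dest = destination.split(".")
    roles = set()
    for pattern, readers in ENTRIES:
        if relation(pattern.split("."), dest):
            roles |= readers
    return roles

def authorize_union(user_roles, destination):
    """Reported behaviour: any entry touching the subscription grants access."""
    return bool(set(user_roles) & read_acl(destination, overlaps))

def authorize_covering(user_roles, destination):
    """Conservative alternative: only entries spanning the whole subscription count."""
    return bool(set(user_roles) & read_acl(destination, covers))

if __name__ == "__main__":
    for dest in ("testTopic.group2", "testTopic.>", "testTopic.group1.>"):
        print(dest, authorize_union({"group1"}, dest), authorize_covering({"group1"}, dest))
```

Under the covering rule a group1 user can still subscribe to testTopic.group1.> but is refused testTopic.>, because only the ">" entry (read="admins") spans that whole subscription.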