[ 
https://issues.apache.org/jira/browse/ARTEMIS-4420?focusedWorklogId=915652&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915652
 ]

ASF GitHub Bot logged work on ARTEMIS-4420:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 20/Apr/24 04:38
            Start Date: 20/Apr/24 04:38
    Worklog Time Spent: 10m 
      Work Description: jbertram opened a new pull request, #4897:
URL: https://github.com/apache/activemq-artemis/pull/4897

   (no comment)




Issue Time Tracking
-------------------

            Worklog Id:     (was: 915652)
    Remaining Estimate: 0h
            Time Spent: 10m

> User authentication leaks into non-Artemis servlets
> ---------------------------------------------------
>
>                 Key: ARTEMIS-4420
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-4420
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>    Affects Versions: 2.30.0
>            Reporter: Dries Harnie
>            Priority: Minor
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> ActiveMQ Artemis supports audit logs, which log all administrative actions 
> that happen on the broker.
> These logs identify the "current user" for an administrative access [by one 
> of two methods|https://github.com/apache/activemq-artemis/blob/main/artemis-commons/src/main/java/org/apache/activemq/artemis/logs/AuditLogger.java#L67-L73]:
>  # The {{Subject}} associated with the current security manager context, or
>  # A {{ThreadLocal<Subject>}}, which is set by JolokiaFilter as part of 
> interaction with the admin console.
> For a non-Artemis servlet such as [the metrics 
> plugin|https://github.com/rh-messaging/artemis-prometheus-metrics-plugin], 
> this {{ThreadLocal}} is set to whatever {{Subject}} made the previous request 
> on this thread. This leads to situations where metric accesses are logged as 
> being done by ghost users.
> To reproduce the issue:
>  # Set up Artemis with the default admin/admin user and [the metrics 
> plugin|https://github.com/rh-messaging/artemis-prometheus-metrics-plugin].
>  # Enable audit logging ({{logger.audit_base}} should be at {{INFO}} level)
>  # {{tail -f}} the audit log and start the server
>  # Log in to the admin console
>  # Observe that a lot of audit logs fly by for *admin(amq)@127.0.0.1*.
>  # Access the metrics with e.g. {{curl http://localhost:8161/metrics/}}.
>  # Observe that a lot of audit logs fly by for *admin(amq)@127.0.0.1*, 
> even though these requests are completely anonymous.
>  
> I think the solution involves a modification to 
> {{org.apache.activemq.artemis.component.JolokiaFilter}} but I do not 
> understand the purpose of the code after the {{doFilter}} invocation.
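
The mechanism the report describes, as an added stand-alone example (not Artemis code, and not the fix that landed in the pull request above): a servlet container reuses worker threads, so a ThreadLocal set for an authenticated request is still populated when the next, anonymous request runs on the same thread unless the filter clears it in a finally block. CURRENT_SUBJECT, handleLeaky, handleFixed and audit are hypothetical stand-ins for the ThreadLocal<Subject>, the filter and the audit logger named in the issue.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalSubjectLeak {
    // Hypothetical stand-in for the ThreadLocal<Subject> consulted by the audit logger.
    private static final ThreadLocal<String> CURRENT_SUBJECT = new ThreadLocal<>();

    // Leaky filter: sets the identity for the request but never clears the slot,
    // so it survives on the pooled thread after the request completes.
    static String handleLeaky(String authenticatedUser, String path) {
        if (authenticatedUser != null) {
            CURRENT_SUBJECT.set(authenticatedUser);
        }
        return audit(path);
    }

    // Hardened filter: the slot is always cleared when the request finishes,
    // even if the downstream chain throws, so no later request inherits it.
    static String handleFixed(String authenticatedUser, String path) {
        if (authenticatedUser != null) {
            CURRENT_SUBJECT.set(authenticatedUser);
        }
        try {
            return audit(path);
        } finally {
            CURRENT_SUBJECT.remove();
        }
    }

    // Mimics the audit logger's "current user" lookup from the ThreadLocal.
    static String audit(String path) {
        String user = CURRENT_SUBJECT.get();
        return (user == null ? "anonymous" : user) + " accessed " + path;
    }

    public static void main(String[] args) throws Exception {
        // One worker thread guarantees consecutive requests share a thread,
        // which is what a container's thread pool does under low load.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            System.out.println(pool.submit(() -> handleLeaky("admin", "/console/jolokia")).get());
            System.out.println(pool.submit(() -> handleLeaky(null, "/metrics/")).get()); // ghost "admin"
            System.out.println(pool.submit(() -> handleFixed("admin", "/console/jolokia")).get());
            System.out.println(pool.submit(() -> handleFixed(null, "/metrics/")).get()); // anonymous
        } finally {
            pool.shutdown();
        }
    }
}
```

The second line of output attributes the anonymous metrics request to admin, exactly the ghost-user audit entry the report describes; the fourth shows it correctly logged as anonymous once the slot is removed in finally.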



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
