Hi,

I noticed that the QueueQuery and ExchangeQuery commands (AMQP 0.10) are not exactly protected using the ACL rules on the Java broker. Once the user is allowed to access the virtual host in the ACLs, he seems to be able to send the QueueQuery and ExchangeQuery requests and receive the responses without any limitation. While this isn't exactly a security hole, it allows everyone to very easily find out what queues and exchanges exist on the broker, including some of their statistics. Depending on your queue naming, the client might also be able to derive usernames from the queue names etc. (Of course, the client still cannot consume or publish without the respective ACL rules.)

In contrast, the C++ broker is mapping the ExchangeQuery and QueueQuery commands against the "access queue name=<queueName>" and "access exchange name=<exchangeName>" ACL rules, and the client is unable to find out which queues/exchanges exist on the broker without being really allowed to do so.

Is there some way to achieve the same in the Java broker? The "access queue" or "access exchange" rules do not seem to be supported. Do you think this is a potential security issue, or is it OK from your point of view?

Thanks & Regards
Jakub