Hi Jakub, We will take a look with regard to making the query behaviour similar to the C++ broker.
Robbie

On 29 March 2013 14:25, Jakub Scholz <ja...@scholz.cz> wrote:
> Hi,
>
> I noticed that the QueueQuery and ExchangeQuery commands (AMQP 0.10) are
> not exactly protected using the ACL rules on the Java broker. Once the user
> is allowed to access the virtual host in the ACLs, he seems to be able to
> send the QueueQuery and ExchangeQuery requests and receive the responses
> without any limitation. While this isn't exactly a security hole, it allows
> everyone to very easily find out what queues and exchanges exist on the
> broker, including some of their statistics. Depending on your queue naming,
> the client might also be able to derive usernames from the queue names
> etc. (of course the client still cannot consume or publish without the
> respective ACL rules).
>
> In contrast, the C++ broker is mapping the ExchangeQuery and QueueQuery
> commands against the "access queue name=<queueName>" and "access exchange
> name=<exchangeName>" ACL rules, and the client is unable to find out which
> queues/exchanges exist on the broker without being really allowed to do so.
>
> Is there some way to achieve the same in the Java broker? The "access
> queue" or "access exchange" rules do not seem to be supported.
>
> Do you think this is a potential security issue, or is it OK from your point
> of view?
>
> Thanks & Regards
> Jakub
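For reference, this is what the C++ broker behaviour Jakub describes looks like in an ACL file: QueueQuery/ExchangeQuery are only answered for objects the user holds an "access" rule on, and everything else falls through to the final deny. This is an added illustration, not from the thread or either broker's documentation; the group, user, queue and exchange names are made up.

```text
# Added example (not from the thread): C++ broker ACL file that limits what a
# QueueQuery / ExchangeQuery can reveal. Names are constructed for illustration.
group reporting report1@QPID report2@QPID

# "access" is what a QueueQuery / ExchangeQuery is checked against, so the
# reporting users can only discover these two objects, not the whole broker.
acl allow reporting access queue name=reports.incoming
acl allow reporting access exchange name=amq.direct

# Separate rules are still needed for actually using them.
acl allow reporting consume queue name=reports.incoming
acl allow reporting publish exchange name=amq.direct routingkey=reports.incoming

# Everything not listed above, including queries on any other queue or
# exchange, is refused.
acl deny all all
```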