ARTEMIS-3381 AMQP bypasses session when deleting queues
The AMQP implementation bypasses the ServerSession when deleting queues which also bypasses security authorization.
This commit is contained in:
parent
bf875c3a37
commit
ec508d8306
|
@ -642,7 +642,7 @@ public class AMQPSessionCallback implements SessionCallback {
|
||||||
}
|
}
|
||||||
|
|
||||||
public void deleteQueue(SimpleString queueName) throws Exception {
|
public void deleteQueue(SimpleString queueName) throws Exception {
|
||||||
manager.getServer().destroyQueue(queueName);
|
serverSession.deleteQueue(queueName);
|
||||||
}
|
}
|
||||||
|
|
||||||
public void resetContext(OperationContext oldContext) {
|
public void resetContext(OperationContext oldContext) {
|
||||||
|
|
|
@ -120,7 +120,7 @@ public class SecureConfigurationTest extends ActiveMQTestBase {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testSecureDurableSubscriber() throws Exception {
|
public void testCreateSecureDurableSubscriber() throws Exception {
|
||||||
ConnectionFactory connectionFactory = getConnectionFactory("b", "b");
|
ConnectionFactory connectionFactory = getConnectionFactory("b", "b");
|
||||||
String message = "blah";
|
String message = "blah";
|
||||||
|
|
||||||
|
@ -136,6 +136,23 @@ public class SecureConfigurationTest extends ActiveMQTestBase {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testDeleteSecureDurableSubscriber() throws Exception {
|
||||||
|
ConnectionFactory connectionFactory = getConnectionFactory("c", "c");
|
||||||
|
String message = "blah";
|
||||||
|
|
||||||
|
//Expect to be able to create durable queue for subscription
|
||||||
|
String messageRecieved = sendAndReceiveTextUsingTopic(connectionFactory, "clientId", message, "secured_topic_durable", (t, s) -> s.createDurableSubscriber(t, "secured_topic_durable/non-existant-queue"));
|
||||||
|
Assert.assertEquals(message, messageRecieved);
|
||||||
|
|
||||||
|
try {
|
||||||
|
sendAndReceiveTextUsingTopic(connectionFactory, "clientId", message, "secured_topic_durable", (t, s) -> s.createDurableSubscriber(t, "secured_topic_durable/non-existant-queue", "age > 10", false));
|
||||||
|
Assert.fail("Security exception expected, but did not occur, excepetion expected as not permissioned to dynamically delete queue");
|
||||||
|
} catch (JMSSecurityException j) {
|
||||||
|
//Expected exception
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testTemporaryQueue() throws Exception {
|
public void testTemporaryQueue() throws Exception {
|
||||||
ConnectionFactory connectionFactory = getConnectionFactory("a", "a");
|
ConnectionFactory connectionFactory = getConnectionFactory("a", "a");
|
||||||
|
|
|
@ -127,11 +127,11 @@ under the License.
|
||||||
<security-setting match="secured_topic_durable">
|
<security-setting match="secured_topic_durable">
|
||||||
<permission type="createNonDurableQueue" roles="a"/>
|
<permission type="createNonDurableQueue" roles="a"/>
|
||||||
<permission type="deleteNonDurableQueue" roles="a"/>
|
<permission type="deleteNonDurableQueue" roles="a"/>
|
||||||
<permission type="createDurableQueue" roles="a"/>
|
<permission type="createDurableQueue" roles="a,c"/>
|
||||||
<permission type="deleteDurableQueue" roles="a"/>
|
<permission type="deleteDurableQueue" roles="a"/>
|
||||||
<permission type="browse" roles="a"/>
|
<permission type="browse" roles="a"/>
|
||||||
<permission type="send" roles="a,b"/>
|
<permission type="send" roles="a,b,c"/>
|
||||||
<permission type="consume" roles="a,b" />
|
<permission type="consume" roles="a,b,c" />
|
||||||
<!-- we need this otherwise ./artemis data imp wouldn't work -->
|
<!-- we need this otherwise ./artemis data imp wouldn't work -->
|
||||||
<permission type="manage" roles="a"/>
|
<permission type="manage" roles="a"/>
|
||||||
</security-setting>
|
</security-setting>
|
||||||
|
|
Loading…
Reference in New Issue