https://issues.apache.org/jira/browse/AMQ-3211 - ensure that a JMSXUserID property set by a client is ignored if an alternative userId mechanism is in place. This ensures that a client cannot spoof this value when the broker is configured to supply if from credentials. The client supplied value is only used as a last resourt

git-svn-id: https://svn.apache.org/repos/asf/activemq/trunk@1080212 13f79535-47bb-0310-9956-ffa450edef68

activemq-core/src/main/java/org/apache/activemq/command/ActiveMQMessage.java

@@ -593,11 +593,14 @@ public class ActiveMQMessage extends Message implements org.apache.activemq.Mess
     }
 
     public String getStringProperty(String name) throws JMSException {
-        Object value = getObjectProperty(name);
-        if (value == null) {
-            if (name.equals("JMSXUserID")) {
-                value = getUserID();
+        Object value = null;
+        if (name.equals("JMSXUserID")) {
+            value = getUserID();
+            if (value == null) {
+                value = getObjectProperty(name);
             }
+        } else {
+            value = getObjectProperty(name);
         }
         if (value == null) {
             return null;

activemq-core/src/test/java/org/apache/activemq/test/JmsTopicSendReceiveWithEmbeddedBrokerAndUserIDTest.java

@@ -60,4 +60,21 @@ public class JmsTopicSendReceiveWithEmbeddedBrokerAndUserIDTest extends JmsTopic
             assertEquals("JMSXUserID header", userName, userID);
         }
     }
+
+    public void testSpoofedJMSXUserIdIsIgnored() throws Exception {
+        Thread.sleep(1000);
+        messages.clear();
+
+        for (int i = 0; i < data.length; i++) {
+            Message message = createMessage(i);
+            configureMessage(message);
+            message.setStringProperty("JMSXUserID", "spoofedId");
+            if (verbose) {
+                LOG.info("About to send a message: " + message + " with text: " + data[i]);
+            }
+            sendMessage(i, message);
+        }
+        assertMessagesAreReceived();
+        LOG.info("" + data.length + " messages(s) received, closing down connections");
+    }
 }

activemq-core/src/test/java/org/apache/activemq/test/message/NestedMapAndListPropertyTest.java

@@ -66,6 +66,7 @@ public class NestedMapAndListPropertyTest extends JmsTopicSendReceiveWithTwoConn
         assertEquals("listField[0]", "a", list.get(0));
         assertEquals("listField[1]", "b", list.get(1));
         assertEquals("listField[2]", "c", list.get(2));
+        assertEquals("JohnDoe", message.getStringProperty("JMSXUserID"));
     }
 
     protected Message createMessage(int index) throws JMSException {
@@ -85,6 +86,7 @@ public class NestedMapAndListPropertyTest extends JmsTopicSendReceiveWithTwoConn
 
         answer.setObjectProperty("mapField", nestedMap);
         answer.setObjectProperty("listField", Arrays.asList(new Object[] {"a", "b", "c"}));
+        answer.setStringProperty("JMSXUserID", "JohnDoe");
 
         return answer;
     }