From b8c58028f0abc4d8f19d77c8b613ea389253b1f3 Mon Sep 17 00:00:00 2001
From: ikucuze <37959812+ikucuze@users.noreply.github.com>
Date: Wed, 6 Jan 2021 11:26:30 +0100
Subject: [PATCH] AMQ-8116 ActiveMQWildcardPermission buggy ActiveMQWildcardPermission with multiple tokens inconsistent with parent WildcardPermission class Update ActiveMQWildcardPermission.java add testcase (cherry picked from commit 9cf9d20d51590218368f87fb54aeb0505c862461)
---
 .../authz/ActiveMQWildcardPermission.java | 25 ++++++++++++-------
 .../authz/ActiveMQWildcardPermissionTest.java | 4 +++
 2 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/activemq-shiro/src/main/java/org/apache/activemq/shiro/authz/ActiveMQWildcardPermission.java b/activemq-shiro/src/main/java/org/apache/activemq/shiro/authz/ActiveMQWildcardPermission.java
index 38a514c3c8..92854cd5a6 100644
--- a/activemq-shiro/src/main/java/org/apache/activemq/shiro/authz/ActiveMQWildcardPermission.java
+++ b/activemq-shiro/src/main/java/org/apache/activemq/shiro/authz/ActiveMQWildcardPermission.java
@@ -59,18 +59,25 @@ public class ActiveMQWildcardPermission extends WildcardPermission {
 } else {
 Set thisPart = getParts().get(i);
- for (String token : thisPart) {
- if (token.equals(WILDCARD_TOKEN)) {
- continue;
+ // all tokens from otherPart must pass at least one token from thisPart
+ for (String otherToken : otherPart) {
+ if (!caseSensitive) {
+ otherToken = otherToken.toLowerCase();
 }
- for (String otherToken : otherPart) {
- if (!caseSensitive) {
- otherToken = otherToken.toLowerCase();
+ boolean otherIsMatched = false;
+ for (String token : thisPart) {
+ if (token.equals(WILDCARD_TOKEN)) {
+ otherIsMatched = true;
+ break;
 }
- if (!matches(token, otherToken)) {
- return false;
+ if (matches(token, otherToken)) {
+ otherIsMatched = true;
+ break;
 }
- }
+ }
+ if (!otherIsMatched) {
+ return false;
+ }
 }
 i++;
 }
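Review bot: The inner loop over `thisPart` grants through two separate branches that do the same thing, and the wildcard test in the first one does not depend on `otherToken`, so it is re-evaluated for every requested token. Folding them into `if (token.equals(WILDCARD_TOKEN) || matches(token, otherToken)) { otherIsMatched = true; break; }` keeps the grant condition of this authorization check in one place. The comment above the outer loop would be more precise as `// every token in otherPart must be matched by at least one token in thisPart; a WILDCARD_TOKEN in thisPart matches any token`. The enclosing method starts and ends outside the hunk, so it cannot be confirmed from here how `otherPart` is obtained or whether the tokens of `thisPart` were lowercased the same way as `otherToken.toLowerCase()`.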
diff --git a/activemq-shiro/src/test/java/org/apache/activemq/shiro/authz/ActiveMQWildcardPermissionTest.java b/activemq-shiro/src/test/java/org/apache/activemq/shiro/authz/ActiveMQWildcardPermissionTest.java
index 515aeeb49d..a246722cfe 100644
--- a/activemq-shiro/src/test/java/org/apache/activemq/shiro/authz/ActiveMQWildcardPermissionTest.java
+++ b/activemq-shiro/src/test/java/org/apache/activemq/shiro/authz/ActiveMQWildcardPermissionTest.java
@@ -117,6 +117,10 @@ public class ActiveMQWildcardPermissionTest {
 assertNoMatch("*:ActiveMQ*", "topic:TEST:*");
 assertMatch("topic:ActiveMQ.Advisory*", "topic:ActiveMQ.Advisory.Connection:create");
 assertMatch("foo?ar", "foobar");
+
+ assertMatch("queue:*:read,write", "queue:testqueue:read");
+ assertMatch("queue:*:read,write", "queue:test*:read,write");
+ assertNoMatch("queue:*:read,write", "queue:*:read,write,delete");
 }
 protected static void assertMatch(String pattern, String value) {
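Review bot: The three added assertions all use a `*` resource segment on the granting side, so the new any-of matching is never exercised with a literal token list in the second part, and the only denial tested is the `delete` case. Because this logic decides what a granted permission implies, a few more negative cases would pin it down, for example `assertNoMatch("queue:test:read,write", "queue:test:delete");` and `assertNoMatch("queue:test:read", "queue:test:read,write");`. As far as the hunk shows, nothing covers the case-insensitive path that lowercases the requested tokens either. The enclosing test method starts outside the hunk.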