Skip to content

Commit

Permalink
ARTEMIS-4580 security settings for FQQN not enforced on send
Browse files Browse the repository at this point in the history
  • Loading branch information
@jbertram
jbertram committed Jan 22, 2024
1 parent 5e99516 commit a70c421
Show file tree
Hide file tree
Showing 2 changed files with 105 additions and 2 deletions.
4 changes: 2 additions & 2 deletions ...-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ServerSessionImpl.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2324,9 +2324,9 @@ public synchronized RoutingStatus doSend(final Transaction tx,
msg.setAddress(art.getName());
}

// check the user has write access to this address.
// check the user has write access to this address (and potentially queue).
try {
securityCheck(CompositeAddress.extractAddressName(art.getName()), CompositeAddress.isFullyQualified(art.getName()) ? CompositeAddress.extractQueueName(art.getName()) : null, CheckType.SEND, this);
securityCheck(CompositeAddress.extractAddressName(msg.getAddressSimpleString()), CompositeAddress.isFullyQualified(msg.getAddressSimpleString()) ? CompositeAddress.extractQueueName(msg.getAddressSimpleString()) : null, CheckType.SEND, this);
} catch (ActiveMQException e) {
if (!autoCommitSends && tx != null) {
tx.markAsRollbackOnly(e);
Expand Down
103 changes: 103 additions & 0 deletions ...est/java/org/apache/activemq/artemis/tests/integration/security/FQQNSendSecurityTest.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.activemq.artemis.tests.integration.security;

import javax.jms.Connection;
import javax.jms.Destination;
import javax.jms.JMSSecurityException;
import javax.jms.MessageProducer;
import javax.jms.Session;

import org.apache.activemq.artemis.api.core.QueueConfiguration;
import org.apache.activemq.artemis.api.core.RoutingType;
import org.apache.activemq.artemis.core.config.Configuration;
import org.apache.activemq.artemis.core.config.impl.RoleSet;
import org.apache.activemq.artemis.core.config.impl.SecurityConfiguration;
import org.apache.activemq.artemis.core.security.Role;
import org.apache.activemq.artemis.core.server.ActiveMQServer;
import org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory;
import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
import org.apache.activemq.artemis.spi.core.security.jaas.InVMLoginModule;
import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
import org.apache.activemq.artemis.tests.util.RandomUtil;
import org.apache.activemq.artemis.utils.CompositeAddress;
import org.junit.Before;
import org.junit.Test;

public class FQQNSendSecurityTest extends ActiveMQTestBase {

private final String ALLOWED_USER = "allowedUser";
private final String ALLOWED_ROLE = "allowedRole";
private final String DENIED_USER = "deniedUser";
private final String DENIED_ROLE = "deniedRole";
private final String PASS = RandomUtil.randomString();
private final String ADDRESS = "myAddress";
private final String QUEUE = "myQueue";

@Override
@Before
public void setUp() throws Exception {
super.setUp();
Configuration configuration = createDefaultInVMConfig().setSecurityEnabled(true);
RoleSet roles = new RoleSet();
roles.add(new Role(ALLOWED_ROLE, true, false, false, false, false, false, false, false, false, false));
roles.add(new Role(DENIED_ROLE, false, false, false, false, false, false, false, false, false, false));
configuration.putSecurityRoles(CompositeAddress.toFullyQualified(ADDRESS, QUEUE), roles);

ActiveMQServer server = createServer(false, configuration);

ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager(InVMLoginModule.class.getName());
SecurityConfiguration securityConfiguration = new SecurityConfiguration();
securityConfiguration.addUser(ALLOWED_USER, PASS);
securityConfiguration.addRole(ALLOWED_USER, ALLOWED_ROLE);
securityConfiguration.addUser(DENIED_USER, PASS);
securityConfiguration.addRole(DENIED_USER, DENIED_ROLE);
securityManager.setConfiguration(securityConfiguration);
server.setSecurityManager(securityManager);

configuration.addQueueConfiguration(new QueueConfiguration(QUEUE).setAddress(ADDRESS).setRoutingType(RoutingType.ANYCAST));

server.start();
}

@Test
public void sendMessageToFQQN() throws Exception {
ActiveMQConnectionFactory connectionFactory = new ActiveMQConnectionFactory("vm://0");
try (Connection connection = connectionFactory.createConnection(ALLOWED_USER, PASS)) {
Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
Destination destination = session.createQueue(CompositeAddress.toFullyQualified(ADDRESS, QUEUE));
MessageProducer messageProducer = session.createProducer(destination);
messageProducer.send(session.createMessage());
}
}

@Test
public void sendMessageToFQQNNegative() throws Exception {
ActiveMQConnectionFactory connectionFactory = new ActiveMQConnectionFactory("vm://0");
try (Connection connection = connectionFactory.createConnection(DENIED_USER, PASS)) {
Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
Destination destination = session.createQueue(CompositeAddress.toFullyQualified(ADDRESS, QUEUE));
MessageProducer messageProducer = session.createProducer(destination);
try {
messageProducer.send(session.createMessage());
fail();
} catch (JMSSecurityException e) {
// expected
}
}
}
}

0 comments on commit a70c421

Please sign in to comment.