qpid-dev mailing list archives

From "Keith Wall (JIRA)" <j...@apache.org>
Subject [jira] [Created] (QPID-4356) Java Broker does not validate incoming message-properties.user-id as required by AMQP 0-10 spec
Date Thu, 04 Oct 2012 11:53:08 GMT
Keith Wall created QPID-4356:
--------------------------------

             Summary: Java Broker does not validate incoming message-properties.user-id as required by AMQP 0-10 spec
                 Key: QPID-4356
                 URL: https://issues.apache.org/jira/browse/QPID-4356
             Project: Qpid
          Issue Type: Bug
          Components: Java Broker
    Affects Versions: 0.18, 0.16, 0.14, 0.12, 0.10, 0.19
            Reporter: Keith Wall
            Priority: Minor


When the 0-10 protocol is in use, Java Broker does not validate the user-id sent by the client
as part of the message. According to the AMQP 0-10 spec the Broker must (p163):

{quote}
user-id vbin creating user id
The identity of the user responsible for producing the message. The client sets this value,
and it is authenticated by the broker.
{quote}

and 

{quote}
Rule: authentication

The server MUST produce an unauthorized-access exception if the user-id field is set to a
principle for which the client is not authenticated.
{quote}

(For 0-8..0-9-1 this validation can be enabled via Broker config; see advanced/msg-auth.)

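A sketch of the check the quoted authentication rule calls for, added here as an illustration and not taken from the Qpid code base or from the reporter. The class, method and exception names are hypothetical, and two behaviours are assumptions of this example: the authenticated name is compared as UTF-8 bytes, and a user-id that is present but empty is rejected.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added illustration: every name here is hypothetical, none is a Qpid class.
public class UserIdCheck {

    // Stand-in for the broker raising the 0-10 unauthorized-access exception.
    static class UnauthorizedAccessException extends RuntimeException {
        UnauthorizedAccessException(String message) { super(message); }
    }

    // userId: raw vbin bytes of message-properties.user-id, null when unset.
    // authenticatedName: the name the connection authenticated as.
    static void validateUserId(byte[] userId, String authenticatedName) {
        if (userId == null) {
            return; // field not set, so the client claims no identity
        }
        if (authenticatedName == null) {
            throw new UnauthorizedAccessException("user-id set on unauthenticated connection");
        }
        // Assumption: the name travels as UTF-8. Comparing raw bytes avoids
        // a lossy decode of untrusted input before the comparison.
        byte[] expected = authenticatedName.getBytes(StandardCharsets.UTF_8);
        if (!Arrays.equals(userId, expected)) {
            // The claimed value is untrusted, so it is kept out of the message.
            throw new UnauthorizedAccessException("user-id does not match authenticated principal");
        }
    }

    // Convenience wrapper so the cases below can be shown as true/false.
    static boolean accepted(byte[] userId, String authenticatedName) {
        try {
            validateUserId(userId, authenticatedName);
            return true;
        } catch (UnauthorizedAccessException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample values.
        byte[] alice = "alice".getBytes(StandardCharsets.UTF_8);
        byte[] bob = "bob".getBytes(StandardCharsets.UTF_8);
        System.out.println(accepted(alice, "alice"));       // matches the session
        System.out.println(accepted(null, "alice"));        // unset field
        System.out.println(accepted(bob, "alice"));         // another principal
        System.out.println(accepted(new byte[0], "alice")); // set but empty
    }
}
```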