qpid-dev mailing list archives

From "Wesley Holevinski (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (QPID-5833) Message's userId check in C++ broker prevents sending messages between different users
Date Thu, 19 Jun 2014 17:56:25 GMT

     [ https://issues.apache.org/jira/browse/QPID-5833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wesley Holevinski updated QPID-5833:
------------------------------------

    Description: 
The lines in question are :

{noformat}
df36b35e qpid/cpp/src/qpid/broker/SemanticState.cpp (Gordon Sim               2012-08-10 12:04:27 +0000 490)     std::string id = msg.getUserId();
ae0f6726 qpid/cpp/src/qpid/broker/SemanticState.cpp (Alan Conway              2011-12-06 15:56:40 +0000 491)     if (authMsg &&  !id.empty() && !session.getConnection().isAuthenticatedUser(id))
63f48b2f qpid/cpp/src/qpid/broker/SemanticState.cpp (Rajith Muditha Attapattu 2008-09-25 18:40:32 +0000 492)     {
d7c67754 qpid/cpp/src/qpid/broker/SemanticState.cpp (Gordon Sim               2008-10-10 16:54:54 +0000 493)         QPID_LOG(debug, "authorised user id : " << userID << " but user id in message declared as " << id);
d7c67754 qpid/cpp/src/qpid/broker/SemanticState.cpp (Gordon Sim               2008-10-10 16:54:54 +0000 494)         throw UnauthorizedAccessException(QPID_MSG("authorised user id : " << userID << " but user id in messag
63f48b2f qpid/cpp/src/qpid/broker/SemanticState.cpp (Rajith Muditha Attapattu 2008-09-25 18:40:32 +0000 495)     }

{noformat}

---

Up until this point, we haven't been using a JMS client; we've found that the JMS client will
insert the userId into the message:

{noformat}
d4d85f06 (Rajith Muditha Attapattu 2008-09-25 18:35:11 +0000 117)         // On the receiving side, this will be read in to the JMSXUserID as well.
dd2ed172 (Rajith Muditha Attapattu 2008-10-01 19:27:19 +0000 118)         messageProps.setUserId(userIDBytes);
d4d85f06 (Rajith Muditha Attapattu 2008-09-25 18:35:11 +0000 119)
21c61b77 (Rafael H. Schloming      2008-07-09 13:26:54 +0000 120)         if (messageId != null)
21c61b77 (Rafael H. Schloming      2008-07-09 13:26:54 +0000 121)         {
21c61b77 (Rafael H. Schloming      2008-07-09 13:26:54 +0000 122)             messageProps.setMessageId(messageId);
21c61b77 (Rafael H. Schloming      2008-07-09 13:26:54 +0000 123)         }

{noformat}

---

Our scenario:

1. Send message to a broker using the JMS client; authenticate as user: 'tester'
2. Consume message from destination queue as user 'mgmt'

{noformat}
Result: "unauthorized-access: authorised user id : mgmt@QPID but user id in message declared as tester (/builddir/build/BUILD/qpid-0.28-rc2/cpp/src/qpid/broker/SemanticState.cpp:497"
{noformat}

---

I'll work on providing a full end to end simple example for this.

---

Per Gordon in the mailing list:

That error occurs in the broker when a message is sent by a client. So I
suspect what may be happening is that your c++ client is receiving the
message from JMS, then sending the same message back (including the
userid of the JMS client that originally sent it).

If I'm right, all you need to do is clear the message in the c++ client,
before resending it (using Message::setUserId()).


---

See attached tgz for quick and dirty reproduction steps, c++ client, and jms client. Setup in README

> Message's userId check in C++ broker prevents sending messages between different users
> --------------------------------------------------------------------------------------
>
>                 Key: QPID-5833
>                 URL: https://issues.apache.org/jira/browse/QPID-5833
>             Project: Qpid
>          Issue Type: Bug
>    Affects Versions: 0.28
>            Reporter: Wesley Holevinski
>         Attachments: qpid_5833_steps.tgz

--
This message was sent by Atlassian JIRA
(v6.2#6252)
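
Added example, not part of the original message and not Qpid's own code: a self-contained C++ model of the userId check quoted above and of the relay scenario Gordon describes, showing why forwarding a received message unchanged is rejected and why clearing the userId first is accepted. `Message`, `Connection`, `checkPublish` and `relay` are hypothetical stand-ins, and the realm-matching rule in `isAuthenticatedUser` is an assumption.

```cpp
#include <stdexcept>
#include <string>

// Hypothetical stand-ins for the broker's types; these are not Qpid classes.
struct Message {
    std::string userId;   // sender identity carried in the message properties
    std::string body;
};

struct Connection {
    std::string user;     // authenticated name, e.g. "mgmt"
    std::string realm;    // e.g. "QPID"

    // Assumption: an id matches with or without the realm suffix.
    bool isAuthenticatedUser(const std::string& id) const {
        return id == user + "@" + realm || id == user;
    }
};

// Same shape as the quoted check: an empty userId is always accepted,
// a non-empty one must name the user who authenticated this connection.
void checkPublish(const Connection& conn, const Message& msg, bool authMsg = true) {
    if (authMsg && !msg.userId.empty() && !conn.isAuthenticatedUser(msg.userId))
        throw std::runtime_error("unauthorized-access: authorised user id : " +
            conn.user + "@" + conn.realm +
            " but user id in message declared as " + msg.userId);
}

// A relay that forwards a received message on its own connection.
// Returns true if the modelled broker check accepts the publish.
bool relay(const Connection& conn, Message received, bool clearUserId) {
    if (clearUserId)
        received.userId.clear();  // models Message::setUserId(), assumed called with ""
    try {
        checkPublish(conn, received);
        return true;
    } catch (const std::runtime_error&) {
        return false;             // publish rejected: userId names another user
    }
}
```

The check ties a message's declared sender to the connection's authenticated identity, so the relay drops the stale userId instead of the broker relaxing the check.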
