MQ-308

accesscontrol: produce.allow with '*' and produce.deny combining doesn't work as expected

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.2, 4.3, 4.4, 4.4u1, 4.4u2, 4.5, 4.5.1, 4.5.2, 5.0-RI (JMS2.0), 5.0
    • Fix Version/s: 5.1 (RI-Bug-Fix)
    • Component/s: broker-core
    • Labels:
      None

      Description

      In accesscontrol.properties, if the combination is

      queue.myqueue.produce.allow.user=someuser
      queue.myqueue.produce.deny.user=someuser

      Then creating a producer on myqueue with someuser will be denied as expected:

      Exception in thread "main" com.sun.messaging.jms.JMSSecurityException: [C4076]: Client does not have permission to create producer on destination: myQueue user=someuser, broker=localhost:7677(53126)

      But if the combination is

      queue.*.produce.allow.user=*
      queue.myqueue.produce.deny.user=someuser
      

      Then creating a producer on myqueue with someuser can succeed, which is unexpected.

          Activity

          amyk added a comment - edited

          This bug is a regression since MQ 4.2 when the wildcard destination is added

          queue.*.produce.allow.user=*
          queue.myqueue.produce.deny.user=someuser
          

          The above setting works as expected with MQ 4.1, i.e. the client gets the expected exception, e.g.:
          com.sun.messaging.jms.JMSSecurityException: [C4076]: Client does not have permission to create producer on destination: q0 user=guest, broker=localhost:7676(48139)

          The bug is now fixed in 5.0.1, 4.5.2p3 and 4.4u2p9.

          Test cases: qexample18.properties and texample18.properties in
          testlist/jmsclient/sublists/acl.list

          amyk added a comment -

          This is internal bug 17316839
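
An added example, not part of the issue or of Open MQ's code: a small audit script that scans accesscontrol.properties text for the combination reported above, a destination-specific deny rule whose principal is also covered by a wildcard-destination allow rule. It assumes the rule key shape shown in the report, comma-separated principal lists, and the operation names produce, consume and browse; the function names are hypothetical.

```python
import re

# Key shape as shown in the report: <type>.<dest>.<op>.<allow|deny>.<user|group>
RULE = re.compile(
    r"^(queue|topic)\.(.+)\.(produce|consume|browse)\.(allow|deny)\.(user|group)$")

def parse_rules(text):
    """Return (dtype, dest, op, effect, kind, principals) for each rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = RULE.match(key.strip())
        if m:
            # Assumption: the value is a comma-separated list of principals
            names = {v.strip() for v in value.split(",") if v.strip()}
            rules.append((*m.groups(), names))
    return rules

def shadowed_denies(text):
    """List specific-destination denies that overlap a wildcard-destination allow."""
    rules = parse_rules(text)
    findings = []
    for dtype, dest, op, effect, kind, names in rules:
        if effect != "deny" or dest == "*":
            continue
        for a_type, a_dest, a_op, a_effect, a_kind, a_names in rules:
            if (a_effect, a_dest) != ("allow", "*"):
                continue
            if (a_type, a_op, a_kind) != (dtype, op, kind):
                continue
            # A '*' principal in the allow rule covers every denied name
            hit = names if "*" in a_names else names & a_names
            findings += [(dtype, dest, op, kind, n) for n in sorted(hit)]
    return findings

# Constructed samples reproducing the two cases in the report
SAME_DEST = ("queue.myqueue.produce.allow.user=someuser\n"
             "queue.myqueue.produce.deny.user=someuser\n")
WILDCARD = ("queue.*.produce.allow.user=*\n"
            "queue.myqueue.produce.deny.user=someuser\n")

if __name__ == "__main__":
    for finding in shadowed_denies(WILDCARD):
        print("deny rule relies on the MQ-308 fix:", finding)
```

Any finding on a broker version listed under "Affects Version/s" marks a deny rule that should be verified with a client connection test after upgrading to a fixed release.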


            People

            • Assignee: amyk
            • Reporter: David Zhao
            • Votes: 0
            • Watchers: 1