4 Replies Latest reply on Apr 24, 2013 5:09 PM by ataylor

    Security Problem with CoreBridge

    mofarn

      Hi all,

       

      I defined a corebridge between two servers (source and target servers - I'm using hornetq-2.3.0.CR2)

      In the target server, only the admin role can send messages.

      My question is, why can my bridge from the source server send messages to the target server freely?

       

      Thanks in advance.

        • 1. Re: Security Problem with CoreBridge
          gaohoward

          Can you provide some more details, like your configuration and how messages are sent and bridged?

           

          Howard

          • 2. Re: Security Problem with CoreBridge
            mofarn

            Scenario:

            1. Client with user:admin, password:admin (this user has the admin role) sends a message to jms.queue.source
            2. Bridge messages between the source queue (in the source server) and the target queue (in the target server) ---> This should not work!!!

             

            In the source server, only the admin role can send messages to its queues. (I defined user:admin, password:admin, with the admin role in the source server).

            In the target server, only the admin2 role can send messages to its queues. (I defined user:admin2, password:admin2, with the admin2 role in the target server).

            But the bridge, without any user or password, is able to send messages from the source server to the target server. Why??


            My Configs (I attached them too):

             

            The source Server:

             

                 security settings:

             


            <security-settings>
               <security-setting match="#">
                  <permission type="createDurableQueue" roles="admin" />
                  <permission type="deleteDurableQueue" roles="admin" />
                  <permission type="createNonDurableQueue" roles="admin" />
                  <permission type="deleteNonDurableQueue" roles="admin" />
                  <permission type="consume" roles="admin" />
                  <permission type="send" roles="admin" />
               </security-setting>
            </security-settings>

             

             

             

                 bridge definition:

             

            <bridges>
               <bridge name="bridge-to-target-server">
                  <queue-name>jms.queue.source</queue-name>
                  <forwarding-address>jms.queue.target</forwarding-address>
                  <ha>false</ha>
                  <retry-interval>2000</retry-interval>
                  <reconnect-attempts>-1</reconnect-attempts>
                  <failover-on-server-shutdown>false</failover-on-server-shutdown>
                  <use-duplicate-detection>true</use-duplicate-detection>
                  <static-connectors>
                     <connector-ref>remote-connector</connector-ref>
                  </static-connectors>
               </bridge>
            </bridges>

             

                 users:

             

            <defaultuser name="guest" password="guest">
               <role name="guest" />
            </defaultuser>
            <user name="admin" password="admin">
               <role name="admin"/>
            </user>

             

            The target server:


                 security settings:

             


            <security-settings>
               <security-setting match="#">
                  <permission type="createDurableQueue" roles="admin2" />
                  <permission type="deleteDurableQueue" roles="admin2" />
                  <permission type="createNonDurableQueue" roles="admin2" />
                  <permission type="deleteNonDurableQueue" roles="admin2" />
                  <permission type="consume" roles="admin2" />
                  <permission type="send" roles="admin2" />
               </security-setting>
            </security-settings>

             

                 users:

             

            <defaultuser name="guest" password="guest">
               <role name="guest" />
            </defaultuser>
            <user name="admin2" password="admin2">
               <role name="admin2" />
            </user>
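
An added example, not part of the original posts and not HornetQ's own code: HornetQ's core bridge settings include optional `user` and `password` elements, and when `user` is absent the bridge connects with the `cluster-user` from `hornetq-configuration.xml`. This check lists each bridge that relies on that fallback next to the roles allowed to send to its forwarding address on the target; the function names and the trimmed XML inputs are constructed from the configuration posted above.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: trimmed copies of the fragments posted above (no XML
# namespace; a full config file that declares one needs qualified tag names).
SOURCE_BRIDGES = """<bridges>
  <bridge name="bridge-to-target-server">
    <queue-name>jms.queue.source</queue-name>
    <forwarding-address>jms.queue.target</forwarding-address>
    <static-connectors><connector-ref>remote-connector</connector-ref></static-connectors>
  </bridge>
</bridges>"""
TARGET_SECURITY = """<security-settings>
  <security-setting match="#">
    <permission type="consume" roles="admin2" />
    <permission type="send" roles="admin2" />
  </security-setting>
</security-settings>"""

def send_roles(security_xml, address):
    """Roles allowed to send to address (exact match or catch-all '#' only)."""
    settings = {s.get("match"): s
                for s in ET.fromstring(security_xml).iter("security-setting")}
    setting = settings.get(address, settings.get("#"))  # exact match wins
    if setting is None:
        return []
    roles = set()
    for perm in setting.iter("permission"):
        if perm.get("type") == "send":
            roles.update(r.strip() for r in perm.get("roles", "").split(",") if r.strip())
    return sorted(roles)

def audit_bridges(bridges_xml, target_security_xml):
    """One finding per bridge: explicit user or fallback, and target send roles."""
    findings = []
    for bridge in ET.fromstring(bridges_xml).iter("bridge"):
        address = bridge.findtext("forwarding-address")
        findings.append({
            "bridge": bridge.get("name"),
            "forwarding_address": address,
            # No <user> element: the bridge connects as the cluster user.
            "falls_back_to_cluster_user": bridge.findtext("user") is None,
            "target_send_roles": send_roles(target_security_xml, address),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_bridges(SOURCE_BRIDGES, TARGET_SECURITY):
        print(finding)
```

A bridge flagged with `falls_back_to_cluster_user` is one to review together with the `cluster-user` and `cluster-password` values on both servers.
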
            • 3. Re: Security Problem with CoreBridge
              mofarn

              I think it's a bug!!

              • 4. Re: Security Problem with CoreBridge
                ataylor

                If you can provide a test or an example, we can look into it.