Details
-
Bug
-
Resolution: Done
-
Major
-
JBoss A-MQ 6.1
-
None
Description
an MQTT client, with retain set to true, can publish on a not allowed topic although not authorized by SimpleAuthenticationPlugin plugin filter implementation and although the security plugin throw a SecurityException during publish attempt.
We configured SimpleAuthenticationPlugin as follows we defined 2 users:
<authenticationUser username="user1" password=“user1" groups="users1”/> <authenticationUser username="user2" password=“user2" groups="users2”/>
that are allowed to publish/subscribe on 2 different topics
<authorizationEntry topic="USER1.>" read="users1" write="users1" admin="users1" /> <authorizationEntry topic="USER2.>" read="users2" write="users2" admin="users2" />
We connected the client 1 with the credential users1 and subscribe USER1/TOPIC1/TOPIC2.
Then we connected the client 2 with the credential users2 and we publish a message to topic USER1/TOPIC1/TOPIC2.
The broker throw a SecurityException and the client 1 doesn’t receive any message.
But if the client 1 subscribe again the topic USER1/TOPIC1/TOPIC2 it receive the message that client 2 shouldn’t be allowed to sent.
