diff options
| author | Rajith Muditha Attapattu <rajith@apache.org> | 2009-12-18 03:52:58 +0000 |
|---|---|---|
| committer | Rajith Muditha Attapattu <rajith@apache.org> | 2009-12-18 03:52:58 +0000 |
| commit | d4a9b295bd33eddc564cab93a282d70a6932d640 (patch) | |
| tree | 29c218d56b793f3cd4eaa9bde6f7a58429ca7d8d | |
| parent | 1404bc3d1da6da84e9de4c80fecf457c32fd937a (diff) | |
| download | qpid-python-d4a9b295bd33eddc564cab93a282d70a6932d640.tar.gz | |
This is a fix for QPID-2290 and the proper fix for QPID-2175
If the client doesn't add a domain to the userID supplied in the message, the broker will add the default realm before performing the userID check.
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@892123 13f79535-47bb-0310-9956-ffa450edef68
| -rw-r--r-- | qpid/cpp/src/qpid/broker/SemanticState.cpp | 7 | ||||
| -rw-r--r-- | qpid/cpp/src/qpid/broker/SemanticState.h | 1 |
2 files changed, 5 insertions, 3 deletions
diff --git a/qpid/cpp/src/qpid/broker/SemanticState.cpp b/qpid/cpp/src/qpid/broker/SemanticState.cpp index 4502ff9f32..e9b6aad967 100644 --- a/qpid/cpp/src/qpid/broker/SemanticState.cpp +++ b/qpid/cpp/src/qpid/broker/SemanticState.cpp @@ -70,7 +70,8 @@ SemanticState::SemanticState(DeliveryAdapter& da, SessionContext& ss) tagGenerator("sgen"), dtxSelected(false), authMsg(getSession().getBroker().getOptions().auth && !getSession().getConnection().isFederationLink()), - userID(getSession().getConnection().getUserId()) + userID(getSession().getConnection().getUserId()), + defaultRealm(getSession().getBroker().getOptions().realm) { acl = getSession().getBroker().getAcl(); } @@ -429,7 +430,7 @@ void SemanticState::route(intrusive_ptr<Message> msg, Deliverable& strategy) { std::string id = msg->hasProperties<MessageProperties>() ? msg->getProperties<MessageProperties>()->getUserId() : nullstring; - if (authMsg && !id.empty() && id != userID ) + if (authMsg && !id.empty() && id != userID && id.append("@").append(defaultRealm) != userID) { QPID_LOG(debug, "authorised user id : " << userID << " but user id in message declared as " << id); throw UnauthorizedAccessException(QPID_MSG("authorised user id : " << userID << " but user id in message declared as " << id)); @@ -438,7 +439,7 @@ void SemanticState::route(intrusive_ptr<Message> msg, Deliverable& strategy) { if (acl && acl->doTransferAcl()) { if (!acl->authorise(getSession().getConnection().getUserId(),acl::ACT_PUBLISH,acl::OBJ_EXCHANGE,exchangeName, msg->getRoutingKey() )) - throw NotAllowedException(QPID_MSG(getSession().getConnection().getUserId() << " cannot publish to " << + throw NotAllowedException(QPID_MSG(userID << " cannot publish to " << exchangeName << " with routing-key " << msg->getRoutingKey())); } diff --git a/qpid/cpp/src/qpid/broker/SemanticState.h b/qpid/cpp/src/qpid/broker/SemanticState.h index 99f793c1fc..e5e3f909f1 100644 --- a/qpid/cpp/src/qpid/broker/SemanticState.h +++ b/qpid/cpp/src/qpid/broker/SemanticState.h @@ -156,6 +156,7 @@ class SemanticState : private boost::noncopyable { AclModule* acl; const bool authMsg; const string userID; + const string defaultRealm; void route(boost::intrusive_ptr<Message> msg, Deliverable& strategy); void checkDtxTimeout(); |