[jboss-dev-forums] [Design of Messaging on JBoss (Messaging/JBoss)] - SecurityChecks on Sends (AsyncSend & createProducer)

clebert.suconic@jboss.com do-not-reply at jboss.com
Mon Mar 30 17:26:39 EDT 2009



Two questions:


First: createProducer doesn't do any security checks, as there is nothing being created on the server for a producer, but shouldn't we do a round-trip just to validate security?


Second: (Assuming createProducer would throw an exception if no-security):

Say you are sending messages (Asynchronously), and you don't have sending permissions... (or you lost permissions after the createProducer). The serverSide will ignore the sends and will only log those errors.

Shouldn't we save exceptions on Async operations, so that the next time a Sync operation comes (commit, prepare, close) we would validate for past exceptions, throw the pending exceptions and fail the client?

For instance: ATM if you don't have security privileges to send, Prepare is not failing.

The following test is failing:

         prod = sendingSession.createProducer(addressA);
         prod.send(createTextMessage(sendingSession, "Test", true));
         prod.send(createTextMessage(sendingSession, "Test", true));
         sendingSession.end(xid, XAResource.TMSUCCESS);

         try
         {
            sendingSession.prepare(xid);
            fail("Exception was expected");
         }
         catch (Exception e)
         {
            e.printStackTrace();
         }

I would expect the following test to also fail:


         prod = sendingSession.createProducer(addressA);

         securityManager.removeRole("auser", "guest"); // removing send privileges

         prod.send(createTextMessage(sendingSession, "Test", true)); // Async, ok.. I can accept not having a failure here.
         prod.send(createTextMessage(sendingSession, "Test", true)); // Async.. I can accept not having a failure here.
         try
         {
            sendingSession.close(); // The consumer had failures on Async operations.. shouldn't close throw an exception?
            fail("Expected exception");
         }
         catch (MessagingException e)
         {
            e.printStackTrace();
            // I would expect the close to fail, since there were failures registered
         }

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4222149#4222149

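The deferred-failure behaviour proposed in the post (record denied async sends, then fail the next blocking call), as an added sketch that is not part of the original post or of JBoss Messaging. ServerSession, asyncSend and failOnPending are hypothetical names, and IllegalStateException stands in for whatever messaging or XA exception a real server would raise.

```java
import java.util.HashSet;
import java.util.Queue;
import java.util.Set;
import java.util.concurrent.ConcurrentLinkedQueue;

// Hypothetical sketch: these names are illustrative, not JBoss Messaging APIs.
public class DeferredSendFailureDemo {
    /** Server-side session state: failed async sends are queued instead of only logged. */
    static class ServerSession {
        private final Set<String> sendAllowed; // addresses this user may currently send to
        private final Queue<SecurityException> pending = new ConcurrentLinkedQueue<>();
        ServerSession(Set<String> sendAllowed) { this.sendAllowed = sendAllowed; }

        /** Non-blocking send: no reply goes to the client, so a denial is recorded. */
        void asyncSend(String address, String body) {
            // Checked on every send, so permissions revoked after createProducer are caught.
            if (!sendAllowed.contains(address)) {
                pending.add(new SecurityException("no send permission on " + address));
                return; // the message is dropped
            }
            // ... route the message ...
        }

        /** Every blocking operation drains the queue first and fails if it was not empty. */
        private void failOnPending(String op) {
            SecurityException first = pending.poll();
            if (first == null) return;
            IllegalStateException e = new IllegalStateException(op + " rejected: an earlier async send failed", first);
            for (SecurityException s = pending.poll(); s != null; s = pending.poll()) e.addSuppressed(s);
            throw e;
        }
        void prepare() { failOnPending("prepare"); }
        void close()   { failOnPending("close"); }
    }

    public static void main(String[] args) {
        Set<String> roles = new HashSet<>(Set.of("addressA")); // constructed sample permissions
        ServerSession session = new ServerSession(roles);
        session.asyncSend("addressA", "Test"); // allowed
        roles.remove("addressA");              // send permission revoked mid-session
        session.asyncSend("addressA", "Test"); // denied, recorded
        session.asyncSend("addressA", "Test"); // denied, recorded
        try {
            session.close();
            throw new AssertionError("close should have failed");
        } catch (IllegalStateException expected) {
            System.out.println(expected.getMessage() + ", suppressed=" + expected.getSuppressed().length);
        }
    }
}
```

The first denial becomes the cause and later ones are attached as suppressed exceptions, so a client that only sees the failure on close can still tell how many sends were dropped.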