[jboss-dev-forums] [Design of Messaging on JBoss (Messaging/JBoss)] - Permissions on temporary destinations (JBMESSAGING-994)

sergeypk do-not-reply at jboss.com
Tue Jun 19 07:24:49 EDT 2007


Currently, temporary destinations are assigned the default security configuration when they are created. This means that if I log in as a user who has fewer permissions than required by the default security configuration, and create a temporary destination, I can't access it afterwards.

Something should be done about it. Here are some options:

1) Skip permission checks on temporary destinations. Bad because there's a possibility of DoS attacks if someone guesses the temp destination name.

2) Disallow creating temporary destinations that the logged-in user will not be able to use - doesn't solve the actual problem.

3) Have some configuration mechanism for temporary destination permissions - not sure where it would go, to make it sufficiently flexible.

Any ideas?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4055557#4055557
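The trade-off between the current behaviour, option 1 and option 3 can be seen in a small model, added here as an illustration (it is not code from the post or from JBoss Messaging). `SecurityStore`, `compare_policies`, the role names, the destination name and the role/read/write/create XML layout are all assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; the role/read/write/create layout is an assumption.
DEFAULT_CONFIG = """<security>
  <role name="publisher" read="true" write="true" create="true"/>
</security>"""
TEMP_CONFIG = """<security>
  <role name="guest" read="true" write="true" create="false"/>
</security>"""

def parse_config(xml_text):
    """Return {permission: set of role names that hold it}."""
    grants = {"read": set(), "write": set(), "create": set()}
    for role in ET.fromstring(xml_text).iter("role"):
        for perm in grants:
            if role.get(perm, "false").lower() == "true":
                grants[perm].add(role.get("name"))
    return grants

class SecurityStore:
    """Hypothetical model of a per-destination permission lookup."""
    def __init__(self, default_xml, temp_xml=None, skip_temp_checks=False):
        self.default = parse_config(default_xml)
        # Option 3: a separate configuration for temporary destinations.
        # Without it, temporary destinations fall back to the default config.
        self.temp_grants = parse_config(temp_xml) if temp_xml else self.default
        self.skip_temp_checks = skip_temp_checks  # option 1
        self.temp_names = set()

    def create_temporary(self, name):
        self.temp_names.add(name)
        return name

    def allowed(self, roles, destination, perm):
        if destination in self.temp_names:
            if self.skip_temp_checks:
                return True  # option 1: no check at all
            return bool(self.temp_grants[perm] & set(roles))
        return bool(self.default[perm] & set(roles))

def compare_policies(creator_roles, other_roles):
    """Map each policy to (creator may read, other user may write)."""
    stores = {"current": SecurityStore(DEFAULT_CONFIG),
              "option1": SecurityStore(DEFAULT_CONFIG, skip_temp_checks=True),
              "option3": SecurityStore(DEFAULT_CONFIG, temp_xml=TEMP_CONFIG)}
    results = {}
    for label, store in stores.items():
        dest = store.create_temporary("temp-queue-1")  # constructed name
        results[label] = (store.allowed(creator_roles, dest, "read"),
                          store.allowed(other_roles, dest, "write"))
    return results
```

In this model option 3 still decides by role, so any other user holding the creator's role passes the same check on the temporary destination.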