[jboss-dev-forums] [Design of Messaging on JBoss (Messaging/JBoss)] - Re: Permissions on temporary destinations (JBMESSAGING-994)
timfox
do-not-reply at jboss.com
Wed Jun 20 06:39:42 EDT 2007
"thomasra" wrote : To sum it all up: I don't think role-based security is appropriate for temp destinations at all (neither consuming nor producing), the only restriction needed is the one related to consumers, which isn't security code.
Well, yes, that is one option, we just drop role based security altogether for temp destinations and just have the current check which verifies that consumers can only be created by the connection that created the temp dest. (Easy option).
But most of this thread is about how do we configure security for users who *write* (i.e. send messages) to the destination - this is what we are really discussing.
Here is the use case:
User creates temp reply queue and sends a message to a topic with the JMSReplyTo header set.
The message is received by many subscribers, but only some of them are allowed to reply.
E.g. it might be a news feed and only "gold subscribers" can reply. We don't want all the unregulated subscribers to reply since they could implement a DOS attack.
So, in this case role based security for *writing* to the destination is useful, but only useful for *writing*.
This is why Sergey is allowing this to be specified on the connection factory.
So, I think what we should do is the following:
1) If no security override is specified on the connection factory then the temp destination has full access to everyone. The check in the code will prevent consumers being created by anyone other than the creating connection anyway.
2) If security override is specified on the connection factory then that will take effect, this is useful for the use case explained above.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4055960#4055960
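The two rules proposed in the message above, modelled as an added example (not code from the post or from JBoss Messaging). Every class, field and function name is hypothetical, and it assumes the override that applies is the one on the connection factory of the connection that created the temp destination.

```python
# Added illustration; all names are hypothetical, not JBoss Messaging API.
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class ConnectionFactory:
    # None = no security override configured (rule 1 in the post).
    # A set = roles allowed to write to temp destinations (rule 2).
    temp_dest_write_roles: Optional[FrozenSet[str]] = None


@dataclass(frozen=True)
class Connection:
    conn_id: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class TempDestination:
    name: str
    creator: Connection
    factory: ConnectionFactory  # assumption: factory of the creating connection


def can_consume(dest: TempDestination, conn: Connection) -> bool:
    """Not role based: only the creating connection may create consumers."""
    return conn.conn_id == dest.creator.conn_id


def can_write(dest: TempDestination, conn: Connection) -> bool:
    """Role check applies to sends only, and only when an override is set."""
    allowed = dest.factory.temp_dest_write_roles
    if allowed is None:
        return True  # no override: everyone may send
    return bool(conn.roles & allowed)


# Constructed scenario: the news-feed use case with "gold" subscribers.
requester = Connection("c1", frozenset({"publisher"}))
gold = Connection("c2", frozenset({"gold"}))
free = Connection("c3", frozenset({"guest"}))
reply_q = TempDestination("tmp-reply", requester,
                          ConnectionFactory(frozenset({"gold"})))
open_q = TempDestination("tmp-open", requester, ConnectionFactory())
```

Note that a sender holding the permitted role still cannot consume from the reply queue, because the consumer check is tied to the creating connection and not to roles.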