From 450eac32046354559f733735d8d8be8df64c4607 Mon Sep 17 00:00:00 2001 From: Rajith Muditha Attapattu Date: Fri, 18 Dec 2009 03:52:58 +0000 Subject: This is a fix for QPID-2290 and the proper fix for QPID-2175 If the client doesn't add a domain to the userID supplied in the message, the broker will add the default realm before performing the userID check. git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@892123 13f79535-47bb-0310-9956-ffa450edef68 --- cpp/src/qpid/broker/SemanticState.cpp | 7 ++++--- cpp/src/qpid/broker/SemanticState.h | 1 + 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'cpp/src') diff --git a/cpp/src/qpid/broker/SemanticState.cpp b/cpp/src/qpid/broker/SemanticState.cpp index 4502ff9f32..e9b6aad967 100644 --- a/cpp/src/qpid/broker/SemanticState.cpp +++ b/cpp/src/qpid/broker/SemanticState.cpp @@ -70,7 +70,8 @@ SemanticState::SemanticState(DeliveryAdapter& da, SessionContext& ss) tagGenerator("sgen"), dtxSelected(false), authMsg(getSession().getBroker().getOptions().auth && !getSession().getConnection().isFederationLink()), - userID(getSession().getConnection().getUserId()) + userID(getSession().getConnection().getUserId()), + defaultRealm(getSession().getBroker().getOptions().realm) { acl = getSession().getBroker().getAcl(); } @@ -429,7 +430,7 @@ void SemanticState::route(intrusive_ptr msg, Deliverable& strategy) { std::string id = msg->hasProperties() ? msg->getProperties()->getUserId() : nullstring; - if (authMsg && !id.empty() && id != userID ) + if (authMsg && !id.empty() && id != userID && id.append("@").append(defaultRealm) != userID) { QPID_LOG(debug, "authorised user id : " << userID << " but user id in message declared as " << id); throw UnauthorizedAccessException(QPID_MSG("authorised user id : " << userID << " but user id in message declared as " << id)); @@ -438,7 +439,7 @@ void SemanticState::route(intrusive_ptr msg, Deliverable& strategy) { if (acl && acl->doTransferAcl()) { if (!acl->authorise(getSession().getConnection().getUserId(),acl::ACT_PUBLISH,acl::OBJ_EXCHANGE,exchangeName, msg->getRoutingKey() )) - throw NotAllowedException(QPID_MSG(getSession().getConnection().getUserId() << " cannot publish to " << + throw NotAllowedException(QPID_MSG(userID << " cannot publish to " << exchangeName << " with routing-key " << msg->getRoutingKey())); } diff --git a/cpp/src/qpid/broker/SemanticState.h b/cpp/src/qpid/broker/SemanticState.h index 99f793c1fc..e5e3f909f1 100644 --- a/cpp/src/qpid/broker/SemanticState.h +++ b/cpp/src/qpid/broker/SemanticState.h @@ -156,6 +156,7 @@ class SemanticState : private boost::noncopyable { AclModule* acl; const bool authMsg; const string userID; + const string defaultRealm; void route(boost::intrusive_ptr msg, Deliverable& strategy); void checkDtxTimeout(); -- cgit v1.2.1