I am running ActiveMQ 5.14.0, with all of the following: * the JAAS plugin - for user authentication on connection * a custom plugin - similar to authorizationPlugin - for user authorization on connection per destination * Selectors, defined in the broker config, as per http://activemq.apache.org/virtual-destinations.html ("Using filtered destinations").
Having tested it, I see that when a producer sends a message to a virtual destination (the 'ingest' queue) on the broker which is configured with Selectors to forward a copy of the message to one or more 'destination' queues, ActiveMQ first checks that the producer has write permission on the ingest queue but it does NOT check if the producer has write permission on any of the destination queues. I can't figure out where in the ActiveMQ codebase to look at the code, to work out if / how it would be possible to enable this extra checking. I have looked at CompositeDestinationFilter::send - I see that ActiveMQ iterates over the set of destinations for which the Selectors are matched on an incoming message, and sends a copy of the message to each one - but I can't see where, outside of this class, ActiveMQ makes a decision to check for write permissions on the ingest queue, but NOT on any of the destination queues. Can anyone shed any light on this please? I am hoping that a VirtualDestinationInterceptors config setting somewhere can be changed to enable the destination checks, otherwise I am going to have to write my own CompositeDestinationFilter ? -- View this message in context: http://activemq.2283324.n4.nabble.com/where-is-a-producer-authorized-for-writing-to-a-virtual-destination-tp4726149.html Sent from the ActiveMQ - User mailing list archive at Nabble.com.
