Great! Thanks! Da: Justin Bertram <jbert...@apache.org> Data: mercoledì, 17 agosto 2022 18:46 A: users@activemq.apache.org <users@activemq.apache.org> Oggetto: Re: Artemis security plugin looks like not intercepting MQTT LWT messages Just to follow up...
I created ARTEMIS-3942 [1] for this and sent a PR [2]. Justin [1] https://issues.apache.org/jira/browse/ARTEMIS-3942 [2] https://github.com/apache/activemq-artemis/pull/4180 On Tue, Aug 16, 2022 at 2:07 PM Justin Bertram <jbert...@apache.org> wrote: > Your observation is correct. Currently MQTT LWT messages are sent using an > internal mechanism which bypasses authorization and the plugin's beforeSend > method (although beforeMessageRoute will see it). I'll send a PR ASAP to > reverse this so the LWT message goes through the normal channel. > > Thanks for the heads up! > > > Justin > > On Tue, Aug 16, 2022 at 9:02 AM Modanese, Riccardo > <riccardo.modan...@eurotech.com.invalid> wrote: > >> Hello, >> moving from ActiveMQ 5 to ActiveMQ Artemis I was investigating a >> test failure. >> It looks like Artemis doesn't allow to intercept the LWT messages >> triggered by an MQTT connection. >> I have both a ServerPlugin (ActiveMQServerPlugin implementation) and a >> SecurityPlugin (ActiveMQSecurityManager5 implementation) but I don't see >> any call to authorize method (ActiveMQSecurityManager5) and beforeSend >> method (ActiveMQServerPlugin). >> If I'm not wrong and the message is not intercepted by these plugins >> there is also a security issue because both the LWT topic and the message >> are set by the client while connecting to the server so malicious messages >> to a not allowed (by ACLs) topics could be used. >> >> Thanks in advance for your feedback. >> >> Regards >> >> Riccardo >> >
