Hi,
I am using ActiveMQ 6.1.0 and have some questions about usage of
wildcard topic consumers. If I subscribe to wildcard topic name using
STOMP protocol, a new topic appears in Web Console Topics page with name
containing wildcard symbols. Is this correct and intended behavior?
addConsumer() method in AbstractRegion class does not auto-create
destination if it is a pattern or composite destination, but
processConsumerControl() and send() methods have no such conditions.
STOMP protocol converter sends ConsumerControl immediately after
consumer creation to increase prefetch size, and this causes
auto-creation of destination containing wildcards. The other way to
create a topic containing wildcards is to send a message to wildcard
topic. I could not find any documentation if sending messages to
wildcard destinations is actually supposed to work or not.
Once a topic with wildcard name is created, it breaks authorization.
Suppose that authorization map contains the following entries:
<authorizationEntry read="admin" write="admin" admin="admin" topic=">" />
<authorizationEntry read="user" topic="A.B" />
Admin creates "A.B" topic and subscribes to "A.>".
User tries to subscribe to "A.B", but receives the following error:
Caused by: java.lang.SecurityException: User user is not authorized to
read from: topic://A.>
at
org.apache.activemq.security.AuthorizationDestinationFilter.addSubscription(AuthorizationDestinationFilter.java:57)
at
org.apache.activemq.broker.region.AbstractRegion.addConsumer(AbstractRegion.java:406)
at
org.apache.activemq.broker.region.TopicRegion.addConsumer(TopicRegion.java:188)
at
org.apache.activemq.broker.region.RegionBroker.addConsumer(RegionBroker.java:436)
at
org.apache.activemq.broker.jmx.ManagedRegionBroker.addConsumer(ManagedRegionBroker.java:243)
at
org.apache.activemq.broker.BrokerFilter.addConsumer(BrokerFilter.java:104)
at
org.apache.activemq.broker.BrokerFilter.addConsumer(BrokerFilter.java:104)
at
org.apache.activemq.broker.BrokerFilter.addConsumer(BrokerFilter.java:104)
at
org.apache.activemq.security.AuthorizationBroker.addConsumer(AuthorizationBroker.java:183)
at
org.apache.activemq.broker.BrokerFilter.addConsumer(BrokerFilter.java:104)
at
org.apache.activemq.broker.BrokerFilter.addConsumer(BrokerFilter.java:104)
at
org.apache.activemq.broker.TransportConnection.processAddConsumer(TransportConnection.java:707)
at
org.apache.activemq.command.ConsumerInfo.visit(ConsumerInfo.java:352)
at
org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:337)
at
org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:201)
at
org.apache.activemq.transport.ResponseCorrelator.onCommand(ResponseCorrelator.java:116)
at
org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:50)
at
org.apache.activemq.transport.vm.VMTransport.iterate(VMTransport.java:275)
at
org.apache.activemq.thread.PooledTaskRunner.runTask(PooledTaskRunner.java:133)
at
org.apache.activemq.thread.PooledTaskRunner$1.run(PooledTaskRunner.java:48)
at
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:833)
This happens because AbstractRegion.addConsumer() method calls
destinationMap.unsynchronizedGet() and receives a set with two
destinations: "A.B" and "A.>". And user does not have permissions to
read from "A.>".
Either destination matching code is wrong and
destinationMap.unsynchronizedGet() returns destinations that should not
be returned, or auto-creation of topic destinations containing wildcards
is wrong and they should never appear in broker destination map.
