Hello,
I’m wondering how one separates permissions of two different roles for
temporary replyTo queues? Let’s say we have two external users who can
consume from their durable queues, but they respond to a replyTo queue created by
the producer (RPC flow model). We can only set one namespace for the queue and
limit these users by:

    <temporary-queue-namespace>temp</temporary-queue-namespace>
    <security-setting match="temp.#">
        <permission type="send" roles="roleofbothusers" />
    </security-setting>

Or we could do:

    <security-setting
        match="^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$">
        <permission type="send" roles=" roleofbothusers " />
    </security-setting>

But this doesn’t forbid user1 from sending messages to temporary queues of user2.
ReplyTo queues obviously have just random IDs and there is no way to
differentiate between user1 temporary queues and user2 temporary queues.
Are we doing something wrong? Should we just rely on the fact that it would be
very difficult to guess other temp queue names?
--
Best Regards,
Vilius Šumskas
Rivile
IT manager