QPID-5599: C++ Broker silently ignores --max-connections option when no ACL file is loaded
Simply installing a null and permissive rule file trips up the 'create link'
security check. The security check from
https://issues.apache.org/jira/browse/QPID-4631 reasons that if authentication
is enabled and no ACL rule file is specified then interbroker links are
denied. The check for 'ACL rule file is loaded' is simply the existence of
the ACL object. That check is voided by always having an ACL object regardless
of whether the ACL rule file was specified or not.
One fix considered was adding an ACL rule "acl deny-log all create link" to
the formerly null rule set when no ACL file is specified. This solution has
too much complexity in several places and is too hard.
The fix implemented here is a boolean flag indicating if the ACL rule set
in force is specified by the user or not. Then the security check tests
that the acl exists (always true) and that the rule set is specified by the
user.
|