In the documentation we can find that:
Because client identifier and user names can be used for substitution in the permissions, MQTT wildcard characters # and + are prohibited for client identifier and user names when this extension is used. MQTT connections which include these characters are denied by this extension.
Because of that, clientId and username should be checked for the presence of these characters. Currently we are only checking for "#" and not for "+".
IS:
Character "+" can be used in username and clientId.
SHOULD BE:
Both "#" and "+" should be rejected in username and clientId.
Code in com/hivemq/extensions/rbac/FileAuthAuthenticator.java:62:
```java
//prevent clientIds with MQTT wildcard characters
if (clientId.contains("#")) {
    //client is not authenticated
    simpleAuthOutput.failAuthentication(ConnackReasonCode.CLIENT_IDENTIFIER_NOT_VALID, "The characters '#' and '+' are not allowed in the client identifier");
    return;
}
//prevent usernames with MQTT wildcard characters
if (userName.contains("#")) {
    //client is not authenticated
    simpleAuthOutput.failAuthentication(ConnackReasonCode.BAD_USER_NAME_OR_PASSWORD, "The characters '#' and '+' are not allowed in the username");
    return;
}
```
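A corrected check, written here as an added self-contained example rather than the project's own code: the `hasMqttWildcard` helper and the `substituteClientId` illustration are assumptions, and the `${{clientid}}` placeholder syntax is assumed to stand for whatever substitution the extension performs. It shows why a "+" in the client identifier matters once it is substituted into a permission topic filter, and why both characters must be rejected.

```java
import java.util.List;

public class WildcardCheckExample {

    // MQTT topic-filter wildcards: '#' (multi-level) and '+' (single-level).
    private static final List<Character> WILDCARDS = List.of('#', '+');

    // Returns true if the identifier contains either MQTT wildcard character.
    // Both must be rejected: the extension substitutes clientId / username
    // into permission topic filters, so either character would widen the filter.
    // This is the guard that should replace the bare contains("#") checks.
    static boolean hasMqttWildcard(String identifier) {
        if (identifier == null) {
            return false;
        }
        for (char c : identifier.toCharArray()) {
            if (WILDCARDS.contains(c)) {
                return true;
            }
        }
        return false;
    }

    // Constructed illustration of the substitution step (assumed placeholder
    // syntax): a permission template becomes a concrete topic filter once the
    // client identifier is inserted into it.
    static String substituteClientId(String template, String clientId) {
        return template.replace("${{clientid}}", clientId);
    }

    public static void main(String[] args) {
        String template = "devices/${{clientid}}/status";

        // A well-formed clientId yields a filter scoped to that one client.
        System.out.println(substituteClientId(template, "sensor-42"));

        // A clientId consisting of '+' would, if accepted, yield a filter that
        // matches every client's status topic; the '#' check alone does not stop it.
        String badId = "+";
        System.out.println(substituteClientId(template, badId));

        // The corrected guard rejects both wildcard characters, not just '#'.
        System.out.println(hasMqttWildcard("sensor-42"));
        System.out.println(hasMqttWildcard("sensor#1"));
        System.out.println(hasMqttWildcard(badId));
    }
}
```

In `FileAuthAuthenticator`, both `if (clientId.contains("#"))` and `if (userName.contains("#"))` would become `if (hasMqttWildcard(...))` with the existing `failAuthentication` calls unchanged.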