MQTT client with retain set to true receives message sent by a client on a topic not allowed by SimpleAuthenticationPlugin ACL configuration
Issue
An MQTT client with retain set to true can publish to a topic it is not allowed to use, even though the SimpleAuthenticationPlugin filter implementation does not authorize it and the security plugin throws a SecurityException during the publish attempt.
We configured SimpleAuthenticationPlugin as follows, defining two users:
<authenticationUser username="user1" password="user1" groups="users1"/>
<authenticationUser username="user2" password="user2" groups="users2"/>
that are allowed to publish/subscribe on two different topics:
<authorizationEntry topic="USER1.>" read="users1" write="users1" admin="users1" />
<authorizationEntry topic="USER2.>" read="users2" write="users2" admin="users2" />
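The following is an added example (not the original article's configuration) of how the entries above sit inside the broker's plugins section in activemq.xml: the users are declared under simpleAuthenticationPlugin, while the per-topic ACL lives in the separate authorizationPlugin. The ActiveMQ.Advisory.> entry is an assumption added here because ActiveMQ clients typically need advisory permissions; it is not part of the original report.

```xml
<!-- Added example: full plugins block wrapping the page's users and ACL entries -->
<plugins>
  <!-- Authentication: who may connect, and which group each user belongs to -->
  <simpleAuthenticationPlugin>
    <users>
      <authenticationUser username="user1" password="user1" groups="users1"/>
      <authenticationUser username="user2" password="user2" groups="users2"/>
    </users>
  </simpleAuthenticationPlugin>

  <!-- Authorization: which group may read/write/admin each topic prefix -->
  <authorizationPlugin>
    <map>
      <authorizationMap>
        <authorizationEntries>
          <!-- users1 may only use USER1.*; users2 may only use USER2.* -->
          <authorizationEntry topic="USER1.>" read="users1" write="users1" admin="users1"/>
          <authorizationEntry topic="USER2.>" read="users2" write="users2" admin="users2"/>
          <!-- Assumed, not from the report: advisory topics are usually opened to all groups -->
          <authorizationEntry topic="ActiveMQ.Advisory.>" read="users1,users2" write="users1,users2" admin="users1,users2"/>
        </authorizationEntries>
      </authorizationMap>
    </map>
  </authorizationPlugin>
</plugins>
```

With this configuration a publish from user2 to USER1/TOPIC1/TOPIC2 is expected to be rejected at publish time; when verifying the behaviour described below, check not only that the publish is rejected but also that no retained message is later delivered to a fresh subscriber on that topic.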
We connected client 1 with the users1 credentials and subscribed to USER1/TOPIC1/TOPIC2.
Then we connected client 2 with the users2 credentials and published a message to topic USER1/TOPIC1/TOPIC2.
The broker throws a SecurityException and client 1 doesn't receive any message.
But if client 1 subscribes again to topic USER1/TOPIC1/TOPIC2, it receives the message that client 2 shouldn't have been allowed to send.
Environment
- JBoss A-MQ 6.1
