diff --git a/ChangeLog.txt b/ChangeLog.txt
index 5bd29dde..661ec2f1 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -64,6 +64,12 @@ Broker:
Closes #8.
- Add set_tcp_nodelay option to allow Nagle's algorithm to be disabled on
client sockets. Closes #433.
+- The behaviour of allow_anonymous has changed. In the old behaviour, the
+ default if not set was to allow anonymous access. The new behaviour is to
+ default is to allow anonymous access unless another security option is set.
+ For example, if password_file is set and allow_anonymous is not set, then
+ anonymous access will be denied. It is still possible to allow anonymous
+ access by setting it explicitly.
Client library:
- Outgoing messages with QoS>1 are no longer retried after a timeout period.
diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml
index f8673198..f492a70a 100644
--- a/man/mosquitto.conf.5.xml
+++ b/man/mosquitto.conf.5.xml
@@ -161,8 +161,12 @@
connect without providing a username are allowed to
connect. If set to false
then another means of connection should be created to
- control authenticated client access. Defaults to
- true.
+ control authenticated client access.
+ Defaults to true if no
+ other security options are set. If any other
+ authentication options are set, then
+ defaults to
+ false.Reloaded on reload signal.
diff --git a/mosquitto.conf b/mosquitto.conf
index a71e5519..ecb8cefb 100644
--- a/mosquitto.conf
+++ b/mosquitto.conf
@@ -141,7 +141,7 @@
# options are controlled on a per listener basis. The following options are
# affected:
#
-# password_file acl_file psk_file auth_plugin auth_opt_*
+# password_file acl_file psk_file auth_plugin auth_opt_* allow_anonymous
#
# The default behaviour is for this to be set to false, which maintains the
# setting behaviour from previous versions of mosquitto.
@@ -543,7 +543,10 @@
# without providing a username are allowed to connect. If set to
# false then a password file should be created (see the
# password_file option) to control authenticated client access.
-# Defaults to true.
+#
+# Defaults to true if no other security options are set. If any other
+# authentication options are set, then allow_anonymous defaults to false.
+#
#allow_anonymous true
# -----------------------------------------------------------------
diff --git a/src/conf.c b/src/conf.c
index e62d22c6..f1e77462 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -150,7 +150,7 @@ static void config__init_reload(struct mosquitto__config *config)
/* Set defaults */
mosquitto__free(config->acl_file);
config->acl_file = NULL;
- config->security_options.allow_anonymous = true;
+ config->security_options.allow_anonymous = -1;
config->allow_duplicate_messages = false;
config->allow_zero_length_clientid = true;
config->auto_id_prefix = NULL;
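Review bot: The `-1` written into `allow_anonymous` on the changed line is a bare sentinel that now carries meaning ("not set in the config file") across three places in this diff — here, the listener initialisation in the later `config__read_file_core` hunk, and the two `== -1` tests in `config__read` — with nothing at any of them saying what it is. A named constant declared next to the field, e.g. `#define ALLOW_ANONYMOUS_UNSET (-1)` (proposed name), used at each of those sites would make the tri-state self-explanatory and keep the value from being changed in one place and not the others. config__init_reload's body continues outside the hunk.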
@@ -524,9 +524,7 @@ int config__read(struct mosquitto__config *config, bool reload)
struct config_recurse cr;
int lineno = 0;
int len;
-#ifdef WITH_BRIDGE
int i;
-#endif
cr.log_dest = MQTT3_LOG_NONE;
cr.log_dest_set = 0;
@@ -549,6 +547,40 @@ int config__read(struct mosquitto__config *config, bool reload)
return rc;
}
+ /* If auth/access options are set and allow_anonymous not explicitly set, disallow anon. */
+ if(config->per_listener_settings){
+ for(i=0; ilistener_count; i++){
+ if(config->listeners[i].security_options.allow_anonymous == -1){
+ if(config->listeners[i].security_options.password_file
+ || config->listeners[i].security_options.psk_file
+ || config->listeners[i].security_options.auth_plugins){
+
+ /* allow_anonymous not set explicitly, some other security options
+ * have been set - so disable allow_anonymous
+ */
+ config->listeners[i].security_options.allow_anonymous = false;
+ }else{
+ /* Default option if no security options set */
+ config->listeners[i].security_options.allow_anonymous = true;
+ }
+ }
+ }
+ }else{
+ if(config->security_options.allow_anonymous == -1){
+ if(config->security_options.password_file
+ || config->security_options.psk_file
+ || config->security_options.auth_plugins){
+
+ /* allow_anonymous not set explicitly, some other security options
+ * have been set - so disable allow_anonymous
+ */
+ config->security_options.allow_anonymous = false;
+ }else{
+ /* Default option if no security options set */
+ config->security_options.allow_anonymous = true;
+ }
+ }
+ }
#ifdef WITH_PERSISTENCE
if(config->persistence){
if(!config->persistence_file){
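Review bot: Only the active set of security options is resolved here: with `per_listener_settings` true the global `config->security_options.allow_anonymous` is left at -1, and with it false every listener's copy is, so if any later code consults the inactive copy as a boolean the non-zero sentinel admits anonymous clients — the unset value fails open rather than closed. Factoring the duplicated if/else into one helper and explicitly writing `false` into whichever copy is not in use (a no-op if it is genuinely never read, a safe default otherwise) addresses that and removes the copy-paste. The per-listener loop condition appears garbled in this rendering and presumably reads `i<config->listener_count`. The new header comment calls the trigger set "authentication options" while the ChangeLog says "security options", and `acl_file` is listed with the per-listener options in mosquitto.conf but is not tested here, so the documentation should say plainly that only password_file, psk_file and auth_plugin affect the default. config__read's body continues outside the hunk.
```c
/* Resolve an allow_anonymous left at -1 (not set in the config file):
 * deny anonymous access when any authentication option is configured,
 * otherwise keep the historical default of allowing it. */
static void conf__resolve_allow_anonymous(struct mosquitto__security_options *opts)
{
	if(opts->allow_anonymous != -1){
		return;
	}
	if(opts->password_file || opts->psk_file || opts->auth_plugins){
		opts->allow_anonymous = false;
	}else{
		opts->allow_anonymous = true;
	}
}

/* … unchanged: config__read() up to the point the file has been read … */
	if(config->per_listener_settings){
		/* Global copy is not consulted in this mode; deny if it ever is. */
		config->security_options.allow_anonymous = false;
		for(i=0; i<config->listener_count; i++){
			conf__resolve_allow_anonymous(&config->listeners[i].security_options);
		}
	}else{
		conf__resolve_allow_anonymous(&config->security_options);
		/* Per-listener copies are not consulted in this mode; deny if they ever are. */
		for(i=0; i<config->listener_count; i++){
			config->listeners[i].security_options.allow_anonymous = false;
		}
	}
```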
@@ -697,7 +729,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
#endif
}else if(!strcmp(token, "allow_anonymous")){
conf__set_cur_security_options(config, cur_listener, &cur_security_options);
- if(conf__parse_bool(&token, "allow_anonymous", &cur_security_options->allow_anonymous, saveptr)) return MOSQ_ERR_INVAL;
+ if(conf__parse_bool(&token, "allow_anonymous", (bool *)&cur_security_options->allow_anonymous, saveptr)) return MOSQ_ERR_INVAL;
}else if(!strcmp(token, "allow_duplicate_messages")){
if(conf__parse_bool(&token, "allow_duplicate_messages", &config->allow_duplicate_messages, saveptr)) return MOSQ_ERR_INVAL;
}else if(!strcmp(token, "allow_zero_length_clientid")){
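Review bot: The `(bool *)` cast on the changed line writes a `bool` through a pointer to a `char` object; that relies on `sizeof(bool) == 1`, which common ABIs provide but the standard does not guarantee, and a `bool` lvalue accessing a `char` object is outside the strict-aliasing rules (bool is not a character type), so the compiler is entitled to miscompile it. Parsing into a local and assigning keeps the parser's interface unchanged and guarantees the field only ever holds 0, 1 or the -1 sentinel: `bool allow_anonymous;` / `if(conf__parse_bool(&token, "allow_anonymous", &allow_anonymous, saveptr)) return MOSQ_ERR_INVAL;` / `cur_security_options->allow_anonymous = allow_anonymous;`. config__read_file_core's body starts and ends outside the hunk.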
@@ -1184,7 +1216,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
}
cur_listener = &config->listeners[config->listener_count-1];
memset(cur_listener, 0, sizeof(struct mosquitto__listener));
- cur_listener->security_options.allow_anonymous = true;
+ cur_listener->security_options.allow_anonymous = -1;
cur_listener->protocol = mp_mqtt;
cur_listener->port = tmp_int;
token = strtok_r(NULL, "", &saveptr);
diff --git a/src/mosquitto_broker_internal.h b/src/mosquitto_broker_internal.h
index 771adab3..28768625 100644
--- a/src/mosquitto_broker_internal.h
+++ b/src/mosquitto_broker_internal.h
@@ -147,11 +147,15 @@ struct mosquitto__auth_plugin_config
};
struct mosquitto__security_options {
+ /* Any options that get added here also need considering
+ * in config__read() with regards whether allow_anonymous
+ * should be disabled when these options are set.
+ */
char *password_file;
char *psk_file;
struct mosquitto__auth_plugin_config *auth_plugins;
int auth_plugin_count;
- bool allow_anonymous;
+ char allow_anonymous;
};
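Review bot: The changed field is now a tri-state but nothing on it says so; a reader of `char allow_anonymous;` cannot tell that -1 is a legal value or where it gets resolved. A trailing comment such as `char allow_anonymous; /* -1: not set in config, resolved to 0/1 in config__read(); never read as -1 after that */` would document the contract, and the preceding block comment would be more useful if it named the exact fields that currently disable anonymous access by default (password_file, psk_file, auth_plugins) so the next option added here is compared against a concrete list rather than the phrase "these options".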
struct mosquitto__listener {