[QFJ-43] Throwing RejectLogon causes Logout message before Disconnect - QuickFIX/J Jira

Details

Type: Bug
Status: Closed
Priority: Default
Resolution: Not a bug
Affects Version/s: 1.0.1
Fix Version/s: None
Component/s: Engine
Labels:
None
Environment:
Windows XP, Sun JVM 1.4.2_06

Description

Trying to reject invalid (potentially malicious) Logon requests from an unrecognised IP address fromAdmin by throwing RejectLogon exception when a "bad" Logon is detected.

The JavaDoc for RejectLogon says:

"This exception causes a logon to be reject with an immediate disconnect."

However Session.next(Message) is calling generateLogout() when RejectLogon is caught, so the disconnect is not "immediate", and the "unauthorized" logon attempt consumes a sequence number in the outgoing direction which the "authorized" connecting system may not be aware of when next it logs in, causing a ResendRequest to be sent when a valid logon is finally established (see FIX Protocol 4.4 with Errata 20030618, Vol 2 - "Session Protocol", page 6).

Attachments

Issue Links

is related to

QFJ-45 When rejecting a logon, allow logout message to be optional before disconnect.

Closed

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Steve Bate added a comment - 10/Aug/06 16:53

I'll investigate this. I understand the issue with the consumed sequence number. However, on page 9 of the specification it states...

The only exception to the "do not terminate the session" rule is for an invalid
Logon attempt. The session acceptor has the right to send a Logout message
and terminate the session immediately. This minimizes the threat of
unauthorized connection attempts.

I'll check on the behavior of the C++ engine. I'd like to keep it consistent. In any case, the Javadocs should be updated to be more accurate.

Show

Steve Bate added a comment - 10/Aug/06 16:53 I'll investigate this. I understand the issue with the consumed sequence number. However, on page 9 of the specification it states... The only exception to the "do not terminate the session" rule is for an invalid Logon attempt. The session acceptor has the right to send a Logout message and terminate the session immediately. This minimizes the threat of unauthorized connection attempts. I'll check on the behavior of the C++ engine. I'd like to keep it consistent. In any case, the Javadocs should be updated to be more accurate.

Hide

Permalink

Steve Bate added a comment - 12/Aug/06 15:19

The behavior is consistent with the C++ engine and the FIX spec so I'm reclassifying this issue as an improvement rather than a bug. However, I'll add the capability for the behavior to be optional. See the linked issue for more details.

Show

Steve Bate added a comment - 12/Aug/06 15:19 The behavior is consistent with the C++ engine and the FIX spec so I'm reclassifying this issue as an improvement rather than a bug. However, I'll add the capability for the behavior to be optional. See the linked issue for more details.

Hide

Permalink

Rob Gilliam added a comment - 14/Aug/06 11:29

OK, we can make that work, although you also might like to consider the inconsistency that then appears to occur when throwing RejectLogon if the Logout message is sent: the engine uses up a MsgSeqNum for its Logout, but doesn't appear to advance the sequence number it expects from the initiator.

Show

Rob Gilliam added a comment - 14/Aug/06 11:29 OK, we can make that work, although you also might like to consider the inconsistency that then appears to occur when throwing RejectLogon if the Logout message is sent: the engine uses up a MsgSeqNum for its Logout, but doesn't appear to advance the sequence number it expects from the initiator.

People

Assignee:

Steve Bate

Reporter:

Rob Gilliam

Votes:

0 Vote for this issue

Watchers:

0 Start watching this issue

Dates

Created:

10/Aug/06 16:17

Updated:

15/Nov/12 10:14

Resolved:

12/Aug/06 15:19