activemq-dev mailing list archives

From "Sepand M" <sepa...@gmail.com>
Subject Creating a secure connection system and using JMSXUserID support
Date Mon, 17 Jul 2006 19:06:56 GMT
Hi,

I'm trying to modify ActiveMQ so it can handle SSL connections and
authorize access to different queues based on client IDs.
I've been looking at your "JMSXUserID support" (
http://incubator.apache.org/activemq/jmsxuserid.html) to see if it
could be used for authentication once the connection has been
established.
From what I see, using the BrokerService.setPopulateJMSXUserID(true);
causes the BrokerService to use a UserIDBroker, which in turn uses the
ConnectionContext to retrieve the userID.

The problem I see is that the connection context is set in
AbstractConnection.processMessage, which uses the producerId received
from the message, which has been sent by the producer (and is not
validated by the server).
This, to me, means that if the producer manages to guess a correct
producerId, it will have impersonated another producer.

Is this true?

Thanks in advance,
Sepand
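
An added illustration of the concern raised in the message above, not part of the original post and not ActiveMQ code: a toy broker that resolves the user ID from the producer ID carried in the message, beside a variant that binds it to the connection the message arrived on. Every class, method and ID is hypothetical (Java 16+ for the record syntax), and the model does not establish how ActiveMQ itself behaves.

```java
import java.util.*;

// Toy model only: every class, method and ID below is hypothetical, not ActiveMQ's API.
public class ProducerIdTrustDemo {
    record Message(String producerId, String body) {}
    static class Connection {
        final String authenticatedUser;                  // fixed by the server at login
        final Set<String> producers = new HashSet<>();   // producer IDs opened on this connection
        Connection(String authenticatedUser) { this.authenticatedUser = authenticatedUser; }
    }

    static class Broker {
        private final Map<String, String> ownerByProducerId = new HashMap<>();
        void addProducer(Connection conn, String producerId) {
            conn.producers.add(producerId);
            ownerByProducerId.put(producerId, conn.authenticatedUser);
        }

        // Pattern the message worries about: identity comes only from the sender-controlled field; conn is ignored.
        String userIdFromMessageField(Connection conn, Message msg) {
            return ownerByProducerId.get(msg.producerId());
        }

        // Bound variant: the producer ID must belong to the delivering connection, whose login state supplies the user.
        String userIdFromConnection(Connection conn, Message msg) {
            if (!conn.producers.contains(msg.producerId())) {
                throw new SecurityException("producer ID not registered on this connection");
            }
            return conn.authenticatedUser;
        }
    }

    public static void main(String[] args) {
        Broker broker = new Broker();
        Connection alice = new Connection("alice");
        Connection bob = new Connection("bob");
        broker.addProducer(alice, "ID:alice-1");          // constructed sample IDs
        broker.addProducer(bob, "ID:bob-1");
        // bob's connection delivers a message carrying alice's producer ID
        Message msg = new Message("ID:alice-1", "hello");
        System.out.println("message-field lookup stamps: " + broker.userIdFromMessageField(bob, msg));
        try {
            broker.userIdFromConnection(bob, msg);
        } catch (SecurityException e) {
            System.out.println("connection-bound lookup rejects: " + e.getMessage());
        }
    }
}
```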
