activemq-dev mailing list archives

From "Pieter (JIRA)" <j...@apache.org>
Subject [jira] Commented: (AMQ-1272) Stomp protocol does not correctly check authentication (security hole)
Date Fri, 22 Jun 2007 12:06:35 GMT

    [ https://issues.apache.org/activemq/browse/AMQ-1272?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_39469 ]

Pieter commented on AMQ-1272:
-----------------------------

I am the author of the patch mentioned. It worked for me (the patch was against the apache-activemq-4.2-20070510.230653-54 snapshot). Without the patch applied, SecurityExceptions were already visible in the debug log, however they were silently dropped (there is a try/catch block somewhere in the connection handler that handles this. It then creates an ExceptionResponse which is passed to the handler in onStompConnect, where the response isn't checked anymore). If these were not visible, I guess something else is wrong with the authentication setup.

I'm using the simple authenticator btw, but this shouldn't matter.

> Stomp protocol does not correctly check authentication (security hole)
> ----------------------------------------------------------------------
>
>                 Key: AMQ-1272
>                 URL: https://issues.apache.org/activemq/browse/AMQ-1272
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.0.0
>         Environment: 4.2-SNAPSHOT
>            Reporter: Tom Samplonius
>            Priority: Blocker
>             Fix For: 4.1.2, 5.0.0
>
>
> ActiveMQ does not correctly validate the username and password of Stomp clients.  A security exception is generated, but ignored, leaving the client connected, and with full and unrestricted access to ActiveMQ.
> Further description, and a partial patch:
> http://www.nabble.com/Getting-Stomp-support-to-a-usable-state...-tf3858629s2354.html#a11060452

> BTW, while the patch in the above post is crude, leaving unauthenticated users connected with full access makes ActiveMQ and Stomp pretty unusable.  So please apply the patch, rather than do nothing.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
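The failure mode Pieter describes above, where the broker's SecurityException becomes an ExceptionResponse that the STOMP CONNECT handler never inspects, is sketched below as an added example; it is not ActiveMQ's code or the patch from the thread. The Response, ExceptionResponse, Broker and StompConnectHandler classes, the onStompConnect* methods and the credentials are hypothetical stand-ins.

```java
import java.util.Map;
// Hypothetical stand-ins for the broker's Response / ExceptionResponse types (not ActiveMQ's own).
class Response { boolean isException() { return false; } }
class ExceptionResponse extends Response {
    final Exception exception;
    ExceptionResponse(Exception e) { exception = e; }
    @Override boolean isException() { return true; }
}
// Hypothetical broker: a constructed one-entry user table standing in for the simple authenticator.
class Broker {
    private final Map<String, String> users = Map.of("system", "manager"); // constructed sample credential
    Response connect(String user, String password) {
        if (password != null && password.equals(users.get(user))) return new Response();
        // The broker does reject the login; the question is whether the caller looks at this response.
        return new ExceptionResponse(new SecurityException("User name or password is invalid"));
    }
}
// Hypothetical STOMP-side CONNECT handler showing the reported and the corrected behaviour.
class StompConnectHandler {
    boolean connected;
    String lastFrame;
    // Reported behaviour: the response is never inspected, so a rejected CONNECT still connects.
    void onStompConnectVulnerable(Broker broker, String user, String password) {
        broker.connect(user, password); // ExceptionResponse silently discarded
        connected = true;
        lastFrame = "CONNECTED";
    }
    // Corrected behaviour: check the response, answer with an ERROR frame and keep the session closed.
    void onStompConnectFixed(Broker broker, String user, String password) {
        Response response = broker.connect(user, password);
        if (response.isException()) {
            connected = false;
            lastFrame = "ERROR\nmessage:" + ((ExceptionResponse) response).exception.getMessage();
            return;
        }
        connected = true;
        lastFrame = "CONNECTED";
    }
}
public class Amq1272Demo {
    public static void main(String[] args) {
        Broker broker = new Broker();
        StompConnectHandler h = new StompConnectHandler();
        h.onStompConnectVulnerable(broker, "system", "wrong-password");
        System.out.println("ignored response : connected=" + h.connected + " frame=" + h.lastFrame);
        h.onStompConnectFixed(broker, "system", "wrong-password");
        System.out.println("checked response : connected=" + h.connected + " frame=" + h.lastFrame.split("\n")[0]);
    }
}
```

The second handler is the shape of check the thread asks for: an authentication failure must reach the code that decides whether the session stays open, not just the debug log.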

