activemq-dev mailing list archives

From "Dejan Bosanac (JIRA)" <>
Subject [jira] Updated: (AMQ-1272) Stomp protocol does not correctly check authentication (security hole)
Date Sun, 16 Dec 2007 20:13:26 GMT


Dejan Bosanac updated AMQ-1272:

    Attachment: stomp-auth.patch

I've refactored ProtocolConverter and StompTest and added a few tests to make all this work.

Here's a list of things that have been done:

- added xbean resources to set up a test broker with configured authentication
- modified existing tests to connect with the system/manager user so that they have the right privileges
- modified ProtocolConverter.onStompConnect to send an "error" frame on a connect attempt with wrong credentials
- modified ProtocolConverter.createResponseHandler to send an "error" frame on a security exception on any other command
- added test cases to assert proper behavior on connect, send and subscribe

> Stomp protocol does not correctly check authentication (security hole)
> ----------------------------------------------------------------------
>                 Key: AMQ-1272
>                 URL:
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.0.0
>         Environment: 4.2-SNAPSHOT
>            Reporter: Tom Samplonius
>             Fix For: 5.1.0
>         Attachments: stomp-auth.patch, stomp.diff
> ActiveMQ does not correctly validate the username and password of Stomp clients.  A security
> exception is generated, but ignored, leaving the client connected, and with full and unrestricted
> access to ActiveMQ.
> Further description, and a partial patch:

> BTW, while the patch in the above post is crude, leaving unauthenticated users
> connected with full access makes ActiveMQ and Stomp pretty unusable.  So please apply the
> patch, rather than do nothing.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
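The behaviour the report and the fix describe, as an added example that is not part of this thread, of ActiveMQ, or of the attached patches: a minimal STOMP 1.0 frame codec, a CONNECT handler that swallows the security exception the way the bug report describes, the corrected handler that answers with an ERROR frame and creates no session, an authorization check for a later SEND that does the same, and a client-side probe that classifies the broker's answer. The user table, ACL, session id and error texts are constructed samples, and the probe calls the handlers in-process rather than over a socket.

```python
# Added example; not code from ActiveMQ, the JIRA thread or the attached patches.
# Models the STOMP 1.0 handshake so the bug and the fix described in AMQ-1272
# can be compared side by side. Users, ACL, session id and messages are constructed.


class SecurityException(Exception):
    """Stand-in for the broker-side exception raised on failed authentication."""


def encode_frame(command, headers=None, body=b""):
    """Serialize a STOMP 1.0 frame: command line, header lines, blank line, body, NUL."""
    lines = [command] + [f"{k}:{v}" for k, v in (headers or {}).items()]
    return ("\n".join(lines) + "\n\n").encode() + body + b"\x00"


def parse_frame(data):
    """Parse one NUL-terminated STOMP 1.0 frame into (command, headers, body)."""
    if not data.endswith(b"\x00"):
        raise ValueError("frame is not NUL-terminated")
    head, _, body = data[:-1].partition(b"\n\n")
    command, *header_lines = head.decode().split("\n")
    headers = dict(line.split(":", 1) for line in header_lines if line)
    return command, headers, body


USERS = {"system": "manager", "guest": "password"}   # constructed login -> passcode
WRITE_ACL = {"/queue/admin": {"system"}}             # constructed destination -> allowed writers


def authenticate(headers):
    """Return the login, or raise SecurityException when login/passcode do not match."""
    login = headers.get("login")
    if login is None or USERS.get(login) != headers.get("passcode"):
        raise SecurityException(f"authentication failed for login [{login}]")
    return login


def handle_connect_vulnerable(frame):
    """The reported bug: the exception is caught and ignored, CONNECTED goes out anyway.

    Returns (reply_bytes, session_kept)."""
    command, headers, _ = parse_frame(frame)
    if command != "CONNECT":
        raise ValueError("expected CONNECT")
    try:
        authenticate(headers)
    except SecurityException:
        pass  # swallowed: the client stays connected with a full session
    return encode_frame("CONNECTED", {"session": "ID:constructed-1"}), True


def handle_connect_fixed(frame):
    """The fix: bad credentials get an ERROR frame and no session is created."""
    command, headers, _ = parse_frame(frame)
    if command != "CONNECT":
        raise ValueError("expected CONNECT")
    try:
        authenticate(headers)
    except SecurityException as e:
        return encode_frame("ERROR", {"message": str(e)}), False
    return encode_frame("CONNECTED", {"session": "ID:constructed-1"}), True


def handle_send_fixed(login, frame):
    """Authorization for a later command: an unauthorized SEND gets an ERROR frame.

    Returns the ERROR frame, or None when the SEND is accepted (no reply on success)."""
    command, headers, _ = parse_frame(frame)
    if command != "SEND":
        raise ValueError("expected SEND")
    dest = headers.get("destination")
    if dest in WRITE_ACL and login not in WRITE_ACL[dest]:
        return encode_frame("ERROR", {"message": f"{login} may not write to {dest}"})
    return None


def probe(handler, login, passcode):
    """Client-side check: send CONNECT and classify the broker's answer.

    Returns "CONNECTED", "ERROR" or "UNEXPECTED:<command>"."""
    request = encode_frame("CONNECT", {"login": login, "passcode": passcode})
    reply, session_kept = handler(request)
    command, _, _ = parse_frame(reply)
    if command == "CONNECTED" and session_kept:
        return "CONNECTED"
    if command == "ERROR" and not session_kept:
        return "ERROR"
    return f"UNEXPECTED:{command}"


if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_connect_vulnerable), ("fixed", handle_connect_fixed)):
        print(name, "bad passcode ->", probe(handler, "system", "wrong"))
        print(name, "good passcode ->", probe(handler, "system", "manager"))
```

With the vulnerable handler, probe() returns CONNECTED for a wrong passcode, which is the condition the reporter describes; with the fixed handler the same request yields ERROR and no session. Against a real broker the probe is the same CONNECT frame written to the STOMP connector's TCP port, and the check to make is that a wrong passcode produces an ERROR frame followed by the broker closing the connection, never a CONNECTED frame.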
