activemq-dev mailing list archives

From "Timothy Bish (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMQ-1985) ActiveMQ Security - grant privileges on ActiveMQ.Advisory.> by default
Date Fri, 02 Mar 2012 22:23:59 GMT

    [ https://issues.apache.org/jira/browse/AMQ-1985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13221308#comment-13221308 ]

Timothy Bish commented on AMQ-1985:
-----------------------------------

This is the intended behavior.  Leaving the advisory message destinations open by default
would create a security hole open to DoS exploit through resource usage.  It's important to
understand the various options of the security scheme.  Some additional documentation was
added on this recently.
                
> ActiveMQ Security - grant privileges on ActiveMQ.Advisory.> by default
> ----------------------------------------------------------------------
>
>                 Key: AMQ-1985
>                 URL: https://issues.apache.org/jira/browse/AMQ-1985
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Broker, Documentation
>    Affects Versions: 5.1.0
>            Reporter: Clayton McCarl
>            Priority: Minor
>             Fix For: 5.x
>
>
> from http://activemq.apache.org/security.html - Note that full access rights should always
> be given to the ActiveMQ.Advisory destinations, else your client will receive an exception
> stating it does not have access rights to these series of destinations.
> <authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
> Can this be assumed behind the scenes?  This was troubling as a new user adding security
> (especially before this was properly documented on Sept 15, 2008).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
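
Added example, not part of the original message or of ActiveMQ: a small audit that reads a broker configuration and reports which groups the authorizationEntry elements grant on an advisory topic, or that no entry covers it. The sample XML, the function names and the choice of "guests" as the group to flag are assumptions; how the broker combines overlapping entries is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample config; the advisory entry is the line quoted in the issue.
SAMPLE = """<broker xmlns="http://activemq.apache.org/schema/core">
  <plugins><authorizationPlugin><map><authorizationMap><authorizationEntries>
    <authorizationEntry queue="ORDERS.>" read="users" write="users" admin="admins"/>
    <authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users"
                        write="guests,users" admin="guests,users"/>
  </authorizationEntries></authorizationMap></map></authorizationPlugin></plugins>
</broker>"""

OPS = ("read", "write", "admin")

def matches(pattern, name):
    """Destination wildcards: '.' separates, '*' is one segment, '>' is the rest."""
    p, n = pattern.split("."), name.split(".")
    for i, seg in enumerate(p):
        if seg == ">":
            return True
        if i >= len(n) or (seg != "*" and seg != n[i]):
            return False
    return len(p) == len(n)

def advisory_acl(xml_text, topic="ActiveMQ.Advisory.Connection"):
    """Collect the groups every matching topic entry names for each operation."""
    acl = {op: set() for op in OPS}
    for el in ET.fromstring(xml_text).iter():
        # Ignore the XML namespace and keep only authorizationEntry elements.
        if el.tag.rsplit("}", 1)[-1] != "authorizationEntry":
            continue
        pattern = el.get("topic")
        if pattern and matches(pattern, topic):
            for op in OPS:
                groups = el.get(op, "").split(",")
                acl[op] |= {g.strip() for g in groups if g.strip()}
    return acl

def audit(xml_text, broad_groups=("guests",)):
    """Return findings: a missing advisory entry, or broad groups with access."""
    acl = advisory_acl(xml_text)
    if not any(acl.values()):
        # Case described in the quoted documentation note: clients get an
        # access-rights exception when nothing grants the advisory topics.
        return ["no-advisory-entry"]
    return [f"{op}:{g}" for op in OPS for g in sorted(acl[op]) if g in broad_groups]

if __name__ == "__main__":
    print(advisory_acl(SAMPLE))
    print(audit(SAMPLE))
```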