activemq-users mailing list archives

From Tom Samplonius <...@samplonius.org>
Subject Re: Getting Stomp support to a usable state...
Date Thu, 07 Jun 2007 01:35:58 GMT

----- "James Strachan" <james.strachan@gmail.com> wrote:
> On 6/2/07, Tom Samplonius <tom@samplonius.org> wrote:
> >
> >   How much more work needs to occur to get Stomp protocol support to
> a usable state?
> 
> Huh? :) It's very usable right now
> 
> 
> > The biggest issue is lack of any authentication support for Stomp,
> so anyone with access to the Stomp port can get and send anything.  I
> can't imagine that anyone is using Stomp in production yet.
> 
> Stomp has always supported authentication (on the CONNECT) which
> plugs
> into the underlying message brokers security & authentication
> mechanism.

  Actually, it appears that the username and password are ignored.  I fought with JAAS for
about four hours before deciding to try to read the code, and the comments say that the password
is ignored.  There appears to be no way to get a config that doesn't
check the password.  From ProtocolConvertor.java:

        // allow anyone to login for now
        String login = (String)headers.get(Stomp.Headers.Connect.LOGIN);
        String passcode = (String)headers.get(Stomp.Headers.Connect.PASSCODE);
        String clientId = (String)headers.get(Stomp.Headers.Connect.CLIENT_ID);

There is no indication there is any attempt to validate the username and password via any
sort of auth plugin.  I assume, based on the "for now" comment, that someone is working on
this.

  Interestingly, I checked StompConnect, and it has very similar code to ActiveMQ, and it appears
to actually pass the username and password over to JMS.  I suppose using StompConnect in front
of ActiveMQ would result in a working configuration, but would be, frankly, bizarre.


> >   But is anyone working on this?  I've looked into the JAAS stuff,
> and the Stomp code in ActiveMQ.  It would take me a week to figure out
> how to wrap Stomp with JAAS, as I have never worked with JAAS before. 
> I assume the original author of the Stomp support probably skipped
> authentication.  Does anyone have any patches?  Or any insight on how
> to fix this?  I really want usable Stomp support in ActiveMQ.
> 
> 
> Just use the JAAS plugin in ActiveMQ and you're good to go; the Stomp
> code uses whatever security plugin you're using

  Have you actually tried this?  I've set up JAAS, and it all appears good, but it is a bit
concerning when you change the password on a consume, and it still works...


> >   The Web Console has similar issues.  There is no easy way to
> password protect it.  But if you password protect JMX access, it will
> break the Web Console.
> 
> That's more of a JMX thing really; you can enable security on JMX. The
> web console is also a WAR; so you can use the normal servlet security
> stuff too

  I imagine so.  JMX is a pain in general.

 
> >   I assume that everyone that uses ActiveMQ in production today, is
> using just OpenWire and JMX, and not the Web Console or Stomp.  Is
> that the case?  Or, are users not aware of the default-open security
> configuration of ActiveMQ?
> 
> I know lots of folks using both the Web Console and Stomp in
> production with security

  By all means, tell me how.  Web Console can be protected with servlet security, which is
fine.

  But I assume I'm correct, that the only way to protect JMX is to use the Sun JMX connector?
I documented how I did it, on the JMX page on the Wiki.

  And ActiveMQ does ship in a completely wide-open configuration.  That is definitely a throw-back
to a previous time.  I'd post an activemq.xml with everything locked down, for inclusion in
the next release, if I could figure it out.


> -- 
> James
> -------
> http://macstrac.blogspot.com/

Tom
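As an added illustration of the point argued in this thread (this is editor-supplied example code, not code from ActiveMQ, StompConnect, or either poster), the block below models a STOMP 1.0 CONNECT handler in two variants: one that reads login/passcode and never checks them, as the quoted ProtocolConverter comment describes, and a hardened one that refuses the session unless the passcode verifies. `credentials_enforced` is the check Tom describes (connect with a wrong passcode and see whether you still get CONNECTED); the credential store, frame encoder and parser are constructed for the demo and stand in for the broker's real authentication plugin.

```python
import hmac

# Constructed demo credential store (not an ActiveMQ config).
CREDENTIALS = {"system": "manager"}

def build_frame(command, headers, body=""):
    """Encode a STOMP 1.0 frame: COMMAND, header lines, blank line, body, NUL."""
    head = "".join(f"{k}:{v}\n" for k, v in headers.items())
    return f"{command}\n{head}\n{body}\0".encode("utf-8")

def parse_frame(raw):
    """Decode a STOMP 1.0 frame into (command, headers, body)."""
    head, _, body = raw.partition(b"\n\n")
    lines = head.decode("utf-8").split("\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers.setdefault(key.strip(), value.strip())  # first header wins
    return lines[0].strip(), headers, body.rstrip(b"\0").decode("utf-8")

def connect_open(frame):
    """The behaviour the thread reports: login/passcode are read, never checked."""
    command, headers, _ = parse_frame(frame)
    if command != "CONNECT":
        return build_frame("ERROR", {"message": "expected CONNECT"})
    login = headers.get("login", "anonymous")
    _ = headers.get("passcode")  # read and discarded, so any value "works"
    return build_frame("CONNECTED", {"session": f"session-{login}"})

def connect_checked(frame):
    """Hardened handler: no CONNECTED frame unless login/passcode verify."""
    command, headers, _ = parse_frame(frame)
    if command != "CONNECT":
        return build_frame("ERROR", {"message": "expected CONNECT"})
    login = headers.get("login", "")
    passcode = headers.get("passcode", "")
    expected = CREDENTIALS.get(login)
    # Constant-time compare; unknown logins fail the same way as bad passcodes.
    if expected is None or not hmac.compare_digest(expected.encode(), passcode.encode()):
        return build_frame("ERROR", {"message": "authentication failed"})
    return build_frame("CONNECTED", {"session": f"session-{login}"})

def credentials_enforced(handler):
    """Tom's check from the thread: a wrong passcode must not be accepted."""
    bad = build_frame("CONNECT", {"login": "system", "passcode": "wrong"})
    command, _, _ = parse_frame(handler(bad))
    return command == "ERROR"
```

The same check applies to a real broker: if a CONNECT with a deliberately wrong passcode still yields CONNECTED, the STOMP transport is not consulting the broker's authentication plugin, whatever the JAAS config says.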
