activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tom Samplonius <...@samplonius.org>
Subject Being serious about "secure by design" (was Re: About releases and bugs)
Date Thu, 28 Jun 2007 18:27:04 GMT

----- "James Strachan" <james.strachan@gmail.com> wrote:

...

> > Authentication and security should be mandatory, but the
> ActiveMQ.Agent feature doesn't work if auth is enabled.
> 
> I'm not aware of any any MOM where authentication and security are
> mandatory out of the box; its usually always something you configure
> using whatever technologies you like.

  No James, I think you missed the point:  authentication of any kind can't be used at the
same time as ActiveMQ.Agenet.  ActiveMQ will crash on start.

  So ActiveMQ.Agent is completely incompatible with authentication.  This is a design flaw.
 And it does not fit with the "secure by design" philosophy.


> > Neither does the Web Console queueBrowser.  These components should
> be move to a sandbox.
> 
> Huh?

  The Web Console queueBrowser is also incompatible with authentication.  If you use authentication,
the queueBrowser crashes.


  So, in keeping with the "secure by design" philosophy, the Web Console and ActiveMQ.Agent
should be moved to a sandbox, until someone fixes them.  I think this is a completely reasonable
approach.


Tom



Mime
View raw message