activemq-users mailing list archives

From Rob Davies <>
Subject Re: ActiveMQ.Advisory.Connection messages includes username and password
Date Wed, 29 Jul 2009 05:23:34 GMT

On 28 Jul 2009, at 22:56, <> <> wrote:

> I've been working on setting up an ActiveMQ 5.2 broker and coding
> clients for it for the last few weeks, and now I need to be notified
> when somebody logs in. I was hoping I could use the topic
> ActiveMQ.Advisory.Connection for that, so I set up a consumer on it and
> tried logging in using another client and just printing the messages to
> the console to see what I get.
> I was extremely surprised to see that connection messages to the topic
> ActiveMQ.Advisory.Connection include the entire ConnectionInfo object
> for the connection, which includes the username and password!
> I have been following the Security page
> (, which specifically states
> that "full access rights should always be given to the ActiveMQ.Advisory
> destinations" which obviously includes read access. Nowhere on the
> Security page does it warn you that ActiveMQ will helpfully distribute
> the clients' usernames and passwords around to all the other clients for
> you. This seems to happen for both the SimpleAuthenticationPlugin as
> well as the JaasAuthenticationPlugin.
> I haven't dug around in the code yet, I was hoping that somebody would
> quickly come back to me on the forum and let me know that I have missed
> some option somewhere in the docs that turns this off. Thoughts?
> Regards,
> Mats

This is tracked by -  
I don't think there's a workaround without extending an existing
AuthenticationBroker (same package as AuthenticationPlugins) to copy
the ConnectionInfo - remove the username/password from the copy and
pass the copy through the BrokerFilter chain (super.addConnection()).



Rob Davies
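One way the workaround described in the reply above could look, as an added example that is not from the original message or from the ActiveMQ project. Instead of subclassing an authentication broker it uses a separate BrokerFilter, which assumes the filter sits between the authentication broker and the advisory broker in the chain, so credentials are checked before they are stripped. The class names are hypothetical, and ConnectionInfo.copy() is assumed to be available in the broker version in use.

```java
import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;
import org.apache.activemq.broker.BrokerPlugin;
import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.command.ConnectionInfo;

/**
 * Added example (hypothetical class names, not ActiveMQ's own code).
 * Strips credentials from ConnectionInfo before it continues down the
 * broker chain, so the connection advisory no longer carries them.
 *
 * Assumption: this plugin is ordered so that the authentication broker
 * has already seen the original ConnectionInfo. Verify the plugin
 * ordering for your broker version before relying on it.
 */
public class CredentialScrubbingPlugin implements BrokerPlugin {

    public Broker installPlugin(Broker next) throws Exception {
        return new CredentialScrubbingBroker(next);
    }

    static class CredentialScrubbingBroker extends BrokerFilter {

        CredentialScrubbingBroker(Broker next) {
            super(next);
        }

        @Override
        public void addConnection(ConnectionContext context, ConnectionInfo info)
                throws Exception {
            // Work on a copy so the caller's ConnectionInfo is left untouched.
            // Assumption: ConnectionInfo.copy() exists in the version in use.
            ConnectionInfo scrubbed = info.copy();

            // Remove both fields, as the reply suggests.
            scrubbed.setUserName(null);
            scrubbed.setPassword(null);

            // Everything further down the chain, including the broker that
            // publishes to ActiveMQ.Advisory.Connection, sees only the copy.
            super.addConnection(context, scrubbed);
        }
    }
}
```

To confirm the effect, subscribe a test consumer to ActiveMQ.Advisory.Connection and check that getUserName() and getPassword() on the received ConnectionInfo are empty.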