activemq-users mailing list archives

From Rob Davies <rajdav...@gmail.com>
Subject Re: ActiveMQ.Advisory.Connection messages includes username and password
Date Wed, 29 Jul 2009 05:23:34 GMT

On 28 Jul 2009, at 22:56, <Mats.Henrikson@sungard.com> <Mats.Henrikson@sungard.com> wrote:

> I've been working on setting up an ActiveMQ 5.2 broker and coding
> clients for it for the last few weeks, and now I need to be notified
> when somebody logs in. I was hoping I could use the topic
> ActiveMQ.Advisory.Connection for that, so I set up a consumer on it and
> tried logging in using another client and just printing the messages to
> the console to see what I get.
>
> I was extremely surprised to see that connection messages to the topic
> ActiveMQ.Advisory.Connection include the entire ConnectionInfo object
> for the connection, which includes the username and password!
>
> I have been following the Security page
> (http://activemq.apache.org/security.html), which specifically states
> that "full access rights should always be given to the ActiveMQ.Advisory
> destinations" which obviously includes read access. Nowhere on the
> Security page does it warn you that ActiveMQ will helpfully distribute
> the clients' usernames and passwords around to all the other clients for
> you. This seems to happen for both the SimpleAuthenticationPlugin as
> well as the JaasAuthenticationPlugin.
>
> I haven't dug around in the code yet, I was hoping that somebody would
> quickly come back to me on the forum and let me know that I have missed
> some option somewhere in the docs that turns this off. Thoughts?
>
> Regards,
>
> Mats
>


Crikey!!!
This is tracked by http://issues.apache.org/activemq/browse/AMQ-2335 -
I don't think there's a workaround without extending an existing
AuthenticationBroker (same package as AuthenticationPlugins) to copy
the ConnectionInfo - remove the username/password from the copy and
pass the copy through the BrokerFilter chain (super.addConnection()).

cheers,

Rob

Rob Davies
I work here: http://fusesource.com
My Blog: http://rajdavies.blogspot.com/
I'm writing this: http://www.manning.com/snyder/
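
One way to implement the workaround described in the reply above, as an added example that is not part of the original message or ActiveMQ's own code. Instead of subclassing an authentication broker it uses a separate `BrokerFilter` (the class names are hypothetical), and it assumes the filter is installed in the interceptor chain so that it runs after authentication and before the broker that publishes the connection advisories:

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;
import org.apache.activemq.broker.BrokerPlugin;
import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.command.ConnectionId;
import org.apache.activemq.command.ConnectionInfo;

/** Hypothetical plugin name, chosen for this example. */
public class CredentialStrippingPlugin implements BrokerPlugin {

    public Broker installPlugin(Broker next) {
        return new CredentialStrippingBroker(next);
    }

    static class CredentialStrippingBroker extends BrokerFilter {
        // Sanitized copies keyed by connection id, so removeConnection hands
        // the rest of the chain the same object it saw in addConnection.
        private final ConcurrentMap<ConnectionId, ConnectionInfo> sanitized =
                new ConcurrentHashMap<ConnectionId, ConnectionInfo>();

        CredentialStrippingBroker(Broker next) {
            super(next);
        }

        @Override
        public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception {
            // Authentication is assumed to have run already and stored its
            // result in the ConnectionContext; only the copy loses credentials.
            ConnectionInfo copy = info.copy();
            copy.setUserName(null);
            copy.setPassword(null);
            sanitized.put(info.getConnectionId(), copy);
            try {
                super.addConnection(context, copy);
            } catch (Exception e) {
                sanitized.remove(info.getConnectionId()); // connection was rejected
                throw e;
            }
        }

        @Override
        public void removeConnection(ConnectionContext context, ConnectionInfo info, Throwable error)
                throws Exception {
            ConnectionInfo copy = sanitized.remove(info.getConnectionId());
            super.removeConnection(context, copy != null ? copy : info, error);
        }
    }
}
```

To confirm the filter is positioned correctly, subscribe a test consumer to ActiveMQ.Advisory.Connection, log in from another client, and check that the received ConnectionInfo has no username or password.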




