[ https://issues.apache.org/jira/browse/AMQNET-415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jim Gomes updated AMQNET-415:
-----------------------------

    Description: 
If the ActiveMQ broker has been secured to enforce login credentials, the NMS 
client will continually attempt to authenticate against it if it is using the 
failover protocol.

Steps to Reproduce:
----------------------
1. Configure the broker to require login credentials for connections.
2. Configure the NMS client to use failover mode.
3. Configure the NMS client with incorrect login credentials.
4. Attempt to connect the NMS client to the server.

Results:
----------------------
The client reattempts login continuously without backing off, and has a 
significant impact on the performance of the server.

Expected:
----------------------
The client should exponentially back off in the same manner as it does when 
attempting to reconnect to a down server.

Notes:
----------------------
This was experienced using the OpenWire client, but a similar bug may exist in 
the STOMP client's failover code.
The broker may also want to protect itself against this, as this is an easy 
attack vector for a DDoS.  Just a couple of clients attempting to login with 
invalid credentials can dramatically impact the server's performance, not just 
the broker.

  was:
If the ActiveMQ broker has been secured to enforce login credentials, the NMS 
client will continually attempt to authenticate against it if it is using the 
failover protocol.

Steps to Reproduce:
----------------------
1. Configure the broker to require login credentials for connections.
2. Configure the NMS client to use failover mode.
3. Configure the NMS client with incorrect login credentials.
4. Attempt to connect the NMS client to the server.

Results:
----------------------
The client reattempts login continuously without backing off, and has a 
significant impact on the performance of the server.

Expected:
----------------------
The client should exponentially back off in the same manner as it does when 
attempting to reconnect to a down server.

Notes:
----------------------
This was experienced using the OpenWire client, but a similar bug may exist in 
the STOMP client's failover code.

    
> Client overloads server with wrong credentials when using failover
> ------------------------------------------------------------------
>
>                 Key: AMQNET-415
>                 URL: https://issues.apache.org/jira/browse/AMQNET-415
>             Project: ActiveMQ .Net
>          Issue Type: Bug
>          Components: ActiveMQ, NMS
>    Affects Versions: 1.5.6
>         Environment: ActiveMQ Broker 5.6.0
>            Reporter: Jim Gomes
>            Assignee: Jim Gomes
>            Priority: Minor
>              Labels: authentication, failover
>             Fix For: 1.5.7
>
>
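To make the reported failure mode and the expected fix concrete, the following is an added model of a failover reconnect loop (not code from the NMS project or from the reporter). A "broker" that rejects every login is simulated, and the number of login attempts per minute is counted once with the reported behaviour (a rejected login does not grow the retry delay) and once with the expected behaviour (an authentication failure backs off exactly like an unreachable broker). The delay constants, the per-attempt cost, and the class and function names are assumptions of this model.

```python
"""Model of a failover reconnect loop against a broker that rejects the client's
credentials; all constants and names here are assumptions, not NMS internals."""
from dataclasses import dataclass

INITIAL_DELAY_MS = 10       # assumed starting delay between reconnect attempts
MAX_DELAY_MS = 30_000       # assumed cap on the delay
BACKOFF_MULTIPLIER = 2      # assumed growth factor per failed attempt


@dataclass
class ReconnectPolicy:
    """Decides how long to wait after a failed connection attempt."""
    backoff_on_auth_failure: bool
    delay_ms: int = INITIAL_DELAY_MS

    def next_delay(self, failure: str) -> int:
        """Return the wait before the next attempt. `failure` is "transport"
        (broker unreachable) or "auth" (broker reachable, credentials rejected)."""
        if failure == "auth" and not self.backoff_on_auth_failure:
            # Reported behaviour: a rejected login is not treated as a reconnect
            # failure, so the delay never grows and the client retries at a
            # constant, short interval.
            return INITIAL_DELAY_MS
        wait = self.delay_ms
        self.delay_ms = min(self.delay_ms * BACKOFF_MULTIPLIER, MAX_DELAY_MS)
        return wait


def simulate_login_attempts(policy: ReconnectPolicy, window_ms: int = 60_000,
                            attempt_cost_ms: int = 5) -> int:
    """Count login attempts made during `window_ms` of simulated time against a
    broker that rejects every login. `attempt_cost_ms` is a constructed cost for
    one TCP connect plus the rejected login round-trip."""
    clock = 0
    attempts = 0
    while clock < window_ms:
        attempts += 1
        clock += attempt_cost_ms
        clock += policy.next_delay("auth")
    return attempts


if __name__ == "__main__":
    reported = simulate_login_attempts(ReconnectPolicy(backoff_on_auth_failure=False))
    expected = simulate_login_attempts(ReconnectPolicy(backoff_on_auth_failure=True))
    print(f"no back-off on auth failure: {reported} logins/minute")   # 4000
    print(f"exponential back-off:        {expected} logins/minute")   # 13
```

With these constants one misconfigured client produces thousands of rejected logins per minute under the reported behaviour and only a handful under the expected one, which is the load difference the report describes.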
