I'm looking to use ActiveMQ as a transport to my application's API as an
alternative to using raw sockets. As I'm only using JMS as a transport
layer, I don't think it's appropriate to use the ActiveMQ security, but I
still need users to be authenticated.

I had a look at the response/request pattern in the docs, and wonder if the
following logic is the right one to use:

# Client creates a temporary queue for responses (responseQueue)
# Client sends a message to the server's standard "login" queue, with replyTo() = responseQueue
# Server checks the "login" queue for the new message
# Server creates its own temporary queue for this user's requests (requestQueue)
# Server sends a message with a random string (salt) to responseQueue, with replyTo() = requestQueue
# Client calculates the MD5 hash of password + salt, and sends a message with user and md5hash to requestQueue
# Server authenticates the MD5 hash, and sends an ack message to responseQueue stating authentication OK or failed
# If OK, Client should then send all messages to requestQueue and Server treats all messages on that queue as authenticated

Does this make sense? Or is there any way for unauthenticated users to spoof
the requestQueue or listen in on responseQueue?

/Steve
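
The handshake described in the message above, modelled in memory as an added example (it is not part of the original post and is not ActiveMQ or JMS code). The names `LoginServer`, `handle_login`, `handle_auth`, `handle_request` and the sample user are hypothetical; the single-use salt and the constant-time comparison are assumptions added here to show what the server has to track for the salt to prevent replay.

```python
import hashlib
import hmac
import secrets

# Constructed sample store. Assumption: the server can recover the password,
# which the MD5(password + salt) check in the post requires.
USERS = {"steve": "correct horse"}

def response_hash(password, salt):
    """Client side: MD5 over password + salt, hex encoded, as in the post."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()

class LoginServer:
    def __init__(self, users):
        self.users = users
        self.pending = {}            # requestQueue name -> salt not yet answered
        self.authenticated = set()   # requestQueue names that passed the check

    def handle_login(self):
        """Login message received: create a requestQueue and issue a fresh salt."""
        request_queue = "requestQueue-" + secrets.token_hex(8)
        self.pending[request_queue] = secrets.token_hex(16)
        return request_queue, self.pending[request_queue]

    def handle_auth(self, request_queue, user, md5hash):
        """Verify user + md5hash against the salt issued for this queue only."""
        salt = self.pending.pop(request_queue, None)  # single use, pass or fail
        password = self.users.get(user)
        if salt is None or password is None:
            return False
        expected = response_hash(password, salt).encode("ascii")
        if hmac.compare_digest(expected, md5hash.encode("utf-8")):
            self.authenticated.add(request_queue)
            return True
        return False

    def handle_request(self, request_queue, body):
        """Later traffic is served only on queues that completed the handshake."""
        return "ok: " + body if request_queue in self.authenticated else "rejected"

def demo():
    server = LoginServer(USERS)
    queue, salt = server.handle_login()
    answer = response_hash("correct horse", salt)
    first = server.handle_auth(queue, "steve", answer)
    # The same answer presented in a second handshake meets a different salt.
    queue2, _ = server.handle_login()
    replay = server.handle_auth(queue2, "steve", answer)
    return (first, replay,
            server.handle_request(queue, "ping"),
            server.handle_request(queue2, "ping"))
```

The model shows that the server-side state is keyed by the requestQueue, so everything after the handshake rests on only the authenticated client being able to send to that queue.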