I've been working on setting up an ActiveMQ 5.2 broker and coding
clients for it for the last few weeks, and now I need to be notified
when somebody logs in. I was hoping I could use the topic
ActiveMQ.Advisory.Connection for that, so I set up a consumer on it and
tried logging in using another client and just printing the messages to
the console to see what I get.

I was extremely surprised to see that connection messages on the topic
ActiveMQ.Advisory.Connection include the entire ConnectionInfo object
for the connection, which includes the username and password!

I have been following the Security page
(http://activemq.apache.org/security.html), which specifically states
that "full access rights should always be given to the ActiveMQ.Advisory
destinations" which obviously includes read access. Nowhere on the
Security page does it warn you that ActiveMQ will helpfully distribute
the clients usernames and passwords around to all the other clients for
you. This seems to happen for both the SimpleAuthenticationPlugin as
well as the JaasAuthenticationPlugin.

I haven't dug around in the code yet; I was hoping that somebody would
quickly come back to me on the forum and let me know that I have missed
some option somewhere in the docs that turns this off. Thoughts?

Regards,

Mats

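The check described in the post (a consumer on ActiveMQ.Advisory.Connection that inspects what the broker sends out), as an added example that is not part of the original message or of the ActiveMQ project. It uses the ActiveMQ 5.x client API: the advisory payload arrives as the ActiveMQMessage's data structure, a ConnectionInfo when a client connects and a RemoveInfo when it disconnects. Rather than dumping the whole message with toString(), which would print the password, it reports only whether a password field is present. The broker URL and the auditor credentials are assumptions; adjust them for your broker.

```java
import javax.jms.Connection;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.Session;

import org.apache.activemq.ActiveMQConnectionFactory;
import org.apache.activemq.advisory.AdvisorySupport;
import org.apache.activemq.command.ActiveMQMessage;
import org.apache.activemq.command.ConnectionInfo;
import org.apache.activemq.command.DataStructure;
import org.apache.activemq.command.RemoveInfo;

/**
 * Subscribes to ActiveMQ.Advisory.Connection and reports, for each
 * advisory, whether the ConnectionInfo the broker fans out carries a
 * username and a non-empty password. The password value itself is
 * never printed.
 */
public class ConnectionAdvisoryAudit {

    public static void main(String[] args) throws Exception {
        // Assumed broker URL and credentials for the auditing client.
        String brokerUrl = args.length > 0 ? args[0] : "tcp://localhost:61616";
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(brokerUrl);
        Connection connection = factory.createConnection("auditor", "auditor-password");
        connection.start();

        Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
        // AdvisorySupport resolves the ActiveMQ.Advisory.Connection topic for us.
        MessageConsumer consumer = session.createConsumer(
                AdvisorySupport.getConnectionAdvisoryTopic());

        System.out.println("Listening on " + AdvisorySupport.getConnectionAdvisoryTopic());
        while (true) {
            Message m = consumer.receive();
            System.out.println(describe(m));
        }
    }

    /**
     * Summarises one advisory message without echoing any secret it may contain.
     */
    static String describe(Message m) {
        if (!(m instanceof ActiveMQMessage)) {
            return "non-ActiveMQ message: " + m;
        }
        DataStructure payload = ((ActiveMQMessage) m).getDataStructure();

        if (payload instanceof ConnectionInfo) {
            // Sent when a client connects; this is the object the post is about.
            ConnectionInfo info = (ConnectionInfo) payload;
            String password = info.getPassword();
            boolean passwordPresent = password != null && password.length() > 0;
            return "CONNECT clientId=" + info.getClientId()
                    + " user=" + info.getUserName()
                    + " passwordPresent=" + passwordPresent;
        }
        if (payload instanceof RemoveInfo) {
            // Sent when a connection is closed; carries only the connection id.
            return "DISCONNECT " + ((RemoveInfo) payload).getObjectId();
        }
        return "other advisory payload: " + payload;
    }
}
```

Run it against the broker, then connect with a second client using any authenticated user: a line with passwordPresent=true confirms that the credential is being distributed to every consumer authorised to read the advisory topic. Keep the auditing client's own credentials in mind as well; its ConnectionInfo will be fanned out in exactly the same way.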