On 28 Jul 2009, at 22:56, <mats.henrik...@sungard.com> wrote:
I've been working on setting up an ActiveMQ 5.2 broker and coding clients for it for the last few weeks, and now I need to be notified when somebody logs in. I was hoping I could use the topic ActiveMQ.Advisory.Connection for that, so I set up a consumer on it and tried logging in using another client and just printing the messages to the console to see what I get.

I was extremely surprised to see that connection messages to the topic ActiveMQ.Advisory.Connection include the entire ConnectionInfo object for the connection, which includes the username and password!

I have been following the Security page (http://activemq.apache.org/security.html), which specifically states that "full access rights should always be given to the ActiveMQ.Advisory destinations" which obviously includes read access. Nowhere on the Security page does it warn you that ActiveMQ will helpfully distribute the clients' usernames and passwords around to all the other clients for you. This seems to happen for both the SimpleAuthenticationPlugin as well as the JaasAuthenticationPlugin.

I haven't dug around in the code yet; I was hoping that somebody would quickly come back to me on the forum and let me know that I have missed some option somewhere in the docs that turns this off. Thoughts?

Regards,
Mats
Crikey!!!

This is tracked by http://issues.apache.org/activemq/browse/AMQ-2335 - I don't think there's a workaround without extending an existing AuthenticationBroker (same package as AuthenticationPlugins) to copy the ConnectionInfo - remove the username/password from the copy and pass the copy through the BrokerFilter chain (super.addConnection());

cheers,
Rob
Rob Davies
I work here: http://fusesource.com
My Blog: http://rajdavies.blogspot.com/
I'm writing this: http://www.manning.com/snyder/
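
The workaround described in the reply above, sketched as an added example (not code from this thread or from the ActiveMQ project): a broker filter that authenticates with the real credentials, then hands only a credential-free copy of the ConnectionInfo to the rest of the chain. The class name and the `authenticate` hook are hypothetical, and the sketch assumes `ConnectionInfo.copy()` is available in the ActiveMQ version in use.

```java
import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;
import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.command.ConnectionInfo;
import org.apache.activemq.security.SecurityContext;

/**
 * Hypothetical authentication broker: credentials are checked here and are
 * not forwarded to inner brokers, so they cannot end up in messages sent to
 * ActiveMQ.Advisory.Connection.
 */
public abstract class RedactingAuthenticationBroker extends BrokerFilter {

    protected RedactingAuthenticationBroker(Broker next) {
        super(next);
    }

    /**
     * Hypothetical hook: validate the credentials against your user store
     * and return the SecurityContext for the user, or throw
     * SecurityException if they are rejected.
     */
    protected abstract SecurityContext authenticate(String userName, String password)
            throws SecurityException;

    @Override
    public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception {
        // Authenticate against the ORIGINAL info, which still holds the password.
        if (context.getSecurityContext() == null) {
            context.setSecurityContext(authenticate(info.getUserName(), info.getPassword()));
        }
        // Everything further down the BrokerFilter chain sees only the copy.
        super.addConnection(context, redact(info));
    }

    /** Returns a copy with the username and password removed; the original is untouched. */
    static ConnectionInfo redact(ConnectionInfo info) {
        ConnectionInfo copy = info.copy();
        copy.setUserName(null);
        copy.setPassword(null);
        return copy;
    }
}
```

The original object is left unmodified because the transport layer still holds a reference to it; only the copy is altered. A consumer on ActiveMQ.Advisory.Connection, like the one in the first message, can be used to confirm that the advisory no longer carries the credentials.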