On 6/2/07, Tom Samplonius <[EMAIL PROTECTED]> wrote:
> How much more work needs to occur to get Stomp protocol support to a usable state?

Huh? :) It's very useable right now

> The biggest issue is lack of any authentication support for Stomp, so anyone with access to the Stomp port can get and send anything. I can't imagine that anyone is using Stomp in production yet.

Stomp has always supported authentication (on the CONNECT) which plugs into the underlying message broker's security & authentication mechanism.

> But is anyone working on this? I've looked into the JAAS stuff, and the Stomp code in ActiveMQ. It would take me a week to figure out how to wrap Stomp with JAAS, as I have never worked with JAAS before. I assume the original author of the Stomp support probably skipped authentication. Does anyone have any patches? Or any insight on how to fix this? I really want usable Stomp support in ActiveMQ.

Just use the JAAS plugin in ActiveMQ and you're good to go; the Stomp code uses whatever security plugin you're using

> The Web Console has similar issues. There is no easy way to password protect it. But if you password protect JMX access, it will break the Web Console.

That's more of a JMX thing really; you can enable security on JMX. The web console is also a WAR; so you can use the normal servlet security stuff too

> I assume that everyone that uses ActiveMQ in production today is using just OpenWire and JMX, and not the Web Console or Stomp. Is that the case? Or, are users not aware of the default-open security configuration of ActiveMQ?

I know lots of folks using both the Web Console and Stomp in production with security

--
James
-------
http://macstrac.blogspot.com/
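
Added example, not part of the original message and not ActiveMQ's own code: a Python sketch of where Stomp credentials travel (the `login` and `passcode` headers of the CONNECT frame) and of a check an operator can run against their own broker to confirm that a CONNECT without credentials is refused. The port 61613 default, the function names and the two sample replies are assumptions made for this example; the replies are constructed, not captured from a broker.

```python
import socket

def build_frame(command, headers=None, body=""):
    """Serialize a STOMP frame: command, header lines, blank line, body, NUL."""
    lines = [command] + [f"{k}:{v}" for k, v in (headers or {}).items()]
    return ("\n".join(lines) + "\n\n" + body).encode("utf-8") + b"\x00"

def parse_frame(raw):
    """Parse one NUL-terminated STOMP frame into (command, headers, body)."""
    frame, sep, _ = raw.partition(b"\x00")
    if not sep:
        raise ValueError("incomplete frame: no NUL terminator")
    head, _, body = frame.decode("utf-8").lstrip("\n").partition("\n\n")
    command, *header_lines = head.split("\n")
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers.setdefault(key, value)  # first occurrence of a header wins
    return command, headers, body

def connect_frame(login=None, passcode=None):
    """CONNECT frame; credentials, if any, go in the login/passcode headers."""
    headers = {} if login is None else {"login": login, "passcode": passcode or ""}
    return build_frame("CONNECT", headers)

def auth_enforced(reply_to_anonymous_connect):
    """True if the broker answered a credential-less CONNECT with ERROR."""
    command = parse_frame(reply_to_anonymous_connect)[0]
    if command not in ("CONNECTED", "ERROR"):
        raise ValueError(f"unexpected reply: {command}")
    return command == "ERROR"

def probe(host, port=61613, timeout=5.0):
    """Send a credential-less CONNECT to your own broker and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(connect_frame())
        buf = b""
        while b"\x00" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed before a full frame arrived")
            buf += chunk
    return auth_enforced(buf)

# Constructed sample replies (assumed wording, not captured from a real broker).
OPEN_REPLY = b"CONNECTED\nsession:ID:constructed-1\n\n\x00"
SECURED_REPLY = b"ERROR\nmessage:User name or password is invalid.\n\nrejected\n\x00"
```

`auth_enforced(OPEN_REPLY)` is `False` and `auth_enforced(SECURED_REPLY)` is `True`; `probe()` applies the same classification to a live reply and is not called when the module is imported.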