----- "James Strachan" <[EMAIL PROTECTED]> wrote: ... > Just use the JAAS plugin in ActiveMQ and you're good to go; the Stomp > code uses whatever security plugin you're using
As has been discussed, this is broken, and has been since 4.1.1 or earlier. Is there any sort of roadmap to the ActiveMQ internals, so I can take a stab at fixing this without having to start from scratch? All of the wire protocols tie back to some sort of core, where auth is evaluated. And that is supposed to flow back to the wire protocol again. And the ActiveMQ core just depends on the protocol to do the right thing. If the auth failed, it will still take successive commands. ... > I know lots of folks using both the Web Console and Stomp in > production with security But I don't know how this could be possible, unless people just haven't tried with a mis-spelled password. And there isn't a release version of ActiveMQ that doesn't lose Stomp messages one way or another. So I have to assume that they production sites are using snapshots too. But Stomp support is as buggy as hell in ActiveMQ. It seems that the ActiveMQ project operates in some sort of twilight mode. Most projects would have issued a security advisory. Doesn't the Apache Foundation require its projects to issue security advisories for serious security problems? Doesn't the "Apache Way" include, "security as a mandatory feature"? If no one can fix Stomp, that's fine, but it should be at least be disabled on default configuration. > > -- > James > ------- > http://macstrac.blogspot.com/
