[ https://issues.apache.org/activemq/browse/AMQ-1272?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_39469 ]

Pieter commented on AMQ-1272:
-----------------------------

I am the author of the patch mentioned. It worked for me (the patch was against 
the apache-activemq-4.2-20070510.230653-54 snapshot). Without the patch applied, 
SecurityExceptions were already visible in the debug log; however, they were 
silently dropped (there is a try/catch block somewhere in the connection 
handler that handles this. It then creates an ExceptionResponse which is passed 
to the handler in onStompConnect, where the response isn't checked anymore). If 
these were not visible, I guess something else is wrong with the authentication 
setup.

I'm using the simple authenticator btw, but this shouldn't matter.

> Stomp protocol does not correctly check authentication (security hole)
> ----------------------------------------------------------------------
>
>                 Key: AMQ-1272
>                 URL: https://issues.apache.org/activemq/browse/AMQ-1272
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.0.0
>         Environment: 4.2-SNAPSHOT
>            Reporter: Tom Samplonius
>            Priority: Blocker
>             Fix For: 4.1.2, 5.0.0
>
>
> ActiveMQ does not correctly validate the username and password of Stomp 
> clients.  A security exception is generated, but ignored, leaving the client 
> connected, and with full and unrestricted access to ActiveMQ.
> Further description, and a partial patch:
> http://www.nabble.com/Getting-Stomp-support-to-a-usable-state...-tf3858629s2354.html#a11060452
>  
> BTW, while the patch in the above post is crude, leaving unauthenticated 
> users connected with full access makes ActiveMQ and Stomp pretty unusable. 
> So please apply the patch, rather than do nothing.

-- 
This message is automatically generated by JIRA.