Hi, I'm trying to modify ActiveMQ so it can handle SSL connections and authorize access to different queues based on client IDs. I've been looking at your "JMSXUserID support" (http://incubator.apache.org/activemq/jmsxuserid.html) to see if it could be used for authentication once the connection has been established.
From what I see, using BrokerService.setPopulateJMSXUserID(true) causes the BrokerService to use a UserIDBroker, which in turn uses the ConnectionContext to retrieve the userID.
The problem I see is that the connection context is set in AbstractConnection.processMessage, which uses the producerId received from the message, which has been sent by the producer (and is not validated by the server). This, to me, means that if the producer manages to guess a correct producerId, it will have impersonated another producer. Is this true?

Thanks in advance,
Sepand
