[jira] [Work logged] (ARTEMIS-6037) Refactor handling of cluster credentials

Fri, 01 May 2026 08:38:04 -0700 


     [ 
https://issues.apache.org/jira/browse/ARTEMIS-6037?focusedWorklogId=1018279&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1018279
 ]

ASF GitHub Bot logged work on ARTEMIS-6037:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 01/May/26 15:37
            Start Date: 01/May/26 15:37
    Worklog Time Spent: 10m 
      Work Description: jbertram commented on code in PR #6396:
URL: https://github.com/apache/artemis/pull/6396#discussion_r3173838472


##########
artemis-server/src/main/java/org/apache/activemq/artemis/core/server/cluster/ClusterController.java:
##########
@@ -407,11 +407,19 @@ public void handlePacket(Packet packet) {
 
                ClusterConnectMessage msg = (ClusterConnectMessage) packet;
 
-               if (server.getConfiguration().isSecurityEnabled() && 
!clusterConnection.verify(msg.getClusterUser(), msg.getClusterPassword())) {
-                  clusterChannel.send(new ClusterConnectReplyMessage(false));
-               } else {
+               boolean userIsValid = false;
+               try {
+                  server.validateUser(msg.getClusterUser(), 
msg.getClusterPassword(), null, null);
+                  userIsValid = true;
+               } catch (Exception e) {
+                  // cluster user isn't valid

Review Comment:
   The `ClusterController` now uses 
`org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl#validateUser` 
just like all other authentication attempts. This method already logs 
authentication failures via 
`org.apache.activemq.artemis.core.server.ActiveMQServerLogger#securityProblemWhileAuthenticating`.





Issue Time Tracking
-------------------

    Worklog Id:     (was: 1018279)
    Time Spent: 1h 20m  (was: 1h 10m)

> Refactor handling of cluster credentials
> ----------------------------------------
>
>                 Key: ARTEMIS-6037
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-6037
>             Project: Artemis
>          Issue Type: Task
>            Reporter: Justin Bertram
>            Assignee: Justin Bertram
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> To strengthen broker security out-of-the-box we should reject any connection 
> using the default cluster credentials. We already force users to explicitly 
> select a custom username and password when a non-clustered broker instance is 
> created. Additionally, we force them to explicitly select custom cluster 
> credentials when creating a clustered broker instance. However, there are 
> still default values for cluster credentials that we should categorically 
> reject.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to