Reputation: 27455
I'm writing a test application using ActiveMQ embedded broker
on the same machine. I tried to configure it as follows:
activemq.xml
:
<amq:broker useJmx="false" persistent="false">
<amq:transportConnectors>
<amq:transportConnector uri="tcp://localhost:61616" />
</amq:transportConnectors>
</amq:broker>
<amq:simpleAuthenticationPlugin >
<amq:users>
<amq:authenticationUser username="system" password="manager"
groups="users,admins" />
</amq:users>
</amq:simpleAuthenticationPlugin>
Tomcat's context.xml
: !!The Password is deliberately incorrect!!
<Resource name="jms/ConnectionFactory" auth="Container" userName="userssname" password="passwords"
type="org.apache.activemq.ActiveMQConnectionFactory" description="JMS Connection Factory"
factory="org.apache.activemq.jndi.JNDIReferenceFactory" brokerURL="tcp://localhost:61616"
brokerName="LocalActiveMQBroker" />
But, when I try to perform injection I can easily create a ConnectionFactory
object and send/receive messages even with incorrect password. How can I deny this?
Upvotes: 3
Views: 1857
Reputation: 548
I believe that you need to add authorization entries for queues and topics as well.
Example authorization plugin configuration:
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue=">" write="admins,publishers" read="admins,consumers" admin="admins" />
<authorizationEntry topic=">" write="admins,publishers" read="admins,consumers" admin="admins" />
<authorizationEntry topic="ActiveMQ.Advisory.>" read="everyone" write="everyone" admin="everyone"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
Upvotes: 3