I'm writing a test application using ActiveMQ embedded broker on the same machine. I tried to configure it as follows:
activemq.xml:
<amq:broker useJmx="false" persistent="false">
<amq:transportConnectors>
<amq:transportConnector uri="tcp://localhost:61616" />
</amq:transportConnectors>
</amq:broker>
<amq:simpleAuthenticationPlugin >
<amq:users>
<amq:authenticationUser username="system" password="manager"
groups="users,admins" />
</amq:users>
</amq:simpleAuthenticationPlugin>
Tomcat's context.xml: !!The Password is deliberately incorrect!!
<Resource name="jms/ConnectionFactory" auth="Container" userName="userssname" password="passwords"
type="org.apache.activemq.ActiveMQConnectionFactory" description="JMS Connection Factory"
factory="org.apache.activemq.jndi.JNDIReferenceFactory" brokerURL="tcp://localhost:61616"
brokerName="LocalActiveMQBroker" />
But, when I try to perform injection I can easily create a ConnectionFactory object and send/receive messages even with incorrect password. How can I deny this?
I believe that you need to add authorization entries for queues and topics as well.
Example authorization plugin configuration:
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue=">" write="admins,publishers" read="admins,consumers" admin="admins" />
<authorizationEntry topic=">" write="admins,publishers" read="admins,consumers" admin="admins" />
<authorizationEntry topic="ActiveMQ.Advisory.>" read="everyone" write="everyone" admin="everyone"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With