Posted to users@activemq.apache.org by Tom Samplonius <to...@samplonius.org> on 2007/06/28 20:27:04 UTC

Being serious about "secure by design" (was Re: About releases and bugs)

----- "James Strachan" <ja...@gmail.com> wrote:

...

> > Authentication and security should be mandatory, but the
> > ActiveMQ.Agent feature doesn't work if auth is enabled.
> 
> I'm not aware of any MOM where authentication and security are
> mandatory out of the box; it's usually always something you configure
> using whatever technologies you like.

  No, James, I think you missed the point: authentication of any kind can't be used at the same time as ActiveMQ.Agent.  ActiveMQ will crash on start.

  So ActiveMQ.Agent is completely incompatible with authentication.  This is a design flaw.  And it does not fit with the "secure by design" philosophy.


> > Neither does the Web Console queueBrowser.  These components should
> > be moved to a sandbox.
> 
> Huh?

  The Web Console queueBrowser is also incompatible with authentication.  If you use authentication, the queueBrowser crashes.


  So, in keeping with the "secure by design" philosophy, the Web Console and ActiveMQ.Agent should be moved to a sandbox, until someone fixes them.  I think this is a completely reasonable approach.


Tom