JBoss A-MQ / ENTMQ-2303

AMQ stomp sends stack trace to the client if subscribed with invalid credentials

Details

    • Bug
    • Resolution: Done
    • Major
    • JBoss A-MQ 6.3.x
    • JBoss A-MQ 6.3

      Just connect to the AMQ broker over STOMP using invalid credentials and you'll get the stack trace as part of the ERROR frame.


    Description

      If a STOMP connection is attempted with an invalid username/password, the ERROR frame received by the client also contains the full server-side stack trace, which reveals details about the code running on the broker, especially if a custom authentication plugin is in use:

      java.lang.SecurityException: User name [guest] or password is invalid.
      	at org.apache.activemq.security.JaasAuthenticationBroker.authenticate(JaasAuthenticationBroker.java:97)
      	at org.apache.activemq.security.JaasAuthenticationBroker.addConnection(JaasAuthenticationBroker.java:68)
      	at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:98)
      	at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:103)
      	at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:842)
      	at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:77)
      	at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:139)
      	at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:326)
      	at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:190)
      	at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:45)
      	at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:301)
      	at org.apache.activemq.transport.stomp.StompTransportFilter.sendToActiveMQ(StompTransportFilter.java:97)
      	at org.apache.activemq.transport.stomp.ProtocolConverter.sendToActiveMQ(ProtocolConverter.java:202)
      	at org.apache.activemq.transport.stomp.ProtocolConverter.onStompConnect(ProtocolConverter.java:774)
      	at org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:265)
      	at org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:85)
      	at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
      	at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:214)
      	at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:196)
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: javax.security.auth.login.FailedLoginException: login failed
      	at org.apache.karaf.jaas.modules.properties.PropertiesLoginModule.login(PropertiesLoginModule.java:114)
      	at org.apache.karaf.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:83)
      	at sun.reflect.GeneratedMethodAccessor47.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
      	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
      	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
      	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      	at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
      	at org.apache.activemq.security.JaasAuthenticationBroker.authenticate(JaasAuthenticationBroker.java:92)
      	... 19 more
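
As an added example (not code from this ticket and not ActiveMQ's own code), the following Python parses STOMP frames and flags ERROR frames whose body carries Java stack-trace lines, so a client-side regression test or an egress check can detect the leak described above. The two frames are constructed here to mimic the trace in the ticket; the exact ERROR frame an affected broker emits, and the `content-type` header on it, are assumptions.

```python
"""Parse STOMP frames and flag ERROR frames that leak a Java stack trace.

Added example for ENTMQ-2303; not code from the ticket or from ActiveMQ.
The sample frames below are constructed, and the exact frame an affected
broker sends is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Lines that only a Java stack trace produces:
#   "\tat pkg.Class.method(File.java:NN)", "Caused by: ...", "... N more"
_TRACE_LINE = re.compile(
    r"^\s*(at [\w$.<>]+\([^)]*\)|Caused by: .+|\.\.\. \d+ more)$", re.M
)


@dataclass
class StompFrame:
    command: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def parse_frame(raw: bytes) -> StompFrame:
    """Parse one STOMP frame: COMMAND, header lines, blank line, body, NUL."""
    text = raw.decode("utf-8").replace("\r\n", "\n")
    if not text.endswith("\x00"):
        raise ValueError("frame not NUL-terminated")
    head, _, body = text[:-1].partition("\n\n")
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        key, _, value = line.partition(":")
        # STOMP: if a header repeats, the first occurrence wins.
        headers.setdefault(key.strip(), value.strip())
    return StompFrame(lines[0].strip(), headers, body)


def leaked_trace_lines(frame: StompFrame) -> List[str]:
    """Return the stack-trace lines found in an ERROR frame body (empty if clean)."""
    if frame.command != "ERROR":
        return []
    return [m.group(0).strip() for m in _TRACE_LINE.finditer(frame.body)]


def leaks_server_internals(frame: StompFrame) -> bool:
    """True when the broker's ERROR frame exposes server-side code structure."""
    return bool(leaked_trace_lines(frame))


# Constructed sample: the kind of frame an affected broker sends back.
LEAKY_ERROR = (
    b"ERROR\n"
    b"message:User name [guest] or password is invalid.\n"
    b"content-type:text/plain\n"
    b"\n"
    b"java.lang.SecurityException: User name [guest] or password is invalid.\n"
    b"\tat org.apache.activemq.security.JaasAuthenticationBroker.authenticate(JaasAuthenticationBroker.java:97)\n"
    b"\tat org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:326)\n"
    b"Caused by: javax.security.auth.login.FailedLoginException: login failed\n"
    b"\tat org.apache.karaf.jaas.modules.properties.PropertiesLoginModule.login(PropertiesLoginModule.java:114)\n"
    b"\t... 19 more\n"
    b"\x00"
)

# Constructed sample: the same failure reported without server internals.
CLEAN_ERROR = (
    b"ERROR\n"
    b"message:User name [guest] or password is invalid.\n"
    b"\n"
    b"\x00"
)

if __name__ == "__main__":
    for raw in (LEAKY_ERROR, CLEAN_ERROR):
        frame = parse_frame(raw)
        print(frame.command, frame.headers.get("message"),
              "-> leaked trace lines:", len(leaked_trace_lines(frame)))
```

The check keys on line shapes rather than on ActiveMQ class names, so it also catches traces from a custom authentication plugin, which is the case the description singles out. A broker that is fixed should still return the `message` header (the client needs to know why the CONNECT failed) but an empty body, as in `CLEAN_ERROR`.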

People

    gtully@redhat.com Gary Tully
    rhn-support-adongre Avinash Dongre