lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Apache ActiveMQ

Apache Software Foundationmiddleware3 credentials

Credentials3 documented
01

JAAS User Password

apache-activemq / jaas-user-password

ActiveMQ Classic provides pluggable security and commonly uses JAAS for authentication. ActiveMQ documents the PropertiesLoginModule with users.properties and groups.properties files for username/password and group mapping.

user definedsecretusername/password

Looks like

pattern
pattern

ActiveMQ users.properties username=password entry; context identifies ActiveMQ JAAS users

^[^#=\r\n]+\s*=\s*[^\r\n]+$

Location

config file
users.properties, groups.properties, login.config, activemq.xml

JAAS user/password and group files referenced by ActiveMQ broker configuration

environment
ACTIVEMQ_USER, ACTIVEMQ_PASSWORD, ACTIVEMQ_ADMIN_LOGIN, ACTIVEMQ_ADMIN_PASSWORD
secret store

Kubernetes Secrets, Docker secrets, cloud secret managers, and deployment vaults

source code

broker configs, Docker Compose files, tests, and committed examples

logs

broker authentication failures, startup logs, and CI output

public interface
OpenWire 61616, web console

ActiveMQ broker and management login surfaces

Notes

ActiveMQ credentials may protect broker destinations, JMX, and web console access depending on configuration.

02

Anonymous Access Configuration

apache-activemq / anonymous-access

ActiveMQ can allow anonymous access by setting anonymousAccessAllowed. The documentation states that clients connecting without username and password are assigned a default anonymous username and group unless changed.

user definedcontext dependentother

Looks like

pattern
pattern

ActiveMQ configuration allowing clients without credentials

anonymousAccessAllowed\s*=\s*["']?true["']?

Location

config file
activemq.xml

broker authentication plugin configuration

source code

committed broker configs, Helm charts, and Docker Compose files

image

container images or VM images containing permissive broker config

Notes

Anonymous access is not a credential, but it creates passwordless broker access and should be triaged with network exposure and destination ACLs.

03

Web Console Password

apache-activemq / web-console-password

ActiveMQ deployments often protect the web console with web application or JAAS credentials separate from broker clients. These credentials are stored in deployment-specific configuration.

user definedsecretusername/password

Location

config file

jetty-realm.properties, web console config, login.config, and activemq.xml

public interface
ActiveMQ web console

browser-based broker management interface

secret store

deployment vaults, container secrets, and CI/CD variables

source code

committed web console realm files and examples

logs

web console authentication logs and startup output

Notes

Do not model admin/admin or other example credentials as universal defaults unless a specific package or image source states they ship that way.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.