Apache ActiveMQ
Apache Software Foundationmiddleware3 credentials
JAAS User Password
apache-activemq / jaas-user-password
ActiveMQ Classic provides pluggable security and commonly uses JAAS for authentication. ActiveMQ documents the PropertiesLoginModule with users.properties and groups.properties files for username/password and group mapping.
Looks like
pattern^[^#=\r\n]+\s*=\s*[^\r\n]+$Location
users.properties, groups.properties, login.config, activemq.xmlJAAS user/password and group files referenced by ActiveMQ broker configuration
ACTIVEMQ_USER, ACTIVEMQ_PASSWORD, ACTIVEMQ_ADMIN_LOGIN, ACTIVEMQ_ADMIN_PASSWORDKubernetes Secrets, Docker secrets, cloud secret managers, and deployment vaults
broker configs, Docker Compose files, tests, and committed examples
broker authentication failures, startup logs, and CI output
OpenWire 61616, web consoleActiveMQ broker and management login surfaces
Notes
ActiveMQ credentials may protect broker destinations, JMX, and web console access depending on configuration.
Anonymous Access Configuration
apache-activemq / anonymous-access
ActiveMQ can allow anonymous access by setting anonymousAccessAllowed. The documentation states that clients connecting without username and password are assigned a default anonymous username and group unless changed.
Looks like
patternanonymousAccessAllowed\s*=\s*["']?true["']?Location
activemq.xmlbroker authentication plugin configuration
committed broker configs, Helm charts, and Docker Compose files
container images or VM images containing permissive broker config
Notes
Anonymous access is not a credential, but it creates passwordless broker access and should be triaged with network exposure and destination ACLs.
Web Console Password
apache-activemq / web-console-password
ActiveMQ deployments often protect the web console with web application or JAAS credentials separate from broker clients. These credentials are stored in deployment-specific configuration.
Location
jetty-realm.properties, web console config, login.config, and activemq.xml
ActiveMQ web consolebrowser-based broker management interface
deployment vaults, container secrets, and CI/CD variables
committed web console realm files and examples
web console authentication logs and startup output
Notes
Do not model admin/admin or other example credentials as universal defaults unless a specific package or image source states they ship that way.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.