Referring to this method, what does it validate against? I assumed it validated against hornetq-users.xml, but I am still able to connect given credentials that are not listed in that file.
it will be done against what's configured on the JAAS at your server:
Security is pluggable.
Retrieving data ...