Referring to this method, what does it validate against? I assumed it validated against hornetq-users.xml, but I am still able to connect given credentials that are not listed in that file.
It will be done against what's configured on the JAAS at your server:
http://docs.jboss.org/hornetq/2.2.5.Final/user-manual/en/html/security.html
Security is pluggable.