This is an automated email from the ASF dual-hosted git repository. robbie pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git
The following commit(s) were added to refs/heads/main by this push: new 5233ba6b80 ARTEMIS-5559 clarify Jolokia ignore-scheme in docs/config 5233ba6b80 is described below commit 5233ba6b8001105a722cdbd375b44e46355fcdf5 Author: Justin Bertram <jbert...@apache.org> AuthorDate: Tue Jul 1 15:05:43 2025 -0500 ARTEMIS-5559 clarify Jolokia ignore-scheme in docs/config --- .../artemis/cli/commands/etc/jolokia-access.xml | 6 +++++ docs/user-manual/management-console.adoc | 27 +++++++++++++++++++--- .../servers/linuxUpgradeETC/jolokia-access.xml | 6 +++++ .../servers/windowsUpgradeETC/jolokia-access.xml | 6 +++++ 4 files changed, 42 insertions(+), 3 deletions(-) diff --git a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/jolokia-access.xml b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/jolokia-access.xml index 8847c8e5b0..e3a2641f63 100644 --- a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/jolokia-access.xml +++ b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/jolokia-access.xml @@ -26,6 +26,12 @@ under the License. <!-- Allow cross-origin access from the origins that match the following pattern ... --> <allow-origin>*://${http.host}*</allow-origin> + <!-- Any request with an Origin header using the HTTPS scheme which is ultimately received by Jolokia via HTTP + is discarded by default since it is deemed insecure. If you use a TLS proxy that transforms secure requests + to insecure requests (e.g. in a Kubernetes environment) then consider changing the proxy to preserve HTTPS + and switching the embedded web server to HTTPS. If that isn’t feasible then you can accept the risk by + uncommenting the following element: --> + <!--ignore-scheme/--> <!-- Options from this point on are auto-generated by Create.java from the Artemis CLI --> ${jolokia.options} 
diff --git a/docs/user-manual/management-console.adoc b/docs/user-manual/management-console.adoc index aa882f5222..c578340171 100644 --- a/docs/user-manual/management-console.adoc +++ b/docs/user-manual/management-console.adoc 
@@ -18,9 +18,30 @@ image::images/console-login.png[ActiveMQ Artemis Console Login] == Security -That Jolokia JMX-HTTP bridge is secured via a policy file in the broker configuration directory: 'etc/jolokia-access.xml'. -The contents of that file should be modified as described in the https://jolokia.org/features/security.html[Jolokia Security Guide]. -By default the console is locked down to 'localhost', pay particular attention to the 'CORS' restrictions when exposing the console web endpoint over the network. +The management console communicates with the broker via HTTP(S). +The broker uses the https://jolokia.org/[Jolokia JMX-HTTP bridge] to convert the contents of these HTTP requests into a JMX operations and then returns the results. + +Security for Jolokia is configured via `etc/jolokia-access.xml`. +You can read more about the contents of this file in the https://jolokia.org/reference/html/manual/security.html[Jolokia Security Guide]. +By default the console is locked down to `localhost`. +Pay particular attention to the `<cors>` restrictions when exposing the console web endpoint over the network. + +[NOTE] +==== +Any request with an `Origin` header using the HTTPS scheme which is ultimately received by Jolokia via HTTP is discarded by default since it is deemed insecure. +If you use a TLS proxy that transforms secure requests to insecure requests (e.g. in a Kubernetes environment) then consider changing the proxy to preserve HTTPS and switching the embedded web server to HTTPS. +If that isn’t feasible then you can accept the risk by specifying following element +[,xml] +---- +<cors> + ... + <ignore-scheme/> + ... +</cors> +---- +==== + +Problems with Jolokia security are often observed as the ability to login to the console, but the console is blank. == Console 
diff --git a/tests/smoke-tests/src/main/filtered-resources/servers/linuxUpgradeETC/jolokia-access.xml b/tests/smoke-tests/src/main/filtered-resources/servers/linuxUpgradeETC/jolokia-access.xml index cdc12d81f6..ea0767f7fe 100644 --- a/tests/smoke-tests/src/main/filtered-resources/servers/linuxUpgradeETC/jolokia-access.xml +++ b/tests/smoke-tests/src/main/filtered-resources/servers/linuxUpgradeETC/jolokia-access.xml @@ -26,6 +26,12 @@ under the License. <!-- Allow cross-origin access from the origins that match the following pattern ... --> <allow-origin>*://localhost*</allow-origin> + <!-- Any request with an Origin header using the HTTPS scheme which is ultimately received by Jolokia via HTTP + is discarded by default since it is deemed insecure. If you use a TLS proxy that transforms secure requests + to insecure requests (e.g. in a Kubernetes environment) then consider changing the proxy to preserve HTTPS + and switching the embedded web server to HTTPS. If that isn’t feasible then you can accept the risk by + uncommenting the following element: --> + <!--ignore-scheme/--> <!-- Options from this point on are auto-generated by Create.java from the Artemis CLI --> <!-- Check for the proper origin on the server side, too --> diff --git a/tests/smoke-tests/src/main/filtered-resources/servers/windowsUpgradeETC/jolokia-access.xml b/tests/smoke-tests/src/main/filtered-resources/servers/windowsUpgradeETC/jolokia-access.xml index cdc12d81f6..ea0767f7fe 100644 --- a/tests/smoke-tests/src/main/filtered-resources/servers/windowsUpgradeETC/jolokia-access.xml +++ b/tests/smoke-tests/src/main/filtered-resources/servers/windowsUpgradeETC/jolokia-access.xml 
@@ -26,6 +26,12 @@ under the License. <!-- Allow cross-origin access from the origins that match the following pattern ... --> <allow-origin>*://localhost*</allow-origin> + <!-- Any request with an Origin header using the HTTPS scheme which is ultimately received by Jolokia via HTTP + is discarded by default since it is deemed insecure. If you use a TLS proxy that transforms secure requests + to insecure requests (e.g. in a Kubernetes environment) then consider changing the proxy to preserve HTTPS + and switching the embedded web server to HTTPS. If that isn’t feasible then you can accept the risk by + uncommenting the following element: --> + <!--ignore-scheme/--> <!-- Options from this point on are auto-generated by Create.java from the Artemis CLI --> <!-- Check for the proper origin on the server side, too --> --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@activemq.apache.org For additional commands, e-mail: commits-h...@activemq.apache.org For further information, visit: https://activemq.apache.org/contact
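Review bot: In the artemis-cli/.../jolokia-access.xml hunk the new comment tells the reader to "accept the risk" without naming it; consider stating in the comment what `<ignore-scheme/>` gives up, namely that Jolokia will no longer reject a request whose `Origin` header uses the `https` scheme but that arrives over plain HTTP, so the existing check no longer tells a TLS-terminated proxy hop apart from a browser that really spoke to the broker without TLS. It would also help to say explicitly that the element must stay inside `<cors>` (the docs hunk shows it that way), and to use a plain ASCII apostrophe in "isn’t" so the template is not the only place in the file carrying a non-ASCII character.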
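Review bot: Two grammar slips in the docs/user-manual/management-console.adoc hunk: "convert the contents of these HTTP requests into a JMX operations" should read "into JMX operations", and "accept the risk by specifying following element" should read "accept the risk by specifying the following element inside `<cors>`:" with a colon introducing the `[,xml]` listing. The closing sentence "observed as the ability to login to the console, but the console is blank" would read better as "often show up as a successful console login followed by a blank console" ("log in" is the verb form). Consider also mentioning that `etc/jolokia-access.xml` already carries the element commented out (`<!--ignore-scheme/-->`, added in the other hunks) so the NOTE and the template stay in step.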
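Review bot: The tests/smoke-tests/.../linuxUpgradeETC/jolokia-access.xml hunk is byte-identical to the windowsUpgradeETC one (both move from index cdc12d81f6 to ea0767f7fe) and both repeat the comment text from the CLI template verbatim; that is three copies of the same wording to keep in sync. If these fixtures are meant to track what `Create.java` emits, consider generating them from the template or adding a test that diffs them against it, noting that they already differ in `<allow-origin>` (`*://localhost*` here versus `*://${http.host}*` in the CLI template), so drift has happened once already.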
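Review bot: Same point as for the linuxUpgradeETC copy applies to tests/smoke-tests/.../windowsUpgradeETC/jolokia-access.xml (identical hunk, cdc12d81f6..ea0767f7fe, same curly apostrophe in "isn’t"). Since the directory name suggests this is the pre-upgrade etc/ used by the upgrade smoke tests, please confirm in the commit message or a comment that adding the new `<!--ignore-scheme/-->` block to the fixture does not change what the upgrade path is expected to produce, otherwise the test may stop exercising the case where an older etc/ lacks the element.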