[ https://issues.apache.org/jira/browse/AMQ-4567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13697684#comment-13697684 ]

Dejan Bosanac commented on AMQ-4567:
------------------------------------

With svn revision 1498875 I implemented a read-only setup for the web console. 
You can log in with user/user and then you'll be able to look at all the pages, 
but you'll be forbidden to take any actions. A similar setup can be made in the 
Karaf environment as well.

I think this is what most people want. After a bit of research it looks like 
crossing various security realms is a pretty hard problem to overcome. For 
example, going from web to JMX to broker. For JMX we can get the principal, but 
only if JMX is secured, and that doesn't solve the web console problem as we only 
use a single principal to connect to the broker no matter who is using it. And in 
embedded mode we just go and use the API directly.

I think we need to keep JMX access administration-only and secured. But we can 
allow people read-only access to the web console and that should cover most use 
cases.
                
>  JMX operations on broker bypass authorization plugin
> -----------------------------------------------------
>
>                 Key: AMQ-4567
>                 URL: https://issues.apache.org/jira/browse/AMQ-4567
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.8.0
>            Reporter: Torsten Mielke
>              Labels: authorization
>
> When securing the broker using authentication and authorization, any JMX 
> operations on the broker completely bypass the authorization plugin.
> So anyone can modify the broker, bypassing the security checks. Also, because 
> of this it's not possible to define a read-only user for the web console.
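The read-only split the comment above describes (a "user" role that may view every page while only "admin" may trigger actions) is enforced at the servlet layer, in the Jetty container that hosts the web console, rather than in the broker's authorization plugin. The fragment below is an added illustration of that pattern and is not the content of the commit the commenter refers to; the `Constraint` and `ConstraintMapping` classes are Jetty's own, while the bean ids, role names and path specs are assumptions chosen for the example.

```xml
<!-- Illustrative Jetty security constraints for a read-only web console role.
     Assumed: roles "user" and "admin" are defined in the Jetty login realm,
     pages are served as *.jsp and actions are submitted as *.action. -->

<!-- Anyone holding "user" or "admin" may authenticate and view pages. -->
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC" />
    <property name="roles" value="user,admin" />
    <property name="authenticate" value="true" />
</bean>

<!-- Only "admin" may reach the paths that change broker state. -->
<bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC" />
    <property name="roles" value="admin" />
    <property name="authenticate" value="true" />
</bean>

<!-- View-only paths (assumed pattern): any authenticated role. -->
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint" />
    <property name="pathSpec" value="*.jsp" />
</bean>

<!-- Action paths (assumed pattern): admin role required, so a "user" login
     gets HTTP 403 when it tries to purge, delete or send. -->
<bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="adminSecurityConstraint" />
    <property name="pathSpec" value="*.action" />
</bean>
```

The design point worth noting is that this only restricts what the console will do on a user's behalf; as the comment explains, the console still connects to the broker with one fixed principal, so the check lives in the web tier and the broker-side JMX interface must stay separately secured and administration-only.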
