Even better would be to just disable "<import resource="jetty.xml"/>" in activemq.xml by default. Anyone who wants the web console etc can enable it if they want it.
Colm.

On Tue, Mar 24, 2020 at 5:28 PM Colm O hEigeartaigh <[email protected]> wrote:
> Hi JB,
>
> > You mean the admin REST API right ? Not the rest/http transport connector ?
>
> Yes, what we ship in "webapps/api".
>
> Colm.
>
>> Regards
>> JB
>>
>> > On 24 March 2020 at 17:46, Colm O hEigeartaigh <[email protected]> wrote:
>> >
>> > Hi all,
>> >
>> > I wanted to start a discussion on whether it might be a good idea to
>> > disable the REST API for the AMQ 5.16.0 distribution.
>> >
>> > It makes me a bit uneasy that this is enabled by default. It is secured
>> > using the same basic auth approach as the web console. The problem here is
>> > that the API (correctly) lacks XSRF protection. However, if the admin user
>> > browsed to /api and the browser then saves the creds, then it would be
>> > trivial to implement an XSRF-style attack on the API. Instead, it's better
>> > to secure a REST API with a token.
>> >
>> > As it's a feature that's probably not widely used, it would be better to
>> > disable it by default IMO.
>> >
>> > Thoughts?
>> >
>> > Colm.
