Alex Rudyy created QPID-4705:
--------------------------------
Summary: [Java Broker] anonymous users are able to view and update
broker configuration via the web console by default
Key: QPID-4705
URL: https://issues.apache.org/jira/browse/QPID-4705
Project: Qpid
Issue Type: Bug
Components: Java Broker
Affects Versions: 0.20, 0.18, 0.22
Reporter: Alex Rudyy
Assignee: Alex Rudyy
Priority: Blocker
Fix For: 0.23

In previous releases the default configuration allowed anonymous users to view
and perform a limited set of operations via the new web management interface,
with the ability to restrict these via the ACLs. For the 0.22 release, the
broker-level configuration model has been replaced and is now entirely
configurable via the web management interface, exposing additional
configuration for viewing and/or manipulation that was previously either not
exposed via HTTP or only read-only.

Now that functionality such as configuring the used authentication providers,
ports, SSL, etc. can be done via the web interface, it should be authenticated by
default, with anonymous access only being provided where the user explicitly
assigns the anonymous authentication provider to the HTTP(S) port/ports in use.
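
A configuration check for the condition this issue describes, as an added example that is not part of the original report or of the Qpid code base: it lists HTTP(S) ports that have no authenticating provider assigned. The JSON key names (`authenticationproviders`, `ports`, `authenticationProvider`, `protocols`), the provider type `Anonymous` and the sample configuration are assumptions made for illustration.

```python
import json

# Constructed sample, not taken from the issue. Key names and the provider
# type "Anonymous" are assumptions about the broker's JSON configuration.
SAMPLE_CONFIG = """
{
  "authenticationproviders": [
    {"name": "passwordFile", "type": "PlainPasswordFile"},
    {"name": "anon", "type": "Anonymous"}
  ],
  "ports": [
    {"name": "AMQP", "port": 5672, "authenticationProvider": "anon"},
    {"name": "HTTP", "port": 8080, "authenticationProvider": "anon", "protocols": ["HTTP"]},
    {"name": "HTTPS", "port": 8443, "authenticationProvider": "passwordFile", "protocols": ["HTTPS"]},
    {"name": "HTTP-ALT", "port": 8081, "protocols": ["HTTP"]}
  ]
}
"""
WEB_PROTOCOLS = {"HTTP", "HTTPS"}


def audit_management_ports(config_text):
    """Return (name, port, reason) for each HTTP(S) port lacking an authenticating provider."""
    config = json.loads(config_text)
    types = {p["name"]: p.get("type", "")
             for p in config.get("authenticationproviders", [])}
    findings = []
    for port in config.get("ports", []):
        protocols = {str(x).upper() for x in port.get("protocols", [])}
        if not protocols & WEB_PROTOCOLS:
            continue  # not a web management port
        provider = port.get("authenticationProvider")
        if provider is None:
            reason = "no authentication provider assigned"
        elif provider not in types:
            reason = "unknown authentication provider"
        elif types[provider].lower() == "anonymous":
            reason = "anonymous authentication provider assigned"
        else:
            continue  # an authenticating provider is in place
        findings.append((port.get("name"), port.get("port"), reason))
    return findings


if __name__ == "__main__":
    for finding in audit_management_ports(SAMPLE_CONFIG):
        print("%s (%s): %s" % finding)
```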