These are all improvements, even the first one. No doubt it's an important security enhancement, but it's not a regression, and it seems reasonable to release note that you should enable acls if you wish to use the web console. I'd be more inclined to accept it if the change were small, but it isn't.
It's hard for me to reconcile these changes with the goals for a second release candidate. I hope you can tell that I ordinarily try to be very flexible, but this doesn't make sense. Honest question: if you have a compelling reason to introduce these changes into a stable stream before 0.24, should we have a distinct branch for that purpose?

Justin

On Mon, Apr 8, 2013 at 9:45 AM, Oleksandr Rudyy <[email protected]> wrote:
> Hi Justin,
>
> Could you please approve the inclusion of the following into 0.22:
>
> JIRA: QPID-4705
> Revision: http://svn.apache.org/r1465590
> Description:
> It fixes the potential security hole with access to the web management
> console and REST interfaces. Without the fix, if ACL is not configured (by
> default no ACL is configured) it is possible to access the web management
> console anonymously and do any configuration changes, including password
> change, configuring authentication providers etc. The commit in revision
> r1465590 <http://svn.apache.org/r1465590> stops this from happening by
> adding functionality to check whether the request is authenticated or
> authorised and send the redirect to the login page (for the web management
> console) or send the error status codes (401, 403) for REST requests. The
> changes are isolated to the http management plugin and do not affect the
> broker core functionality.
>
> JIRA: QPID-4725 <https://issues.apache.org/jira/browse/QPID-4725>
> Revision: http://svn.apache.org/r1465457
> Description: Enhances the web management console to display a principal
> associated with a connection on connection and virtualhost tabs. The
> changes are isolated to the web console UI and are of low risk.
>
> JIRA: QPID-4726 <https://issues.apache.org/jira/browse/QPID-4726>
> Revision: http://svn.apache.org/r1465459
> Description: Improves SASL support for the AMQP 1.0 client. The changes
> affect only AMQP 1.0 functionality and are of low risk.
>
> Kind Regards,
> Alex
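The gate Alex describes for QPID-4705 (check authentication, then authorisation; redirect a browser to the login page, answer a REST call with 401 or 403), shown as an added example in the shape of a servlet filter. This is illustration code written for this thread, not the Qpid commit; the session attribute name, the login page path, the `/rest/` prefix and the `isAuthorised` hook are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Gate in front of a management web console and its REST interface. An
// unauthenticated browser is redirected to the login page; an unauthenticated
// REST call gets 401; an authenticated but unauthorised caller gets 403.
public class ManagementAuthFilter implements Filter {
    // Assumed names: the login servlet stores the principal under this key,
    // the console lives under /, and the REST interface under /rest/.
    private static final String PRINCIPAL_ATTR = "principal";
    private static final String LOGIN_PAGE = "/login.html";
    private static final String REST_PREFIX = "/rest/";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        String path = request.getRequestURI().substring(request.getContextPath().length());
        boolean isRest = path.startsWith(REST_PREFIX);

        // The login page itself must stay reachable or nobody can ever log in.
        if (path.equals(LOGIN_PAGE)) { chain.doFilter(req, resp); return; }

        // getSession(false): do not hand an anonymous caller a fresh session.
        HttpSession session = request.getSession(false);
        Object principal = session == null ? null : session.getAttribute(PRINCIPAL_ATTR);

        if (principal == null) {                          // not authenticated
            if (isRest) response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            else response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        if (!isAuthorised(principal, path, request.getMethod())) { // not authorised
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, resp);                        // authenticated and authorised
    }

    // Assumed hook into the broker's ACL. Returning true when no ACL is
    // configured keeps today's behaviour for logged-in users; the point of
    // the gate above is that anonymous callers never get this far.
    protected boolean isAuthorised(Object principal, String path, String method) {
        return true;
    }
}
```

The filter has to be mapped in front of both the console and the REST servlets; leaving either mapping out recreates the anonymous-access hole the commit closes.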
