On 8 April 2013 18:17, Justin Ross <[email protected]> wrote:

> These are all improvements, even the first one.  No doubt it's an
> important security enhancement, but it's not a regression,


Some might argue there is a regression of sorts, as you couldn't previously
do things like change the SSL, authentication, ACL, etc. settings that you
can now.


> and it
> seems reasonable to release note that you should enable acls if you
> wish to use the web console.  I'd be more inclined to accept it if the
> change were small, but it isn't.
>
>
For what it's worth, the changes really are quite 'small'. Much of the diff
is simply moving code that would have otherwise had to be needlessly
duplicated into a utility class, and so isn't actually all that great of a
change.

> It's hard for me to reconcile these changes with the goals for a
> second release candidate.  I hope you can tell that I ordinarily try
> to be very flexible, but this doesn't make sense.
>
> Honest question: if you have a compelling reason to introduce these
> changes into a stable stream before 0.24, should we have a distinct
> branch for that purpose?
>


I'm a little unclear on what you mean here: is it a '0.22.1' release or
simply putting the changes on a branch before introducing them to 0.22?

If the latter, it's worth mentioning these changes compose basically the
entire set of differences in the Java tree between trunk and 0.22 RC1
currently, so that has already occurred in a way.


>
> Justin
>
> On Mon, Apr 8, 2013 at 9:45 AM, Oleksandr Rudyy <[email protected]> wrote:
> > Hi Justin,
> >
> > Could you please approve the inclusion of the following into 0.22:
> >
> > JIRA: QPID-4705
> > Revision: http://svn.apache.org/r1465590
> > Description:
> > It fixes the potential security hole with access to the web management
> > console and REST interfaces. Without the fix, if ACL is not configured (by
> > default no ACL is configured) it is possible to access the web management
> > console anonymously and do any configuration changes including password
> > change, configure authentication providers etc. The commit in revision
> > r1465590 <http://svn.apache.org/r1465590> stops this from happening by
> > adding functionality to check whether the request is authenticated or
> > authorised and send the redirect to the login page (for web management
> > console) or send the error status codes (401,403) for rest requests. The
> > changes are isolated to the http management plugin and do not affect the
> > broker core functionality.
> >
> >
> > JIRA: QPID-4725 <https://issues.apache.org/jira/browse/QPID-4725>
> > Revision: http://svn.apache.org/r1465457
> > Description: Enhances the web management console to display a principal
> > associated with a connection on connection and virtualhost tabs. The
> > changes are isolated to web console UI and of low risk.
> >
> >
> > JIRA: QPID-4726 <https://issues.apache.org/jira/browse/QPID-4726>
> > Revision: http://svn.apache.org/r1465459
> > Description: Improves SASL support for AMQP 1.0 client. The changes affect
> > only 1.0 AMQP functionality and are of low risk.
> >
> > Kind Regards,
> > Alex
>
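The check Alex describes for QPID-4705 (redirect unauthenticated browser requests to the login page, answer unauthenticated REST calls with 401 and unauthorised ones with 403) sketched as a servlet filter. This is an added illustration, not the Qpid project's own code; the session attribute name, the login and REST paths, and the isAuthorised hook are assumptions for the example.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Illustrative management-plugin auth filter; hypothetical names throughout. */
public class ManagementAuthFilter implements Filter {
    // Assumed for this example: where the login servlet stores the principal,
    // the login page path, and the prefix under which REST resources live.
    static final String PRINCIPAL_ATTR = "example.principal";
    static final String LOGIN_PAGE = "/login.html";
    static final String REST_PREFIX = "/rest/";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String info = request.getPathInfo();
        String path = request.getServletPath() + (info == null ? "" : info);

        // The login page itself must stay reachable, or unauthenticated
        // browsers would loop between the redirect and the filter.
        if (path.equals(LOGIN_PAGE)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false): never create a session for an anonymous caller.
        HttpSession session = request.getSession(false);
        Object principal = session == null ? null : session.getAttribute(PRINCIPAL_ATTR);
        if (principal == null) {
            if (path.startsWith(REST_PREFIX)) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // 401
            } else {
                response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            }
            return;
        }
        // Authenticated but not permitted: 403 rather than a redirect.
        if (!isAuthorised(principal, request)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    // Hypothetical hook: a real broker would consult its ACL provider here.
    boolean isAuthorised(Object principal, HttpServletRequest request) {
        return true;
    }
}
```

Registering the filter on the whole management context is what closes the hole the report describes; as with the original fix, the broker core is untouched.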
