[ https://issues.apache.org/jira/browse/QPID-4705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13627726#comment-13627726 ]
Justin Ross commented on QPID-4705: ----------------------------------- Reviewed by Robbie. Approved for 0.22. > [Java Broker] anonymous users are able to view and update broker > configuration via the web console by default > ------------------------------------------------------------------------------------------------------------- > > Key: QPID-4705 > URL: https://issues.apache.org/jira/browse/QPID-4705 > Project: Qpid > Issue Type: Bug > Components: Java Broker > Affects Versions: 0.18, 0.20, 0.22 > Reporter: Alex Rudyy > Assignee: Robbie Gemmell > Priority: Blocker > Fix For: 0.23 > > > In previous releases the default configuration allowed anonymous users to > view and perform a limited set of operations via the new web management > interface, with ability to restrict these via the ACLs. For the 0.22 release, > the broker-level configuration model has been replaced and is now entirely > configurable via the web management interface, exposing additional > configuration for viewing and/or manipulation that was previously either not > exposed via HTTP or only read-only. > Now that functionality such as configuring the used authentication providers, > ports, SSL, etc can done via the web interface it should be authenticated by > default, with anonymous access only being provided where the user explicitly > assigns the anonymous authentication provider to the HTTP(S) port/ports in > use. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org