[
https://issues.apache.org/jira/browse/QPID-4705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13627726#comment-13627726
]
Justin Ross commented on QPID-4705:
-----------------------------------
Reviewed by Robbie. Approved for 0.22.
> [Java Broker] anonymous users are able to view and update broker
> configuration via the web console by default
> -------------------------------------------------------------------------------------------------------------
>
> Key: QPID-4705
> URL: https://issues.apache.org/jira/browse/QPID-4705
> Project: Qpid
> Issue Type: Bug
> Components: Java Broker
> Affects Versions: 0.18, 0.20, 0.22
> Reporter: Alex Rudyy
> Assignee: Robbie Gemmell
> Priority: Blocker
> Fix For: 0.23
>
>
> In previous releases the default configuration allowed anonymous users to
> view and perform a limited set of operations via the new web management
> interface, with ability to restrict these via the ACLs. For the 0.22 release,
> the broker-level configuration model has been replaced and is now entirely
> configurable via the web management interface, exposing additional
> configuration for viewing and/or manipulation that was previously either not
> exposed via HTTP or only read-only.
> Now that functionality such as configuring the used authentication providers,
> ports, SSL, etc can done via the web interface it should be authenticated by
> default, with anonymous access only being provided where the user explicitly
> assigns the anonymous authentication provider to the HTTP(S) port/ports in
> use.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
