jbonofre opened a new pull request, #2038:
URL: https://github.com/apache/activemq/pull/2038

   Backport of #2025 to `activemq-5.19.x`.
   
   Note: 5.19.x uses `HashLoginService` + `user`/`admin` (singular) roles, so the adapted security mapping wires `jolokiaSecurityConstraintMapping` to the existing `adminSecurityConstraint` (role `admin`). One minor conflict in `invokeStart`'s `depends-on` (adding `inetAccessIncludeLoopbackV6`) was resolved manually.
   
   jetty.xml:
   - Add Referrer-Policy and Permissions-Policy response headers; provide commented-out Strict-Transport-Security for HTTPS deployments.
   - Wrap the existing HandlerCollection in an InetAccessHandler and restrict access to loopback (127.0.0.1, ::1) by default. Provide commented-out templates for RFC1918 includes and exclude rules.
   - Tie Server.start() to the loopback include beans via depends-on so the allow-list is fully populated before the server starts.
   - Add a commented-out ForwardedRequestCustomizer for reverse-proxy setups, with a warning about header spoofing when the proxy does not strip inbound X-Forwarded-* headers.
   - Restrict the Jolokia endpoint (`/api/jolokia/*`) to the admin role via a dedicated security constraint mapping wired into `securityHandler` before the broader users/admin constraint.
   
   jolokia-access.xml:
   - Restrict Jolokia to HTTP POST to kill GET-based CSRF/SSRF vectors.
   - Deny destructive and privileged broker operations (terminateJVM, stop, restart, add/removeConnector, add/removeQueue/Topic, durable subscriber lifecycle, runtime limit setters, reloadLog4jProperties).
   - Deny destination message-data mutation (purge, remove/copy/move messages, sendTextMessage*, pause/resume); browse* remains allowed.
   - Deny durable subscriber destroy/setSelector and JobScheduler removeJob*.
   - Deny NetworkConnector Password/RemotePassword attributes and credential setters.
   - Deny known JMX RCE / introspection surfaces: javax.management.loading MLet, JMImplementation, java.util.logging, java.lang:type=Memory and ClassLoading, plus java.lang:type=Runtime SystemProperties and InputArguments.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
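Added example (not code from the PR, from ActiveMQ or from Jolokia): a small Python model of how a deny-list `jolokia-access.xml` of the kind described in the PR decides a request. The policy fragment is constructed to mirror the listed intent (POST only, destructive operations denied, `browse*` left open, the `javax.management.loading` domain blocked); the ObjectName pattern matching is a simplified reimplementation, not Jolokia's own.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed policy fragment modelled on the jolokia-access.xml intent in the PR
# (POST only; deny purge/sendTextMessage*/stop/terminateJVM). Illustrative only.
POLICY_XML = """<restrict>
  <http><method>post</method></http>
  <deny>
    <mbean>
      <name>org.apache.activemq:type=Broker,brokerName=*</name>
      <operation>terminateJVM</operation><operation>stop</operation>
    </mbean>
    <mbean>
      <name>org.apache.activemq:type=Broker,brokerName=*,destinationType=*,destinationName=*</name>
      <operation>purge</operation><operation>sendTextMessage*</operation>
    </mbean>
    <mbean><name>javax.management.loading:*</name><operation>*</operation></mbean>
  </deny>
</restrict>"""

def _split(name):
    # 'domain:k1=v1,k2=v2' -> (domain, {k1: v1, k2: v2}); a bare '*' becomes key '*'
    domain, _, props = name.partition(":")
    return domain, dict(p.partition("=")[::2] for p in props.split(",") if p)

def _name_matches(pattern, target):
    """Simplified ObjectName match: glob on domain and property values; 'domain:*' matches all."""
    pdom, pkeys = _split(pattern)
    tdom, tkeys = _split(target)
    if not fnmatch.fnmatchcase(tdom, pdom):
        return False
    if "*" in pkeys:
        return True
    return set(pkeys) == set(tkeys) and all(
        fnmatch.fnmatchcase(tkeys[k], v) for k, v in pkeys.items())

def load_policy(xml_text):
    """Return (allowed_http_methods, [(mbean_pattern, [operation_globs]), ...])."""
    root = ET.fromstring(xml_text)
    methods = {m.text.strip().lower() for m in root.findall("./http/method")}
    denies = [(mb.findtext("name").strip(), [o.text.strip() for o in mb.findall("operation")])
              for mb in root.findall("./deny/mbean")]
    return methods, denies

def is_allowed(policy, http_method, mbean, operation):
    """Deny-list evaluation: a disallowed HTTP verb or any matching deny rule blocks the call."""
    methods, denies = policy
    if methods and http_method.lower() not in methods:
        return False
    return not any(_name_matches(name, mbean) and any(fnmatch.fnmatchcase(operation, o) for o in ops)
                   for name, ops in denies)
```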

