jbonofre opened a new pull request, #2074:
URL: https://github.com/apache/activemq/pull/2074

   ## Summary
   - Change the admin security constraint in `assembly/src/release/conf/jetty.xml` from `*.action` to `/admin/*` so the entire web console (including read-only pages like queue listings and message browsing) requires the `admins` role, not just the action endpoints.
   - Add comments to each constraint mapping (`/`, `/admin/*`, `/api/jolokia/*`) explaining its scope and intent.
   - Remove a duplicated pair of `Referrer-Policy` and `Permissions-Policy` rewrite rules that were already declared earlier in the rule list.
   
   ## Test plan
   - [ ] Start the broker with the default `jetty.xml` and confirm `/admin/` prompts for credentials and only accepts users in the `admins` role.
   - [ ] Confirm `/api/jolokia/*` still requires admin.
   - [ ] Confirm response headers still include `Referrer-Policy` and `Permissions-Policy` (now declared once).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
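
The effect of the path-spec change described in the pull request, as an added example that is not code from the pull request or from ActiveMQ: it models which role a request path needs before and after the change. Assumptions: the simplified `<mapping>` format, the `users` role on `/`, the sample paths, and that only the single best-matching mapping applies (servlet-style order: exact, longest prefix, extension, default).

```python
import xml.etree.ElementTree as ET

# Constructed, simplified stand-in for the constraint mappings in jetty.xml.
# The "users" role on "/" is an assumption; the page names only "admins".
CONF = """<conf>
  <before>
    <mapping pathSpec="/" roles="users"/>
    <mapping pathSpec="*.action" roles="admins"/>
    <mapping pathSpec="/api/jolokia/*" roles="admins"/>
  </before>
  <after>
    <mapping pathSpec="/" roles="users"/>
    <mapping pathSpec="/admin/*" roles="admins"/>
    <mapping pathSpec="/api/jolokia/*" roles="admins"/>
  </after>
</conf>"""

def load(section):
    """Return [(pathSpec, roles)] for the 'before' or 'after' section."""
    root = ET.fromstring(CONF)
    return [(m.get("pathSpec"), m.get("roles")) for m in root.find(section)]

def rank(spec, path):
    """Sort key if spec matches path, else None: exact > prefix > extension > default."""
    if spec == path:
        return (3, len(spec))
    if spec.endswith("/*") and (path == spec[:-2] or path.startswith(spec[:-1])):
        return (2, len(spec))  # a longer prefix beats a shorter one
    if spec.startswith("*.") and path.endswith(spec[1:]):
        return (1, len(spec))
    if spec == "/":
        return (0, 0)
    return None

def required_roles(mappings, path):
    """Roles of the single best-matching mapping, or None if nothing matches."""
    hits = [(rank(s, path), r) for s, r in mappings if rank(s, path) is not None]
    return max(hits)[1] if hits else None

if __name__ == "__main__":
    # Constructed sample request paths.
    for path in ("/admin/queues.jsp", "/admin/deleteDestination.action",
                 "/api/jolokia/read", "/index.html", "/other.action"):
        print(f"{path:35} before={required_roles(load('before'), path)}"
              f" after={required_roles(load('after'), path)}")
```

Under this model a `.action` path outside `/admin/` falls back to the `/` mapping after the change, so it is worth confirming that no action endpoints live outside that prefix.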