Carsten Langer created AMQ-8522:
-----------------------------------

             Summary: Everybody granted full privileges on /api/* in jetty.xml
                 Key: AMQ-8522
                 URL: https://issues.apache.org/jira/browse/AMQ-8522
             Project: ActiveMQ
          Issue Type: Bug
          Components: Web Console
    Affects Versions: 5.16.4
            Reporter: Carsten Langer


Everybody granted full privileges on {{/api/*}} in jetty.xml

Before fixing AMQ-5388, the ConstraintMapping for the "user" role contained 
the path part {{"/api/*"}}, thus binding any API call to the "user" role.


With the fix for AMQ-5388 the path part {{"/api/*"}} was removed. This has the 
effect that a request to {{"/api/message/..."}} or {{"/api/jolokia/..."}} is 
allowed to everybody.

IMHO the path part {{"/api/*"}} should be added back to the ConstraintMapping 
mapping.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
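
A configuration check for the gap described in this report, as an added example that is not part of the original message or ActiveMQ's own code: it reads the `pathSpec` entries of every `ConstraintMapping` bean and lists request paths that no constraint covers. The XML fragments, bean ids and request paths are constructed for illustration, and it assumes `pathSpec` holds comma-separated servlet path specs.

```python
import xml.etree.ElementTree as ET

MAPPING_CLASS = "org.eclipse.jetty.security.ConstraintMapping"

# Constructed fragments modelled on the report, not copied from ActiveMQ's jetty.xml.
WITH_API = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint"/>
    <property name="pathSpec" value="/api/*,/admin/*,*.jsp"/>
  </bean>
</beans>"""
WITHOUT_API = WITH_API.replace("/api/*,", "")

def _local(tag):
    """Strip an XML namespace prefix such as '{http://...}bean'."""
    return tag.rsplit("}", 1)[-1]

def path_specs(xml_text):
    """Collect every pathSpec entry declared on a ConstraintMapping bean."""
    specs = []
    for bean in ET.fromstring(xml_text).iter():
        if _local(bean.tag) != "bean" or bean.get("class") != MAPPING_CLASS:
            continue
        for prop in bean:
            if _local(prop.tag) == "property" and prop.get("name") == "pathSpec":
                specs += [s.strip() for s in prop.get("value", "").split(",") if s.strip()]
    return specs

def spec_matches(spec, path):
    """Servlet-style matching: '/x/*' prefix, '*.ext' suffix, '/' default, else exact."""
    if spec in ("/", "/*"):
        return True
    if spec.endswith("/*"):
        base = spec[:-2]
        return path == base or path.startswith(base + "/")
    if spec.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(spec[1:])
    return path == spec

def unconstrained(xml_text, paths):
    """Return the request paths that no ConstraintMapping covers."""
    specs = path_specs(xml_text)
    return [p for p in paths if not any(spec_matches(s, p) for s in specs)]

SAMPLE_PATHS = ["/api/message/EXAMPLE.QUEUE", "/api/jolokia/read", "/admin/queues.jsp"]

if __name__ == "__main__":
    for name, cfg in (("with /api/*", WITH_API), ("without /api/*", WITHOUT_API)):
        print(name, "->", unconstrained(cfg, SAMPLE_PATHS))
```

Run against a deployed `jetty.xml` by passing its contents to `unconstrained()` together with the API paths the broker exposes; any path returned is served without an authentication constraint.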