[
https://issues.apache.org/jira/browse/AMQ-8522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17501887#comment-17501887
]
ASF subversion and git services commented on AMQ-8522:
------------------------------------------------------
Commit 538d86fbff201da6d4bdac825398ad7073f4b50b in activemq's branch
refs/heads/activemq-5.16.x from Jean-Baptiste Onofré
[ https://gitbox.apache.org/repos/asf?p=activemq.git;h=538d86f ]
[AMQ-8522] Secure /api path on the web console
(cherry picked from commit a74fe37582dc7cabc77828fda9642f580f4cf857)
> Everybody granted full privileges on /api/* in jetty.xml
> --------------------------------------------------------
>
> Key: AMQ-8522
> URL: https://issues.apache.org/jira/browse/AMQ-8522
> Project: ActiveMQ
> Issue Type: Bug
> Components: Web Console
> Affects Versions: 5.16.4
> Reporter: Carsten Langer
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: 5.17.0, 5.16.5
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Everybody granted full privileges on {{/api/*}} in jetty.xml
> Before fixing AMQ-5388, the ContstraintMapping for the "user" role contained
> the path part {{{}"/api/*"{}}}, thus binding any API call to the "user" role.
> With the fix for AMQ-5388 the path part {{"/api/*"}} was removed. This has
> the effect that a request to {{"/api/message/..."}} or {{"/api/jolokia/..."}}
> is allowed to everybody.
> IMHO the path part {{"/api/*"}} should be added back to the
> ContstraintMapping mapping.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
