Hi, we can consider this a bug.

The reason for the change is that Jetty 11 doesn't handle the patterns the same way as Jetty 9. So what we had as a security constraint in Jetty 9 doesn't work in Jetty 11. Jetty 11 doesn't allow wildcard matching the same way. I will fix that by securing the root context.

Regards
JB

On Wed, 10 Apr 2024 at 13:33, Vilius Šumskas <vilius.sums...@rivile.lt> wrote:

> Hi,
>
> oh, I remember this. This is exactly what I did in
> https://github.com/apache/activemq/commit/c67ada04c77e9379ef25ac62d5ea1fcf20cf8b8f
> , and at least the /admin endpoint was tested and was properly protected after
> that fix. However, I see that the configuration went through a couple of changes
> again since then, and then finally all protection was removed in
> https://github.com/apache/activemq/commit/07d469287f419f9f8afe17bc1585073446b520d5
> . Not sure why, maybe something is rewriting paths now?
>
> Unless my knowledge of Jetty fails me, I agree that / + the static file
> types from the templates should protect everything.
>
> --
> Vilius
>
> -----Original Message-----
> From: Zeissig, Martin <mzeis...@gk-software.com>
> Sent: Wednesday, April 10, 2024 12:33 PM
> To: users@activemq.apache.org
> Subject: Disabled authentication ActiveMQ Classic Webapps since V6.x
>
> Dear Community
>
> I have updated from ActiveMQ Classic 5.x to 6.1.1.
> Since the update to 6.1.1, the API (webapps jolokia) is unprotected and can be
> accessed without basic authentication:
>
> Example:
> http://localhost:8161/api
>
> In previous ActiveMQ Classic versions (5.x) the API was protected with
> authentication as standard. Now in ActiveMQ Classic versions 6.x the
> pathSpec is set to *.jsp only, which enables unprotected access to all
> webapps including the API.
>
> AMQ Classic 5.x
>
>     <bean id="securityConstraintMapping"
>           class="org.eclipse.jetty.security.ConstraintMapping">
>         <property name="constraint" ref="securityConstraint" />
>         <property name="pathSpec"
>                   value="/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico" />
>     </bean>
>
> AMQ Classic 6.x
>
>     <bean id="securityConstraintMapping"
>           class="org.eclipse.jetty.security.ConstraintMapping">
>         <property name="constraint" ref="securityConstraint" />
>         <property name="pathSpec" value="*.jsp" />
>     </bean>
>
> From a security perspective it looks to me like a step backward. Was the
> change intentional or is this a bug?
>
> I recommend restricting access to root (/) to fully protect all endpoints.
> Lower security can be set up by users manually if needed.
>
>     <bean id="securityConstraintMapping"
>           class="org.eclipse.jetty.security.ConstraintMapping">
>         <property name="constraint" ref="securityConstraint" />
>         <property name="pathSpec" value="/" />
>     </bean>
>
>
> Best regards
>
> Martin
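To make the difference between the three pathSpec values in the thread concrete, here is a small added model (not ActiveMQ or Jetty code) that evaluates the comma-separated pathSpec strings against a few request paths using the Servlet URL-pattern rules (exact, `/prefix/*`, `*.ext`, and `/` as catch-all). The probe paths and the catch-all reading of `/` are assumptions for illustration; the Jetty 9 vs 11 matching difference JB describes is deliberately not modelled.

```python
from typing import List

# The three pathSpec values quoted in the thread (ActiveMQ Classic 5.x, 6.x, Martin's proposal).
PATHSPEC_AMQ5 = "/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico"
PATHSPEC_AMQ6 = "*.jsp"
PATHSPEC_ROOT = "/"

# Constructed sample request paths, chosen to cover the API, the admin console and static files.
PROBE_PATHS = ["/api", "/api/jolokia/read", "/admin", "/admin/index.jsp", "/index.html"]


def parse_path_spec(value: str) -> List[str]:
    """Split the comma-separated pathSpec property of a ConstraintMapping bean."""
    return [s.strip() for s in value.split(",") if s.strip()]


def spec_matches(spec: str, path: str) -> bool:
    """Servlet-style URL-pattern match for a single spec against a request path.

    Assumption: '/' is read as a catch-all (default mapping), which is how the
    thread expects it to behave; extension and prefix rules follow the Servlet spec.
    """
    if spec == "/":
        return True                                   # default mapping: every request
    if spec.startswith("*."):
        return path.endswith(spec[1:])                # extension mapping, e.g. *.jsp
    if spec.endswith("/*"):
        prefix = spec[:-2]
        return path == prefix or path.startswith(prefix + "/")  # prefix, e.g. /api/*
    return path == spec                               # exact mapping


def matching_specs(path_spec_value: str, path: str) -> List[str]:
    """Return every spec in the pathSpec value that covers the given path."""
    return [s for s in parse_path_spec(path_spec_value) if spec_matches(s, path)]


def is_protected(path_spec_value: str, path: str) -> bool:
    """A path is covered by the constraint if at least one spec matches it."""
    return bool(matching_specs(path_spec_value, path))


def unprotected_paths(path_spec_value: str, probes: List[str] = PROBE_PATHS) -> List[str]:
    """List the probe paths that the constraint mapping would leave without authentication."""
    return [p for p in probes if not is_protected(path_spec_value, p)]


if __name__ == "__main__":
    for label, value in (("5.x", PATHSPEC_AMQ5), ("6.x", PATHSPEC_AMQ6), ("root", PATHSPEC_ROOT)):
        print(f"{label:5} pathSpec={value!r:60} unprotected={unprotected_paths(value)}")
```

Run as a script it prints, per configuration, which probe paths fall outside the constraint; with the 6.x value only the .jsp page is covered, while `/` and the 5.x list cover every probe.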