Hi

We can consider a bug.

The reason for the change is that Jetty 11 doesn’t handle the patterns
the same way as Jetty 9.

So what we had as security constraint in Jetty 9 doesn’t work in Jetty 11.
Jetty 11 doesn’t allow wildcard matching the same way.

I will fix that by securing the root context.

Regards
JB

On Wed. 10 Apr. 2024 at 13:33, Vilius Šumskas <vilius.sums...@rivile.lt>
wrote:

> Hi,
>
> oh, I remember this. This is exactly what I did in
> https://github.com/apache/activemq/commit/c67ada04c77e9379ef25ac62d5ea1fcf20cf8b8f
> , and at least the /admin endpoint was tested and was properly protected after
> that fix. However, I see that the configuration went through a couple of changes
> again since then, and then finally all protection was removed in
> https://github.com/apache/activemq/commit/07d469287f419f9f8afe17bc1585073446b520d5
> . Not sure why, maybe something is rewriting paths now?
>
> Unless my knowledge of Jetty fails me, I agree that / + static file
> types from templates should protect everything.
>
> --
>     Vilius
>
> -----Original Message-----
> From: Zeissig, Martin <mzeis...@gk-software.com>
> Sent: Wednesday, April 10, 2024 12:33 PM
> To: users@activemq.apache.org
> Subject: Disabled authentication ActiveMQ Classic Webapps since V6.x
>
> Dear Community
>
> I have updated from ActiveMQ Classic 5.x to 6.1.1.
> Since the update to 6.1.1 the API (webapps jolokia) is unprotected and can be
> accessed without basic authentication:
>
> Example:
> http://localhost:8161/api
>
> In previous ActiveMQ Classic versions (5.x) the API was protected with
> authentication by standard. Now in ActiveMQ Classic versions 6.x the
> pathspec is set to *.jsp only which enables unprotected access to all
> webapps including the API.
>
> AMQ Classic 5.x
> <bean id="securityConstraintMapping"
> class="org.eclipse.jetty.security.ConstraintMapping">
>   <property name="constraint" ref="securityConstraint" />
>   <property name="pathSpec"
> value="/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico" /> </bean>
>
> AMQ Classic 6.x
> <bean id="securityConstraintMapping"
> class="org.eclipse.jetty.security.ConstraintMapping">
>   <property name="constraint" ref="securityConstraint" />
>   <property name="pathSpec" value="*.jsp" /> </bean>
>
> From a security perspective it looks to me like a step backward. Was the
> change intentional or is this a bug?
>
> I recommend restricting access to root (/) to fully protect all endpoints.
> Lower security can be set up by users manually if needed.
>
> <bean id="securityConstraintMapping"
> class="org.eclipse.jetty.security.ConstraintMapping">
>   <property name="constraint" ref="securityConstraint" />
>   <property name="pathSpec" value="/" /> </bean>
>
>
> Best regards
>
> Martin
>
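The following is an added example, not code from the ActiveMQ project or from anyone in this thread. It models the servlet-spec pathSpec rules (default `/`, prefix `/x/*`, extension `*.ext`, exact) in plain Python, which is an assumption of the model rather than Jetty's own matcher (JB's point above is precisely that Jetty 11 no longer behaves like this for every pattern), and uses it to compare which constructed sample request paths each of the three `pathSpec` values quoted in the thread leaves outside the security constraint.

```python
# Added example (not from the ActiveMQ project or the thread's authors):
# a simplified model of servlet-spec pathSpec matching, used to compare
# which request paths each ActiveMQ Classic security-constraint mapping
# covers. Real Jetty matching (especially Jetty 11) may differ.

from typing import Dict, Iterable, List


def parse_path_spec(value: str) -> List[str]:
    """Split a comma-separated pathSpec attribute into individual specs."""
    return [spec.strip() for spec in value.split(",") if spec.strip()]


def path_matches(path_spec: str, request_path: str) -> bool:
    """Return True if request_path falls under path_spec.

    Simplified servlet-spec mapping rules (an assumption of this model):
      "/"      default mapping: matches every request path
      "/x/*"   prefix mapping: matches /x and everything below it
      "*.ext"  extension mapping: last path segment ends in .ext
      anything else: exact match
    """
    if path_spec == "/":
        return True
    if path_spec.endswith("/*"):
        prefix = path_spec[:-2]
        return request_path == prefix or request_path.startswith(prefix + "/")
    if path_spec.startswith("*."):
        last_segment = request_path.rsplit("/", 1)[-1]
        return last_segment.endswith(path_spec[1:])
    return request_path == path_spec


def is_protected(path_specs: Iterable[str], request_path: str) -> bool:
    """A request is covered by the constraint if any spec matches it."""
    return any(path_matches(spec, request_path) for spec in path_specs)


def unprotected_paths(path_specs: Iterable[str],
                      request_paths: Iterable[str]) -> List[str]:
    """Sample paths that no spec in the mapping covers."""
    specs = list(path_specs)
    return [p for p in request_paths if not is_protected(specs, p)]


# The three pathSpec values quoted in the thread.
PATHSPECS = {
    "AMQ Classic 5.x": "/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico",
    "AMQ Classic 6.x": "*.jsp",
    "proposed (/)": "/",
}

# Constructed sample request paths for illustration, not a list of real
# endpoints; only /api is taken from the thread itself.
SAMPLE_PATHS = [
    "/api",
    "/api/jolokia/",
    "/admin/",
    "/admin/queues.jsp",
    "/admin/js/common.js",
]


def report() -> Dict[str, List[str]]:
    """Map each configuration name to the sample paths it leaves open."""
    return {
        name: unprotected_paths(parse_path_spec(spec), SAMPLE_PATHS)
        for name, spec in PATHSPECS.items()
    }


if __name__ == "__main__":
    for name, gaps in report().items():
        status = ", ".join(gaps) if gaps else "(none)"
        print(f"{name:18s} unprotected: {status}")
```

Under this model the 6.x mapping (`*.jsp`) covers only the JSP pages and leaves `/api`, the jolokia path and the non-JSP admin resources open, whereas both the 5.x mapping and the proposed bare `/` cover every sample path; the check a deployer can run against a real instance is simply an unauthenticated request to `/api`, as Martin did.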
