Hi Martin,

For the tracking, here's the Jira ticket: https://issues.apache.org/jira/browse/AMQ-9477

The fix has been merged. We will move forward with the 6.1.2 release including this.

Thanks for the report.

Regards
JB

On Wed, Apr 10, 2024 at 11:32 AM Zeissig, Martin <mzeis...@gk-software.com> wrote:
>
> Dear Community
>
> I have updated from ActiveMQ Classic 5.x to 6.1.1.
> Since the update to 6.1.1 the API (webapps jolokia) is unprotected and can be
> accessed without basic authentication:
>
> Example:
> http://localhost:8161/api
>
> In previous ActiveMQ Classic versions (5.x) the API was protected with
> authentication by default. Now in ActiveMQ Classic versions 6.x the pathSpec
> is set to *.jsp only, which enables unprotected access to all webapps
> including the API.
>
> AMQ Classic 5.x
> <bean id="securityConstraintMapping"
>       class="org.eclipse.jetty.security.ConstraintMapping">
>     <property name="constraint" ref="securityConstraint" />
>     <property name="pathSpec"
>               value="/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico" />
> </bean>
>
> AMQ Classic 6.x
> <bean id="securityConstraintMapping"
>       class="org.eclipse.jetty.security.ConstraintMapping">
>     <property name="constraint" ref="securityConstraint" />
>     <property name="pathSpec" value="*.jsp" />
> </bean>
>
> From a security perspective it looks to me like a step backward. Was the change
> intentional or is this a bug?
>
> I recommend restricting access to root (/) to fully protect all endpoints.
> Lower security can be set up by users manually if needed.
>
> <bean id="securityConstraintMapping"
>       class="org.eclipse.jetty.security.ConstraintMapping">
>     <property name="constraint" ref="securityConstraint" />
>     <property name="pathSpec" value="/" />
> </bean>
>
>
> Best regards
>
> Martin
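As an added example (not from this thread or the ActiveMQ project), a small Python audit that reads the pathSpec from the securityConstraintMapping bean in a jetty.xml and, using a simplified model of the servlet path-matching rules (default "/", prefix "/x/*", suffix "*.ext", exact), reports which request paths fall outside the constraint. The XML fragment and the request paths are constructed from the excerpts in the mail; the Spring namespace is omitted so ElementTree parses it.

```python
import xml.etree.ElementTree as ET

# Constructed from the 6.x bean quoted in the mail (Spring namespace omitted).
JETTY_XML_6X = """<beans>
  <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint" />
    <property name="pathSpec" value="*.jsp" />
  </bean>
</beans>
"""

# Constructed sample of request paths a broker console exposes, including /api from the mail.
SAMPLE_PATHS = ["/", "/api", "/api/jolokia/read", "/admin/index.jsp", "/admin/js/common.js"]


def extract_path_spec(xml_text):
    """Return the pathSpec value of the securityConstraintMapping bean."""
    root = ET.fromstring(xml_text)
    for bean in root.iter("bean"):
        if bean.get("id") != "securityConstraintMapping":
            continue
        for prop in bean.findall("property"):
            if prop.get("name") == "pathSpec":
                return prop.get("value")
    raise ValueError("no securityConstraintMapping pathSpec found")


def spec_matches(spec, path):
    """Simplified servlet mapping rules: default '/', prefix '/x/*', suffix '*.ext', else exact."""
    if spec == "/":
        return True  # default mapping: every path is covered
    if spec.startswith("*."):
        return path.endswith(spec[1:])
    if spec.endswith("/*"):
        prefix = spec[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == spec


def unprotected_paths(path_spec_value, paths):
    """Paths that no comma-separated spec covers, i.e. reachable without authentication."""
    specs = [s.strip() for s in path_spec_value.split(",") if s.strip()]
    return [p for p in paths if not any(spec_matches(s, p) for s in specs)]


if __name__ == "__main__":
    for label, spec in [("6.x", extract_path_spec(JETTY_XML_6X)),
                        ("5.x", "/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico"),
                        ("recommended", "/")]:
        print(f"{label:12} unprotected: {unprotected_paths(spec, SAMPLE_PATHS)}")
```

Point the script at the broker's own jetty.xml to confirm that /api is covered after applying the fix or Martin's "/" recommendation.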