ActiveMQ / AMQ-4124

Disable sample web application from out of the box broker

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 5.7.0
    • Fix Version/s: 5.8.0
    • Component/s: Broker
    • Labels:
      None

      Description

      The out of the box broker you can start with bin/activemq includes a sample web application. We should disable this web app as people don't want to run this in the production broker. Instead we should have instructions to start up the broker with an activemq-demo.xml file that has the sample instead.

      See nabble
      http://activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tp4658044.html

        Activity

        Gary Tully added a comment -

        CVE-2012-6092

        Gary Tully added a comment -

        Probably no need for the demo shortcut; it is no harm to expose the xbean:url format as a means of providing an alternative configuration file, and there are a bunch of other configuration files that folks may want to use. It keeps the scripts simpler.

        Claus Ibsen added a comment -

        Currently you do, which has been documented in the user-guide that is included in the distro

        ./bin/activemq console xbean:conf/activemq-demo.xml
        

        So what if we make that easier by having a "demo" as shorthand for that, have a demo command, that runs the broker with demos enabled so you can do

        ./bin/activemq demo
        

        Which runs it in demo mode. And I think you can run with console enabled also

        ./bin/activemq console demo
        
        Gary Tully added a comment - - edited

        Just a thought on this: it may be better to simply restrict the Jetty endpoint to the loopback address by default, so that any vulnerability in the demos or any webapp is not visible by default.
        Having the samples enabled out of the box makes for a nice simple intro to messaging and the features of the broker, once you have localhost access to the machine.

        But I agree, they should not be enabled for production. Maybe the loopback address for Jetty is a separate issue.

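A check for the loopback suggestion in the last comment, as an added example that is not part of the original issue or of the ActiveMQ project: it reads `ss -ltn` output and reports listeners on the web port that are reachable beyond loopback. Port 8161 as the Jetty web port, 61616 as the broker transport port, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Constructed `ss -ltn` samples (not captured from a real host). Port 8161 is
# assumed to be the Jetty web port and 61616 the broker transport port.
EXPOSED = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50                 *:8161            *:*
LISTEN 0      50                 *:61616           *:*
"""
LOOPBACK = """\
LISTEN 0      50   [::ffff:127.0.0.1]:8161         *:*
LISTEN 0      50                 *:61616           *:*
"""

def split_local(field):
    """Split an ss 'Local Address:Port' field into (host, port)."""
    host, _, port = field.rpartition(":")
    # Drop an interface scope such as %eth0, then the IPv6 brackets.
    return host.split("%")[0].strip("[]"), int(port)

def is_loopback(host):
    """True only if the bind address cannot be reached from other machines."""
    if host in ("", "*"):          # wildcard: every interface
        return False
    addr = ipaddress.ip_address(host)
    # An IPv4-mapped IPv6 address (::ffff:127.0.0.1) is judged by its IPv4 part.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return addr.is_loopback

def exposed_listeners(ss_output, port=8161):
    """Return the local address fields listening on `port` beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue               # header or non-listening row
        try:
            host, lport = split_local(fields[3])
            reachable = lport == port and not is_loopback(host)
        except ValueError:
            continue               # unparseable address, skip the row
        if reachable:
            findings.append(fields[3])
    return findings

if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED), ("loopback", LOOPBACK)):
        print(name, exposed_listeners(sample) or "loopback only")
```

On a live host the input would come from `ss -ltn`; an empty result for the web port means the demos and any other webapp are only reachable from the machine itself.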

          People

          • Assignee:
            Claus Ibsen
            Reporter:
            Claus Ibsen