Details
- Bug
- Status: Resolved
- Minor
- Resolution: Fixed
- 5.9.0
- Any
Description
The default ConstraintMapping for the "user" role grants privileges to /admin/*, which supersedes the *.action constraint that is supposed to be granted only to the admin role.
The current pathSpec for the user role reads:
<property name="pathSpec" value="/api/*,/admin/*,*.jsp" />
Granting the user role access to /admin/* in turn grants it access to all of the *.action URLs, essentially nullifying the attempt to restrict *.action URLs to only the admin role.
To repeat, just log in as the default "user/user" account to the web console and add or delete destinations.
The workaround is to change the pathSpec to:
<property name="pathSpec" value="/,*.jsp,*.css" />
This allows access to the console but disallows access to the *.action URLs.
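As an added illustration (not ActiveMQ or Jetty code), the following models how a servlet container resolves competing ConstraintMappings by picking the single best-matching pathSpec (exact match, then the longest /prefix/*, then a *.suffix, then the default /): the reported /admin/* prefix mapping for the user role beats the admin-only *.action suffix mapping, while under the workaround the *.action mapping wins. The precedence rule is a simplified model, and the sample request path is constructed.

```python
# Added illustration, not ActiveMQ or Jetty code. Simplified model of how a
# servlet container such as Jetty picks the single best-matching
# ConstraintMapping for a request path: exact match, then the longest
# "/prefix/*" match, then a "*.suffix" match, then the default "/".

def match_rank(spec, path):
    """Return a comparable rank if spec matches path, else None. Higher wins."""
    if spec == path:
        return (3, 0)                        # exact match
    if spec.endswith("/*"):
        prefix = spec[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))          # longest prefix wins among prefixes
    if spec.startswith("*.") and path.endswith(spec[1:]):
        return (1, 0)                        # suffix (extension) match
    if spec == "/":
        return (0, 0)                        # default mapping, matches anything
    return None

def parse_pathspec(value, roles):
    """Expand a comma-separated pathSpec attribute into (spec, roles) pairs."""
    return [(spec.strip(), frozenset(roles)) for spec in value.split(",")]

def allowed_roles(mappings, path):
    """Roles permitted on path under the best-matching constraint (empty: none)."""
    best = None
    for spec, roles in mappings:
        rank = match_rank(spec, path)
        if rank is not None and (best is None or rank > best[0]):
            best = (rank, roles)
    return set(best[1]) if best else set()

ADMIN_MAPPINGS = parse_pathspec("*.action", ["admin"])             # admin-only
WEAK_USER = parse_pathspec("/api/*,/admin/*,*.jsp", ["user"])       # as reported
FIXED_USER = parse_pathspec("/,*.jsp,*.css", ["user"])             # workaround

# Constructed sample request path for a console action used in the check below.
SAMPLE_ACTION = "/admin/deleteDestination.action"

def user_can_reach(user_mappings, path):
    """True if a principal holding only the 'user' role is allowed on path."""
    return "user" in allowed_roles(ADMIN_MAPPINGS + user_mappings, path)

if __name__ == "__main__":
    for label, mappings in (("reported", WEAK_USER), ("workaround", FIXED_USER)):
        roles = sorted(allowed_roles(ADMIN_MAPPINGS + mappings, SAMPLE_ACTION))
        print(label, SAMPLE_ACTION, "->", roles)
```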
Issue Links
- causes AMQ-8522: Everybody granted full privileges on /api/* in jetty.xml (Resolved)