Uploaded image for project: 'ActiveMQ Classic'
  1. ActiveMQ Classic
  2. AMQ-8522

Everybody granted full privileges on /api/* in jetty.xml

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 5.16.4
    • 5.17.0, 5.16.5
    • Web Console
    • None

    Description

      Everybody granted full privileges on /api/* in jetty.xml

      Before fixing AMQ-5388, the ContstraintMapping for the "user" role contained the path part "/api/*", thus binding any API call to the "user" role.

      With the fix for AMQ-5388 the path part "/api/*" was removed. This has the effect that a request to "/api/message/..." or "/api/jolokia/..." is allowed to everybody.

      IMHO the path part "/api/*" should be added back to the ContstraintMapping mapping.

      Attachments

        Issue Links

          is caused by

          Bug - A problem which impairs or prevents the functions of the product. AMQ-5388 User Role Granted Full Privileges in jetty.xml

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Activity

            People

              jbonofre Jean-Baptiste Onofré
              clanger Carsten Langer
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 40m
                  40m