Qpid / QPID-4705

[Java Broker] restrict access to web management interfaces to authenticated and authorised users only

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 0.18, 0.20, 0.22
    • Fix Version/s: 0.22
    • Component/s: Java Broker
    • Labels:
      None

      Description

      In previous releases the default configuration allowed anonymous users to view and perform a limited set of operations via the new web management interface, with the ability to restrict these via the ACLs. For the 0.22 release, the broker-level configuration model has been replaced and is now entirely configurable via the web management interface, exposing additional configuration for viewing and/or manipulation that was previously either not exposed via HTTP or only read-only.

      Now that functionality such as configuring the used authentication providers, ports, SSL, etc. can be done via the web interface, it should be authenticated by default, with anonymous access only being provided where the user explicitly assigns the anonymous authentication provider to the HTTP(S) port/ports in use.
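
An added example, not part of the original issue or the Qpid code base: a small audit that lists web management ports bound to an anonymous provider or to no provider at all, so the explicit opt-in described above can be reviewed. The JSON layout, key names and provider type strings are assumptions for illustration, not the broker's documented schema.

```python
import json

# Constructed sample; the layout and key names ("authenticationproviders",
# "ports", "authenticationProvider", "protocols", "type") are assumptions
# for illustration, not the broker's documented schema.
SAMPLE_CONFIG = """
{
  "authenticationproviders": [
    {"name": "passwordFile", "type": "PlainPasswordFile"},
    {"name": "anon", "type": "Anonymous"}
  ],
  "ports": [
    {"name": "amqp",  "port": 5672, "protocols": ["AMQP_0_10"], "authenticationProvider": "anon"},
    {"name": "http",  "port": 8080, "protocols": ["HTTP"],  "authenticationProvider": "anon"},
    {"name": "https", "port": 8443, "protocols": ["HTTPS"], "authenticationProvider": "passwordFile"},
    {"name": "http2", "port": 8081, "protocols": ["HTTP"]}
  ]
}
"""

MANAGEMENT_PROTOCOLS = {"HTTP", "HTTPS"}


def audit_management_ports(config_text):
    """Return (port_name, finding) pairs for web management ports that are
    not bound to an authenticating provider."""
    config = json.loads(config_text)
    provider_types = {p["name"]: p.get("type", "")
                      for p in config.get("authenticationproviders", [])}
    findings = []
    for port in config.get("ports", []):
        if not MANAGEMENT_PROTOCOLS & set(port.get("protocols", [])):
            continue  # not a web management port
        provider = port.get("authenticationProvider")
        if provider is None:
            findings.append((port["name"], "no authentication provider assigned"))
        elif provider not in provider_types:
            findings.append((port["name"], "unknown provider '%s'" % provider))
        elif provider_types[provider].lower() == "anonymous":
            findings.append((port["name"], "anonymous access explicitly enabled"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_management_ports(SAMPLE_CONFIG):
        print("%s: %s" % (name, finding))
```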

        Activity

        Alex Rudyy created issue -
        Alex Rudyy made changes -
        Field Original Value New Value
        Status Open [ 1 ] In Progress [ 3 ]
        Alex Rudyy made changes -
        Status In Progress [ 3 ] Ready To Review [ 10006 ]
        Alex Rudyy added a comment -

        Robbie,
        Could you please review the changes made in a revision http://svn.apache.org/r1465590 ?

        Alex Rudyy made changes -
        Assignee Alex Rudyy [ alex.rufous ] Robbie Gemmell [ gemmellr ]
        Robbie Gemmell added a comment - - edited

        Changes look good to me. Agreed that we should request these for inclusion in 0.22.

        Robbie Gemmell made changes -
        Status Ready To Review [ 10006 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Justin Ross added a comment -

        Reviewed by Robbie. Approved for 0.22.

        Robbie Gemmell made changes -
        Summary [Java Broker] anonymous users are able to view and update broker configuration via the web console by default -> [Java Broker] restrict access to web management interfaces to authenticated and authorised users only
        Robbie Gemmell added a comment -

        r1465590 merged to 0.22 branch via: http://svn.apache.org/r1469865

        Robbie Gemmell made changes -
        Fix Version/s 0.22 [ 12324272 ]
        Fix Version/s 0.23 [ 12324273 ]
        Rob Godfrey made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Transition                | Time In Source Status | Execution Times | Last Executer  | Last Execution Date
        Open -> In Progress       | 3d 2h 3m              | 1               | Alex Rudyy     | 08/Apr/13 12:18
        In Progress -> Reviewable | 7s                    | 1               | Alex Rudyy     | 08/Apr/13 12:19
        Reviewable -> Resolved    | 16m 23s               | 1               | Robbie Gemmell | 08/Apr/13 12:35
        Resolved -> Closed        | 674d 8h 31m           | 1               | Rob Godfrey    | 11/Feb/15 20:07

          People

          • Assignee:
            Robbie Gemmell
            Reporter:
            Alex Rudyy
          • Votes:
            0
            Watchers:
            3

            Dates

            • Created:
              Updated:
              Resolved:
