You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@activemq.apache.org by "Wei Guo (Jira)" <ji...@apache.org> on 2023/03/03 08:11:00 UTC

[jira] [Commented] (AMQ-9198) Self-customized read-only role for AMQ works but caused admin/security login gives 403

    [ https://issues.apache.org/jira/browse/AMQ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17696074#comment-17696074 ] 

Wei Guo commented on AMQ-9198:
------------------------------

Hi [~jbonofre]  
Could you please help with what exactly the config we needed to let the only read-only role works? 

Best regards 

> Self-customized read-only role for AMQ works but caused admin/security login gives 403
> --------------------------------------------------------------------------------------
>
>                 Key: AMQ-9198
>                 URL: https://issues.apache.org/jira/browse/AMQ-9198
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Web Console
>            Reporter: Wei Guo
>            Assignee: Jean-Baptiste Onofré
>            Priority: Critical
>         Attachments: image-2023-01-16-17-12-33-509.png
>
>
> We added a new customized  read-only Constraint with Mapping:  readerSecurityConstraintMapping for read-only permission for AMQ web UI portal  it works for read-only users to show the expected 403 for prohibited URLs, 
> but when we switch to the admin user, it gives 403 error :
> !image-2023-01-16-17-12-33-509.png!
> jetty.xml : 
> {code:java}
>     <bean id="readerSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
>         <property name="name" value="BASIC" />
>         <property name="roles" value="reader" />
>         <property name="authenticate" value="true" />
>     </bean>
>     
>     <bean id="readerSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>         <property name="constraint" ref="readerSecurityConstraint" />
>         <property name="pathSpec" value="/index.html,/admin/*.html,/admin/index.jsp,/admin/queues.jsp,/admin/browse.jsp,/admin/queueConsumers.jsp,/admin/topics.jsp,/admin/topicProducers.jsp,/admin/topicSubscribers.jsp,/admin/connections.jsp,/admin/network.jsp,/admin/scheduled.jsp,/admin/queueGraph.jsp,/admin/xml/queues.jsp,/admin/xml/subscribers.jsp"/>
>     </bean> 
>     <bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>         <property name="loginService" ref="securityLoginService" />
>         <property name="authenticator">
>             <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
>         </property>
>         <property name="constraintMappings">
>             <list>
>                 <ref bean="adminSecurityConstraintMapping" />
>                 <ref bean="securityConstraintMapping" />
>                 <ref bean="readerSecurityConstraintMapping" />
>             </list>
>         </property>
>         <property name="handler" ref="secHandlerCollection" />
>     </bean>{code}
> ==jetty-realm.properties==
> admin: admin, admin
> user: user, user
> reader: reader,reader
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)