You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@qpid.apache.org by "Rob Godfrey (JIRA)" <ji...@apache.org> on 2016/08/05 10:24:20 UTC

[jira] [Created] (QPID-7380) [Java Broker] Managed Operations returning potentially confidential information should not be permitted by default on insecure connections

Rob Godfrey created QPID-7380:
---------------------------------

             Summary: [Java Broker] Managed Operations returning potentially confidential information should not be permitted by default on insecure connections
                 Key: QPID-7380
                 URL: https://issues.apache.org/jira/browse/QPID-7380
             Project: Qpid
          Issue Type: Improvement
            Reporter: Rob Godfrey
             Fix For: qpid-java-6.1


Operations such as getting message content or extracting config or message data may contain confidential information.  As such one would not normally wish these operations to be permitted on insecure (non-TLS) connections.  We should enhance the meta data for managed operations to allow for declaring them "secure", we should then change the REST servlet to prevent the operation of "secure" operations on insecure connections.  To allow those who are aware of the risks, but accept them, we should add an attribute to the (Http)Port to allow secure operations to be performed on that port even where the connection is insecure.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org