Posted to users@activemq.apache.org by va...@gmail.com on 2019/04/11 03:55:31 UTC

How to restrict http options method on port 61614

> 
> Hi,
> 
> We are using ActiveMQ 5.14 in our application, and the recent Internal Vulnerability Assessment reports the finding http-options-method-enabled on port 61614.
> 
> curl "http://XX.xX.xxx.xxx:61614/" -X OPTIONS -v
> * About to connect() to XX.xX.xxx.xxx port 61614 (#0)
> *   Trying XX.xX.xxx.xxx... connected
> * Connected to XX.xX.xxx.xxx (XX.xX.xxx.xxx) port 61614 (#0)
> > OPTIONS / HTTP/1.1
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> > Host: XX.xX.xxx.xxx:61614
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Date: Thu, 11 Apr 2019 02:02:48 GMT
> < Allow: GET, HEAD, TRACE, OPTIONS
> < Content-Length: 0
> < Server: Jetty
> I have researched this and found that ActiveMQ uses embedded Jetty, and tried adding the security constraint in jetty.xml as below.
> 
> <bean id="httpMethodSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
>     <property name="name" value="Restricted" />
>     <!-- <property name="roles" value="admin" /> -->
>     <!-- set authenticate=false to disable login -->
>     <property name="authenticate" value="true" />
> </bean>
> <bean id="httpMethodSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>     <property name="constraint" ref="httpMethodSecurityConstraint" />
>     <property name="method" value="OPTIONS" />
>     <property name="pathSpec" value="/*" />
> </bean>
> <bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>     <property name="loginService" ref="securityLoginService" />
>     <property name="authenticator">
>         <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
>     </property>
>     <property name="constraintMappings">
>         <list>
>             <ref bean="httpMethodSecurityConstraintMapping" />
>         </list>
>     </property>
>     <property name="handler" ref="secHandlerCollection" />
> </bean>
> But the result of the command below still returns HTTP status 200.
> 
> curl "http://XX.xX.xxx.xxx:61614/" -X OPTIONS -v
> 
> Any help with this issue would be of great help.
> 
> Thank You.
> 
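The curl probe from the mail turned into a repeatable verification step, added here as example code (not part of the original post, nor of ActiveMQ or Jetty): it sends OPTIONS, records the status and the Allow header, and reports whether the method is still served. The plain-HTTP endpoint, the host/port placeholder and the constructed sample responses are assumptions.

```python
"""OPTIONS exposure check, an added example (not from the original post or
ActiveMQ/Jetty): re-run the curl probe from the mail as a repeatable check.
Host, port and the constructed sample responses are assumptions."""
import http.client
from dataclasses import dataclass
from typing import Optional

# Methods a read-only HTTP endpoint is expected to advertise; the rest is reported.
EXPECTED = frozenset({"GET", "HEAD"})
@dataclass(frozen=True)
class OptionsResult:
    status: int
    allowed: frozenset
    unexpected: frozenset

    @property
    def restricted(self) -> bool:
        # A working constraint answers OPTIONS with 401/403/405; a 2xx means the
        # method is still served, which is exactly what the scanner flagged.
        return not 200 <= self.status < 300

def parse_allow(header: Optional[str]) -> frozenset:
    """Split an Allow header such as 'GET, HEAD, TRACE, OPTIONS' into method tokens."""
    if not header:
        return frozenset()
    return frozenset(tok.strip().upper() for tok in header.split(",") if tok.strip())

def assess(status: int, allow_header: Optional[str]) -> OptionsResult:
    """Classify one OPTIONS response (status code plus Allow header) offline."""
    allowed = parse_allow(allow_header)
    return OptionsResult(status, allowed, allowed - EXPECTED)

def probe(host: str, port: int, path: str = "/", timeout: float = 5.0) -> OptionsResult:
    """Live check over plain HTTP against host:port, as the mail's curl command does."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        return assess(resp.status, resp.getheader("Allow"))
    finally:
        conn.close()

# Constructed samples: the response quoted in the mail, and a response from a working constraint.
SAMPLE_BEFORE = (200, "GET, HEAD, TRACE, OPTIONS")
SAMPLE_AFTER = (405, None)
if __name__ == "__main__":
    for label, (status, allow) in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        r = assess(status, allow)
        print(f"{label}: status={r.status} restricted={r.restricted} unexpected={sorted(r.unexpected)}")
    # Live run, edit host/port first: print(probe("127.0.0.1", 61614))
```

Run it after each jetty.xml change: the check passes only once `restricted` is true for the real endpoint, and the `unexpected` set shows which advertised methods (here TRACE and OPTIONS) the scanner will keep reporting.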