You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@activemq.apache.org by "Christian Posta (JIRA)" <ji...@apache.org> on 2013/06/03 16:41:20 UTC

[jira] [Commented] (AMQ-4567) JMX operations on broker bypass authorization plugin

    [ https://issues.apache.org/jira/browse/AMQ-4567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13673160#comment-13673160 ] 

Christian Posta commented on AMQ-4567:
--------------------------------------

I suppose the original idea was for read/write access to JMX to be a admin-priviledged function... Should we enhance that to enforce authn authz at the jmx level with the thought users might be using JMX?
                
>  JMX operations on broker bypass authorization plugin
> -----------------------------------------------------
>
>                 Key: AMQ-4567
>                 URL: https://issues.apache.org/jira/browse/AMQ-4567
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.8.0
>            Reporter: Torsten Mielke
>              Labels: authorization
>
> When securing the broker using authentication and authorization, any JMX operations on the broker completely bypass the authorization plugin.
> So anyone can modify the broker bypassing the security checks. Also, because of this its not possible to define a read only user for the web console.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira