You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@activemq.apache.org by "Jean-Baptiste Onofré (Jira)" <ji...@apache.org> on 2022/03/06 06:48:00 UTC

[jira] [Resolved] (AMQ-8522) Everybody granted full privileges on /api/* in jetty.xml

     [ https://issues.apache.org/jira/browse/AMQ-8522?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré resolved AMQ-8522.
---------------------------------------
    Resolution: Fixed

> Everybody granted full privileges on /api/* in jetty.xml
> --------------------------------------------------------
>
>                 Key: AMQ-8522
>                 URL: https://issues.apache.org/jira/browse/AMQ-8522
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Web Console
>    Affects Versions: 5.16.4
>            Reporter: Carsten Langer
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>             Fix For: 5.17.0, 5.16.5
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> Everybody granted full privileges on {{/api/*}} in jetty.xml
> Before fixing AMQ-5388, the ContstraintMapping for the "user" role contained the path part {{{}"/api/*"{}}}, thus binding any API call to the "user" role.
> With the fix for AMQ-5388 the path part {{"/api/*"}} was removed. This has the effect that a request to {{"/api/message/..."}} or {{"/api/jolokia/..."}} is allowed to everybody.
> IMHO the path part {{"/api/*"}} should be added back to the ContstraintMapping mapping.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)