activemq-dev mailing list archives

From "Justin Reock (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AMQ-5388) User Role Granted Full Privileges in jetty.xml
Date Fri, 10 Oct 2014 21:25:34 GMT
Justin Reock created AMQ-5388:
---------------------------------

             Summary: User Role Granted Full Privileges in jetty.xml
                 Key: AMQ-5388
                 URL: https://issues.apache.org/jira/browse/AMQ-5388
             Project: ActiveMQ
          Issue Type: Bug
          Components: webconsole
    Affects Versions: 5.9.0
         Environment: Any
            Reporter: Justin Reock
            Priority: Minor


The default ConstraintMapping for the "user" role grants privileges to /admin/*, which supersedes
the *.action constraint that is supposed to be granted only to the admin role.

The current pathspec for the user role reads:
<property name="pathSpec" value="/api/*,/admin/*,*.jsp" />

By granting access to /admin/*, that in turn grants access to all of the *.action URLs, essentially
nullifying the attempt to restrict *.action URLs to only the admin role.

To repeat, just log in as the default "user/user" account to the web console and add or delete
destinations.

The workaround is to change the pathSpec to:

<property name="pathSpec" value="/,*.jsp,*.css" />

which allows access to the console but disallows access to the *.action URLs.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
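To show why the "/admin/*" mapping wins over "*.action" for a URL such as /admin/createDestination.action, and why the proposed workaround changes the outcome, here is a small model of servlet-spec security-constraint resolution (exact match, then longest path prefix, then extension, then the "/" default). This is an added example, not ActiveMQ or Jetty code: the pathSpec strings are taken from the report above, while the sample URL paths, the resolve()/user_can_reach() helpers and the treatment of "/" as the lowest-precedence default mapping are assumptions made for the illustration.

```python
"""Model of servlet-spec path matching precedence applied to the two
ConstraintMapping sets discussed in AMQ-5388 (added example; not the
ActiveMQ or Jetty implementation).

Precedence (assumed from the servlet specification): an exact path wins
over a prefix ("/x/*"), a longer prefix wins over a shorter one, any prefix
wins over an extension ("*.ext"), and "/" is the default mapping that only
applies when nothing else matches.
"""

PRECEDENCE = {"exact": 0, "prefix": 1, "suffix": 2, "default": 3}


def spec_kind(spec):
    """Classify one pathSpec token."""
    if spec == "/":
        return "default"
    if spec.endswith("/*"):
        return "prefix"
    if spec.startswith("*."):
        return "suffix"
    return "exact"


def matches(spec, path):
    """True if a single pathSpec token covers the request path."""
    kind = spec_kind(spec)
    if kind == "exact":
        return path == spec
    if kind == "prefix":
        base = spec[:-2]                     # "/admin/*" -> "/admin"
        return path == base or path.startswith(base + "/")
    if kind == "suffix":
        return path.endswith(spec[1:])       # "*.action" -> ".action"
    return True                              # "/" default matches everything


def resolve(mappings, path):
    """Return (winning_spec, roles) for path, or None if nothing matches.

    mappings is a list of (pathSpec, roles); pathSpec may be a
    comma-separated list, as in jetty.xml.  Only the single best-matching
    constraint applies, which is the crux of the bug: a prefix mapping that
    grants "user" silences an extension mapping meant for "admin" only.
    """
    best = None
    for specs, roles in mappings:
        for spec in (s.strip() for s in specs.split(",")):
            if not matches(spec, path):
                continue
            key = (PRECEDENCE[spec_kind(spec)], -len(spec))  # longest prefix wins
            if best is None or key < best[0]:
                best = (key, spec, roles)
    return None if best is None else (best[1], best[2])


def user_can_reach(mappings, path):
    """True if an account holding only the "user" role is allowed at path."""
    hit = resolve(mappings, path)
    return hit is not None and "user" in hit[1]


# pathSpec values quoted in the report; the "*.action" mapping is the one
# intended to restrict console actions to the admin role.
ORIGINAL = [
    ("/api/*,/admin/*,*.jsp", {"user", "admin"}),
    ("*.action", {"admin"}),
]
WORKAROUND = [
    ("/,*.jsp,*.css", {"user", "admin"}),
    ("*.action", {"admin"}),
]

if __name__ == "__main__":
    # Constructed sample URLs for the demonstration.
    for path in ("/admin/createDestination.action", "/admin/queues.jsp"):
        for name, cfg in (("original", ORIGINAL), ("workaround", WORKAROUND)):
            print(f"{name:10} {path:35} -> {resolve(cfg, path)}")
```

With the original mapping, /admin/createDestination.action is claimed by the "/admin/*" prefix, so the user role passes; with the workaround, only the "/" default and "*.action" match, the extension mapping has the higher precedence, and the request is limited to admin. Plain .jsp pages remain reachable to the user role under both configurations.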
