activemq-users mailing list archives

From Tobb <torbjor...@gmail.com>
Subject Disabling CSRF protection
Date Wed, 14 Nov 2012 09:49:36 GMT
Hi,

We recently upgraded from AMQ 5.3.0 to AMQ 5.6.0. In version 5.6.0, CSRF
protection has been added to the AMQ web console. As far as I understand,
this is done through the server generating a secret key on each request to
view a message/queue, which is in turn used to validate the requests. This
leads to some usability issues with the AMQ web console:

1. If a user clicks back in the browser, then no actions can be made, since
you then return to a cached page, with a stale secret key.
2. Say you have a dead-letter queue with 19 messages, and you want to delete
15 of them. Since deleting a message from the overview of a queue throws you
back to the overview of all the queues, this could be tedious work. In
5.3.0, we went around this by holding ctrl in while clicking delete, so the
redirect to the all queues overview happened in a new tab. This is no longer
possible, since you can't make multiple requests with the same secret key.

Due to this, and the fact that the AMQ console is located on an intranet and
we have no real need for CSRF protection, I would like to disable it altogether.
But is this possible?

(I have tried to get the console to enforce a reload of the page when the
user clicks the back-button, but can't get it to work..)

-Tobb



--
View this message in context: http://activemq.2283324.n4.nabble.com/Disabling-CSRF-protection-tp4659303.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
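
An added illustration of the behaviour described in the message above (not part of the original post and not ActiveMQ's code): a Python model of a secret that is regenerated for every rendered page and spent on use, next to a secret kept for the whole session. All class and function names are hypothetical; the model only shows which of the two scenarios from the message each scheme accepts, and that both reject a request that arrives without the secret.

```python
import hmac
import secrets


class RotatingTokenSession:
    """Per-page secret, as the message describes it: replaced on every
    render and discarded once a request has used it."""

    def __init__(self):
        self.current = None

    def render_page(self):
        self.current = secrets.token_urlsafe(32)
        return self.current

    def submit(self, token):
        ok = self.current is not None and hmac.compare_digest(token, self.current)
        if ok:
            self.current = None  # single use: the next page gets a new secret
        return ok


class SessionTokenSession:
    """One secret per login session, embedded unchanged in every page."""

    def __init__(self):
        self.token = secrets.token_urlsafe(32)

    def render_page(self):
        return self.token

    def submit(self, token):
        return hmac.compare_digest(token, self.token)


def run_scenarios(session):
    results = {}
    # Back button: the browser shows a cached page rendered before the latest one.
    stale = session.render_page()
    session.render_page()
    results["back_button"] = session.submit(stale)
    # Ctrl-click delete: two requests sent from the same rendered queue page.
    token = session.render_page()
    results["second_delete"] = session.submit(token) and session.submit(token)
    # Request from another site: it cannot read the page, so it carries no secret.
    session.render_page()
    results["no_token"] = session.submit("")
    return results
```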
