activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dejan Bosanac <>
Subject Re: Disabling CSRF protection
Date Wed, 14 Nov 2012 11:24:17 GMT
There's no way to turn it off. I think we should make delete get you
back to the overview of the queue, so there's no need for workaround.
Can you raise a Jira for this?

Also, you can install the web console as a temporary workaround.

Dejan Bosanac
Red Hat, Inc.
FuseSource is now part of Red Hat
Twitter: @dejanb
ActiveMQ in Action:

On Wed, Nov 14, 2012 at 10:49 AM, Tobb <> wrote:
> Hi,
> We recently upgraded from AMQ 5.3.0 to AMQ 5.6.0. In version 5.6.0, CSRF
> protection has been added to the AMQ web console. As far as I understand,
> this is done through the server generating a secret key on each request to
> view a message/queue, which is in turn used to validate the requests. This
> leads to some usability issues with the AMQ web console:
> 1. If a user clicks back in the browser, then no actions can be made, since
> you then return to a cached page, with a stale secret key.
> 2. Say you have a dead-letter queue with 19 messages, and you want to delete
> 15 of them. Since deleting a message from the overview of a queue throws you
> back to the overview of all the queues, this could be tedious work. In
> 5.3.0, we went around this by holding ctrl in while clicking delete, so the
> redirect to the all queues overview happened in a new tab. This is no longer
> possible, since you can't make mulitple requests with the same secret key.
> Due to this, and the fact that the AMQ console is located on an intranet and
> we no real need for CSRF protection, I would like to disable it altogether.
> But is this possible?
> (I have tried to get the console to enforce a reload of the page when the
> user clicks the back-button, but can't get it to work..)
> -Tobb
> --
> View this message in context:
> Sent from the ActiveMQ - User mailing list archive at

View raw message