activemq-users mailing list archives

From vasantha.rap...@gmail.com
Subject How to restrict http options method on port 61614
Date Thu, 11 Apr 2019 03:55:31 GMT

> 
> Hi,
> 
> We are using ActiveMQ 5.14 in our application, and the recent Internal Vulnerability Assessment
> shows the finding http-options-method-enabled on port 61614.
> 
> curl "http://XX.xX.xxx.xxx:61614/" -X OPTIONS -v
> * About to connect() to XX.xX.xxx.xxx port 61614 (#0)
> *   Trying XX.xX.xxx.xxx... connected
> * Connected to XX.xX.xxx.xxx (XX.xX.xxx.xxx) port 61614 (#0)
> > OPTIONS / HTTP/1.1
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> > Host: XX.xX.xxx.xxx:61614
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Date: Thu, 11 Apr 2019 02:02:48 GMT
> < Allow: GET, HEAD, TRACE, OPTIONS
> < Content-Length: 0
> < Server: Jetty
> I have researched this and found that ActiveMQ uses embedded Jetty, and tried adding the
> security constraint in jetty.xml as below.
> 
> <bean id="httpMethodSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
>     <property name="name" value="Restricted" />
>     <!--<property name="roles" value="admin" /> -->
>     <!-- set authenticate=false to disable login -->
>     <property name="authenticate" value="true" />
> </bean>
> <bean id="httpMethodSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>     <property name="constraint" ref="httpMethodSecurityConstraint" />
>     <property name="method" value="OPTIONS" />
>     <property name="pathSpec" value="/*" />
> </bean>
> <bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>     <property name="loginService" ref="securityLoginService" />
>     <property name="authenticator">
>         <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
>     </property>
>     <property name="constraintMappings">
>         <list>
>             <ref bean="httpMethodSecurityConstraintMapping" />
>         </list>
>     </property>
>     <property name="handler" ref="secHandlerCollection" />
> </bean>
> But the result of the below still returns HTTP status 200.
> 
> curl "http://XX.xX.xxx.xxx:61614/" -X OPTIONS -v
> 
> Any help with this issue would be of great help.
> 
> Thank You.
> 
> 
> Sent from my iPhone
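An added verification check, not part of the original message or of ActiveMQ: a small Python script that parses an OPTIONS response like the one quoted above and reports whether the method is still being served, so the result of a jetty.xml change can be confirmed from the response rather than by eye. The embedded response is constructed from the curl output in the message; the host and port passed to probe_options() are placeholders for the broker under test.

```python
import socket

# Methods the assessment quoted in the message flags when a server advertises them.
FLAGGED_METHODS = {"OPTIONS", "TRACE"}

# Constructed sample: the status line and headers from the curl -v output above,
# reassembled as the bytes the server sent (Content-Length: 0, so no body).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 11 Apr 2019 02:02:48 GMT\r\n"
    b"Allow: GET, HEAD, TRACE, OPTIONS\r\n"
    b"Content-Length: 0\r\n"
    b"Server: Jetty\r\n\r\n"
)

def parse_response(raw):
    """Split a raw HTTP/1.x response head into (status code, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def assess_options_response(raw):
    """Summarise an OPTIONS response: any status below 400 means OPTIONS is still served (the
    scanner's finding); a 403 or 405 means a constraint or filter now rejects it."""
    status, headers = parse_response(raw)
    advertised = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    return {
        "status": status,
        "advertised": sorted(advertised),
        "exposed": sorted(advertised & FLAGGED_METHODS),
        "options_restricted": status >= 400,
    }

def probe_options(host, port, timeout=5.0):
    """Send a bare 'OPTIONS /' over plain HTTP (what curl -X OPTIONS does) and return the head."""
    request = f"OPTIONS / HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        raw = b""
        while b"\r\n\r\n" not in raw and (chunk := sock.recv(4096)):
            raw += chunk
    return raw
```

For a live check, feed `probe_options("BROKER_HOST", 61614)` into `assess_options_response()`; `options_restricted` should turn true once the constraint actually applies to the listener on that port.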
