This is an automated email from the ASF dual-hosted git repository.
cshannon pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq.git
The following commit(s) were added to refs/heads/main by this push:
new 085efea552 Restrict full web console URI to admins role (#2074)
085efea552 is described below
commit 085efea55270aca20f2158c0a91a0f4a9fe497f4
Author: JB Onofré <[email protected]>
AuthorDate: Mon Jun 8 17:50:52 2026 +0200
Restrict full web console URI to admins role (#2074)
Change the admin security constraint mapping from *.action to /admin/*
so the entire web console (including read-only pages) requires the
admins role, not just action endpoints. Add comments to each constraint
mapping explaining its scope, and remove duplicate Referrer-Policy and
Permissions-Policy rewrite rules left over from earlier edits.
---
assembly/src/release/conf/jetty.xml | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/assembly/src/release/conf/jetty.xml
b/assembly/src/release/conf/jetty.xml
index 025783845c..fdc922c688 100644
--- a/assembly/src/release/conf/jetty.xml
+++ b/assembly/src/release/conf/jetty.xml
@@ -74,14 +74,27 @@
<!-- set authenticate=false to disable login -->
<property name="authenticate" value="true" />
</bean>
+ <!--
+ Catch-all mapping: any request not matched by a more specific
+ constraint below requires authentication as a user or admin.
+ -->
<bean id="securityConstraintMapping"
class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="securityConstraint" />
<property name="pathSpec" value="/" />
</bean>
+ <!--
+ Web console (/admin/*) is restricted to the admins role. This covers
+ the full console UI, not just the *.action endpoints, so read-only
+ pages (queue listings, message browsing, etc.) also require admin.
+ -->
<bean id="adminSecurityConstraintMapping"
class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="adminSecurityConstraint" />
- <property name="pathSpec" value="*.action" />
+ <property name="pathSpec" value="/admin/*" />
</bean>
+ <!--
+ Jolokia JMX bridge exposes broker management operations over HTTP;
+ restrict to the admins role to prevent privilege escalation via JMX.
+ -->
<bean id="jolokiaSecurityConstraintMapping"
class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="adminSecurityConstraint" />
<property name="pathSpec" value="/api/jolokia/*" />
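Review bot: Replacing `*.action` with `/admin/*` on adminSecurityConstraintMapping removes admin-role protection from any `.action` endpoint served outside `/admin/`, if such endpoints exist — they would fall back to the catch-all `/` constraint rather than adminSecurityConstraint. The hunk does not show whether any do; if the console is the only producer of `.action` URLs this is fine, otherwise keep both mappings (a second ConstraintMapping bean with `value="*.action"` referencing adminSecurityConstraint) so the prefix and suffix rules overlap instead of one replacing the other. The comment on the `/admin/*` mapping could also record why it wins over the catch-all, since a future maintainer adding mappings needs that rule: `Jetty applies the most specific matching pathSpec, so /admin/* takes precedence over the catch-all "/" mapping above.` The catch-all comment names the roles ("user or admin"), but those are configured on the securityConstraint bean outside this hunk; phrasing it as `requires authentication under the roles configured on securityConstraint` keeps the comment accurate if that bean changes.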
@@ -141,16 +154,6 @@
<property name="name" value="Content-Security-Policy"/>
<property name="value" value="style-src-elem 'self'
'unsafe-inline'; style-src 'self'; img-src 'self' data:; script-src-elem
'self'; default-src 'none'; object-src 'none'; frame-ancestors 'none'; base-uri
'none';" />
</bean>
- <bean id="header"
class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
- <property name="pattern" value="*"/>
- <property name="name" value="Referrer-Policy"/>
- <property name="value" value="no-referrer"/>
- </bean>
- <bean id="header"
class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
- <property name="pattern" value="*"/>
- <property name="name" value="Permissions-Policy"/>
- <property name="value" value="accelerometer=(), camera=(),
geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(),
usb=()"/>
- </bean>
<!-- Uncomment when serving the console over HTTPS only -->
<!--
<bean id="header"
class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">