This is an automated email from the ASF dual-hosted git repository.

cshannon pushed a commit to branch activemq-5.19.x
in repository https://gitbox.apache.org/repos/asf/activemq.git


The following commit(s) were added to refs/heads/activemq-5.19.x by this push:
     new 1eda6a164f Restrict full web console URI to admins role (#2074) (#2091)
1eda6a164f is described below

commit 1eda6a164f38b6eb1a90ffb1462a95cd9ad121e9
Author: Christopher L. Shannon <[email protected]>
AuthorDate: Mon Jun 8 11:59:13 2026 -0400

    Restrict full web console URI to admins role (#2074) (#2091)
    
    Change the admin security constraint mapping from *.action to /admin/*
    so the entire web console (including read-only pages) requires the
    admins role, not just action endpoints. Add comments to each constraint
    mapping explaining its scope, and remove duplicate Referrer-Policy and
    Permissions-Policy rewrite rules left over from earlier edits.
    
    (cherry picked from commit 085efea55270aca20f2158c0a91a0f4a9fe497f4)
    
    Co-authored-by: JB Onofré <[email protected]>
---
 assembly/src/release/conf/jetty.xml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/assembly/src/release/conf/jetty.xml 
b/assembly/src/release/conf/jetty.xml
index fd3fb72f52..6a83220538 100644
--- a/assembly/src/release/conf/jetty.xml
+++ b/assembly/src/release/conf/jetty.xml
@@ -68,14 +68,27 @@
          <!-- set authenticate=false to disable login -->
         <property name="authenticate" value="true" />
     </bean>
+    <!--
+        Catch-all mapping: any request not matched by a more specific
+        constraint below requires authentication as a user or admin.
+    -->
     <bean id="securityConstraintMapping" 
class="org.eclipse.jetty.security.ConstraintMapping">
         <property name="constraint" ref="securityConstraint" />
         <property name="pathSpec" 
value="/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico" />
     </bean>
+    <!--
+        Web console (/admin/*) is restricted to the admins role. This covers
+        the full console UI, not just the *.action endpoints, so read-only
+        pages (queue listings, message browsing, etc.) also require admin.
+    -->
     <bean id="adminSecurityConstraintMapping" 
class="org.eclipse.jetty.security.ConstraintMapping">
         <property name="constraint" ref="adminSecurityConstraint" />
-        <property name="pathSpec" value="*.action" />
+        <property name="pathSpec" value="/admin/*" />
     </bean>
+    <!--
+        Jolokia JMX bridge exposes broker management operations over HTTP;
+        restrict to the admins role to prevent privilege escalation via JMX.
+    -->
     <bean id="jolokiaSecurityConstraintMapping" 
class="org.eclipse.jetty.security.ConstraintMapping">
         <property name="constraint" ref="adminSecurityConstraint" />
         <property name="pathSpec" value="/api/jolokia/*" />
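Review bot: The new comment on the `/admin/*` mapping states the outcome but not what makes it hold: the same console resources also match the catch-all's suffix specs (`*.jsp`, `*.js`, `*.css`, …), so the admins-only result depends on Jetty selecting the single most specific pathSpec (exact, then longest prefix, then suffix, then default) rather than on bean order — if I read Jetty's constraint matching correctly, a future reorder or a new suffix mapping would not weaken it, but a reader could easily assume otherwise. I would add to that comment: `Jetty applies only the most specific matching pathSpec (exact > longest prefix > suffix > default), so this prefix mapping takes precedence over the catch-all's *.jsp/*.js/*.css suffix specs regardless of bean order.` The catch-all comment's "authentication as a user or admin" is really defined by the `securityConstraint` bean referenced on the next line, which lives above this hunk; phrasing it as `requires the roles configured on securityConstraint` keeps the comment from drifting if those roles change. Because this matching operates on Jetty's decoded and normalized path, the restriction is only as strong as the bundled Jetty's URI canonicalization, which is worth a note for operators since older Jetty releases have had path-normalization bypasses of security constraints. Separately, the message says duplicate Referrer-Policy and Permissions-Policy rewrite rules were removed, but the diffstat (14 insertions, 1 deletion) and this hunk show no such removal — presumably the cherry-pick dropped that part or the message is stale and should be checked; the jolokia mapping bean's closing tag falls outside the hunk.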

