[ https://issues.apache.org/jira/browse/AMQ-4567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13673192#comment-13673192 ]
Torsten Mielke commented on AMQ-4567:
-------------------------------------

Hi Christian,

Yes, I think we should enhance it.
Using the authorization plugin we can fine-tune what operations a user is allowed to invoke. There are admin rights to be given to users for creating/destroying destinations.

If JMX access to the broker was only done by JMX tools like jconsole, this bug would be less relevant. But the AMQ web console uses JMX for creating/deleting destinations and IIRC subscriptions as well.
Right now it's impossible to secure the web console in a way that certain users cannot invoke these administrative functions but have read access in general to the console.

> JMX operations on broker bypass authorization plugin
> -----------------------------------------------------
>
> Key: AMQ-4567
> URL: https://issues.apache.org/jira/browse/AMQ-4567
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Affects Versions: 5.8.0
> Reporter: Torsten Mielke
> Labels: authorization
>
> When securing the broker using authentication and authorization, any JMX
> operations on the broker completely bypass the authorization plugin.
> So anyone can modify the broker bypassing the security checks. Also, because
> of this it's not possible to define a read only user for the web console.