Rob Godfrey created QPID-7380:
---------------------------------
Summary: [Java Broker] Managed Operations returning potentially
confidential information should not be permitted by default on insecure
connections
Key: QPID-7380
URL: https://issues.apache.org/jira/browse/QPID-7380
Project: Qpid
Issue Type: Improvement
Reporter: Rob Godfrey
Fix For: qpid-java-6.1

Operations such as getting message content or extracting config or message data
may contain confidential information. As such, one would not normally wish
these operations to be permitted on insecure (non-TLS) connections. We should
enhance the metadata for managed operations to allow for declaring them
"secure"; we should then change the REST servlet to prevent the operation of
"secure" operations on insecure connections. To allow those who are aware of
the risks, but accept them, we should add an attribute to the (Http)Port to
allow secure operations to be performed on that port even where the connection
is insecure.
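
A sketch of the gate this issue proposes, added here as an illustration and not taken from the Qpid code base: operation metadata carries a "secure" flag, the REST layer refuses flagged operations on non-TLS connections, and a per-port attribute is the explicit opt-in. The names `Operation`, `Port`, `allowSecureOperationsOnInsecureConnection`, `Queue` and `handle` are all hypothetical.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

public class SecureOperationGate {
    // Hypothetical metadata flag: the operation's result may be confidential.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface Operation { boolean secure() default false; }

    // Hypothetical port attribute: the explicit opt-in for accepting the risk (Java 16+ record).
    record Port(String name, boolean allowSecureOperationsOnInsecureConnection) {}

    // Constructed managed object with one confidential and one harmless operation.
    public static class Queue {
        @Operation(secure = true)
        public String getMessageContent() { return "constructed-message-body"; }
        @Operation
        public int getQueueDepth() { return 3; }
    }

    // Deny by default: unannotated methods are not operations, and "secure"
    // operations need TLS unless the port has opted in.
    static boolean permitted(Method m, Port port, boolean tls) {
        Operation meta = m.getAnnotation(Operation.class);
        if (meta == null) return false;
        return !meta.secure() || tls || port.allowSecureOperationsOnInsecureConnection();
    }

    // Stand-in for the REST layer; in a servlet, tls would come from
    // HttpServletRequest.isSecure(). Returns an HTTP status plus a body.
    static String handle(Object target, String opName, Port port, boolean tls) throws Exception {
        Method m = target.getClass().getMethod(opName);
        if (!permitted(m, port, tls)) {
            return "403 operation '" + opName + "' requires a secure connection on port " + port.name();
        }
        return "200 " + m.invoke(target);
    }

    public static void main(String[] args) throws Exception {
        Queue q = new Queue();
        Port strict = new Port("HTTP", false);   // default: no opt-in
        Port optIn = new Port("HTTP-lab", true); // operator accepted the risk
        System.out.println(handle(q, "getMessageContent", strict, false)); // plain HTTP, default port
        System.out.println(handle(q, "getMessageContent", strict, true));  // TLS connection
        System.out.println(handle(q, "getMessageContent", optIn, false));  // plain HTTP, opted-in port
        System.out.println(handle(q, "getQueueDepth", strict, false));     // operation not flagged secure
    }
}
```

The check runs before the operation is invoked, so a refused request never reads the confidential data, and the refusal names the port so an operator can tell which listener needs TLS or the opt-in.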