[ https://issues.apache.org/jira/browse/QPID-7380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15464417#comment-15464417 ]
Keith Wall commented on QPID-7380:
----------------------------------
Reviewed commit 1758674, changes look reasonable to me.
> [Java Broker] Managed Operations returning potentially confidential
> information should not be permitted by default on insecure connections
> ------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: QPID-7380
> URL: https://issues.apache.org/jira/browse/QPID-7380
> Project: Qpid
> Issue Type: Improvement
> Reporter: Rob Godfrey
> Fix For: qpid-java-6.1
>
>
> Operations such as getting message content or extracting config or message
> data may contain confidential information. As such one would not normally
> wish these operations to be permitted on insecure (non-TLS) connections. We
> should enhance the metadata for managed operations to allow for declaring
> them "secure"; we should then change the REST servlet to prevent the
> operation of "secure" operations on insecure connections. To allow those who
> are aware of the risks, but accept them, we should add an attribute to the
> (Http)Port to allow secure operations to be performed on that port even where
> the connection is insecure.
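An added example, not taken from the Qpid code base or from commit 1758674, of the check the issue description proposes: operations carry a "secure" flag in their metadata, and a single gate consults the transport and the port's opt-in before dispatch. The annotation `ManagedOp`, the `Queue` class, and the `portAllowsInsecure` parameter are hypothetical names chosen for illustration.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

public class SecureOperationGate {

    // Hypothetical metadata: marks an operation whose result may be confidential.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface ManagedOp {
        boolean secure() default false;
    }

    // Hypothetical managed object exposing one confidential and one benign operation.
    static class Queue {
        @ManagedOp(secure = true)
        public String getMessageContent(long id) { return "payload-" + id; }

        @ManagedOp
        public int getQueueDepth() { return 3; }
    }

    /**
     * Decide whether an operation may run on this connection.
     * In a servlet, transportIsTls would come from HttpServletRequest.isSecure(),
     * which describes only the hop that reaches the servlet container.
     * portAllowsInsecure stands in for the per-port opt-in attribute.
     */
    static boolean isPermitted(Method op, boolean transportIsTls, boolean portAllowsInsecure) {
        ManagedOp meta = op.getAnnotation(ManagedOp.class);
        if (meta == null) {
            return false;               // not declared as a managed operation: deny
        }
        if (!meta.secure()) {
            return true;                // nothing confidential is returned
        }
        return transportIsTls || portAllowsInsecure;
    }

    public static void main(String[] args) throws Exception {
        Method content = Queue.class.getMethod("getMessageContent", long.class);
        Method depth = Queue.class.getMethod("getQueueDepth");
        // Plain HTTP on a port with the default setting, then with the opt-in, then over TLS.
        System.out.println("content, http, default: " + isPermitted(content, false, false));
        System.out.println("content, http, opt-in:  " + isPermitted(content, false, true));
        System.out.println("content, tls,  default: " + isPermitted(content, true, false));
        System.out.println("depth,   http, default: " + isPermitted(depth, false, false));
    }
}
```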