[ https://issues.apache.org/jira/browse/AMQ-5388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17478810#comment-17478810 ]
ASF subversion and git services commented on AMQ-5388:
-------------------------------------------------------

Commit c67ada04c77e9379ef25ac62d5ea1fcf20cf8b8f in activemq's branch refs/heads/main from Vilius Šumskas
[ https://gitbox.apache.org/repos/asf?p=activemq.git;h=c67ada0 ]

https://issues.apache.org/jira/browse/AMQ-5388 Fix user permissions in web console

> User Role Granted Full Privileges in jetty.xml
> ----------------------------------------------
>
>                 Key: AMQ-5388
>                 URL: https://issues.apache.org/jira/browse/AMQ-5388
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Web Console
>    Affects Versions: 5.9.0
>         Environment: Any
>            Reporter: Justin Reock
>            Assignee: Jean-Baptiste Onofré
>            Priority: Minor
>              Labels: jetty, security, web-console
>             Fix For: 5.17.0, 5.16.4
>
>
> The default ConstraintMapping for the "user" role grants privileges to
> /admin/*, which supersedes the *.action constraint that is supposed to be
> granted only to the admin role.
> The current pathspec for the user role reads:
> <property name="pathSpec" value="/api/*,/admin/*,*.jsp" />
> By granting access to /admin/*, that in turn grants access to all of the
> *.action URLs, essentially nullifying the attempt to restrict *.action URLs
> to only the admin role.
> To repeat, just log in as the default "user/user" account to the web console
> and add or delete destinations.
> Workaround is to change the pathSpec to:
> <property name="pathSpec" value="/,*.jsp,*.css" />
> Which allows access to the console but disallows access to the *.action URLs.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
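The issue above turns on how a servlet container picks the security constraint for a request: only the most specific matching pathSpec applies, and a path-prefix mapping such as "/admin/*" outranks an extension mapping such as "*.action". The following is an added example, not code from ActiveMQ, Jetty or the issue reporter. It models that precedence in Python (exact match, then longest prefix, then extension, then the default "/" mapping, the order the Servlet specification prescribes and Jetty follows) and applies it to the two ConstraintMapping pathSpecs quoted in the issue. Assumptions: the admin constraint's pathSpec is exactly "*.action" as the issue describes; the "user" constraint is taken to admit the admin role as well so admins can still load console pages; the request paths, including "/admin/deleteDestination.action", are constructed samples standing in for any admin-only *.action URL; and Jetty's merging of roles across constraints that share one identical pathSpec is not modelled since no two mappings here share a spec.

```python
"""Which ConstraintMapping wins for a request path, and who gets in.

Models the servlet mapping precedence a container such as Jetty uses to pick
ONE constraint for a request, then evaluates the roles that constraint admits.
"""

# Constraint mappings as described in AMQ-5388: (roles the constraint admits,
# comma-separated Jetty pathSpec). Assumption: the "user" constraint also admits
# "admin" so administrators can still reach the console pages.
VULNERABLE = [
    (frozenset({"admin"}), "*.action"),
    (frozenset({"user", "admin"}), "/api/*,/admin/*,*.jsp"),
]

# The same two constraints with the workaround pathSpec from the issue.
WORKAROUND = [
    (frozenset({"admin"}), "*.action"),
    (frozenset({"user", "admin"}), "/,*.jsp,*.css"),
]


def split_specs(spec_list):
    """Jetty accepts several specs in one pathSpec property, comma-separated."""
    return [s.strip() for s in spec_list.split(",") if s.strip()]


def spec_matches(spec, path):
    """Servlet-style match of a single pathSpec against a request path."""
    if spec == "/":
        return True                                  # default mapping
    if spec.endswith("/*"):
        prefix = spec[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if spec.startswith("*."):
        return path.endswith(spec[1:])               # extension mapping
    return path == spec                              # exact mapping


def precedence(spec):
    """Sort key: exact < longest prefix < extension < default (Servlet 12.1)."""
    if spec == "/":
        return (3, 0)
    if spec.endswith("/*"):
        return (1, -len(spec))                       # longer prefix wins
    if spec.startswith("*."):
        return (2, 0)
    return (0, 0)


def select_constraint(mappings, path):
    """Return (admitted_roles, winning_spec), or None if no spec matches."""
    candidates = [
        (precedence(spec), spec, roles)
        for roles, spec_list in mappings
        for spec in split_specs(spec_list)
        if spec_matches(spec, path)
    ]
    if not candidates:
        return None
    _, spec, roles = min(candidates, key=lambda c: (c[0], c[1]))
    return roles, spec


def is_authorized(mappings, path, principal_roles):
    """True if a principal holding principal_roles may request path."""
    chosen = select_constraint(mappings, path)
    if chosen is None:
        return True                                  # unconstrained path
    admitted, _ = chosen
    return bool(frozenset(principal_roles) & admitted)


if __name__ == "__main__":
    # Constructed sample paths; deleteDestination.action stands in for any
    # admin-only *.action URL of the console.
    for label, mappings in (("as shipped", VULNERABLE), ("workaround", WORKAROUND)):
        for path in ("/admin/index.jsp", "/admin/deleteDestination.action"):
            _, spec = select_constraint(mappings, path)
            ok = is_authorized(mappings, path, {"user"})
            print(f"{label:10} {path:34} wins={spec:9} user allowed={ok}")
```

With the shipped pathSpec, "/admin/*" is chosen for "/admin/deleteDestination.action" and the user role is admitted; with the workaround the only prefix spec is gone, "*.action" wins and only admin is admitted. Note that the workaround's "/" default spec now constrains every path nothing else matches, so previously unconstrained resources also require a login; that is a side effect to check, not a defect.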