[ https://issues.apache.org/jira/browse/AMQ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17687000#comment-17687000 ]

Jean-Baptiste Onofré commented on AMQ-9198:
-------------------------------------------

I don't understand your config. Why not just add the {{reader}} role to the 
{{securityConstraint}}?

Something like this:
{code:java}
    <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
        <property name="name" value="BASIC" />
        <property name="roles" value="user,admin,reader" />
        <!-- set authenticate=false to disable login -->
        <property name="authenticate" value="true" />
    </bean> {code}
The {{securityConstraint}} is already just read-only.

> Self-customized read-only role for AMQ works but caused admin/security login 
> gives 403
> --------------------------------------------------------------------------------------
>
>                 Key: AMQ-9198
>                 URL: https://issues.apache.org/jira/browse/AMQ-9198
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Web Console
>            Reporter: Wei Guo
>            Assignee: Jean-Baptiste Onofré
>            Priority: Critical
>             Fix For: 5.18.0, 5.17.4
>
>         Attachments: image-2023-01-16-17-12-33-509.png
>
>
> We added a new customized read-only Constraint with Mapping, 
> readerSecurityConstraintMapping, for read-only permission for the AMQ web UI 
> portal. It works for read-only users, showing the expected 403 for prohibited 
> URLs, 
> but when we switch to the admin user, it gives a 403 error:
> !image-2023-01-16-17-12-33-509.png!
> jetty.xml : 
> {code:java}
>     <bean id="readerSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
>         <property name="name" value="BASIC" />
>         <property name="roles" value="reader" />
>         <property name="authenticate" value="true" />
>     </bean>
>     
>     <bean id="readerSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>         <property name="constraint" ref="readerSecurityConstraint" />
>         <property name="pathSpec" value="/index.html,/admin/*.html,/admin/index.jsp,/admin/queues.jsp,/admin/browse.jsp,/admin/queueConsumers.jsp,/admin/topics.jsp,/admin/topicProducers.jsp,/admin/topicSubscribers.jsp,/admin/connections.jsp,/admin/network.jsp,/admin/scheduled.jsp,/admin/queueGraph.jsp,/admin/xml/queues.jsp,/admin/xml/subscribers.jsp"/>
>     </bean> 
>     <bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>         <property name="loginService" ref="securityLoginService" />
>         <property name="authenticator">
>             <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
>         </property>
>         <property name="constraintMappings">
>             <list>
>                 <ref bean="adminSecurityConstraintMapping" />
>                 <ref bean="securityConstraintMapping" />
>                 <ref bean="readerSecurityConstraintMapping" />
>             </list>
>         </property>
>         <property name="handler" ref="secHandlerCollection" />
>     </bean>{code}
> ==jetty-realm.properties==
> admin: admin, admin
> user: user, user
> reader: reader,reader



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
