[ https://issues.apache.org/jira/browse/AMQ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste Onofré updated AMQ-9198:
--------------------------------------
    Fix Version/s:     (was: 5.18.0)
                       (was: 5.17.4)

> Self-customized read-only role for AMQ works but caused admin/security login gives 403
> --------------------------------------------------------------------------------------
>
>                 Key: AMQ-9198
>                 URL: https://issues.apache.org/jira/browse/AMQ-9198
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Web Console
>            Reporter: Wei Guo
>            Assignee: Jean-Baptiste Onofré
>            Priority: Critical
>         Attachments: image-2023-01-16-17-12-33-509.png
>
>
> We added a new customized read-only Constraint with Mapping: readerSecurityConstraintMapping for read-only permission for AMQ web UI portal. It works for read-only users to show the expected 403 for prohibited URLs,
> but when we switch to the admin user, it gives a 403 error:
> !image-2023-01-16-17-12-33-509.png!
> jetty.xml:
> {code:java}
> <bean id="readerSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
>     <property name="name" value="BASIC" />
>     <property name="roles" value="reader" />
>     <property name="authenticate" value="true" />
> </bean>
>
> <bean id="readerSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>     <property name="constraint" ref="readerSecurityConstraint" />
>     <property name="pathSpec" value="/index.html,/admin/*.html,/admin/index.jsp,/admin/queues.jsp,/admin/browse.jsp,/admin/queueConsumers.jsp,/admin/topics.jsp,/admin/topicProducers.jsp,/admin/topicSubscribers.jsp,/admin/connections.jsp,/admin/network.jsp,/admin/scheduled.jsp,/admin/queueGraph.jsp,/admin/xml/queues.jsp,/admin/xml/subscribers.jsp"/>
> </bean>
> <bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>     <property name="loginService" ref="securityLoginService" />
>     <property name="authenticator">
>         <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
>     </property>
>     <property name="constraintMappings">
>         <list>
>             <ref bean="adminSecurityConstraintMapping" />
>             <ref bean="securityConstraintMapping" />
>             <ref bean="readerSecurityConstraintMapping" />
>         </list>
>     </property>
>     <property name="handler" ref="secHandlerCollection" />
> </bean>{code}
> ==jetty-realm.properties==
> admin: admin, admin
> user: user, user
> reader: reader,reader
>
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
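
A static cross-check of the two files quoted in the report, as an added example (not part of the Jira issue or of ActiveMQ): for each `ConstraintMapping` it lists the realm users who hold none of the roles its constraint requires. The XML is the reporter's reader beans with a shortened `pathSpec` and no Spring namespace, the function names are illustrative, and which mapping Jetty selects for a given request is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed input: the reporter's reader beans, pathSpec shortened, no XML namespace.
JETTY_XML = """<beans>
  <bean id="readerSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC" />
    <property name="roles" value="reader" />
    <property name="authenticate" value="true" />
  </bean>
  <bean id="readerSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="readerSecurityConstraint" />
    <property name="pathSpec" value="/index.html,/admin/queues.jsp,/admin/topics.jsp" />
  </bean>
</beans>"""

# The realm entries as quoted in the report.
REALM = "admin: admin, admin\nuser: user, user\nreader: reader,reader\n"

def parse_realm(text):
    """Jetty realm properties, 'user: password[,role ...]' -> {user: {roles}}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        fields = [f.strip() for f in rest.split(",")]
        users[name.strip()] = {r for r in fields[1:] if r}  # fields[0] is the password
    return users

def props(bean):
    """Index a bean's direct <property> children by name."""
    return {p.get("name"): p for p in bean.findall("property")}

def audit(xml_text, realm_text):
    """Return {pathSpec: (required_roles, users_holding_none_of_them)}."""
    beans = {b.get("id"): b for b in ET.fromstring(xml_text).iter("bean") if b.get("id")}
    users = parse_realm(realm_text)
    report = {}
    for bean in (b for b in beans.values() if b.get("class", "").endswith("ConstraintMapping")):
        p = props(bean)
        constraint = props(beans[p["constraint"].get("ref")])
        roles = {r.strip() for r in constraint["roles"].get("value").split(",")}
        denied = sorted(u for u, held in users.items() if not roles & held)
        for spec in p["pathSpec"].get("value").split(","):
            report[spec.strip()] = (roles, denied)
    return report

if __name__ == "__main__":
    print(audit(JETTY_XML, REALM))
```

On this input every path in the reader mapping requires only `reader`, and the realm gives `admin` and `user` no such role.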