This is an automated email from the ASF dual-hosted git repository.

rcordier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git

commit 40d3ab812abcb391ce78d76ea531204ba2980014
Author: Rene Cordier <[email protected]>
AuthorDate: Fri Apr 10 15:32:24 2026 +0700

    JAMES-4201 Webadmin documentation for password.readonly and 
password.nodelete
---
 .../servers/partials/configure/webadmin.adoc       | 64 +++++++++++++++++++++-
 .../sample-configuration/webadmin.properties       | 14 ++++-
 .../sample-configuration/webadmin.properties       | 14 ++++-
 .../sample-configuration/webadmin.properties       | 14 ++++-
 .../sample-configuration/webadmin.properties       | 14 ++++-
 .../sample-configuration/webadmin.properties       | 14 ++++-
 .../sample-configuration/webadmin.properties       | 14 ++++-
 .../sample-configuration/webadmin.properties       | 16 +++++-
 8 files changed, 153 insertions(+), 11 deletions(-)

diff --git a/docs/modules/servers/partials/configure/webadmin.adoc 
b/docs/modules/servers/partials/configure/webadmin.adoc
index 819691de2d..e2566a59c3 100644
--- a/docs/modules/servers/partials/configure/webadmin.adoc
+++ b/docs/modules/servers/partials/configure/webadmin.adoc
@@ -8,8 +8,8 @@ The web administration supports for now the CRUD operations on:
 - Performing cassandra migrations [small]*_(only for Distributed James Server 
that uses cassandra as backend)_*
 - And much more, as described in the following sections.
 
-*WARNING*: This API allows authentication only via the use of JWT. If not
-configured with JWT, an administrator should ensure an attacker can not
+*WARNING*: This API supports authentication via JWT or static passwords. If not
+configured with either, an administrator should ensure an attacker cannot
 use this API.
 
 By the way, some endpoints are not filtered by authentication. Those endpoints 
are not related to data stored in James,
@@ -41,7 +41,7 @@ to get some examples and hints.
 
 | password
 | Uses a configured static value for authentication. It relies on the Password 
header.
-It supports several passwords, configured as a coma separated list.
+It supports several passwords, configured as a comma separated list.
 
 ....
 password=secretA,secretB,secretC
@@ -62,6 +62,54 @@ Password: secretD
 
 As well as request without the password header.
 
+| password.readonly
+| Configures passwords that only allow read operations (GET requests).
+These passwords can view data but cannot modify it.
+Multiple passwords can be configured as a comma-separated list.
+
+....
+password.readonly=aaa,bbb
+....
+
+Requests with these passwords will be allowed for:
+
+....
+GET /domains
+GET /users
+....
+
+But denied for:
+
+....
+POST /domains
+DELETE /users
+PUT /mailboxes
+....
+
+| password.nodelete
+| Configures passwords that allow all operations except DELETE.
+These passwords can read and create/modify data but cannot delete.
+Multiple passwords can be configured as a comma-separated list.
+
+....
+password.nodelete=ccc,ddd
+....
+
+Requests with these passwords will be allowed for:
+
+....
+GET /domains
+POST /users
+PUT /mailboxes
+....
++
+But denied for:
++
+....
+DELETE /domains
+DELETE /users
+....
+
 | jwt.enable
 | Allow JSON Web Token as an authentication mechanism (default: false)
 
@@ -98,6 +146,16 @@ 
xref:{pages-path}/customization/webadmin-routes.adoc[creating you own webadmin r
 
 |===
 
+*Note on HTTP status codes:*
+
+- `401 Unauthorized` is returned when:
+  - No password header is provided
+  - The password is not recognized (not in any of the configured lists)
+
+- `403 Forbidden` is returned when:
+  - The password is valid but the HTTP method is not allowed for that password 
type
+  - For example, using a readonly password for a POST request
+
 == Generating a JWT key pair
 
 The {server-name} enforces the use of RSA-SHA-256.
diff --git 
a/server/apps/distributed-app/sample-configuration/webadmin.properties 
b/server/apps/distributed-app/sample-configuration/webadmin.properties
index b97c71829c..7376656fce 100644
--- a/server/apps/distributed-app/sample-configuration/webadmin.properties
+++ b/server/apps/distributed-app/sample-configuration/webadmin.properties
@@ -52,4 +52,16 @@ https.enabled=false
 # List of fully qualified class names that should be exposed over webadmin
 # in addition to your product default routes. Routes needs to be located
 # within the classpath or in the ./extensions-jars folder.
-#extensions.routes=
\ No newline at end of file
+#extensions.routes=
+
+# Password authentication settings
+# Configure one or more passwords (comma separated) for WebAdmin authentication
+#password=secret1,secret2
+
+# Read-only passwords - only allow GET requests
+# These passwords can only perform read operations
+#password.readonly=aaa,bbb
+
+# No-delete passwords - allow all operations except DELETE
+# These passwords can perform read and write operations but not delete
+#password.nodelete=ccc,ddd
\ No newline at end of file
diff --git 
a/server/apps/distributed-pop3-app/sample-configuration/webadmin.properties 
b/server/apps/distributed-pop3-app/sample-configuration/webadmin.properties
index b97c71829c..7376656fce 100644
--- a/server/apps/distributed-pop3-app/sample-configuration/webadmin.properties
+++ b/server/apps/distributed-pop3-app/sample-configuration/webadmin.properties
@@ -52,4 +52,16 @@ https.enabled=false
 # List of fully qualified class names that should be exposed over webadmin
 # in addition to your product default routes. Routes needs to be located
 # within the classpath or in the ./extensions-jars folder.
-#extensions.routes=
\ No newline at end of file
+#extensions.routes=
+
+# Password authentication settings
+# Configure one or more passwords (comma separated) for WebAdmin authentication
+#password=secret1,secret2
+
+# Read-only passwords - only allow GET requests
+# These passwords can only perform read operations
+#password.readonly=aaa,bbb
+
+# No-delete passwords - allow all operations except DELETE
+# These passwords can perform read and write operations but not delete
+#password.nodelete=ccc,ddd
\ No newline at end of file
diff --git a/server/apps/jpa-app/sample-configuration/webadmin.properties 
b/server/apps/jpa-app/sample-configuration/webadmin.properties
index 5dc74740c5..e21c89b0bc 100644
--- a/server/apps/jpa-app/sample-configuration/webadmin.properties
+++ b/server/apps/jpa-app/sample-configuration/webadmin.properties
@@ -46,4 +46,16 @@ https.enabled=false
 # List of fully qualified class names that should be exposed over webadmin
 # in addition to your product default routes. Routes needs to be located
 # within the classpath or in the ./extensions-jars folder.
-#extensions.routes=
\ No newline at end of file
+#extensions.routes=
+
+# Password authentication settings
+# Configure one or more passwords (comma separated) for WebAdmin authentication
+#password=secret1,secret2
+
+# Read-only passwords - only allow GET requests
+# These passwords can only perform read operations
+#password.readonly=aaa,bbb
+
+# No-delete passwords - allow all operations except DELETE
+# These passwords can perform read and write operations but not delete
+#password.nodelete=ccc,ddd
\ No newline at end of file
diff --git a/server/apps/jpa-smtp-app/sample-configuration/webadmin.properties 
b/server/apps/jpa-smtp-app/sample-configuration/webadmin.properties
index 5dc74740c5..e21c89b0bc 100644
--- a/server/apps/jpa-smtp-app/sample-configuration/webadmin.properties
+++ b/server/apps/jpa-smtp-app/sample-configuration/webadmin.properties
@@ -46,4 +46,16 @@ https.enabled=false
 # List of fully qualified class names that should be exposed over webadmin
 # in addition to your product default routes. Routes needs to be located
 # within the classpath or in the ./extensions-jars folder.
-#extensions.routes=
\ No newline at end of file
+#extensions.routes=
+
+# Password authentication settings
+# Configure one or more passwords (comma separated) for WebAdmin authentication
+#password=secret1,secret2
+
+# Read-only passwords - only allow GET requests
+# These passwords can only perform read operations
+#password.readonly=aaa,bbb
+
+# No-delete passwords - allow all operations except DELETE
+# These passwords can perform read and write operations but not delete
+#password.nodelete=ccc,ddd
\ No newline at end of file
diff --git a/server/apps/memory-app/sample-configuration/webadmin.properties 
b/server/apps/memory-app/sample-configuration/webadmin.properties
index 3449eedc92..a9eb36a813 100644
--- a/server/apps/memory-app/sample-configuration/webadmin.properties
+++ b/server/apps/memory-app/sample-configuration/webadmin.properties
@@ -53,4 +53,16 @@ https.enabled=false
 # List of fully qualified class names that should be exposed over webadmin
 # in addition to your product default routes. Routes needs to be located
 # within the classpath or in the ./extensions-jars folder.
-#extensions.routes=
\ No newline at end of file
+#extensions.routes=
+
+# Password authentication settings
+# Configure one or more passwords (comma separated) for WebAdmin authentication
+#password=secret1,secret2
+
+# Read-only passwords - only allow GET requests
+# These passwords can only perform read operations
+#password.readonly=aaa,bbb
+
+# No-delete passwords - allow all operations except DELETE
+# These passwords can perform read and write operations but not delete
+#password.nodelete=ccc,ddd
\ No newline at end of file
diff --git a/server/apps/postgres-app/sample-configuration/webadmin.properties 
b/server/apps/postgres-app/sample-configuration/webadmin.properties
index 5dc74740c5..e21c89b0bc 100644
--- a/server/apps/postgres-app/sample-configuration/webadmin.properties
+++ b/server/apps/postgres-app/sample-configuration/webadmin.properties
@@ -46,4 +46,16 @@ https.enabled=false
 # List of fully qualified class names that should be exposed over webadmin
 # in addition to your product default routes. Routes needs to be located
 # within the classpath or in the ./extensions-jars folder.
-#extensions.routes=
\ No newline at end of file
+#extensions.routes=
+
+# Password authentication settings
+# Configure one or more passwords (comma separated) for WebAdmin authentication
+#password=secret1,secret2
+
+# Read-only passwords - only allow GET requests
+# These passwords can only perform read operations
+#password.readonly=aaa,bbb
+
+# No-delete passwords - allow all operations except DELETE
+# These passwords can perform read and write operations but not delete
+#password.nodelete=ccc,ddd
\ No newline at end of file
diff --git 
a/server/apps/scaling-pulsar-smtp/sample-configuration/webadmin.properties 
b/server/apps/scaling-pulsar-smtp/sample-configuration/webadmin.properties
index d042dd1525..5a494e0e59 100644
--- a/server/apps/scaling-pulsar-smtp/sample-configuration/webadmin.properties
+++ b/server/apps/scaling-pulsar-smtp/sample-configuration/webadmin.properties
@@ -1,4 +1,4 @@
-m#  Licensed to the Apache Software Foundation (ASF) under one
+#  Licensed to the Apache Software Foundation (ASF) under one
 #  or more contributor license agreements.  See the NOTICE file
 #  distributed with this work for additional information
 #  regarding copyright ownership.  The ASF licenses this file
@@ -46,4 +46,16 @@ https.enabled=false
 # List of fully qualified class names that should be exposed over webadmin
 # in addition to your product default routes. Routes needs to be located
 # within the classpath or in the ./extensions-jars folder.
-#extensions.routes=
\ No newline at end of file
+#extensions.routes=
+
+# Password authentication settings
+# Configure one or more passwords (comma separated) for WebAdmin authentication
+#password=secret1,secret2
+
+# Read-only passwords - only allow GET requests
+# These passwords can only perform read operations
+#password.readonly=aaa,bbb
+
+# No-delete passwords - allow all operations except DELETE
+# These passwords can perform read and write operations but not delete
+#password.nodelete=ccc,ddd
\ No newline at end of file


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to