This is an automated email from the ASF dual-hosted git repository. rcordier pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 40d3ab812abcb391ce78d76ea531204ba2980014 Author: Rene Cordier <[email protected]> AuthorDate: Fri Apr 10 15:32:24 2026 +0700 JAMES-4201 Webadmin documentation for password.readonly and password.nodelete --- .../servers/partials/configure/webadmin.adoc | 64 +++++++++++++++++++++- .../sample-configuration/webadmin.properties | 14 ++++- .../sample-configuration/webadmin.properties | 14 ++++- .../sample-configuration/webadmin.properties | 14 ++++- .../sample-configuration/webadmin.properties | 14 ++++- .../sample-configuration/webadmin.properties | 14 ++++- .../sample-configuration/webadmin.properties | 14 ++++- .../sample-configuration/webadmin.properties | 16 +++++- 8 files changed, 153 insertions(+), 11 deletions(-) diff --git a/docs/modules/servers/partials/configure/webadmin.adoc b/docs/modules/servers/partials/configure/webadmin.adoc index 819691de2d..e2566a59c3 100644 --- a/docs/modules/servers/partials/configure/webadmin.adoc +++ b/docs/modules/servers/partials/configure/webadmin.adoc @@ -8,8 +8,8 @@ The web administration supports for now the CRUD operations on: - Performing cassandra migrations [small]*_(only for Distributed James Server that uses cassandra as backend)_* - And much more, as described in the following sections. -*WARNING*: This API allows authentication only via the use of JWT. If not -configured with JWT, an administrator should ensure an attacker can not +*WARNING*: This API supports authentication via JWT or static passwords. If not +configured with either, an administrator should ensure an attacker cannot use this API. By the way, some endpoints are not filtered by authentication. Those endpoints are not related to data stored in James, @@ -41,7 +41,7 @@ to get some examples and hints. | password | Uses a configured static value for authentication. It relies on the Password header. -It supports several passwords, configured as a coma separated list. +It supports several passwords, configured as a comma separated list. .... password=secretA,secretB,secretC @@ -62,6 +62,54 @@ Password: secretD As well as request without the password header. +| password.readonly +| Configures passwords that only allow read operations (GET requests). +These passwords can view data but cannot modify it. +Multiple passwords can be configured as a comma-separated list. + +.... +password.readonly=aaa,bbb +.... + +Requests with these passwords will be allowed for: + +.... +GET /domains +GET /users +.... + +But denied for: + +.... +POST /domains +DELETE /users +PUT /mailboxes +.... + +| password.nodelete +| Configures passwords that allow all operations except DELETE. +These passwords can read and create/modify data but cannot delete. +Multiple passwords can be configured as a comma-separated list. + +.... +password.nodelete=ccc,ddd +.... + +Requests with these passwords will be allowed for: + +.... +GET /domains +POST /users +PUT /mailboxes +.... ++ +But denied for: ++ +.... +DELETE /domains +DELETE /users +.... + | jwt.enable | Allow JSON Web Token as an authentication mechanism (default: false) @@ -98,6 +146,16 @@ xref:{pages-path}/customization/webadmin-routes.adoc[creating you own webadmin r |=== +*Note on HTTP status codes:* + +- `401 Unauthorized` is returned when: + - No password header is provided + - The password is not recognized (not in any of the configured lists) + +- `403 Forbidden` is returned when: + - The password is valid but the HTTP method is not allowed for that password type + - For example, using a readonly password for a POST request + == Generating a JWT key pair The {server-name} enforces the use of RSA-SHA-256. diff --git a/server/apps/distributed-app/sample-configuration/webadmin.properties b/server/apps/distributed-app/sample-configuration/webadmin.properties index b97c71829c..7376656fce 100644 --- a/server/apps/distributed-app/sample-configuration/webadmin.properties +++ b/server/apps/distributed-app/sample-configuration/webadmin.properties @@ -52,4 +52,16 @@ https.enabled=false # List of fully qualified class names that should be exposed over webadmin # in addition to your product default routes. Routes needs to be located # within the classpath or in the ./extensions-jars folder. -#extensions.routes= \ No newline at end of file +#extensions.routes= + +# Password authentication settings +# Configure one or more passwords (comma separated) for WebAdmin authentication +#password=secret1,secret2 + +# Read-only passwords - only allow GET requests +# These passwords can only perform read operations +#password.readonly=aaa,bbb + +# No-delete passwords - allow all operations except DELETE +# These passwords can perform read and write operations but not delete +#password.nodelete=ccc,ddd \ No newline at end of file diff --git a/server/apps/distributed-pop3-app/sample-configuration/webadmin.properties b/server/apps/distributed-pop3-app/sample-configuration/webadmin.properties index b97c71829c..7376656fce 100644 --- a/server/apps/distributed-pop3-app/sample-configuration/webadmin.properties +++ b/server/apps/distributed-pop3-app/sample-configuration/webadmin.properties @@ -52,4 +52,16 @@ https.enabled=false # List of fully qualified class names that should be exposed over webadmin # in addition to your product default routes. Routes needs to be located # within the classpath or in the ./extensions-jars folder. -#extensions.routes= \ No newline at end of file +#extensions.routes= + +# Password authentication settings +# Configure one or more passwords (comma separated) for WebAdmin authentication +#password=secret1,secret2 + +# Read-only passwords - only allow GET requests +# These passwords can only perform read operations +#password.readonly=aaa,bbb + +# No-delete passwords - allow all operations except DELETE +# These passwords can perform read and write operations but not delete +#password.nodelete=ccc,ddd \ No newline at end of file diff --git a/server/apps/jpa-app/sample-configuration/webadmin.properties b/server/apps/jpa-app/sample-configuration/webadmin.properties index 5dc74740c5..e21c89b0bc 100644 --- a/server/apps/jpa-app/sample-configuration/webadmin.properties +++ b/server/apps/jpa-app/sample-configuration/webadmin.properties @@ -46,4 +46,16 @@ https.enabled=false # List of fully qualified class names that should be exposed over webadmin # in addition to your product default routes. Routes needs to be located # within the classpath or in the ./extensions-jars folder. -#extensions.routes= \ No newline at end of file +#extensions.routes= + +# Password authentication settings +# Configure one or more passwords (comma separated) for WebAdmin authentication +#password=secret1,secret2 + +# Read-only passwords - only allow GET requests +# These passwords can only perform read operations +#password.readonly=aaa,bbb + +# No-delete passwords - allow all operations except DELETE +# These passwords can perform read and write operations but not delete +#password.nodelete=ccc,ddd \ No newline at end of file diff --git a/server/apps/jpa-smtp-app/sample-configuration/webadmin.properties b/server/apps/jpa-smtp-app/sample-configuration/webadmin.properties index 5dc74740c5..e21c89b0bc 100644 --- a/server/apps/jpa-smtp-app/sample-configuration/webadmin.properties +++ b/server/apps/jpa-smtp-app/sample-configuration/webadmin.properties @@ -46,4 +46,16 @@ https.enabled=false # List of fully qualified class names that should be exposed over webadmin # in addition to your product default routes. Routes needs to be located # within the classpath or in the ./extensions-jars folder. -#extensions.routes= \ No newline at end of file +#extensions.routes= + +# Password authentication settings +# Configure one or more passwords (comma separated) for WebAdmin authentication +#password=secret1,secret2 + +# Read-only passwords - only allow GET requests +# These passwords can only perform read operations +#password.readonly=aaa,bbb + +# No-delete passwords - allow all operations except DELETE +# These passwords can perform read and write operations but not delete +#password.nodelete=ccc,ddd \ No newline at end of file diff --git a/server/apps/memory-app/sample-configuration/webadmin.properties b/server/apps/memory-app/sample-configuration/webadmin.properties index 3449eedc92..a9eb36a813 100644 --- a/server/apps/memory-app/sample-configuration/webadmin.properties +++ b/server/apps/memory-app/sample-configuration/webadmin.properties @@ -53,4 +53,16 @@ https.enabled=false # List of fully qualified class names that should be exposed over webadmin # in addition to your product default routes. Routes needs to be located # within the classpath or in the ./extensions-jars folder. -#extensions.routes= \ No newline at end of file +#extensions.routes= + +# Password authentication settings +# Configure one or more passwords (comma separated) for WebAdmin authentication +#password=secret1,secret2 + +# Read-only passwords - only allow GET requests +# These passwords can only perform read operations +#password.readonly=aaa,bbb + +# No-delete passwords - allow all operations except DELETE +# These passwords can perform read and write operations but not delete +#password.nodelete=ccc,ddd \ No newline at end of file diff --git a/server/apps/postgres-app/sample-configuration/webadmin.properties b/server/apps/postgres-app/sample-configuration/webadmin.properties index 5dc74740c5..e21c89b0bc 100644 --- a/server/apps/postgres-app/sample-configuration/webadmin.properties +++ b/server/apps/postgres-app/sample-configuration/webadmin.properties @@ -46,4 +46,16 @@ https.enabled=false # List of fully qualified class names that should be exposed over webadmin # in addition to your product default routes. Routes needs to be located # within the classpath or in the ./extensions-jars folder. -#extensions.routes= \ No newline at end of file +#extensions.routes= + +# Password authentication settings +# Configure one or more passwords (comma separated) for WebAdmin authentication +#password=secret1,secret2 + +# Read-only passwords - only allow GET requests +# These passwords can only perform read operations +#password.readonly=aaa,bbb + +# No-delete passwords - allow all operations except DELETE +# These passwords can perform read and write operations but not delete +#password.nodelete=ccc,ddd \ No newline at end of file diff --git a/server/apps/scaling-pulsar-smtp/sample-configuration/webadmin.properties b/server/apps/scaling-pulsar-smtp/sample-configuration/webadmin.properties index d042dd1525..5a494e0e59 100644 --- a/server/apps/scaling-pulsar-smtp/sample-configuration/webadmin.properties +++ b/server/apps/scaling-pulsar-smtp/sample-configuration/webadmin.properties @@ -1,4 +1,4 @@ -m# Licensed to the Apache Software Foundation (ASF) under one +# Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file @@ -46,4 +46,16 @@ https.enabled=false # List of fully qualified class names that should be exposed over webadmin # in addition to your product default routes. Routes needs to be located # within the classpath or in the ./extensions-jars folder. -#extensions.routes= \ No newline at end of file +#extensions.routes= + +# Password authentication settings +# Configure one or more passwords (comma separated) for WebAdmin authentication +#password=secret1,secret2 + +# Read-only passwords - only allow GET requests +# These passwords can only perform read operations +#password.readonly=aaa,bbb + +# No-delete passwords - allow all operations except DELETE +# These passwords can perform read and write operations but not delete +#password.nodelete=ccc,ddd \ No newline at end of file --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
