[jira] [Commented] (AMQ-9198) Self-customized read-only role for AMQ works but caused admin/security login gives 403
[ https://issues.apache.org/jira/browse/AMQ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17700021#comment-17700021 ]

Jean-Baptiste Onofré commented on AMQ-9198:
---

Please, contact me by email or on Slack. We can't use Jira for tuning configuration.

> Self-customized read-only role for AMQ works but caused admin/security login gives 403
> --
>
> Key: AMQ-9198
> URL: https://issues.apache.org/jira/browse/AMQ-9198
> Project: ActiveMQ
> Issue Type: Bug
> Components: Web Console
> Reporter: Wei Guo
> Assignee: Jean-Baptiste Onofré
> Priority: Critical
> Attachments: image-2023-01-16-17-12-33-509.png
>
>
> We added a new customized read-only Constraint with Mapping:
> readerSecurityConstraintMapping for read-only permission for AMQ web UI
> portal it works for read-only users to show the expected 403 for prohibited
> URLs,
> but when we switch to the admin user, it gives 403 error :
> !image-2023-01-16-17-12-33-509.png!
> jetty.xml :
> {code:java}
> class="org.eclipse.jetty.util.security.Constraint">
>
>
>
>
>
> class="org.eclipse.jetty.security.ConstraintMapping">
>
> value="/index.html,/admin/*.html,/admin/index.jsp,/admin/queues.jsp,/admin/browse.jsp,/admin/queueConsumers.jsp,/admin/topics.jsp,/admin/topicProducers.jsp,/admin/topicSubscribers.jsp,/admin/connections.jsp,/admin/network.jsp,/admin/scheduled.jsp,/admin/queueGraph.jsp,/admin/xml/queues.jsp,/admin/xml/subscribers.jsp"/>
>
> class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>
>
> class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
>
>
>
>
>
>
>
>
>
> {code}
> ==jetty-realm.properties==
> admin: admin, admin
> user: user, user
> reader: reader,reader
>
>
>

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (AMQ-9198) Self-customized read-only role for AMQ works but caused admin/security login gives 403
[ https://issues.apache.org/jira/browse/AMQ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17700019#comment-17700019 ]

Wei Guo commented on AMQ-9198:
--

Dear [~jbonofre]

The default configuration doesn't match your needs.
--> Yes, it doesn't meet the actual requirement of customers. The access URLs below are the fine-grained access list that can be configured for read-only purposes. From my test, if we introduce the read-only role from jetty.xml, it will make admin user access malfunction.

/index.html,/admin/*.html,/admin/index.jsp,/admin/queues.jsp,/admin/browse.jsp,/admin/queueConsumers.jsp,/admin/topics.jsp,/admin/topicProducers.jsp,/admin/topicSubscribers.jsp,/admin/connections.jsp,/admin/network.jsp,/admin/scheduled.jsp,/admin/queueGraph.jsp,/admin/xml/queues.jsp,/admin/xml/subscribers.jsp

Do you want only read-only (so disable admin access)?
--> Actually we want both admin and read-only access available. Hopefully, the read-only access could be configured independently for specific users/groups; this would let some users do only some basic reading operations.

Best regards
[jira] [Commented] (AMQ-9198) Self-customized read-only role for AMQ works but caused admin/security login gives 403
[ https://issues.apache.org/jira/browse/AMQ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17696200#comment-17696200 ]

Jean-Baptiste Onofré commented on AMQ-9198:
---

Hey [~wguo]

The default configuration doesn't match your needs?

Do you want only read-only (so disable admin access)?
[jira] [Commented] (AMQ-9198) Self-customized read-only role for AMQ works but caused admin/security login gives 403
[ https://issues.apache.org/jira/browse/AMQ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17696074#comment-17696074 ]

Wei Guo commented on AMQ-9198:
--

Hi [~jbonofre]

Could you please help with what exactly the config we needed to let the only read-only role works?

Best regards
[jira] [Commented] (AMQ-9198) Self-customized read-only role for AMQ works but caused admin/security login gives 403
[ https://issues.apache.org/jira/browse/AMQ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17688869#comment-17688869 ]

Jean-Baptiste Onofré commented on AMQ-9198:
---

It's normal, admin is restricted to admin role only.

So I would suggest to keep the default configuration I did in {{jetty.xml}}.

Anyway, it's not an ActiveMQ issue, just Jetty configuration.
[jira] [Commented] (AMQ-9198) Self-customized read-only role for AMQ works but caused admin/security login gives 403
[ https://issues.apache.org/jira/browse/AMQ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17688868#comment-17688868 ]

Wei Guo commented on AMQ-9198:
--

Hi [~jbonofre],

I tried the above configuration, and it still gives 403 error.

The expected behavior is that the "Read" role can only do some reading related operations, so that is why I filtered out all the read related jsp html pages, but after fine-grained control on it, the admin user could not perform admin permission and gives 403 error.

/index.html,/admin/*.html,/admin/index.jsp,/admin/queues.jsp,/admin/browse.jsp,/admin/queueConsumers.jsp,/admin/topics.jsp,/admin/topicProducers.jsp,/admin/topicSubscribers.jsp,/admin/connections.jsp,/admin/network.jsp,/admin/scheduled.jsp,/admin/queueGraph.jsp,/admin/xml/queues.jsp,/admin/xml/subscribers.jsp
[jira] [Commented] (AMQ-9198) Self-customized read-only role for AMQ works but caused admin/security login gives 403
[ https://issues.apache.org/jira/browse/AMQ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17687000#comment-17687000 ]

Jean-Baptiste Onofré commented on AMQ-9198:
---

I don't understand your config. Why not just adding {{reader}} role to the {{securityConstraint}}?

Something like this:
{code:java}
{code}
The {{securityConstraint}} is already just read-only.

> Self-customized read-only role for AMQ works but caused admin/security login gives 403
> --
>
> Key: AMQ-9198
> URL: https://issues.apache.org/jira/browse/AMQ-9198
> Project: ActiveMQ
> Issue Type: Bug
> Components: Web Console
> Reporter: Wei Guo
> Assignee: Jean-Baptiste Onofré
> Priority: Critical
> Fix For: 5.18.0, 5.17.4
>
> Attachments: image-2023-01-16-17-12-33-509.png
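
The behaviour discussed in this thread, as an added example (not from the thread and not ActiveMQ or Jetty code): a simplified Python model of Servlet-style constraint selection, in which only the best-matching path pattern's roles are checked, so a separate mapping that lists only `reader` returns 403 to a user who holds only `admin`, while adding `reader` to the existing constraint does not. The baseline mapping `/admin/*,*.jsp` with roles `user,admin`, the comma splitting of `pathSpec`, and the path `/admin/other.jsp` are assumptions; the role names and realm entries come from the issue.

```python
def match_rank(pattern, path):
    """Rank a servlet-style pattern against a path; None means no match.
    Precedence modelled: exact match > longest path prefix > extension."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, len(pattern))
    return None

def build_table(mappings):
    """Assumption: each comma-separated pathSpec entry is its own pattern.
    Roles declared for an identical pattern are combined (union)."""
    table = {}
    for path_spec, roles in mappings:
        for pattern in path_spec.split(","):
            table.setdefault(pattern.strip(), set()).update(roles)
    return table

def decide(table, path, user_roles):
    """Return the HTTP status; only the best-matching pattern is consulted."""
    best = None
    for pattern, roles in table.items():
        rank = match_rank(pattern, path)
        if rank is not None and (best is None or rank > best[0]):
            best = (rank, roles)
    if best is None:
        return 200  # no constraint applies to this path
    return 200 if best[1] & set(user_roles) else 403

# Realm as posted in the issue: every user holds exactly one role.
REALM = {"admin": {"admin"}, "user": {"user"}, "reader": {"reader"}}

# Assumed baseline mapping (the real one is not visible in the thread).
BASE = [("/admin/*,*.jsp", {"user", "admin"})]

# Reporter's approach: a separate mapping that lists only the reader role
# (two of the issue's URLs, shortened for the example).
READER_ONLY = build_table(BASE + [("/admin/queues.jsp,/admin/topics.jsp", {"reader"})])

# Suggestion from the thread: add reader to the existing constraint instead.
READER_ADDED = build_table([("/admin/*,*.jsp", {"user", "admin", "reader"})])

if __name__ == "__main__":
    for name, table in (("reader-only mapping", READER_ONLY), ("reader added", READER_ADDED)):
        for user in ("admin", "reader"):
            for path in ("/admin/queues.jsp", "/admin/other.jsp"):  # second path is hypothetical
                print(name, user, path, decide(table, path, REALM[user]))
```

A realm entry that gives the admin user both roles would also pass the reader-only mapping, since the check is a role intersection on the selected pattern.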