[jira] [Commented] (AMQ-9198) Self-customized read-only role for AMQ works but caused admin/security login gives 403
[
https://issues.apache.org/jira/browse/AMQ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17700021#comment-17700021
]
Jean-Baptiste Onofré commented on AMQ-9198:
---
Please, contact me by email or on Slack. We can't use Jira for tuning
configuration.
> Self-customized read-only role for AMQ works but caused admin/security login
> gives 403
> --
>
> Key: AMQ-9198
> URL: https://issues.apache.org/jira/browse/AMQ-9198
> Project: ActiveMQ
> Issue Type: Bug
> Components: Web Console
>Reporter: Wei Guo
>Assignee: Jean-Baptiste Onofré
>Priority: Critical
> Attachments: image-2023-01-16-17-12-33-509.png
>
>
> We added a new customized read-only Constraint with Mapping:
> readerSecurityConstraintMapping for read-only permission for AMQ web UI
> portal it works for read-only users to show the expected 403 for prohibited
> URLs,
> but when we switch to the admin user, it gives 403 error :
> !image-2023-01-16-17-12-33-509.png!
> jetty.xml :
> {code:java}
> class="org.eclipse.jetty.util.security.Constraint">
>
>
>
>
>
> class="org.eclipse.jetty.security.ConstraintMapping">
>
> value="/index.html,/admin/*.html,/admin/index.jsp,/admin/queues.jsp,/admin/browse.jsp,/admin/queueConsumers.jsp,/admin/topics.jsp,/admin/topicProducers.jsp,/admin/topicSubscribers.jsp,/admin/connections.jsp,/admin/network.jsp,/admin/scheduled.jsp,/admin/queueGraph.jsp,/admin/xml/queues.jsp,/admin/xml/subscribers.jsp"/>
>
> class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>
>
> class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
>
>
>
>
>
>
>
>
>
> {code}
> ==jetty-realm.properties==
> admin: admin, admin
> user: user, user
> reader: reader,reader
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (AMQ-9198) Self-customized read-only role for AMQ works but caused admin/security login gives 403
[
https://issues.apache.org/jira/browse/AMQ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17700019#comment-17700019
]
Wei Guo commented on AMQ-9198:
--
Dear [~jbonofre]
The default configuration doesn't match your needs.
--> yes, it doesn't meet the actual requirement of customers, the below access
URLs are the fine-grained access list that can be configured for read-only
purposes, from my test if we introduce the read-only role from jetty.xml, it
will make admin user access malfunction.
/index.html,/admin/*.html,/admin/index.jsp,/admin/queues.jsp,/admin/browse.jsp,/admin/queueConsumers.jsp,/admin/topics.jsp,/admin/topicProducers.jsp,/admin/topicSubscribers.jsp,/admin/connections.jsp,/admin/network.jsp,/admin/scheduled.jsp,/admin/queueGraph.jsp,/admin/xml/queues.jsp,/admin/xml/subscribers.jsp
Do you want only read-only (so disable admin access) ?
--> actually we want both admin and read-only access available, hopefully, the
read-only access could be configured independently for specific users/groups,
this would let some users can only do some basic reading operations.
Best regards
> Self-customized read-only role for AMQ works but caused admin/security login
> gives 403
> --
>
> Key: AMQ-9198
> URL: https://issues.apache.org/jira/browse/AMQ-9198
> Project: ActiveMQ
> Issue Type: Bug
> Components: Web Console
>Reporter: Wei Guo
>Assignee: Jean-Baptiste Onofré
>Priority: Critical
> Attachments: image-2023-01-16-17-12-33-509.png
>
>
> We added a new customized read-only Constraint with Mapping:
> readerSecurityConstraintMapping for read-only permission for AMQ web UI
> portal it works for read-only users to show the expected 403 for prohibited
> URLs,
> but when we switch to the admin user, it gives 403 error :
> !image-2023-01-16-17-12-33-509.png!
> jetty.xml :
> {code:java}
> class="org.eclipse.jetty.util.security.Constraint">
>
>
>
>
>
> class="org.eclipse.jetty.security.ConstraintMapping">
>
> value="/index.html,/admin/*.html,/admin/index.jsp,/admin/queues.jsp,/admin/browse.jsp,/admin/queueConsumers.jsp,/admin/topics.jsp,/admin/topicProducers.jsp,/admin/topicSubscribers.jsp,/admin/connections.jsp,/admin/network.jsp,/admin/scheduled.jsp,/admin/queueGraph.jsp,/admin/xml/queues.jsp,/admin/xml/subscribers.jsp"/>
>
> class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>
>
> class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
>
>
>
>
>
>
>
>
>
> {code}
> ==jetty-realm.properties==
> admin: admin, admin
> user: user, user
> reader: reader,reader
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (AMQ-9198) Self-customized read-only role for AMQ works but caused admin/security login gives 403
[
https://issues.apache.org/jira/browse/AMQ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17696200#comment-17696200
]
Jean-Baptiste Onofré commented on AMQ-9198:
---
Hey [~wguo]
The default configuration doesn't match your needs ?
Do you want only read-only (so disable admin access) ?
> Self-customized read-only role for AMQ works but caused admin/security login
> gives 403
> --
>
> Key: AMQ-9198
> URL: https://issues.apache.org/jira/browse/AMQ-9198
> Project: ActiveMQ
> Issue Type: Bug
> Components: Web Console
>Reporter: Wei Guo
>Assignee: Jean-Baptiste Onofré
>Priority: Critical
> Attachments: image-2023-01-16-17-12-33-509.png
>
>
> We added a new customized read-only Constraint with Mapping:
> readerSecurityConstraintMapping for read-only permission for AMQ web UI
> portal it works for read-only users to show the expected 403 for prohibited
> URLs,
> but when we switch to the admin user, it gives 403 error :
> !image-2023-01-16-17-12-33-509.png!
> jetty.xml :
> {code:java}
> class="org.eclipse.jetty.util.security.Constraint">
>
>
>
>
>
> class="org.eclipse.jetty.security.ConstraintMapping">
>
> value="/index.html,/admin/*.html,/admin/index.jsp,/admin/queues.jsp,/admin/browse.jsp,/admin/queueConsumers.jsp,/admin/topics.jsp,/admin/topicProducers.jsp,/admin/topicSubscribers.jsp,/admin/connections.jsp,/admin/network.jsp,/admin/scheduled.jsp,/admin/queueGraph.jsp,/admin/xml/queues.jsp,/admin/xml/subscribers.jsp"/>
>
> class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>
>
> class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
>
>
>
>
>
>
>
>
>
> {code}
> ==jetty-realm.properties==
> admin: admin, admin
> user: user, user
> reader: reader,reader
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (AMQ-9198) Self-customized read-only role for AMQ works but caused admin/security login gives 403
[
https://issues.apache.org/jira/browse/AMQ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17696074#comment-17696074
]
Wei Guo commented on AMQ-9198:
--
Hi [~jbonofre]
Could you please help with what exactly the config we needed to let the only
read-only role works?
Best regards
> Self-customized read-only role for AMQ works but caused admin/security login
> gives 403
> --
>
> Key: AMQ-9198
> URL: https://issues.apache.org/jira/browse/AMQ-9198
> Project: ActiveMQ
> Issue Type: Bug
> Components: Web Console
>Reporter: Wei Guo
>Assignee: Jean-Baptiste Onofré
>Priority: Critical
> Attachments: image-2023-01-16-17-12-33-509.png
>
>
> We added a new customized read-only Constraint with Mapping:
> readerSecurityConstraintMapping for read-only permission for AMQ web UI
> portal it works for read-only users to show the expected 403 for prohibited
> URLs,
> but when we switch to the admin user, it gives 403 error :
> !image-2023-01-16-17-12-33-509.png!
> jetty.xml :
> {code:java}
> class="org.eclipse.jetty.util.security.Constraint">
>
>
>
>
>
> class="org.eclipse.jetty.security.ConstraintMapping">
>
> value="/index.html,/admin/*.html,/admin/index.jsp,/admin/queues.jsp,/admin/browse.jsp,/admin/queueConsumers.jsp,/admin/topics.jsp,/admin/topicProducers.jsp,/admin/topicSubscribers.jsp,/admin/connections.jsp,/admin/network.jsp,/admin/scheduled.jsp,/admin/queueGraph.jsp,/admin/xml/queues.jsp,/admin/xml/subscribers.jsp"/>
>
> class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>
>
> class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
>
>
>
>
>
>
>
>
>
> {code}
> ==jetty-realm.properties==
> admin: admin, admin
> user: user, user
> reader: reader,reader
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (AMQ-9198) Self-customized read-only role for AMQ works but caused admin/security login gives 403
[
https://issues.apache.org/jira/browse/AMQ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17688869#comment-17688869
]
Jean-Baptiste Onofré commented on AMQ-9198:
---
It's normal, admin is restricted to admin role only. So I would suggest to keep
the default configuration I did in {{{}jetty.xml{}}}.
Anyway, it's not an ActiveMQ issue, just Jetty configuration.
> Self-customized read-only role for AMQ works but caused admin/security login
> gives 403
> --
>
> Key: AMQ-9198
> URL: https://issues.apache.org/jira/browse/AMQ-9198
> Project: ActiveMQ
> Issue Type: Bug
> Components: Web Console
>Reporter: Wei Guo
>Assignee: Jean-Baptiste Onofré
>Priority: Critical
> Attachments: image-2023-01-16-17-12-33-509.png
>
>
> We added a new customized read-only Constraint with Mapping:
> readerSecurityConstraintMapping for read-only permission for AMQ web UI
> portal it works for read-only users to show the expected 403 for prohibited
> URLs,
> but when we switch to the admin user, it gives 403 error :
> !image-2023-01-16-17-12-33-509.png!
> jetty.xml :
> {code:java}
> class="org.eclipse.jetty.util.security.Constraint">
>
>
>
>
>
> class="org.eclipse.jetty.security.ConstraintMapping">
>
> value="/index.html,/admin/*.html,/admin/index.jsp,/admin/queues.jsp,/admin/browse.jsp,/admin/queueConsumers.jsp,/admin/topics.jsp,/admin/topicProducers.jsp,/admin/topicSubscribers.jsp,/admin/connections.jsp,/admin/network.jsp,/admin/scheduled.jsp,/admin/queueGraph.jsp,/admin/xml/queues.jsp,/admin/xml/subscribers.jsp"/>
>
> class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>
>
> class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
>
>
>
>
>
>
>
>
>
> {code}
> ==jetty-realm.properties==
> admin: admin, admin
> user: user, user
> reader: reader,reader
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (AMQ-9198) Self-customized read-only role for AMQ works but caused admin/security login gives 403
[
https://issues.apache.org/jira/browse/AMQ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17688868#comment-17688868
]
Wei Guo commented on AMQ-9198:
--
Hi [~jbonofre] , I tried the above configuration, and it still gives 403 error
The expected behavior is that t"Read" role can only do some reading related
operations, so that is why I filtered out all the read related jsp html pages ,
but after fine-grained control on it , the admin user could not perform admin
permission and gives 403 error.
/index.html,/admin/*.html,/admin/index.jsp,/admin/queues.jsp,/admin/browse.jsp,/admin/queueConsumers.jsp,/admin/topics.jsp,/admin/topicProducers.jsp,/admin/topicSubscribers.jsp,/admin/connections.jsp,/admin/network.jsp,/admin/scheduled.jsp,/admin/queueGraph.jsp,/admin/xml/queues.jsp,/admin/xml/subscribers.jsp
> Self-customized read-only role for AMQ works but caused admin/security login
> gives 403
> --
>
> Key: AMQ-9198
> URL: https://issues.apache.org/jira/browse/AMQ-9198
> Project: ActiveMQ
> Issue Type: Bug
> Components: Web Console
>Reporter: Wei Guo
>Assignee: Jean-Baptiste Onofré
>Priority: Critical
> Attachments: image-2023-01-16-17-12-33-509.png
>
>
> We added a new customized read-only Constraint with Mapping:
> readerSecurityConstraintMapping for read-only permission for AMQ web UI
> portal it works for read-only users to show the expected 403 for prohibited
> URLs,
> but when we switch to the admin user, it gives 403 error :
> !image-2023-01-16-17-12-33-509.png!
> jetty.xml :
> {code:java}
> class="org.eclipse.jetty.util.security.Constraint">
>
>
>
>
>
> class="org.eclipse.jetty.security.ConstraintMapping">
>
> value="/index.html,/admin/*.html,/admin/index.jsp,/admin/queues.jsp,/admin/browse.jsp,/admin/queueConsumers.jsp,/admin/topics.jsp,/admin/topicProducers.jsp,/admin/topicSubscribers.jsp,/admin/connections.jsp,/admin/network.jsp,/admin/scheduled.jsp,/admin/queueGraph.jsp,/admin/xml/queues.jsp,/admin/xml/subscribers.jsp"/>
>
> class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>
>
> class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
>
>
>
>
>
>
>
>
>
> {code}
> ==jetty-realm.properties==
> admin: admin, admin
> user: user, user
> reader: reader,reader
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (AMQ-9198) Self-customized read-only role for AMQ works but caused admin/security login gives 403
[
https://issues.apache.org/jira/browse/AMQ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17687000#comment-17687000
]
Jean-Baptiste Onofré commented on AMQ-9198:
---
I don't understand your config. Why not just adding {{reader}} role to the
{{securityConstraint}} ?
Something like this:
{code:java}
{code}
The {{securityConstraint}} is already just read-only.
> Self-customized read-only role for AMQ works but caused admin/security login
> gives 403
> --
>
> Key: AMQ-9198
> URL: https://issues.apache.org/jira/browse/AMQ-9198
> Project: ActiveMQ
> Issue Type: Bug
> Components: Web Console
>Reporter: Wei Guo
>Assignee: Jean-Baptiste Onofré
>Priority: Critical
> Fix For: 5.18.0, 5.17.4
>
> Attachments: image-2023-01-16-17-12-33-509.png
>
>
> We added a new customized read-only Constraint with Mapping:
> readerSecurityConstraintMapping for read-only permission for AMQ web UI
> portal it works for read-only users to show the expected 403 for prohibited
> URLs,
> but when we switch to the admin user, it gives 403 error :
> !image-2023-01-16-17-12-33-509.png!
> jetty.xml :
> {code:java}
> class="org.eclipse.jetty.util.security.Constraint">
>
>
>
>
>
> class="org.eclipse.jetty.security.ConstraintMapping">
>
> value="/index.html,/admin/*.html,/admin/index.jsp,/admin/queues.jsp,/admin/browse.jsp,/admin/queueConsumers.jsp,/admin/topics.jsp,/admin/topicProducers.jsp,/admin/topicSubscribers.jsp,/admin/connections.jsp,/admin/network.jsp,/admin/scheduled.jsp,/admin/queueGraph.jsp,/admin/xml/queues.jsp,/admin/xml/subscribers.jsp"/>
>
> class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>
>
> class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
>
>
>
>
>
>
>
>
>
> {code}
> ==jetty-realm.properties==
> admin: admin, admin
> user: user, user
> reader: reader,reader
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
