Dear Community

I have updated from ActiveMQ Classic 5.x to 6.1.1.
Since the update to 6.1.1 the API (webapps jolokia) is unprotected and can be 
accessed without basic authentication:

Example:
http://localhost:8161/api

In previous ActiveMQ Classic versions (5.x) the API was protected with 
authentication by default. Now in ActiveMQ Classic versions 6.x the pathSpec 
is set to *.jsp only, which enables unprotected access to all webapps including 
the API.

AMQ Classic 5.x
<bean id="securityConstraintMapping" 
class="org.eclipse.jetty.security.ConstraintMapping">
  <property name="constraint" ref="securityConstraint" />
  <property name="pathSpec" 
value="/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico" />
</bean>

AMQ Classic 6.x
<bean id="securityConstraintMapping" 
class="org.eclipse.jetty.security.ConstraintMapping">
  <property name="constraint" ref="securityConstraint" />
  <property name="pathSpec" value="*.jsp" />
</bean>

From a security perspective it looks to me like a step backward. Was the change 
intentional or is this a bug?

I recommend restricting access to root (/) to fully protect all endpoints. 
Lower security can be set up by users manually if needed.

<bean id="securityConstraintMapping" 
class="org.eclipse.jetty.security.ConstraintMapping">
  <property name="constraint" ref="securityConstraint" />
  <property name="pathSpec" value="/" />
</bean>


Best regards

Martin
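To make the difference between the three pathSpec values concrete, here is an added example (not part of the mail or of ActiveMQ) that models the servlet-style path matching Jetty applies to security constraints and runs the 5.x, 6.x and proposed beans against a constructed set of request paths. The sample paths and the helper names are assumptions; the bean XML is taken from the mail.

```python
import xml.etree.ElementTree as ET

# Constraint-mapping beans quoted from the mail (5.x and 6.x) plus the proposed fix.
AMQ5_BEAN = """<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
  <property name="constraint" ref="securityConstraint" />
  <property name="pathSpec" value="/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico" />
</bean>"""
AMQ6_BEAN = """<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
  <property name="constraint" ref="securityConstraint" />
  <property name="pathSpec" value="*.jsp" />
</bean>"""
FIXED_BEAN = """<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
  <property name="constraint" ref="securityConstraint" />
  <property name="pathSpec" value="/" />
</bean>"""

# Constructed sample request paths, including the /api endpoint from the mail.
SAMPLE_PATHS = ["/", "/admin/", "/admin/index.jsp", "/api", "/api/jolokia"]


def parse_pathspecs(bean_xml):
    """Return the comma-separated pathSpec list of a ConstraintMapping bean."""
    for prop in ET.fromstring(bean_xml).iter("property"):
        if prop.get("name") == "pathSpec":
            return [s.strip() for s in prop.get("value", "").split(",") if s.strip()]
    return []


def spec_matches(spec, path):
    """Servlet mapping semantics as used by Jetty constraints: '/' is the default
    mapping and matches every path, '/foo/*' is a prefix mapping, '*.ext' is a
    suffix mapping, anything else must match exactly."""
    if spec == "/":
        return True
    if spec.endswith("/*"):
        prefix = spec[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if spec.startswith("*."):
        return path.endswith(spec[1:])
    return path == spec


def unprotected_paths(bean_xml, paths):
    """Paths covered by no constraint pathSpec, i.e. reachable without auth."""
    specs = parse_pathspecs(bean_xml)
    return [p for p in paths if not any(spec_matches(s, p) for s in specs)]


if __name__ == "__main__":
    for name, bean in (("5.x", AMQ5_BEAN), ("6.x", AMQ6_BEAN), ("fix", FIXED_BEAN)):
        print(name, "unprotected:", unprotected_paths(bean, SAMPLE_PATHS))
```

With the 6.x bean only the *.jsp pages stay behind authentication, while / and the proposed fix cover every sample path.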
