Hi JB

Thank you so much. Much appreciated.

Best regards
Martin



-----Original Message-----
From: Jean-Baptiste Onofré <j...@nanthrax.net> 
Sent: Thursday, April 11, 2024 07:25
To: users@activemq.apache.org
Subject: Re: Disabled authentication ActiveMQ Classic Webapps since V6.x

Hi Martin

For the tracking, here's the Jira ticket:
https://issues.apache.org/jira/browse/AMQ-9477

The fix has been merged. We will move forward with the 6.1.2 release including 
this.

Thanks for the report.

Regards
JB

On Wed, Apr 10, 2024 at 11:32 AM Zeissig, Martin <mzeis...@gk-software.com> 
wrote:
>
> Dear Community
>
> I have updated from ActiveMQ Classic 5.x to 6.1.1.
> Since the update to 6.1.1, the API (webapps jolokia) is unprotected and can be 
> accessed without basic authentication:
>
> Example:
> http://localhost:8161/api
>
> In previous ActiveMQ Classic versions (5.x) the API was protected with 
> authentication by standard. Now in ActiveMQ Classic versions 6.x the pathspec 
> is set to *.jsp only which enables unprotected access to all webapps 
> including the API.
>
> AMQ Classic 5.x
> <bean id="securityConstraintMapping"
>       class="org.eclipse.jetty.security.ConstraintMapping">
>   <property name="constraint" ref="securityConstraint" />
>   <property name="pathSpec"
>             value="/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico" />
> </bean>
>
> AMQ Classic 6.x
> <bean id="securityConstraintMapping"
>       class="org.eclipse.jetty.security.ConstraintMapping">
>   <property name="constraint" ref="securityConstraint" />
>   <property name="pathSpec" value="*.jsp" />
> </bean>
>
> From a security perspective it looks to me like a step backward. Was the change 
> intentional or is this a bug?
>
> I recommend restricting access to root (/) to fully protect all endpoints. 
> Lower security can be set up by users manually if needed.
>
> <bean id="securityConstraintMapping"
>       class="org.eclipse.jetty.security.ConstraintMapping">
>   <property name="constraint" ref="securityConstraint" />
>   <property name="pathSpec" value="/" />
> </bean>
>
>
> Best regards
>
> Martin

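An added example, not part of the thread or of ActiveMQ's own code: a small audit that reads the `pathSpec` of every `ConstraintMapping` bean in a `jetty.xml` and reports which request paths no mapping covers. The probe paths and the wrapper XML are constructed, and the matcher assumes servlet-style patterns with `/` covering every path and comma-separated specs as in the 5.x snippet; it does not check that the referenced constraint actually requires authentication.

```python
import xml.etree.ElementTree as ET

MAPPING_CLASS = "org.eclipse.jetty.security.ConstraintMapping"

def _local(tag):
    # Drop the Spring beans namespace, e.g. "{http://...}bean" -> "bean"
    return tag.rsplit("}", 1)[-1]

def path_specs(xml_text):
    """Collect the pathSpec entries of every ConstraintMapping bean."""
    specs = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "bean" or el.get("class") != MAPPING_CLASS:
            continue
        for prop in el:
            if _local(prop.tag) == "property" and prop.get("name") == "pathSpec":
                # Assumption: comma-separated list, as in the 5.x snippet above
                specs += [s.strip() for s in prop.get("value", "").split(",") if s.strip()]
    return specs

def spec_matches(spec, path):
    """Servlet-style match. Assumption: "/" covers every path."""
    if spec == "/":
        return True
    if spec.endswith("/*"):                      # prefix mapping: /api/*
        base = spec[:-2]
        return path == base or path.startswith(base + "/")
    if spec.startswith("*."):                    # extension mapping: *.jsp
        return path.rsplit("/", 1)[-1].endswith(spec[1:])
    return path == spec                          # exact mapping

def unprotected(xml_text, probes):
    """Return the probe paths that no security constraint mapping covers."""
    specs = path_specs(xml_text)
    return [p for p in probes if not any(spec_matches(s, p) for s in specs)]

def sample_config(path_spec):
    # Constructed jetty.xml fragment wrapping the bean quoted in the thread
    return f"""<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="securityConstraintMapping" class="{MAPPING_CLASS}">
    <property name="constraint" ref="securityConstraint" />
    <property name="pathSpec" value="{path_spec}" />
  </bean>
</beans>"""

PROBES = ["/api", "/api/jolokia", "/admin/queues.jsp"]  # constructed probe paths

if __name__ == "__main__":
    for spec in ("/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico", "*.jsp", "/"):
        print(f"{spec!r}: unprotected = {unprotected(sample_config(spec), PROBES)}")
```

Run against a real `conf/jetty.xml` by passing the file's contents to `unprotected()` together with the paths your deployment exposes.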