[
https://issues.apache.org/jira/browse/ARTEMIS-5894?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18057833#comment-18057833
]
ASF subversion and git services commented on ARTEMIS-5894:
----------------------------------------------------------
Commit 0ea4b18a4df8402823a203766d197c0c190c7f5d in artemis's branch
refs/heads/main from Domenico Francesco Bruscino
[ https://gitbox.apache.org/repos/asf?p=artemis.git;h=0ea4b18a4d ]
ARTEMIS-5894 Fix RBAC address mismatch between canInvoke and invoke

The canInvoke method received operation names with parameter signatures
(e.g., "deleteAddress(java.lang.String)"), while invoke received them
without signatures (e.g., "deleteAddress"). This caused the RBAC address
built by canInvoke to differ from the one built by invoke, leading to
permission check mismatches that prevented the console from properly
hiding unauthorized menu items.

This fix normalizes operation names by stripping parameter signatures
before building RBAC addresses in both canInvoke and invoke. Also changes
null operation checks to require VIEW instead of EDIT permission,
allowing users to see MBeans they have view access to.

> The web console shows menu items for unauthorized operations
> ------------------------------------------------------------
>
> Key: ARTEMIS-5894
> URL: https://issues.apache.org/jira/browse/ARTEMIS-5894
> Project: Artemis
> Issue Type: Bug
> Environment: When utilizing ArtemisRbacMBeanServerBuilder for
> Role-Based Access Control (RBAC) on management operations, the web console
> fails to hide menu items for unauthorized actions.
> For instance, a user without the amq role can still see the "Delete Address"
> menu item, even when the following security configuration is applied to
> restrict access:
> {code:java}
> <security-setting match="mops.broker.deleteAddress">
>    <permission type="edit" roles="amq"/>
> </security-setting>
> {code}
> The web console should dynamically filter the user interface. If a user lacks
> the required permission for a specific management operation (e.g.,
> deleteAddress), the corresponding menu item should be hidden from their view.
> Reporter: Domenico Francesco Bruscino
> Assignee: Domenico Francesco Bruscino
> Priority: Major
> Labels: pull-request-available
> Time Spent: 40m
> Remaining Estimate: 0h
>
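The address mismatch described in the commit message above, as an added example that is not code from the Artemis repository. The class, the simplified matcher, the `guest` role and the broad `mops.broker.#` fallback setting are assumptions constructed for illustration; only the `mops.broker.deleteAddress` setting and the two operation-name forms come from the message.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Added illustration of the mismatch; hypothetical names, not the project's implementation.
public class RbacAddressDemo {
    // Roles granted "edit" per RBAC address. The first entry is the setting quoted in the
    // issue; the wildcard fallback is a constructed assumption.
    static final Map<String, Set<String>> EDIT_ROLES = new LinkedHashMap<>();
    static {
        EDIT_ROLES.put("mops.broker.deleteAddress", Set.of("amq"));
        EDIT_ROLES.put("mops.broker.#", Set.of("amq", "guest"));
    }

    // Strip a parameter signature: "deleteAddress(java.lang.String)" -> "deleteAddress".
    static String normalize(String operation) {
        if (operation == null) return null;
        int paren = operation.indexOf('(');
        return paren < 0 ? operation : operation.substring(0, paren);
    }

    static String address(String component, String operation) {
        return "mops." + component + "." + operation;
    }

    // Simplified matcher: an exact setting wins, otherwise a trailing ".#" wildcard applies.
    static boolean canEdit(String address, String role) {
        Set<String> exact = EDIT_ROLES.get(address);
        if (exact != null) return exact.contains(role);
        for (Map.Entry<String, Set<String>> e : EDIT_ROLES.entrySet()) {
            String key = e.getKey();
            if (key.endsWith(".#") && address.startsWith(key.substring(0, key.length() - 1)))
                return e.getValue().contains(role);
        }
        return false;
    }

    public static void main(String[] args) {
        String seenByCanInvoke = "deleteAddress(java.lang.String)"; // form canInvoke received
        String seenByInvoke = "deleteAddress";                      // form invoke received
        String role = "guest";                                      // constructed role without amq

        // Unnormalized: the UI pre-check misses the specific setting and falls through to
        // the wildcard, so it disagrees with the enforcement path for the same operation.
        System.out.println("canInvoke, raw name:        " + canEdit(address("broker", seenByCanInvoke), role));
        System.out.println("invoke:                     " + canEdit(address("broker", seenByInvoke), role));
        // Normalized: both paths build the same address and reach the same decision.
        System.out.println("canInvoke, normalized name: " + canEdit(address("broker", normalize(seenByCanInvoke)), role));
    }
}
```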