You should probably create a bug ticket first :) -- Vilius
-----Original Message-----
From: Zeissig, Martin <mzeis...@gk-software.com>
Sent: Wednesday, April 10, 2024 2:46 PM
To: users@activemq.apache.org
Subject: RE: Disabled authentication ActiveMQ Classic Webapps since V6.x

Hi Vilius

Thanks for the confirmation. Looking forward to seeing the fix in the next releases ;)

Best regards

-----Original Message-----
From: Vilius Šumskas <vilius.sums...@rivile.lt>
Sent: Wednesday, April 10, 2024 1:34 PM
To: users@activemq.apache.org
Subject: RE: Disabled authentication ActiveMQ Classic Webapps since V6.x

Hi,

oh, I remember this. This is exactly what I did in https://github.com/apache/activemq/commit/c67ada04c77e9379ef25ac62d5ea1fcf20cf8b8f , and at least the /admin endpoint was tested and was properly protected after that fix. However, I see that the configuration went through a couple of changes again since then, and then finally all protection was removed in https://github.com/apache/activemq/commit/07d469287f419f9f8afe17bc1585073446b520d5 . Not sure why, maybe something is rewriting paths now? Unless my knowledge of Jetty fails me, I agree that / + static file types from templates should protect everything.

-- Vilius

-----Original Message-----
From: Zeissig, Martin <mzeis...@gk-software.com>
Sent: Wednesday, April 10, 2024 12:33 PM
To: users@activemq.apache.org
Subject: Disabled authentication ActiveMQ Classic Webapps since V6.x

Dear Community

I have updated from ActiveMQ Classic 5.x to 6.1.1. Since the update to 6.1.1 the API (webapps jolokia) is unprotected and can be accessed without basic authentication:

Example: http://localhost:8161/api

In previous ActiveMQ Classic versions (5.x) the API was protected with authentication as standard. Now in ActiveMQ Classic 6.x the pathSpec is set to *.jsp only, which enables unprotected access to all webapps including the API.

AMQ Classic 5.x

  <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint" />
    <property name="pathSpec" value="/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico" />
  </bean>

AMQ Classic 6.x

  <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint" />
    <property name="pathSpec" value="*.jsp" />
  </bean>

From a security perspective it looks to me like a step backward. Was the change intentional or is this a bug?

I recommend restricting access to root (/) to fully protect all endpoints. Lower security can be set up by users manually if needed.

  <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint" />
    <property name="pathSpec" value="/" />
  </bean>

Best regards
Martin
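To make the difference between the three pathSpec values above concrete, here is an added example (not code from the thread or from the ActiveMQ project) that models Jetty's servlet-style path-spec rules (assumed: "/" is the default spec matching every path, "/x/*" is a prefix spec, "*.ext" is a suffix spec, anything else is an exact match) and lists which constructed sample paths a given pathSpec value leaves unprotected.

```python
# Constructed model of Jetty servlet path-spec matching as applied by
# ConstraintMapping.pathSpec. Assumption: "/" (default) matches everything,
# "/prefix/*" is a prefix match, "*.ext" is a suffix match, else exact match.
def spec_matches(spec: str, path: str) -> bool:
    if spec in ("/", "/*"):
        return True
    if spec.endswith("/*"):
        prefix = spec[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if spec.startswith("*."):
        return path.endswith(spec[1:])
    return spec == path


def parse_path_spec(value: str) -> list:
    """Split the comma-separated pathSpec property value from the bean."""
    return [s.strip() for s in value.split(",") if s.strip()]


def unprotected(path_spec_value: str, paths) -> list:
    """Return the sample paths no constraint mapping covers (no auth required)."""
    specs = parse_path_spec(path_spec_value)
    return [p for p in paths if not any(spec_matches(s, p) for s in specs)]


# Constructed sample of request paths on the broker's Jetty port (8161).
SAMPLE_PATHS = [
    "/",
    "/admin/",
    "/admin/index.jsp",
    "/admin/styles/site.css",
    "/api/jolokia/version",
    "/api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost",
]

# The three pathSpec values quoted in the thread.
AMQ5_SPEC = "/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico"
AMQ6_SPEC = "*.jsp"
PROPOSED_SPEC = "/"

if __name__ == "__main__":
    for label, spec in (("5.x", AMQ5_SPEC), ("6.x", AMQ6_SPEC), ("proposed", PROPOSED_SPEC)):
        print(label, "unprotected:", unprotected(spec, SAMPLE_PATHS))
```

With the 6.x value only the two *.jsp paths require credentials; the jolokia API and the static files are reachable anonymously, whereas both the 5.x value and a bare "/" cover every sample path.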