Hi, thanks for the report.

Don't worry about Jira and such, I will do it for you. I will work on a fix and submit 6.1.2 to vote asap.

Regards
JB

On Wed, Apr 10, 2024 at 14:05, Zeissig, Martin <mzeis...@gk-software.com> wrote:
> Hi Vilius
>
> It's the first time for me reporting issues to Apache and I must create an
> account for Jira first. May I ask you or anyone else to create an official
> ticket?
>
> I am also not sure if it should better be reported as a vulnerability
> (https://www.apache.org/security/#reporting-a-vulnerability), because all
> those who updated from 5.x to 6.x could have a security issue now.
>
> I wanted to report the issue as a friendly hint only.
>
> Best regards
>
> Martin
>
> -----Original Message-----
> From: Vilius Šumskas <vilius.sums...@rivile.lt>
> Sent: Wednesday, April 10, 2024 13:47
> To: users@activemq.apache.org
> Subject: RE: Disabled authentication ActiveMQ Classic Webapps since V6.x
>
> You should probably create a bug ticket first :)
>
> --
> Vilius
>
> -----Original Message-----
> From: Zeissig, Martin <mzeis...@gk-software.com>
> Sent: Wednesday, April 10, 2024 2:46 PM
> To: users@activemq.apache.org
> Subject: RE: Disabled authentication ActiveMQ Classic Webapps since V6.x
>
> Hi Vilius
>
> Thanks for the confirmation. Looking forward to seeing the fix in the next
> releases ;)
>
> Best regards
>
> -----Original Message-----
> From: Vilius Šumskas <vilius.sums...@rivile.lt>
> Sent: Wednesday, April 10, 2024 13:34
> To: users@activemq.apache.org
> Subject: RE: Disabled authentication ActiveMQ Classic Webapps since V6.x
>
> Hi,
>
> oh, I remember this. This is exactly what I did in
> https://github.com/apache/activemq/commit/c67ada04c77e9379ef25ac62d5ea1fcf20cf8b8f,
> and at least the /admin endpoint was tested and was properly protected after
> that fix. However, I see that the configuration went through a couple of
> changes again since then, and then finally all protection was removed in
> https://github.com/apache/activemq/commit/07d469287f419f9f8afe17bc1585073446b520d5.
> Not sure why, maybe something is rewriting paths now?
>
> Unless my knowledge of Jetty fails on me, I agree that / + static file
> types from templates should protect everything.
>
> --
> Vilius
>
> -----Original Message-----
> From: Zeissig, Martin <mzeis...@gk-software.com>
> Sent: Wednesday, April 10, 2024 12:33 PM
> To: users@activemq.apache.org
> Subject: Disabled authentication ActiveMQ Classic Webapps since V6.x
>
> Dear Community
>
> I have updated from ActiveMQ Classic 5.x to 6.1.1.
> Since the update to 6.1.1 the API (webapps jolokia) is unprotected and can be
> accessed without basic authentication:
>
> Example:
> http://localhost:8161/api
>
> In previous ActiveMQ Classic versions (5.x) the API was protected with
> authentication as standard. Now in ActiveMQ Classic versions 6.x the
> pathSpec is set to *.jsp only, which enables unprotected access to all
> webapps including the API.
>
> AMQ Classic 5.x
>
> <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>     <property name="constraint" ref="securityConstraint" />
>     <property name="pathSpec" value="/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico" />
> </bean>
>
> AMQ Classic 6.x
>
> <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>     <property name="constraint" ref="securityConstraint" />
>     <property name="pathSpec" value="*.jsp" />
> </bean>
>
> From a security perspective it looks to me like a step backward. Was the
> change intentional or is this a bug?
>
> I recommend restricting access to root (/) to fully protect all endpoints.
> Lower security can be set up by users manually if needed.
>
> <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>     <property name="constraint" ref="securityConstraint" />
>     <property name="pathSpec" value="/" />
> </bean>
>
> Best regards
>
> Martin
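The thread turns on which request paths a Jetty ConstraintMapping pathSpec actually covers. The following is an added example, written for this page and not code from ActiveMQ or Jetty: it models the standard servlet-style path-spec rules (default `/`, prefix `/x/*`, suffix `*.ext`, otherwise exact match) and, on the assumption that each comma-separated entry in the jetty.xml `pathSpec` value is treated as its own spec, reports which sample paths each of the three configurations quoted above leaves without authentication. The sample request paths are constructed for illustration.

```python
"""Added example: which request paths a Jetty ConstraintMapping pathSpec covers.

Illustrative model written for this thread; not ActiveMQ's or Jetty's own code.
Assumption: standard servlet mapping semantics and one spec per comma-separated
entry in the jetty.xml pathSpec value.
"""
from typing import List


def spec_matches(spec: str, path: str) -> bool:
    """Return True if a single servlet-style path spec covers the request path.

    Rules modelled:
      "/"       default spec, matches every path
      "/api/*"  prefix spec, matches /api and everything below it
      "*.jsp"   suffix spec, matches paths ending in .jsp
      otherwise an exact match
    """
    spec = spec.strip()
    if spec == "/":
        return True
    if spec.endswith("/*"):
        prefix = spec[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if spec.startswith("*."):
        return path.endswith(spec[1:])
    return path == spec


def parse_path_spec(value: str) -> List[str]:
    """Split the comma-separated pathSpec value from jetty.xml into specs."""
    return [s.strip() for s in value.split(",") if s.strip()]


def is_protected(path_spec_value: str, path: str) -> bool:
    """The constraint applies to a path if any spec in the mapping matches it."""
    return any(spec_matches(s, path) for s in parse_path_spec(path_spec_value))


def unprotected_paths(path_spec_value: str, paths: List[str]) -> List[str]:
    """Return the request paths that no spec in the mapping covers."""
    return [p for p in paths if not is_protected(path_spec_value, p)]


# pathSpec values as quoted in the thread
PATHSPEC_5X = "/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico"
PATHSPEC_6X = "*.jsp"
PATHSPEC_RECOMMENDED = "/"

# Constructed sample request paths (illustrative, not captured from a broker)
SAMPLE_PATHS = [
    "/",
    "/admin/",
    "/admin/index.jsp",
    "/admin/queues.jsp",
    "/admin/js/common.js",
    "/api/jolokia",
    "/api/jolokia/read/java.lang:type=Runtime",
]

if __name__ == "__main__":
    configs = [
        ("5.x", PATHSPEC_5X),
        ("6.x", PATHSPEC_6X),
        ("recommended", PATHSPEC_RECOMMENDED),
    ]
    for label, value in configs:
        print(f"{label:12} pathSpec={value!r}")
        print("  unprotected:", unprotected_paths(value, SAMPLE_PATHS) or "none")
```

Running it shows the point Martin makes: with `*.jsp` alone, `/admin/index.jsp` is still challenged for credentials, but `/api/jolokia` and every non-JSP path under the web context are not, whereas the 5.x list and the single `/` spec cover all of the sample paths. After changing jetty.xml, the same check can be repeated against the live broker by requesting those paths without credentials and confirming each one answers 401.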