I'm not familiar with this tool so I'm not sure exactly where this
capture/interception is happening, but my guess is that it's happening in
memory before the request hits the SSL layer and is encrypted. Furthermore,
it looks like basic authentication [1] is being used here, which uses a
simple encoding scheme using Base64 but to my knowledge does not support
encryption of the credentials. At this point I'm not sure there's anything
the web console can do about this.

Can you provide more details about where exactly you're seeing this?

I'm not familiar with Azure Entra ID either. Does it use OAuth?


Justin

[1] https://en.wikipedia.org/wiki/Basic_access_authentication

On Mon, Feb 24, 2025 at 4:40 AM Shirley Mwombe <smwo...@gmail.com> wrote:

> Hi @All/Justin,
>
> I have deployed ActiveMQ Artemis 2.34.0 in my prod environment, but this
> has been flagged by auditors for exposing web console credentials (mostly
> concerned with password) when the web browser request payload is captured
> by Burp Suite or browser developer tools. See sample screenshot below.
>
> [image: amqscreenshot.png]
>
> Is there a way I can set up the Artemis web application to encrypt the
> credentials before placing them in the request payload and sending in
> plain-text?
> Alternatively, is there a way to configure Artemis to use federated
> identity like Azure Entra ID or authentication redirect to Azure? Instead
> of using basic authentication of username and password?
>
> Kindly note SSL is already configured but this is only encrypting the
> traffic in transit, but at the web browser the traffic is visible.
>
> Regards,
> Shirley
> Platform Engineer
>
>
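
The point in the reply above, that Basic authentication only Base64-encodes the credentials, shown as an added example (not code from this thread or from Artemis). The function names are hypothetical and the sample credentials are the ones used in RFC 7617; the last function is one way to keep such headers out of logs and captures.

```python
import base64
import binascii
import re

def build_basic_authorization(user: str, password: str) -> str:
    """Build the header value a client sends for the Basic scheme (RFC 7617)."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def parse_basic_authorization(value: str) -> tuple[str, str]:
    """Recover (user, password) from the header value; no key or secret is needed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic credentials header")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("token is not valid Base64") from exc
    user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    if not sep:
        raise ValueError("decoded token has no ':' separator")
    return user, password  # only the first ':' splits; the password may contain ':'

# Mitigation side: the header is password-equivalent wherever it is written down,
# so strip the token before a request line reaches logs, tickets or HAR exports.
_BASIC_RE = re.compile(r"(?i)(authorization:\s*basic\s+)[A-Za-z0-9+/=]+")

def redact_basic_header(line: str) -> str:
    """Replace the Base64 token of a Basic Authorization header line."""
    return _BASIC_RE.sub(r"\1[REDACTED]", line)

if __name__ == "__main__":
    header = build_basic_authorization("Aladdin", "open sesame")  # RFC 7617 sample
    print(header)
    print(parse_basic_authorization(header))
    print(redact_basic_header("Authorization: " + header))
```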
