  1. JBoss A-MQ
  2. ENTMQ-1615

ReadOnly user is able to create new destination by using web console GET URL

    • Bug
    • Resolution: Won't Do
    • Major
    • None
    • JBoss A-MQ 6.1
    • jmx
    • None

      https://issues.apache.org/jira/browse/AMQ-4567 fixed a related problem in version 5.9.

      I added an additional SecurityConstraint in jetty.xml for createDestination, like below:
      ~~~~~~~~~
      <bean id="adminSecurityConstraint1" class="org.eclipse.jetty.security.ConstraintMapping">
        <property name="constraint" ref="adminSecurityConstraint" />
        <property name="pathSpec" value="/admin/createDestination.action/*" />
      </bean>
      ~~~~~~~~~
      With the above configuration, read-only users are not allowed to create a new destination by using the create button; however, by using the GET URL it's possible.

      ReadOnly user is able to create a new destination by using the GET URL below, using the standalone A-MQ 6.1 distribution:

      http://localhost:8161/admin/browse.jsp?JMSDestination=<any queue name>

            Unassigned Unassigned
            rhn-support-abelkour Mohamed Amine Belkoura
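An added example (not part of the original report and not A-MQ or Jetty code): a small Python audit that reads `ConstraintMapping` beans from a jetty.xml fragment and reports which constraints cover a given request URL, using servlet path-spec matching. It shows why a mapping on `/admin/createDestination.action/*` alone does not apply to the `browse.jsp` URL in the report. The function names and the queue name `example.queue` are illustrative assumptions, and matching is simplified (no URL decoding or path parameters).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed fragment: the bean from the report wrapped in a root element.
JETTY_XML = """
<beans>
  <bean id="adminSecurityConstraint1" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="adminSecurityConstraint" />
    <property name="pathSpec" value="/admin/createDestination.action/*" />
  </bean>
</beans>
"""
MAPPING_CLASS = "org.eclipse.jetty.security.ConstraintMapping"

def local(tag):
    """Strip an XML namespace so Spring-namespaced files parse the same way."""
    return tag.rsplit("}", 1)[-1]

def constrained_path_specs(xml_text):
    """Return {pathSpec: constraint ref} for every ConstraintMapping bean."""
    specs = {}
    for bean in ET.fromstring(xml_text).iter():
        if local(bean.tag) != "bean" or bean.get("class") != MAPPING_CLASS:
            continue
        props = {p.get("name"): p.get("value") or p.get("ref")
                 for p in bean if local(p.tag) == "property"}
        if "pathSpec" in props and "constraint" in props:
            specs[props["pathSpec"]] = props["constraint"]
    return specs

def spec_matches(spec, path):
    """Servlet path-spec rules: prefix (/x/*), suffix (*.ext), else exact."""
    if spec.endswith("/*"):
        prefix = spec[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if spec.startswith("*."):
        return path.endswith(spec[1:])
    return path == spec

def covering_constraints(xml_text, url):
    """Constraint refs whose pathSpec matches the URL path (query ignored)."""
    path = urlsplit(url).path
    return [ref for spec, ref in constrained_path_specs(xml_text).items()
            if spec_matches(spec, path)]

if __name__ == "__main__":
    for url in ("http://localhost:8161/admin/createDestination.action",
                "http://localhost:8161/admin/browse.jsp?JMSDestination=example.queue"):
        print(url, "->", covering_constraints(JETTY_XML, url) or "no constraint from this fragment")
```

Run against the full jetty.xml, the same check lists every admin-console path that falls outside the admin constraint.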