Skip to content

Restrict full web console URI to admins role#2074

Merged
cshannon merged 1 commit into
apache:mainfrom
jbonofre:webconsole-admin-restriction
Jun 8, 2026
Merged

Restrict full web console URI to admins role#2074
cshannon merged 1 commit into
apache:mainfrom
jbonofre:webconsole-admin-restriction

Conversation

@jbonofre

@jbonofre jbonofre commented Jun 4, 2026

Copy link
Copy Markdown
Member

Restrict the full web console URI (/admin/*) to the admins role instead of only *.action endpoints, add comments documenting each constraint mapping, and remove a duplicated pair of Referrer-Policy and Permissions-Policy rewrite rules in assembly/src/release/conf/jetty.xml.

Change the admin security constraint mapping from *.action to /admin/*
so the entire web console (including read-only pages) requires the
admins role, not just action endpoints. Add comments to each constraint
mapping explaining its scope, and remove duplicate Referrer-Policy and
Permissions-Policy rewrite rules left over from earlier edits.
@cshannon
cshannon merged commit 085efea into apache:main Jun 8, 2026
9 of 10 checks passed
cshannon added a commit that referenced this pull request Jun 8, 2026
Change the admin security constraint mapping from *.action to /admin/*
so the entire web console (including read-only pages) requires the
admins role, not just action endpoints. Add comments to each constraint
mapping explaining its scope, and remove duplicate Referrer-Policy and
Permissions-Policy rewrite rules left over from earlier edits.

(cherry picked from commit 085efea)

Co-authored-by: JB Onofré <jbonofre@apache.org>
cshannon added a commit that referenced this pull request Jun 8, 2026
Change the admin security constraint mapping from *.action to /admin/*
so the entire web console (including read-only pages) requires the
admins role, not just action endpoints. Add comments to each constraint
mapping explaining its scope, and remove duplicate Referrer-Policy and
Permissions-Policy rewrite rules left over from earlier edits.

(cherry picked from commit 085efea)

Co-authored-by: JB Onofré <jbonofre@apache.org>
epearson-tt pushed a commit to epearson-tt/activemq that referenced this pull request Jul 16, 2026
…2074) (apache#2090)

Change the admin security constraint mapping from *.action to /admin/*
so the entire web console (including read-only pages) requires the
admins role, not just action endpoints. Add comments to each constraint
mapping explaining its scope, and remove duplicate Referrer-Policy and
Permissions-Policy rewrite rules left over from earlier edits.

Backport adaptation for the 6.0.x-TT.x branch: upstream apache#2074 also defines a
jolokiaSecurityConstraintMapping bean (restricting /api/jolokia/* to admins),
but 6.0.x's securityHandler wires only adminSecurityConstraintMapping and
securityConstraintMapping. The Jolokia constraint wiring comes from the
separate Jolokia-access hardening (CVE-2026-34197/40466 family), which is not
present on this branch and is outside the scope of CVE-2026-49877. The
unreferenced bean was therefore omitted to avoid dead configuration; the
CVE-2026-49877 fix -- restricting the full /admin/* console to the admins
role -- is applied in full.

(cherry picked from commit 085efea)

Co-authored-by: JB Onofré <jbonofre@apache.org>
(cherry picked from commit be70a7e)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants