Details
-
Bug
-
Status: Resolved
-
Critical
-
Resolution: Not A Problem
-
None
-
None
-
None
Description
We added a new customized read-only Constraint with Mapping: readerSecurityConstraintMapping for read-only permission for AMQ web UI portal it works for read-only users to show the expected 403 for prohibited URLs,
but when we switch to the admin user, it gives 403 error :
jetty.xml :
<bean id="readerSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint"> <property name="name" value="BASIC" /> <property name="roles" value="reader" /> <property name="authenticate" value="true" /> </bean> <bean id="readerSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping"> <property name="constraint" ref="readerSecurityConstraint" /> <property name="pathSpec" value="/index.html,/admin/*.html,/admin/index.jsp,/admin/queues.jsp,/admin/browse.jsp,/admin/queueConsumers.jsp,/admin/topics.jsp,/admin/topicProducers.jsp,/admin/topicSubscribers.jsp,/admin/connections.jsp,/admin/network.jsp,/admin/scheduled.jsp,/admin/queueGraph.jsp,/admin/xml/queues.jsp,/admin/xml/subscribers.jsp"/> </bean> <bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler"> <property name="loginService" ref="securityLoginService" /> <property name="authenticator"> <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" /> </property> <property name="constraintMappings"> <list> <ref bean="adminSecurityConstraintMapping" /> <ref bean="securityConstraintMapping" /> <ref bean="readerSecurityConstraintMapping" /> </list> </property> <property name="handler" ref="secHandlerCollection" /> </bean>
==jetty-realm.properties==
admin: admin, admin
user: user, user
reader: reader,reader
