Red Hat Fuse / ENTESB-10823

[Hawtio] Direct url gives an access to Hawtio without authentication [7.3.1]


    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • Affects Version/s: fuse-7.3.1
    • Fix Version/s: fuse-7.3.1, fuse-7.4-GA
    • Component/s: Hawtio

      1. Open Hawtio;
      2. Type "http://localhost:8181/hawtio/users" into URL bar (make sure you are logged out);
      3. It will pass you to the Hawtio page;

      I believe there are more URLs which can pass you without authentication. I will investigate it.
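A regression check for the behaviour reported above, added here as an example (it is not code from the report or from the Hawtio project): it sends unauthenticated requests to the paths named in this issue and flags any that answer without returning 401/403 or redirecting to a login page. The base URL, the path list and the rule that only a redirect containing "login" counts as protected are assumptions.

```python
"""Regression check: Hawtio paths must not serve the console to unauthenticated clients."""
import urllib.error
import urllib.request

# Assumed base URL (the reporter's http://localhost:8181/hawtio); adjust for your instance.
BASE_URL = "http://localhost:8181/hawtio"
# Paths named in this issue: /users and /user were reachable without login,
# /osgi and /auth were already closed by ENTESB-10468 and ENTESB-7967.
PATHS = ["/users", "/user", "/osgi", "/auth"]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a redirect to the login page is itself the evidence we want."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

_OPENER = urllib.request.build_opener(_NoRedirect)

def fetch(base_url, path):
    """Unauthenticated GET (no cookies, no credentials); returns (status, Location header)."""
    req = urllib.request.Request(base_url + path, headers={"Accept": "text/html"})
    try:
        with _OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here because of _NoRedirect
        return err.code, err.headers.get("Location", "")

def classify(status, location=""):
    """'protected': auth enforced; 'missing': path not served; 'exposed': served without auth."""
    if status in (401, 403):
        return "protected"
    if 300 <= status < 400 and "login" in location.lower():
        return "protected"
    if status == 404:
        return "missing"
    # Anything else (2xx body, redirect somewhere other than login) fails closed as exposed.
    return "exposed"

def exposed_paths(responses):
    """responses: {path: (status, location)} -> sorted paths that answered without authentication."""
    return sorted(p for p, (status, loc) in responses.items() if classify(status, loc) == "exposed")

# Constructed sample mirroring the report: the two user paths answer 200, the fixed ones do not.
SAMPLE = {"/users": (200, ""), "/user": (200, ""), "/osgi": (302, "/hawtio/login"), "/auth": (401, "")}

def run_live(base_url=BASE_URL, paths=PATHS):
    """Probe a running instance; a non-empty result means the bypass has come back."""
    return exposed_paths({p: fetch(base_url, p) for p in paths})

if __name__ == "__main__":
    print("exposed in constructed sample:", exposed_paths(SAMPLE))  # ['/user', '/users']
```

Run `run_live()` against a patched instance as part of an upgrade checklist; it should return an empty list.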

    • Sprint: Fuse 7.4 Sprint 47 - Bug Fix

      The issue is also present in Red Hat Fuse (7.3.1.fuse-731003)

      The URL http://localhost:8181/hawtio/users allows access to Hawtio, with limited functionality of course.

      Other URLs like http://localhost:8181/hawtio/osgi, http://localhost:8181/hawtio/auth etc. are fixed in ENTESB-10468 and ENTESB-7967 and do not allow access.

      List of URLs which can pass:

      The URL http://localhost:8181/hawtio/user gives the following result

            jnethert@redhat.com James Netherton
            jsolovjo Juri Solovjov
            Juri Solovjov Juri Solovjov