Uploaded image for project: 'Red Hat Fuse'
  1. Red Hat Fuse
  2. ENTESB-10823

[Hawtio] Direct url gives an access to Hawtio without authentication [7.3.1]

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • fuse-7.3.1
    • fuse-7.3.1, fuse-7.4-GA
    • Hawtio
    • None
    • % %
    • Hide

      1. Open Hawtio;
      2. Type "http://localhost:8181/hawtio/users" into URL bar (make sure you are logged out);
      3. It will pass you to the Hawtio page;

      I believe, there are more URLs which can pass you without authentication. I will investigate it.

      Show
      1. Open Hawtio; 2. Type "http://localhost:8181/hawtio/users" into URL bar (make sure you are logged out); 3. It will pass you to the Hawtio page; I believe, there are more URLs which can pass you without authentication. I will investigate it.
    • Fuse 7.4 Sprint 47 - Bug Fix

    Description

      The issue is also presented in Red Hat Fuse (7.3.1.fuse-731003)

      The url http://localhost:8181/hawtio/users allows to get access to Hawtio with limited functionality, of course.

      Other urls like http://localhost:8181/hawtio/osgi, http://localhost:8181/hawtio/auth etc. are fixed in ENTESB-10468 and ENTESB-7967 and do not allow to get access.

      List of URLs which can pass:

      The URL - http://localhost:8181/hawtio/user gives the following result

      Attachments

        Issue Links

          blocks

          Task - Represents a small unit of work that is not end-user facing. ENTESB-10681 Build Fuse 7.3.1.CR1

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          clones

          Bug - A problem that impairs or prevents the functions of the product. ENTESB-10798 [Hawtio] Direct url gives an access to Hawtio without authentication

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is related to

          Bug - A problem that impairs or prevents the functions of the product. ENTESB-10468 [Hawtio] Direct url gives an access to Hawtio without authentication

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. ENTESB-7967 Hawtio: direct url passes to the hawtio page without authentication

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              jnethert@redhat.com James Netherton
              jsolovjo Juri Solovjov
              Juri Solovjov Juri Solovjov
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: