Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-191

HTTPS for hawtio/jolokia should be enforced

    XMLWordPrintable

Details

    • Bug
    • Resolution: Cannot Reproduce
    • Major
    • None
    • A-MQ 7.0.0.ER8
    • None
    • None
    • Documentation (Ref Guide, User Guide, etc.), Compatibility/Configuration

    Description

      Everyone can bypassing SSL by entering HTTP instead of HTTPS.

      Because when is set <web bind="https://host:port"> element in bootstrap.xml to HTTPS, it's allow HTTP on same port too. There is still no way how to disable HTTP.
      I think that right way when is HTTPS set, just disable HTTP. -> enforce to HTTPS by default.
      But on other hand, if is really needed preserve working HTTP+HTTPS just add option enforceHttps=False. Or something like <web bind="http+https://host:port"> which makes more sense.

      Attachments

        Issue Links

          is related to

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. ENTMQBR-346 Hawtio console should be accessible over HTTPS as well as HTTP

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          relates to

          ARTEMIS-673 Loading...

          Activity

            People

              gaohoward Howard Gao
              dlenoch@redhat.com Dominik Lenosi
              Howard Gao
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: