Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-191

HTTPS for hawtio/jolokia should be enforced

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Cannot Reproduce
    • Icon: Major Major
    • None
    • A-MQ 7.0.0.ER8
    • None
    • None
    • Documentation (Ref Guide, User Guide, etc.), Compatibility/Configuration

      Everyone can bypassing SSL by entering HTTP instead of HTTPS.

      Because when is set <web bind="https://host:port"> element in bootstrap.xml to HTTPS, it's allow HTTP on same port too. There is still no way how to disable HTTP.
      I think that right way when is HTTPS set, just disable HTTP. -> enforce to HTTPS by default.
      But on other hand, if is really needed preserve working HTTP+HTTPS just add option enforceHttps=False. Or something like <web bind="http+https://host:port"> which makes more sense.

        1. http_access.png
          http_access.png
          45 kB
        2. https_access.png
          https_access.png
          78 kB

            gaohoward Howard Gao
            dlenoch@redhat.com Dominik Lenosi
            Howard Gao
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: