[DISCUSS] - Disable REST API for AMQ 5.16.0


[DISCUSS] - Disable REST API for AMQ 5.16.0

Colm O hEigeartaigh
Hi all,

I wanted to start a discussion on whether it might be a good idea to
disable the REST API for the AMQ 5.16.0 distribution.

It makes me a bit uneasy that this is enabled by default. It is secured
using the same basic auth approach as the web console. The problem here is
that the API (correctly) lacks XSRF protection. However if the admin user
browsed to /api and the browser then saves the creds, then it would be
trivial to implement an XSRF-style attack on the API. Instead, it's better
to secure a REST API with a token.

As it's a feature that's probably not widely used, it would be better to
disable it by default IMO.

Thoughts?

Colm.
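An added illustration (not code from this thread or from ActiveMQ) of the point made above: a browser re-sends cached Basic credentials with any request to the broker's origin, so Basic auth alone cannot tell a first-party request from a cross-site one, whereas a token that first-party script attaches in a header is not sent from another site. The origin names, header name and credentials are constructed placeholders.

```python
import hmac
import secrets

# Constructed values for the illustration (not ActiveMQ's own):
BROKER_ORIGIN = "https://broker.example:8161"
CACHED_BASIC = "dXNlcjpwYXNz"        # base64("user:pass"), cached by the browser
API_TOKEN = secrets.token_hex(16)   # token the admin UI's own script would hold


def build_request(method, page_origin, *, cached_basic=None, token=None):
    """Model the headers a browser sends to BROKER_ORIGIN on behalf of a page
    at page_origin. Cached Basic credentials are ambient: the browser attaches
    them no matter which site issued the request. The token header is only
    attached when first-party script adds it, which a third-party page cannot."""
    headers = {"Origin": page_origin}
    if cached_basic:
        headers["Authorization"] = "Basic " + cached_basic
    if token and page_origin == BROKER_ORIGIN:
        headers["X-API-Token"] = token
    return {"method": method, "headers": headers}


def authorize_basic_only(req):
    """The situation the thread describes: Basic auth with no XSRF check."""
    return req["headers"].get("Authorization", "").startswith("Basic ")


def authorize_with_token(req, expected_token):
    """Hardened check: a valid token header (constant-time compare) and, when
    the browser sent an Origin header, it must be the broker's own origin."""
    headers = req["headers"]
    origin = headers.get("Origin")
    if origin is not None and origin != BROKER_ORIGIN:
        return False
    return hmac.compare_digest(headers.get("X-API-Token", ""), expected_token)


def demo():
    """For a state-changing POST, return (basic_only_accepts_cross_site,
    token_check_rejects_cross_site, token_check_accepts_first_party)."""
    cross_site = build_request("POST", "https://other.example",
                               cached_basic=CACHED_BASIC, token=API_TOKEN)
    first_party = build_request("POST", BROKER_ORIGIN,
                                cached_basic=CACHED_BASIC, token=API_TOKEN)
    return (authorize_basic_only(cross_site),
            not authorize_with_token(cross_site, API_TOKEN),
            authorize_with_token(first_party, API_TOKEN))


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```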

Re: [DISCUSS] - Disable REST API for AMQ 5.16.0

jbonofre
Hi,

You mean the admin REST API right? Not the rest/http transport connector?

Regards
JB

> On 24 March 2020 at 17:46, Colm O hEigeartaigh <[hidden email]> wrote:
>
> Hi all,
>
> I wanted to start a discussion on whether it might be a good idea to
> disable the REST API for the AMQ 5.16.0 distribution.
>
> It makes me a bit uneasy that this is enabled by default. It is secured
> using the same basic auth approach as the web console. The problem here is
> that the API (correctly) lacks XSRF protection. However if the admin user
> browsed to /api and the browser then saves the creds, then it would be
> trivial to implement an XSRF-style attack on the API. Instead, it's better
> to secure a REST API with a token.
>
> As it's a feature that's probably not widely used, it would be better to
> disable it by default IMO.
>
> Thoughts?
>
> Colm.


Re: [DISCUSS] - Disable REST API for AMQ 5.16.0

Colm O hEigeartaigh
Hi JB,

> You mean the admin REST API right? Not the rest/http transport connector?
>

Yes, what we ship in "webapps/api".

Colm.
>
> Regards
> JB
>

Re: [DISCUSS] - Disable REST API for AMQ 5.16.0

Colm O hEigeartaigh
Even better would be to just disable "<import resource="jetty.xml"/>" in
activemq.xml by default. Anyone who wants the web console etc can enable it
if they want it.

Colm.

On Tue, Mar 24, 2020 at 5:28 PM Colm O hEigeartaigh <[hidden email]>
wrote:

> Hi JB,
>
>
>> You mean the admin REST API right? Not the rest/http transport connector?
>>
>
> Yes, what we ship in "webapps/api".
>
> Colm.