From 7b97569de2fa700a568edea2275559d0ee2df785 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?JB=20Onofr=C3=A9?= <jbonofre@apache.org>
Date: Thu, 4 Jun 2026 09:39:05 -0400
Subject: [PATCH] Restrict full web console URI to admins role

Change the admin security constraint mapping from *.action to /admin/*
so the entire web console (including read-only pages) requires the
admins role, not just action endpoints. Add comments to each constraint
mapping explaining its scope, and remove duplicate Referrer-Policy and
Permissions-Policy rewrite rules left over from earlier edits.
---
 assembly/src/release/conf/jetty.xml | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/assembly/src/release/conf/jetty.xml b/assembly/src/release/conf/jetty.xml
index 025783845c1..fdc922c6887 100644
--- a/assembly/src/release/conf/jetty.xml
+++ b/assembly/src/release/conf/jetty.xml
@@ -74,14 +74,27 @@
          <!-- set authenticate=false to disable login -->
         <property name="authenticate" value="true" />
     </bean>
+    <!--
+        Catch-all mapping: any request not matched by a more specific
+        constraint below requires authentication as a user or admin.
+    -->
     <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
         <property name="constraint" ref="securityConstraint" />
         <property name="pathSpec" value="/" />
     </bean>
+    <!--
+        Web console (/admin/*) is restricted to the admins role. This covers
+        the full console UI, not just the *.action endpoints, so read-only
+        pages (queue listings, message browsing, etc.) also require admin.
+    -->
     <bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
         <property name="constraint" ref="adminSecurityConstraint" />
-        <property name="pathSpec" value="*.action" />
+        <property name="pathSpec" value="/admin/*" />
     </bean>
+    <!--
+        Jolokia JMX bridge exposes broker management operations over HTTP;
+        restrict to the admins role to prevent privilege escalation via JMX.
+    -->
     <bean id="jolokiaSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
         <property name="constraint" ref="adminSecurityConstraint" />
         <property name="pathSpec" value="/api/jolokia/*" />
@@ -141,16 +154,6 @@
                     <property name="name" value="Content-Security-Policy"/>
                     <property name="value" value="style-src-elem 'self' 'unsafe-inline'; style-src 'self'; img-src 'self' data:; script-src-elem 'self'; default-src 'none'; object-src 'none'; frame-ancestors 'none'; base-uri 'none';" />
                 </bean>
-                <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
-                    <property name="pattern" value="*"/>
-                    <property name="name" value="Referrer-Policy"/>
-                    <property name="value" value="no-referrer"/>
-                </bean>
-                <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
-                    <property name="pattern" value="*"/>
-                    <property name="name" value="Permissions-Policy"/>
-                    <property name="value" value="accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"/>
-                </bean>
                 <!-- Uncomment when serving the console over HTTPS only -->
                 <!--
                 <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">