Chapter 4. Securing the Management Console
Abstract
The default setting for the Access-Control-Allow-Origin header for the AMQ Management Console permits unrestricted sharing. To restrict access to the AMQ Management Console, create an access management file that contains a list of the allowed origin URLs. To implement the restrictions, add a system property that references the access management file.
4.1. Controlling Access to the Fuse Management Console
Create an access management file called access-management.xml in <installDir>/etc/. The access management file must contain <allow-origin> sections within a <cors> section. The <allow-origin> section can contain the origin URL provided by browsers with the Origin: header, or a wildcard specification with *. For example:
<cors>
  <!-- Allow cross origin access from www.jolokia.org ... -->
  <allow-origin>http://www.jolokia.org</allow-origin>

  <!-- ... and all servers from jmx4perl.org with any protocol -->
  <allow-origin>*://*.jmx4perl.org</allow-origin>

  <!-- optionally allow access to web console from localhost -->
  <allow-origin>http://localhost:8181/*</allow-origin>

  <!-- Check for the proper origin on the server side, too -->
  <strict-checking/>
</cors>
Add the following line to the AMQ config script ./bin/setenv, adding the path to the access management file.
export EXTRA_JAVA_OPTS='-Djolokia.policyLocation=file:etc/access-management.xml'
When the command ./bin/fuse is executed, the access management file is referenced and used to restrict access to the AMQ Management Console.
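The following script is an added example, not part of the product documentation: it reads a <cors> section, reports which Origin values its <allow-origin> patterns would accept, and flags settings that leave access open. The function names are hypothetical, and the matching rule (a * matches any run of characters and the whole Origin value must match) is an assumption about how the patterns are evaluated.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <cors> section shown on this page.
SAMPLE_POLICY = """
<cors>
  <allow-origin>http://www.jolokia.org</allow-origin>
  <allow-origin>*://*.jmx4perl.org</allow-origin>
  <allow-origin>http://localhost:8181/*</allow-origin>
  <strict-checking/>
</cors>
"""

def load_cors(xml_text):
    """Return (patterns, strict), or None when there is no <cors> section."""
    root = ET.fromstring(xml_text)
    cors = root if root.tag == "cors" else root.find(".//cors")
    if cors is None:
        return None
    patterns = [(e.text or "").strip() for e in cors.findall("allow-origin")]
    return patterns, cors.find("strict-checking") is not None

def origin_allowed(origin, patterns):
    """Assumption: '*' matches any run of characters; whole Origin must match."""
    for p in patterns:
        regex = ".*".join(re.escape(part) for part in p.split("*"))
        if re.fullmatch(regex, origin):
            return True
    return False

def audit(xml_text):
    """Return findings for settings that leave cross-origin access open."""
    cors = load_cors(xml_text)
    if cors is None:
        return ["no <cors> section: the unrestricted default applies"]
    patterns, strict = cors
    findings = [f"pattern {p!r} matches every origin"
                for p in patterns if p.strip("*:/.") == ""]
    if not strict:
        findings.append("no <strict-checking/>: origin is not checked server side")
    return findings

if __name__ == "__main__":
    pats, _ = load_cors(SAMPLE_POLICY)
    for o in ("http://www.jolokia.org", "https://api.jmx4perl.org",
              "http://localhost:8181", "http://evil.example"):
        print(o, "->", "allowed" if origin_allowed(o, pats) else "denied")
    print(audit(SAMPLE_POLICY))
```

Browsers send the Origin value as scheme, host and port with no path, so under the matching assumption above http://localhost:8181 does not match http://localhost:8181/*; test each pattern against the exact Origin values you expect to allow.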