
Harden default broker and web console configuration #2029

Open

jbonofre wants to merge 2 commits into apache:main from jbonofre:harden-default-conf-security

Conversation

@jbonofre (Member)

Reduce the attack surface of the sample broker shipped in the binary assembly:

  • activemq.xml: enable only the openwire TCP transportConnector by default; amqp, stomp, mqtt and ws are commented out with a note pointing to the SSL-secured variants.
  • activemq.xml: add a commented <plugins> block wiring JAAS authentication, destination-level authorization and broker-side audit logging, with a prominent reminder to rotate the default admin=admin credentials and an ACTIVEMQ_OPTS hint for restricting ObjectMessage deserialization.
  • jetty.xml: suppress X-Powered-By and Date response headers in addition to the already-disabled Server header.
  • jetty.xml: add Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy response headers alongside the existing CSP/XFO/XSS rules.

Reduce the attack surface of the sample broker shipped in the binary
assembly:

* activemq.xml: enable only the openwire TCP transportConnector by
  default; amqp, stomp, mqtt and ws are commented out with a note
  pointing to the SSL-secured variants.
* activemq.xml: add a commented <plugins> block wiring JAAS
  authentication, destination-level authorization and broker-side
  audit logging, with a prominent reminder to rotate the default
  admin=admin credentials and an ACTIVEMQ_OPTS hint for restricting
  ObjectMessage deserialization.
* jetty.xml: suppress X-Powered-By and Date response headers in
  addition to the already-disabled Server header.
* jetty.xml: add Referrer-Policy, Permissions-Policy,
  Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy
  response headers alongside the existing CSP/XFO/XSS rules.
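As an added worked example (not part of this PR's two commits), this is the shape of conf/activemq.xml the description above is aiming at, with the commented plugins block uncommented and filled in. The group names admins/producers/consumers, the orders.> queue pattern, the loopback bind address and the TLS port numbers are assumptions; the element and attribute names are the ones the activemq-core schema defines.

```xml
<!-- Added illustration, not the PR's diff: a hardened conf/activemq.xml in the shape
     this PR describes. Group names (admins/producers/consumers), the orders.> queue
     pattern, the loopback bind address and the TLS port numbers are assumptions. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://activemq.apache.org/schema/core
                           http://activemq.apache.org/schema/core/activemq-core.xsd">

  <broker xmlns="http://activemq.apache.org/schema/core"
          brokerName="localhost" dataDirectory="${activemq.data}">

    <plugins>
      <!-- JAAS authentication against the "activemq" login module in conf/login.config
           (backed by users.properties / groups.properties). The shipped users.properties
           contains admin=admin: change it before exposing any port. -->
      <jaasAuthenticationPlugin configuration="activemq"/>

      <!-- Destination-level authorization. The ">" catch-all entries make the policy
           deny-by-default for every destination not listed explicitly below. -->
      <authorizationPlugin>
        <map>
          <authorizationMap>
            <authorizationEntries>
              <!-- Catch-all: only admins may read, write or create anything unlisted -->
              <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
              <authorizationEntry topic=">" read="admins" write="admins" admin="admins"/>
              <!-- Assumed application queues: producers enqueue, consumers dequeue,
                   neither may create destinations -->
              <authorizationEntry queue="orders.>" read="consumers" write="producers" admin="admins"/>
              <!-- Advisory topics must stay open to every authenticated group, otherwise
                   consumers fail to start -->
              <authorizationEntry topic="ActiveMQ.Advisory.>"
                                  read="admins,producers,consumers"
                                  write="admins,producers,consumers"
                                  admin="admins,producers,consumers"/>
            </authorizationEntries>
          </authorizationMap>
        </map>
      </authorizationPlugin>

      <!-- Broker-side audit trail: connection and producer/consumer lifecycle events go
           to the broker log. logAll would also log every message body and is left off. -->
      <loggingBrokerPlugin logAll="false"
                           logConnectionEvents="true"
                           logConsumerEvents="true"
                           logProducerEvents="true"/>
    </plugins>

    <transportConnectors>
      <!-- Only OpenWire over plain TCP is enabled, and here (assumption) bound to
           loopback instead of 0.0.0.0 so it is reachable only from the host. -->
      <transportConnector name="openwire"
          uri="tcp://127.0.0.1:61616?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>

      <!-- Other protocols stay commented out; when one is needed, enable its TLS variant
           (the keystore comes from the broker's sslContext element). -->
      <!--
      <transportConnector name="amqp+ssl"  uri="amqp+ssl://0.0.0.0:5671?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
      <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:61614?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
      <transportConnector name="mqtt+ssl"  uri="mqtt+ssl://0.0.0.0:8883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
      <transportConnector name="wss"       uri="wss://0.0.0.0:61615?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
      -->
    </transportConnectors>

    <!-- Companion JVM setting (belongs in bin/env, not in this file): restrict the
         packages an ObjectMessage body may be deserialized from. Consumers need the
         same property, since getObject() normally runs on the client side.
           ACTIVEMQ_OPTS="$ACTIVEMQ_OPTS -Dorg.apache.activemq.SERIALIZABLE_PACKAGES=java.lang,java.util"
    -->
  </broker>
</beans>
```

Two things to check after applying a file like this: the credentials in conf/users.properties, conf/groups.properties and conf/credentials.properties all still carry the shipped defaults until someone rotates them, and the advisory-topic entry is easy to forget, which shows up as consumers that authenticate fine but never receive anything.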
jbonofre requested a review from cshannon May 20, 2026 14:34
cshannon previously approved these changes May 20, 2026
Comment thread on assembly/src/release/conf/activemq.xml
cshannon requested a review from mattrpav May 20, 2026 15:53
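As an added illustration of the jetty.xml side of this PR (not the PR's own diff), the two Spring beans in conf/jetty.xml that carry the header hardening. The header values chosen here are assumptions; the HttpConfiguration setters are Jetty's sendServerVersion, sendXPoweredBy and sendDateHeader, and the rule bean's `name`/`value` properties are those of HeaderPatternRule in Jetty 9 through 11.

```xml
<!-- Added illustration, not the PR's diff: the header-hardening part of conf/jetty.xml
     (Spring beans XML, as ActiveMQ ships it). Only the two relevant beans are shown;
     the header values are assumptions and the shipped file's existing rules stay as they are. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

  <!-- Stop the connector from advertising itself: no Server, X-Powered-By or Date header. -->
  <bean id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <property name="sendServerVersion" value="false"/>
    <property name="sendXPoweredBy" value="false"/>
    <property name="sendDateHeader" value="false"/>
  </bean>

  <!-- One HeaderPatternRule per response header, applied to every path ("*"). -->
  <bean id="rewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
    <property name="rules">
      <list>
        <!-- The shipped X-FRAME-OPTIONS, X-XSS-Protection and Content-Security-Policy
             rules remain here unchanged. -->

        <!-- Never send console URLs (which can carry destination names) to other origins -->
        <bean class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
          <property name="pattern" value="*"/>
          <property name="name" value="Referrer-Policy"/>
          <property name="value" value="no-referrer"/>
        </bean>
        <!-- The console needs none of the powerful browser features -->
        <bean class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
          <property name="pattern" value="*"/>
          <property name="name" value="Permissions-Policy"/>
          <property name="value" value="camera=(), microphone=(), geolocation=(), payment=()"/>
        </bean>
        <!-- Sever the window handle an attacker page keeps after window.open() -->
        <bean class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
          <property name="pattern" value="*"/>
          <property name="name" value="Cross-Origin-Opener-Policy"/>
          <property name="value" value="same-origin"/>
        </bean>
        <!-- Console resources may only be loaded by the console's own origin -->
        <bean class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
          <property name="pattern" value="*"/>
          <property name="name" value="Cross-Origin-Resource-Policy"/>
          <property name="value" value="same-origin"/>
        </bean>
      </list>
    </property>
  </bean>
</beans>
```

Match the property names to the Jetty the assembly bundles: Jetty 12 renamed HeaderPatternRule's properties to `headerName`/`headerValue`. To verify the result, run `curl -sD - -o /dev/null http://127.0.0.1:8161/` against a started broker and confirm that Server, X-Powered-By and Date are absent and the four new headers are present. Two caveats: RFC 9110 expects an origin server with a clock to send Date, so dropping it is a deliberate deviation that is harmless for a console but worth documenting; and X-XSS-Protection is ignored by current browsers, so the Content-Security-Policy rule is the one doing the work against injection.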
2 participants