Moderate severity · NVD Advisory · Published Apr 21, 2013 · Updated Apr 29, 2026
CVE-2012-6551
Description
The default configuration of Apache ActiveMQ before 5.8.0 enables a sample web application, which allows remote attackers to cause a denial of service (broker resource consumption) via HTTP requests.
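A configuration audit for the condition described above, as an added example that is not part of the advisory or of the ActiveMQ project: it parses a Spring `jetty.xml` and flags a deployed `/demo` context or a security constraint that does not enforce authentication. The bean class names come from the patch on this page; `audit_jetty_config` and the two sample documents are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

NS = "{http://www.springframework.org/schema/beans}"
WEBAPP = "org.eclipse.jetty.webapp.WebAppContext"
CONSTRAINT = "org.eclipse.jetty.util.security.Constraint"

# Constructed sample modelled on the pre-fix jetty.xml beans shown in the patch.
BEFORE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC" />
    <property name="roles" value="admin" />
    <property name="authenticate" value="false" />
  </bean>
  <bean class="org.eclipse.jetty.webapp.WebAppContext">
    <property name="contextPath" value="/admin" />
  </bean>
  <bean class="org.eclipse.jetty.webapp.WebAppContext">
    <property name="contextPath" value="/demo" />
  </bean>
</beans>"""
# Constructed post-fix variant: authentication on, /demo context not deployed.
AFTER = (BEFORE.replace('"authenticate" value="false"', '"authenticate" value="true"')
         .replace('value="/demo"', 'value="/fileserver"'))


def _props(bean):
    """Map name -> value for the direct <property> children of one <bean>."""
    return {p.get("name"): p.get("value") for p in bean.findall(NS + "property")}


def audit_jetty_config(xml_text):
    """Return findings: /demo context deployed, or a constraint without auth."""
    findings = []
    # iter() also reaches beans nested inside <property>/<list>, as in jetty.xml;
    # beans inside XML comments are dropped by the parser and so are ignored.
    for bean in ET.fromstring(xml_text).iter(NS + "bean"):
        props = _props(bean)
        if bean.get("class") == WEBAPP and props.get("contextPath") == "/demo":
            findings.append("demo webapp deployed at /demo")
        # Assumption of this check: anything other than authenticate="true" is flagged.
        if bean.get("class") == CONSTRAINT and props.get("authenticate") != "true":
            findings.append("constraint '%s' does not set authenticate=true" % props.get("name"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BEFORE
    for finding in audit_jetty_config(text):
        print("FINDING:", finding)
```

Run it with the path to a broker's `conf/jetty.xml` as the only argument; no output means neither condition was found in that file.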
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.activemq:apache-activemq (Maven) | < 5.8.0 | 5.8.0 |
| org.apache.activemq:activemq-web-demo (Maven) | < 5.8.0 | 5.8.0 |
Affected products
- cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* (range: <=5.7.0)
- cpe:2.3:a:apache:activemq:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:4.0:m4:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:4.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.6.0:*:*:*:*:*:*:*
Patches
22bc55b9487d · https://issues.apache.org/jira/browse/AMQ-4124 - remove camel example from security config
1 file changed · +0 −1
assembly/src/sample-conf/activemq-security.xml+0 −1 modified@@ -132,6 +132,5 @@ <!-- Use Web applications and Camel in secured broker environment --> <import resource="jetty.xml"/> - <import resource="camel.xml"/> </beans>
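Review bot: In activemq-security.xml the comment kept just above the remaining jetty.xml import still reads "Use Web applications and Camel in secured broker environment", although the `<import resource="camel.xml"/>` line is removed here. Drop "and Camel" from that comment so the sample configuration does not suggest Camel is still loaded.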
437ea2f6e58d · AMQ-4124: Disabled webapp demo from default configuration file. Need to run conf/activemq-demo.xml for demos. Also enable webapp authentication by default.
10 files changed · +164 −26
activemq-web-demo/src/main/webapp/WEB-INF/web.xml+1 −1 modified@@ -26,7 +26,7 @@ <!-- context config --> <context-param> <param-name>org.apache.activemq.brokerURL</param-name> - <param-value>vm://localhost</param-value> + <param-value>vm://amq-broker</param-value> <description>The URL of the Message Broker to connect to</description> </context-param> <context-param>
assembly/src/main/descriptors/common-bin.xml+2 −1 modified@@ -37,6 +37,7 @@ <outputDirectory>conf/</outputDirectory> <includes> <include>activemq-*.xml</include> + <include>jetty-*.xml</include> </includes> </fileSet> @@ -60,7 +61,7 @@ <!-- the web demo --> <fileSet> <directory>../activemq-web-demo/src/main/webapp</directory> - <outputDirectory>/webapps/demo</outputDirectory> + <outputDirectory>/webapps-demo/demo</outputDirectory> <excludes> <exclude>**/activemq.xml</exclude> <exclude>**/webconsole-embedded.xml</exclude>
assembly/src/release/conf/camel.xml+6 −9 modified@@ -29,15 +29,11 @@ <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://camel.apache.org/schema/spring http://camel.apache.org/schema/spring/camel-spring.xsd - http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> + xsi:schemaLocation=" + http://camel.apache.org/schema/spring http://camel.apache.org/schema/spring/camel-spring.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> - <camelContext id="camel" xmlns="http://camel.apache.org/schema/spring"> - - <!-- You can use a <packages> element for each root package to search for Java routes --> - <packageScan> - <package>org.foo.bar</package> - </packageScan> + <camelContext id="camel" xmlns="http://camel.apache.org/schema/spring"> <!-- You can use Spring XML syntax to define the routes here using the <route> element --> <route> @@ -57,10 +53,11 @@ <bean id="activemq" class="org.apache.activemq.camel.component.ActiveMQComponent" > <property name="connectionFactory"> <bean class="org.apache.activemq.ActiveMQConnectionFactory"> - <property name="brokerURL" value="vm://localhost?create=false&waitForStart=10000" /> + <property name="brokerURL" value="vm://amq-broker?create=false"/> <property name="userName" value="${activemq.username}"/> <property name="password" value="${activemq.password}"/> </bean> </property> </bean> + </beans>
assembly/src/release/conf/jetty.xml+1 −6 modified@@ -28,7 +28,7 @@ <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint"> <property name="name" value="BASIC" /> <property name="roles" value="admin" /> - <property name="authenticate" value="false" /> + <property name="authenticate" value="true" /> </bean> <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping"> <property name="constraint" ref="securityConstraint" /> @@ -53,11 +53,6 @@ <property name="resourceBase" value="${activemq.home}/webapps/admin" /> <property name="logUrlOnStart" value="true" /> </bean> - <bean class="org.eclipse.jetty.webapp.WebAppContext"> - <property name="contextPath" value="/demo" /> - <property name="resourceBase" value="${activemq.home}/webapps/demo" /> - <property name="logUrlOnStart" value="true" /> - </bean> <bean class="org.eclipse.jetty.webapp.WebAppContext"> <property name="contextPath" value="/fileserver" /> <property name="resourceBase" value="${activemq.home}/webapps/fileserver" />
assembly/src/release/user-guide.html+20 −0 modified@@ -87,10 +87,30 @@ <h2>Stopping the broker</h2> <h2>Access the web console</h2> In a web browser you can access the url <a href="http://0.0.0.0:8161/admin">http://0.0.0.0:8161/admin</a> to access the ActiveMQ web console. +<br/> +The broker may ask for credentials to login the web console the first time. +The default username and password is admin/admin. You can configure this in the conf/jetty-real.properties file. <h2>Access the web demos</h2> +You would need to start the broker with the demos included, which you do as follows: +If you're using Windows, just type +</p> +<pre> + cd bin + activemq.bat console xbean:conf/activemq-demo.xml +</pre> +<p> +On Unix-like systems, type +</p> +<pre> + ./bin/activemq console xbean:conf/activemq-demo.xml +</pre> + In a web browser you can access the url <a href="http://0.0.0.0:8161/demo">http://0.0.0.0:8161/demo</a> to access the ActiveMQ web demos. +<br/> +The broker may ask for credentials to login the web console the first time. +The default username and password is admin/admin. You can configure this in the conf/jetty-real.properties file. <h2>Running the example programs</h2>
assembly/src/release/webapps/index.html+2 −2 modified@@ -91,7 +91,7 @@ <h2>Welcome to the Apache ActiveMQ!</h2> <p>What do you want to do next?</p> <ul class="alternate" type="square"> <li><a title="Manage ActiveMQ broker" href="/admin/">Manage ActiveMQ broker</a></li> - <li><a title="See some Web demos" href="/demo/">See some Web demos</a></li> + <li><a title="See some Web demos" href="/demo/">See some Web demos (demos not included in default configuration)</a></li> </ul> </div> </td> @@ -130,7 +130,7 @@ <H3>Useful Links</H3> <div class="footer_l"> <div class="footer_r"> <div> - Copyright 2005-2007 The Apache Software Foundation. + Copyright 2005-2012 The Apache Software Foundation. (<a href="?printable=true">printable version</a>) </div>
assembly/src/release/WebConsole-README.txt+8 −5 modified@@ -4,20 +4,23 @@ Deploying the ActiveMQ-WebConsole In the default configuration ActiveMQ automatically starts the web console in the same VM as the broker. The console is accessibly under http://localhost:8161/admin/. +The broker may ask for credentials to login the web console the first time. +The default username and password is admin/admin. You can configure this in the +conf/jetty-real.properties file. -However it's also possible to start the web console in a seperate VM and connect it -to the broker via JMS and JMX. The reasons to do so may include increased reliablity +However it's also possible to start the web console in a separate VM and connect it +to the broker via JMS and JMX. The reasons to do so may include increased reliability of the broker itself (f.e. the embedded web console could use up all the available memory) or the monitoring of a master/slave system. -Just deploy the war into your prefered servlet container and add the apache-activemq.jar +Just deploy the war into your preferred servlet container and add the apache-activemq.jar to the classpath of the container (f.e. under Tomcat that'd be common/lib and under Jetty the lib-directory). Two options are available for the configuration of the broker and jmx uri(s): * System Properties ----------------- - Specify the following system properties in your webcontainer: + Specify the following system properties in your web container: -Dwebconsole.type=properties -Dwebconsole.jms.url=<url of the broker> (f.e. tcp://localhost:61616) -Dwebconsole.jmx.url=<jmx url to the broker> (f.e. service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi) 
@@ -34,7 +37,7 @@ and jmx uri(s): Master/Slave monitoring ----------------------- To configure the web console to monitor a master/slave configuration configure the jms/jmx -as follows (system properties shown, but this option is also avaiable when using JNDI): +as follows (system properties shown, but this option is also available when using JNDI): -Dwebconsole.jms.url=failover:(tcp://serverA:61616,tcp://serverB:61616) -Dwebconsole.jmx.url=service:jmx:rmi:///jndi/rmi://serverA:1099/jmxrmi,service:jmx:rmi:///jndi/rmi://serverB:1099/jmxrmi With this configuration the web console with switch to the slave as the master is no longer
assembly/src/sample-conf/activemq-demo.xml+1 −1 modified@@ -227,7 +227,7 @@ http://activemq.apache.org/web-console.html --> - <import resource="jetty.xml"/> + <import resource="jetty-demo.xml"/> <!--
assembly/src/sample-conf/activemq-stomp.xml+1 −1 modified@@ -125,7 +125,7 @@ --> <!-- - Enable web consoles, REST and Ajax APIs and demos + Enable web consoles, REST and Ajax APIs Take a look at activemq-jetty.xml for more details --> <import resource="jetty.xml"/>
assembly/src/sample-conf/jetty-demo.xml+122 −0 added@@ -0,0 +1,122 @@ + + <!-- + Licensed to the Apache Software Foundation (ASF) under one or more contributor + license agreements. See the NOTICE file distributed with this work for additional + information regarding copyright ownership. The ASF licenses this file to You under + the Apache License, Version 2.0 (the "License"); you may not use this file except in + compliance with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or + agreed to in writing, software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied. See the License for the specific language governing permissions and + limitations under the License. + --> + <!-- + An embedded servlet engine for serving up the Admin consoles, REST and Ajax APIs and + some demos Include this file in your configuration to enable ActiveMQ web components + e.g. 
<import resource="jetty.xml"/> + --> +<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> + + <bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService"> + <property name="name" value="ActiveMQRealm" /> + <property name="config" value="${activemq.conf}/jetty-realm.properties" /> + </bean> + + <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint"> + <property name="name" value="BASIC" /> + <property name="roles" value="admin" /> + <property name="authenticate" value="true" /> + </bean> + <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping"> + <property name="constraint" ref="securityConstraint" /> + <property name="pathSpec" value="/*" /> + </bean> + <bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler"> + <property name="loginService" ref="securityLoginService" /> + <property name="authenticator"> + <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" /> + </property> + <property name="constraintMappings"> + <list> + <ref bean="securityConstraintMapping" /> + </list> + </property> + <property name="handler"> + <bean id="sec" class="org.eclipse.jetty.server.handler.HandlerCollection"> + <property name="handlers"> + <list> + <bean class="org.eclipse.jetty.webapp.WebAppContext"> + <property name="contextPath" value="/admin" /> + <property name="resourceBase" value="${activemq.home}/webapps/admin" /> + <property name="logUrlOnStart" value="true" /> + </bean> + <bean class="org.eclipse.jetty.webapp.WebAppContext"> + <property name="contextPath" value="/demo" /> + <property name="resourceBase" value="${activemq.home}/webapps-demo/demo" /> + <property name="logUrlOnStart" value="true" /> + </bean> + <bean 
class="org.eclipse.jetty.webapp.WebAppContext"> + <property name="contextPath" value="/fileserver" /> + <property name="resourceBase" value="${activemq.home}/webapps/fileserver" /> + <property name="logUrlOnStart" value="true" /> + <property name="parentLoaderPriority" value="true" /> + </bean> + <bean class="org.eclipse.jetty.server.handler.ResourceHandler"> + <property name="directoriesListed" value="false" /> + <property name="welcomeFiles"> + <list> + <value>index.html</value> + </list> + </property> + <property name="resourceBase" value="${activemq.home}/webapps/" /> + </bean> + <bean id="defaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler"> + <property name="serveIcon" value="false" /> + </bean> + </list> + </property> + </bean> + </property> + </bean> + + <bean id="contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"> + </bean> + + <bean id="Server" class="org.eclipse.jetty.server.Server" init-method="start" + destroy-method="stop"> + + <property name="connectors"> + <list> + <bean id="Connector" class="org.eclipse.jetty.server.nio.SelectChannelConnector"> + <property name="port" value="8161" /> + </bean> + <!-- + Enable this connector if you wish to use https with web console + --> + <!-- + <bean id="SecureConnector" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector"> + <property name="port" value="8162" /> + <property name="keystore" value="file:${activemq.conf}/broker.ks" /> + <property name="password" value="password" /> + </bean> + --> + </list> + </property> + + <property name="handler"> + <bean id="handlers" class="org.eclipse.jetty.server.handler.HandlerCollection"> + <property name="handlers"> + <list> + <ref bean="contexts" /> + <ref bean="securityHandler" /> + </list> + </property> + </bean> + </property> + + </bean> + +</beans>
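Review bot: In activemq-web-demo's web.xml the new broker URL is `vm://amq-broker` with no `create=false`, while camel.xml in this same commit uses `vm://amq-broker?create=false`. No hunk shown here names the broker amq-broker, and the vm transport creates an embedded broker on demand when the named one does not exist, so a name mismatch would leave the demo attached to a second broker that none of this configuration applies to. Add `?create=false` in web.xml and make sure the brokerName change is part of the same commit. The camel.xml URL also drops `waitForStart=10000`; say in the commit message whether that is intended.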
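Review bot: In assembly/src/release/conf/jetty.xml the second hunk removes only the /demo WebAppContext; the /fileserver context directly below it stays in the default handler list. This commit's stated goal is to take the demo webapp out of the default configuration, so please confirm that /fileserver is meant to stay enabled out of the box, and if it is optional move it to jetty-demo.xml next to /demo.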
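Review bot: The credentials text added to user-guide.html (under both "Access the web console" and "Access the web demos") points readers at conf/jetty-real.properties, but the login service in jetty-demo.xml in this commit reads `${activemq.conf}/jetty-realm.properties`. Correct the file name to jetty-realm.properties; the same misspelling is in the lines added to WebConsole-README.txt. These lines also publish admin/admin as the default login, so add a sentence telling operators to change it before the console on port 8161 is reachable by others.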
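Review bot: The header comment of the new jetty-demo.xml was carried over from jetty.xml and still tells readers to enable the file with `<import resource="jetty.xml"/>`; it should name `jetty-demo.xml`, which is what activemq-demo.xml now imports. The securityConstraint bean is also a copy of the one in the jetty.xml hunk, so a later change to `authenticate` or `roles` in one file can miss the other; a short comment in each file pointing at its twin would help.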
ced33d2551a0 · AMQ-4124: Removed last pieces of camel webapp from AMQ
References
- github.com/advisories/GHSA-34fp-xvxp-rg22 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2012-6551 (ghsa, ADVISORY)
- activemq.apache.org/activemq-580-release.html (nvd, WEB)
- rhn.redhat.com/errata/RHSA-2013-1029.html (nvd, WEB)
- github.com/apache/activemq/commit/22bc55b9487df98a3c3cb04f99f4618fcba364fe (ghsa, WEB)
- github.com/apache/activemq/commit/437ea2f6e58d18837ae0e68dcd2fdadc1fff3723 (ghsa, WEB)
- github.com/apache/activemq/commit/ced33d2551a040813cb40bd6d36fdd322034fa73 (ghsa, WEB)
- issues.apache.org/jira/browse/AMQ-4124 (nvd, WEB)
- issues.apache.org/jira/browse/AMQ-5033 (ghsa, WEB)
- issues.apache.org/jira/secure/ReleaseNote.jspa (nvd, WEB)
- web.archive.org/web/20130916074709/http://activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tc4658044.html (ghsa, WEB)
- web.archive.org/web/20200228042520/http://www.securityfocus.com/bid/59401 (ghsa, WEB)
- activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tc4658044.html (nvd)
- www.securityfocus.com/bid/59401 (nvd)
- fisheye6.atlassian.com/changelog/activemq (nvd)