tchiotludo / akhq

Kafka GUI for Apache Kafka to manage topics, topics data, consumers group, schema registry, connect and more...
https://akhq.io/
Apache License 2.0

akhq with required authentication exposes names of the cluster to unauthenticated users #267

Closed ankon closed 4 years ago

ankon commented 4 years ago

Assume a configuration like this:

micronaut:
  security:
    # Explicitly enable security to override dangerous micronaut defaults
    enabled: true

akhq:
  connections:
    name-of-my-cluster:
      # Settings here

  security:
    # Nothing available for unauthenticated users
    default-group: no-roles

    groups:
      # Settings for groups

    # Authenticated users
    basic-auth:
      # Users with explicitly assigned groups

When opening the akhq root, say through https://akhq.dev.example.com, it will redirect to https://akhq.dev.example.com/name-of-my-cluster/topic (and then show an exception right now -- #261, or hopefully a login page when that is fixed). But: At that point a potential attacker has learned the name of the cluster in the configuration, which may be unexpected.

Somewhat obvious fix/work-around: Use a generic cluster name like "kafkahq", but that may not always be wanted or feasible.

tchiotludo commented 4 years ago

Hi,

Mostly the reason is: https://github.com/tchiotludo/akhq/commit/8eb3605a6842f4226acfe1eca0cd33511d576abc with reject-not-found: false

I had an exception on the login page before without this. It seems to be an issue with Micronaut, but I haven't found a way to explain it well enough for a bug report; maybe I will with all of your issues.

tchiotludo commented 4 years ago

I removed the reject-not-found: false in the last commit, tell me if it's ok for you.

ankon commented 4 years ago

I can still see the cluster name unfortunately: opening the main page (without a path) first redirects to /CLUSTER/topic, and then redirects again to /login. From a user's point of view this now "works", but from a security point of view an attacker can still learn the name of the cluster from the configuration.

Of course the question is "how relevant is that", and I guess it could still be a perfectly fine thing to document that behavior and suggest in the documentation to use "generic" cluster names.

tchiotludo commented 4 years ago

We can do better :smile: Just add a control on RedirectController and it's done ;)
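The kind of control described above, as an added illustration that is not AKHQ's own RedirectController: the root route stays reachable anonymously, but the redirect target is chosen only after inspecting the caller's Micronaut Authentication, so an unauthenticated request is sent to /login without a configured connection name ever appearing in a Location header. The controller name and the injected list of connection names (standing in for akhq.connections) are assumptions of this example.

```java
import java.net.URI;
import java.util.List;

import io.micronaut.core.annotation.Nullable;
import io.micronaut.http.HttpResponse;
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Get;
import io.micronaut.security.annotation.Secured;
import io.micronaut.security.authentication.Authentication;
import io.micronaut.security.rules.SecurityRule;

/**
 * Hypothetical root redirect controller (example only, not AKHQ's code).
 * The connection names are assumed to be the keys of akhq.connections,
 * injected here as a plain list for brevity.
 */
@Controller("/")
public class RootRedirectController {
    private final List<String> connectionNames;

    public RootRedirectController(List<String> connectionNames) {
        this.connectionNames = connectionNames;
    }

    // Leaking variant, kept for comparison and deliberately not mapped to a
    // route: the first hop already answers "Location: /name-of-my-cluster/topic",
    // and only the second hop (from the security filter) goes to /login.
    HttpResponse<?> leakingRedirect() {
        return HttpResponse.redirect(URI.create("/" + connectionNames.get(0) + "/topic"));
    }

    // Hardened variant: anonymous callers are allowed to reach the route,
    // but the target depends on whether an Authentication is present.
    @Get
    @Secured(SecurityRule.IS_ANONYMOUS)
    public HttpResponse<?> index(@Nullable Authentication authentication) {
        if (authentication == null) {
            // Generic target: discloses nothing about configured connections.
            return HttpResponse.redirect(URI.create("/login"));
        }
        // Authenticated users may be sent to the first configured cluster.
        return HttpResponse.redirect(URI.create("/" + connectionNames.get(0) + "/topic"));
    }
}
```

A simple regression check for either variant is to request / without credentials and confirm the first Location header does not contain any key of akhq.connections.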

tchiotludo commented 4 years ago

I think this is no longer the case on dev (with removal of the old ui)