Description
The /websocket endpoint is intentionally listed in the Shiro anonymous whitelist to serve as the data synchronization channel between ShenYu Admin and Gateway nodes. However, there is no explicit documentation or configuration guidance warning operators that this endpoint must not be exposed to untrusted networks.
Proposed Change:
Add comments in application.yml near the /websocket whitelist entry explicitly stating that the Admin port must only be reachable from trusted internal networks.
Add a deployment security section to the official documentation covering network isolation requirements for the Admin plane.
Acceptance Criteria:
application.yml contains a comment warning that /websocket is unauthenticated by design and must be protected by network-level access controls.
Official documentation includes a deployment checklist item for Admin port network isolation.
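As an illustration of what the proposed application.yml comment could look like (an added example, not the project's own configuration): the whitelist key name `shiro.white-list` and the neighbouring entries are assumed here from the Admin configuration layout, and `server.address` is the standard Spring Boot bind-address property, shown to make the network-isolation expectation concrete.

```yaml
# Added example: hardening comment next to the anonymous whitelist entry.
# Key names below are assumed; adapt them to the actual Admin application.yml.
server:
  port: 9095
  # Bind the Admin plane to an internal interface only. The default of
  # listening on all interfaces is what makes /websocket reachable from
  # untrusted networks when no firewall or security group restricts it.
  address: 10.0.0.5        # constructed internal address; never 0.0.0.0 on a public host

shiro:
  white-list:
    - /platform/login
    - /actuator/health
    # /websocket is UNAUTHENTICATED BY DESIGN: it is the data-sync channel
    # between Admin and Gateway nodes, and Gateway cannot present Shiro
    # credentials on it. Do not remove this entry, and do not expose the
    # Admin port to untrusted networks. Restrict reachability with
    # network-level controls (firewall, security group, private subnet,
    # or a mutually authenticated proxy in front of the Admin port).
    - /websocket
```

The comment states both halves of the point operators need: why the entry cannot simply be removed (the sync channel depends on it) and what compensating control is expected instead (network isolation of the Admin port).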
Task List
No response