[Task] Document network isolation requirement for /websocket endpoint #6396

Description

@Aias00

The /websocket endpoint is intentionally listed in the Shiro anonymous whitelist to serve as the data synchronization channel between ShenYu Admin and Gateway nodes. However, there is no explicit documentation or configuration guidance warning operators that this endpoint must not be exposed to untrusted networks.

Proposed Change:

Add comments in application.yml near the /websocket whitelist entry explicitly stating that the Admin port must only be reachable from trusted internal networks.
Add a deployment security section to the official documentation covering network isolation requirements for the Admin plane.

Acceptance Criteria:

application.yml contains a comment warning that /websocket is unauthenticated by design and must be protected by network-level access controls.
Official documentation includes a deployment checklist item for Admin port network isolation.

Task List

No response
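
A CI-style check for the first acceptance criterion above, as an added example that is not part of the original issue or of the ShenYu code base. The YAML fragments are constructed, their key layout is an assumption, and both the helper name `websocket_warning_status` and the required warning words are hypothetical choices:

```python
import re

# Constructed application.yml fragments; the key layout is an assumption for
# illustration, not copied from the ShenYu repository.
UNDOCUMENTED = """\
shiro:
  white-list:
    - /favicon.ico
    - /websocket
"""

DOCUMENTED = """\
shiro:
  white-list:
    - /favicon.ico
    # /websocket is unauthenticated by design (Admin <-> Gateway data sync).
    # The Admin port must only be reachable from trusted internal networks;
    # protect it with network-level access controls.
    - /websocket
"""

# A list item whose value is exactly /websocket, optionally quoted, with an
# optional trailing comment captured in group 1.
ENTRY = re.compile(r"""^\s*-\s*['"]?/websocket['"]?\s*(#.*)?$""")
REQUIRED = ("unauthenticated", "network")  # assumed wording the warning must contain


def websocket_warning_status(yaml_text):
    """Return 'absent', 'undocumented' or 'documented' for the /websocket entry.

    Hypothetical helper: inspects the comment block directly above the entry
    plus any trailing comment on the entry line itself.
    """
    lines = yaml_text.splitlines()
    for i, line in enumerate(lines):
        match = ENTRY.match(line)
        if not match:
            continue
        comments = [match.group(1) or ""]
        j = i - 1
        while j >= 0 and lines[j].lstrip().startswith("#"):
            comments.append(lines[j])
            j -= 1
        text = " ".join(comments).lower()
        return "documented" if all(w in text for w in REQUIRED) else "undocumented"
    return "absent"


if __name__ == "__main__":
    for name, sample in (("before", UNDOCUMENTED), ("after", DOCUMENTED)):
        print(name, websocket_warning_status(sample))
```

The check only confirms that the warning comment is present; it does not verify that the Admin port is actually unreachable from untrusted networks.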
