This secures the admin console quite well. However, I've just been experimenting with using BlobMessage, which utilizes the "fileserver" service that is active with the broker. What I've discovered is that the client can't transfer the BlobMessage to the uploadURL if "authenticate" is set to true. When I set it to "false" the BlobMessages transfer just fine.
Is there a way to specify credentials when sending the BlobMessage? Is the only solution to turn off authenticaion on the web console(s)?