Sebastian Łaskawiec updated ISPN-8796:
--------------------------------------
Status: Pull Request Sent (was: Open)
Git Pull Request:
Jolokia must be secured by default
----------------------------------
Key: ISPN-8796
URL: https://issues.jboss.org/browse/ISPN-8796
Project: Infinispan
Issue Type: Bug
Components: JMX, reporting and management
Reporter: Diego Lovison
Assignee: Diego Lovison
Fix For: 9.2.0.Final
After [ISPN-7599|https://issues.jboss.org/browse/ISPN-7599] we can read and change JMX
attributes via REST.
Jolokia allows changing an MBean attribute using the GET HTTP verb, like:
http://localhost:8778/jolokia/write/java.lang:type=Memory/Verbose/true
http://127.0.0.1:8778/jolokia/write/jboss.datagrid-infinispan:component=C...
And also, all other attributes that are writable.
Our intention here is to block this behavior by default:
allow only requests that come from localhost, using the POST HTTP verb, and block all
commands by default.
Jolokia has an XML security policy that can be created to handle this.
More info [here|https://jolokia.org/reference/html/security.html]
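
A Jolokia access policy of the kind the description asks for, as an added example (not part of the original issue and not the policy from the Infinispan pull request). It assumes the policy is picked up from Jolokia's default location, jolokia-access.xml on the classpath, and the single allowed command is an illustrative choice.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- jolokia-access.xml: restrictive default policy (added example) -->
<restrict>

  <!-- Accept requests only from the local machine. -->
  <remote>
    <host>127.0.0.1</host>
    <host>localhost</host>
  </remote>

  <!-- Accept only POST, so a plain GET URL such as
       /jolokia/write/java.lang:type=Memory/Verbose/true is rejected. -->
  <http>
    <method>post</method>
  </http>

  <!-- When this section is present, only the commands listed here are
       permitted. read, write, exec, list and search are left out, so they
       are refused. Allowing "version" is an assumption made for this
       example, to keep a harmless health check available. -->
  <commands>
    <command>version</command>
  </commands>

</restrict>
```

Commands that operators need later can be re-enabled one at a time in the commands section, and individual MBeans can be opened up with the allow section described in the Jolokia security reference linked above.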