[infinispan-issues] [JBoss JIRA] (ISPN-8796) Jolokia must be security by default
Diego Lovison (JIRA)
issues at jboss.org
Mon Feb 12 06:38:00 EST 2018
Diego Lovison created ISPN-8796:
-----------------------------------
Summary: Jolokia must be security by default
Key: ISPN-8796
URL: https://issues.jboss.org/browse/ISPN-8796
Project: Infinispan
Issue Type: Bug
Components: JMX, reporting and management
Reporter: Diego Lovison
Assignee: Diego Lovison
After [ISPN-7599|https://issues.jboss.org/browse/ISPN-7599] we can read and change JMX attributes via rest.
Jolokia is allowing to change the MBean attribute using the GET HTTP verb like:
http://localhost:8778/jolokia/write/java.lang:type=Memory/Verbose/true
http://127.0.0.1:8778/jolokia/write/jboss.datagrid-infinispan:component=Configuration,manager="local",name="namedCache(local)",type=Cache/evictionSize/10
And also, all other attributes that are writable.
Our intention here is block this behavior by default.
Allow only request that comes from localhost, using POST HTTP verb and blocking all commands by default.
Jolokia has a XML security policy that can be created to handle this.
More info [here|https://jolokia.org/reference/html/security.html]
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
More information about the infinispan-issues
mailing list