[infinispan-issues] [JBoss JIRA] (ISPN-8796) Jolokia must be secured by default
Sebastian Łaskawiec (JIRA)
issues at jboss.org
Fri Feb 23 06:07:00 EST 2018
[ https://issues.jboss.org/browse/ISPN-8796?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sebastian Łaskawiec updated ISPN-8796:
--------------------------------------
Status: Pull Request Sent (was: Open)
Git Pull Request: https://github.com/infinispan/infinispan/pull/5788
> Jolokia must be secured by default
> ----------------------------------
>
> Key: ISPN-8796
> URL: https://issues.jboss.org/browse/ISPN-8796
> Project: Infinispan
> Issue Type: Bug
> Components: JMX, reporting and management
> Reporter: Diego Lovison
> Assignee: Diego Lovison
> Fix For: 9.2.0.Final
>
>
> After [ISPN-7599|https://issues.jboss.org/browse/ISPN-7599] we can read and change JMX attributes via REST.
> Jolokia allows changing the MBean attribute using the GET HTTP verb, like:
> http://localhost:8778/jolokia/write/java.lang:type=Memory/Verbose/true
> http://127.0.0.1:8778/jolokia/write/jboss.datagrid-infinispan:component=Configuration,manager="local",name="namedCache(local)",type=Cache/evictionSize/10
> And also, all other attributes that are writable.
> Our intention here is to block this behavior by default.
> Allow only requests that come from localhost, using the POST HTTP verb, and block all commands by default.
> Jolokia has an XML security policy that can be created to handle this.
> More info [here|https://jolokia.org/reference/html/security.html]
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
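
An added example, not part of the original message or of the Infinispan pull request: a Python check that audits a Jolokia access-policy XML against the three defaults requested in the description above (localhost only, POST only, no commands). Both policies are constructed samples and the function names are hypothetical; it assumes an empty `<commands>` element permits no command type, while a missing section permits all of them.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the defaults the issue asks for.
STRICT_POLICY = """<restrict>
  <remote><host>127.0.0.1</host><host>localhost</host></remote>
  <http><method>post</method></http>
  <commands></commands>
</restrict>"""

# Constructed sample: a subnet is allowed, <http> is missing, write is enabled.
LOOSE_POLICY = """<restrict>
  <remote><host>10.0.0.0/8</host></remote>
  <commands><command>read</command><command>write</command></commands>
</restrict>"""


def is_loopback(host):
    """True for 'localhost' or an address/CIDR range lying entirely in loopback space."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_network(host, strict=False).is_loopback
    except ValueError:
        return False  # any other hostname is treated as remote


def texts(root, path):
    """Stripped, lower-cased text of every element matching path."""
    return [e.text.strip().lower() for e in root.findall(path) if e.text and e.text.strip()]


def audit_policy(xml_text):
    """Return findings; an empty list means all three defaults from the issue hold."""
    root = ET.fromstring(xml_text)
    findings = []
    hosts = texts(root, "remote/host")
    if not hosts:
        findings.append("no <remote> hosts: any client address is accepted")
    findings += [f"non-loopback host allowed: {h}" for h in hosts if not is_loopback(h)]
    if set(texts(root, "http/method")) != {"post"}:
        findings.append("HTTP methods are not limited to POST")
    if root.find("commands") is None:
        findings.append("no <commands> section: every command type is allowed")
    findings += [f"command allowed: {c}" for c in texts(root, "commands/command")]
    return findings
```
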