[infinispan-issues] [JBoss JIRA] (ISPN-8877) Jolokia must be secured by default

Diego Lovison (JIRA) issues at jboss.org
Mon Feb 26 07:24:00 EST 2018


Diego Lovison created ISPN-8877:
-----------------------------------

             Summary: Jolokia must be secured by default
                 Key: ISPN-8877
                 URL: https://issues.jboss.org/browse/ISPN-8877
             Project: Infinispan
          Issue Type: Bug
          Components: JMX, reporting and management
            Reporter: Diego Lovison
            Assignee: Diego Lovison
             Fix For: 9.2.0.Final


After [ISPN-7599|https://issues.jboss.org/browse/ISPN-7599] we can read and change JMX attributes via REST.

Jolokia allows changing an MBean attribute using the GET HTTP verb, e.g.:

http://localhost:8778/jolokia/write/java.lang:type=Memory/Verbose/true
http://127.0.0.1:8778/jolokia/write/jboss.datagrid-infinispan:component=Configuration,manager="local",name="namedCache(local)",type=Cache/evictionSize/10

And also, all other attributes that are writable.

Our intention here is to block this behavior by default.

Allow only requests that come from localhost, using the POST HTTP verb, and block all commands by default.

Jolokia has an XML security policy that can be created to handle this.

More info [here|https://jolokia.org/reference/html/security.html]



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
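The following policy file is an added example of the restriction described in the issue; it is not code from the issue, from Jolokia, or from the Infinispan project. It assumes the file is deployed at the location Jolokia reads its policy from (by default `/jolokia-access.xml` on the classpath, or wherever the `policyLocation` parameter points), and it reuses the `jboss.datagrid-infinispan` MBean name quoted in the issue only as an illustration of an explicit allow entry. Hosts other than localhost, the GET verb, and every command not listed are rejected, so the `write` URLs shown above are refused.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example policy (assumed location: classpath /jolokia-access.xml). -->
<restrict>

  <!-- Only requests originating from the loopback interface are accepted. -->
  <remote>
    <host>127.0.0.1</host>
    <host>::1</host>
    <host>localhost</host>
  </remote>

  <!-- Only POST is accepted; GET requests such as
       /jolokia/write/java.lang:type=Memory/Verbose/true are rejected. -->
  <http>
    <method>post</method>
  </http>

  <!-- A <commands> section lists the commands that are allowed globally.
       Leaving out write and exec means they are denied everywhere unless an
       <allow> entry below re-enables them for a specific MBean. -->
  <commands>
    <command>version</command>
    <command>list</command>
  </commands>

  <!-- Selective exceptions: read-only access to a small set of attributes.
       The Infinispan MBean name is taken from the issue text; the attribute
       names are assumed for illustration. -->
  <allow>
    <mbean>
      <name>java.lang:type=Memory</name>
      <attribute mode="read">HeapMemoryUsage</attribute>
    </mbean>
    <mbean>
      <name>jboss.datagrid-infinispan:component=Configuration,manager="local",name="namedCache(local)",type=Cache</name>
      <attribute mode="read">evictionSize</attribute>
    </mbean>
  </allow>

  <!-- Defence in depth: even if a future <allow> entry is too broad, the
       attribute from the example write URL stays non-writable. -->
  <deny>
    <mbean>
      <name>java.lang:type=Memory</name>
      <attribute mode="write">Verbose</attribute>
    </mbean>
  </deny>

</restrict>
```

With this policy in place, a quick check is to repeat one of the GET `write` URLs from the issue and confirm Jolokia answers with a 403 status in the JSON envelope instead of changing the attribute, then retry a POST `read` of `HeapMemoryUsage` from localhost and confirm it still succeeds.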