Uploaded image for project: 'Infinispan'
  1. Infinispan
  2. ISPN-8796

Jolokia must be secured by default

    XMLWordPrintable

Details

    Description

      After ISPN-7599 we can read and change JMX attributes via rest.

      Jolokia is allowing to change the MBean attribute using the GET HTTP verb like:

      http://localhost:8778/jolokia/write/java.lang:type=Memory/Verbose/true
      http://127.0.0.1:8778/jolokia/write/jboss.datagrid-infinispan:component=Configuration,manager="local",name="namedCache(local)",type=Cache/evictionSize/10

      And also, all other attributes that are writable.

      Our intention here is block this behavior by default.

      Allow only request that comes from localhost, using POST HTTP verb and blocking all commands by default.

      Jolokia has a XML security policy that can be created to handle this.

      More info here

      Attachments

        Activity

          People

            dlovison@redhat.com Diego Lovison
            dlovison@redhat.com Diego Lovison
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: