Loading...

This issue belongs to an archived project. You can view it, but you can't modify it. Learn more

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 9.2.0.Final
Affects Version/s: None
Component/s: JMX, reporting and management
Labels:
None

Git Pull Request:
https://github.com/infinispan/infinispan/pull/5788

After ISPN-7599 we can read and change JMX attributes via rest.

Jolokia is allowing to change the MBean attribute using the GET HTTP verb like:

http://localhost:8778/jolokia/write/java.lang:type=Memory/Verbose/true
http://127.0.0.1:8778/jolokia/write/jboss.datagrid-infinispan:component=Configuration,manager="local",name="namedCache(local)",type=Cache/evictionSize/10

And also, all other attributes that are writable.

Our intention here is block this behavior by default.

Allow only request that comes from localhost, using POST HTTP verb and blocking all commands by default.

Jolokia has a XML security policy that can be created to handle this.

More info here

Assignee:: Diego Lovison

Reporter:: Diego Lovison

Archiver:: Amol Dongare

Created:: 2018/02/12 6:37 AM

Updated:: 2020/02/07 5:56 AM

Resolved:: 2018/02/23 6:06 AM

Archived:: 2024/11/28 6:21 AM