All,

I've been thinking about the possibility of making a read-only JMX role
available for the existing manager-jmx capability.

The idea would be that this role would only be able to make "get"
requests (that is, a JMX-get operation, not HTTP-GET). No "set" or
"invoke" operations would be allowed.

The manager-jmx role has quite a bit of power, and is typically used
only for monitoring where being able to modify the server is not
necessary. If manager-jmx is being used "only" for monitoring, then
opening up the system for potential reconfiguration by the monitoring
user is a potential attack vector.

I don't think the level of effort would be significant: simply require
"manager-jmx" for set/invoke operations and require either manager-jmx
or manager-jmx-read-only (or something similar) for get operations.

Does anyone think this is a good idea?

I for one use jmxproxy at $work for both monitoring /and/ administrative
tasks such as restarting applications, listing users, and initiating
garbage collection (in very rare cases). For these full-write purposes,
I could continue to use the (full) jmxproxy role, but for the
monitoring-only ones, it would be nice to lock things down to the
absolute minimum.

-chris
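The role split described in the message above, sketched as a servlet Filter in front of the jmxproxy servlet. This is an added example, not Tomcat's own code or the proposal's implementation. It assumes the Tomcat 9 javax.servlet API, the role name "manager-jmx-read-only" (the mail says "or something similar"), and the jmxproxy request parameters qry, get, set and invoke. The decision is fail-closed: if a request carries any write parameter at all, the full role is required, regardless of which parameter the servlet itself would act on first.

```java
// Added example (not Tomcat's code): a Filter that lets a read-only role
// reach only JMX read operations on the jmxproxy URL, while set/invoke
// still require the full manager-jmx role.
import java.io.IOException;
import java.util.Set;
import java.util.function.Predicate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class JmxReadOnlyFilter implements Filter {

    static final String FULL_ROLE = "manager-jmx";
    // Assumed role name; the mail proposes "manager-jmx-read-only or something similar".
    static final String READ_ROLE = "manager-jmx-read-only";

    /** Kind of JMX operation a jmxproxy request asks for. */
    enum Op { READ, WRITE }

    /**
     * Classify a request by the jmxproxy parameters it carries.
     * Any presence of "set" or "invoke" counts as WRITE, even if a "get" or
     * "qry" parameter is also present, so a read-only user cannot smuggle a
     * write into a request that looks like a read. A request with no
     * operation parameter is a bean listing, i.e. a READ.
     */
    static Op classify(HttpServletRequest req) {
        if (req.getParameter("set") != null || req.getParameter("invoke") != null) {
            return Op.WRITE;
        }
        return Op.READ;
    }

    /**
     * Pure authorization decision, kept separate from the servlet API so it
     * can be exercised without a container: WRITE needs the full role,
     * READ is satisfied by either role.
     */
    static boolean isAllowed(Op op, Predicate<String> hasRole) {
        if (hasRole.test(FULL_ROLE)) {
            return true;
        }
        return op == Op.READ && hasRole.test(READ_ROLE);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        Op op = classify(req);
        if (!isAllowed(op, req::isUserInRole)) {
            // Deny before the jmxproxy servlet ever sees the write request.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "JMX " + op + " requires role " + FULL_ROLE);
            return;
        }
        chain.doFilter(request, response);
    }

    /** Stand-alone demonstration with constructed role sets (no container needed). */
    public static void main(String[] args) {
        Predicate<String> monitor = Set.of(READ_ROLE)::contains;  // constructed: monitoring user
        Predicate<String> admin   = Set.of(FULL_ROLE)::contains;  // constructed: full admin
        Predicate<String> nobody  = Set.<String>of()::contains;   // constructed: no JMX roles

        System.out.println("monitor READ  -> " + isAllowed(Op.READ, monitor));   // true
        System.out.println("monitor WRITE -> " + isAllowed(Op.WRITE, monitor));  // false
        System.out.println("admin   WRITE -> " + isAllowed(Op.WRITE, admin));    // true
        System.out.println("nobody  READ  -> " + isAllowed(Op.READ, nobody));    // false
    }
}
```

To try it, the filter would be mapped to /jmxproxy/* in the manager webapp's web.xml, and the read-only role would also have to be added to the auth-constraint that already guards that URL pattern; otherwise the container rejects a read-only user before the filter runs. The filter then narrows what that role may do once it is through the door.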