Mon, 13 Jun 2022 at 19:54, Konstantin Kolinko <knst.koli...@gmail.com>:
>
> Mon, 13 Jun 2022 at 19:32, Christopher Schultz
> <ch...@christopherschultz.net>:
> >
> > All,
> >
> > I've been thinking about the possibility of making a read-only JMX role
> > available for the existing manager-jmx capability.
> >
> > [...]
> >
> > Does anyone think this is a good idea?
> >
>
> I think it is a bad idea, because passwords (and maybe other secrets)
> are visible through JMX, by design.
>
> It might be worth having some "status" role,
> but it has to be defined more specifically than just a "view all" role.
>
> Maybe the way to achieve the same result is to amend the server status page,
> which is already provided by the manager app and has a dedicated role.

BTW, the server status page might show session ids, in the rare circumstances when the session id is visible in the request URI. So it is also not safe to show the status page to an untrusted party.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org