Konstantin,
On 6/13/22 12:54, Konstantin Kolinko wrote:
> Mon, 13 Jun 2022 at 19:32, Christopher Schultz <ch...@christopherschultz.net>:
>> All,
>> I've been thinking about the possibility of making a read-only JMX role
>> available for the existing manager-jmx capability.
>> [...]
>> Does anyone think this is a good idea?
> I think it is a bad idea, because passwords (and maybe other secrets)
> are visible through JMX, by design.
How can you view a password through JMX -- assuming you can only make
JMX "get" requests?
> It might be worth having some "status" role,
> but it has to be defined more specifically than just a "view all" role.
I'm okay with a line-item ACL for specific resources. It's just more
effort to (a) program and (b) implement at a site.
> Maybe the way to achieve the same result is to amend the server status page,
> which is already provided by the manager app and has a dedicated role.
That's another possibility, but something that can produce small (HTTP)
responses is preferable to something which requires screen-scraping.
-chris
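An added example, not code from this thread or from Tomcat, illustrating the point that plain "get" access is enough to read a secret: a standard MBean with a Password attribute is registered on the platform MBeanServer, and a scan lists every readable attribute a "view all" read-only role would expose, which is the kind of inventory a site would need before writing a line-item ACL. The sample MBean, its ObjectName and the attribute-name pattern are assumptions for the example.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.management.MBeanAttributeInfo;
import javax.management.MBeanServer;
import javax.management.ObjectName;

public class ReadOnlyJmxAudit {

    // Constructed stand-in for a DataSource-style MBean: a read-only "get"
    // of the Password attribute is enough to reveal the secret.
    public interface SampleDataSourceMBean {
        String getUrl();
        String getPassword();
        int getMaxTotal();
    }

    public static class SampleDataSource implements SampleDataSourceMBean {
        public String getUrl() { return "jdbc:example://db.example.invalid/app"; }
        public String getPassword() { return "constructed-sample-secret"; }
        public int getMaxTotal() { return 20; }
    }

    // Attribute names that a "view all" role should never be able to read
    // (assumed pattern; extend it for the secrets your site exposes via JMX).
    private static final Pattern SENSITIVE =
        Pattern.compile("(?i)(password|passwd|secret|credential|token)");

    // Returns "objectName#attribute" for every readable attribute whose name
    // matches SENSITIVE, across every MBean the given server exposes.
    public static List<String> findExposedSecrets(MBeanServer server) throws Exception {
        List<String> hits = new ArrayList<>();
        for (ObjectName name : server.queryNames(null, null)) {
            for (MBeanAttributeInfo attr : server.getMBeanInfo(name).getAttributes()) {
                if (attr.isReadable() && SENSITIVE.matcher(attr.getName()).find()) {
                    hits.add(name + "#" + attr.getName());
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        // Hypothetical ObjectName for the constructed sample MBean.
        ObjectName name = new ObjectName("Example:type=DataSource,name=sample");
        server.registerMBean(new SampleDataSource(), name);
        for (String hit : findExposedSecrets(server)) {
            System.out.println("read-only JMX would expose: " + hit);
        }
    }
}
```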
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org