Doing a quick dive and restricting invoke, get, set, query to their own
roles looks "easy" since they have their if() checks.(Easier to lock down
than I recalled)
As for further locking down get() - I guess one could add an init() param
to the servlet called get-approve-list which can be a white space, comma,
(or whatever) separator of regexes to approve in. (And the absence of the
parameter allows .+)
EXAMPLE web.xml
<init-param>
<param-name> get-approve-list </param-name>
<param-value>
java.lang:type=Memory
^java.lang:.+
</param-value>
</init-param>
Replacement to around line 112 of existing JMXProxy
qry = request.getParameter("get");
if (qry != null) {
boolean matches = false;
for (String regex:getRestrictions ) {
matches = matches || qry.matches(regex);
}
if (!matches) {
throw new Error403(); /* I made this up */
}
String name = request.getParameter("att");
getAttribute(writer, qry, name, request.getParameter("key"));
return;
}
As for status If you strike the the active requests from
"/manager/status?XML=true" (Which can leak session info) - You have a
pretty good status monitor (even though its XML)
-Tim
On Mon, Jun 13, 2022 at 2:29 PM Christopher Schultz <
[email protected]> wrote:
>
> I think the JMXProxyServlet is better than JMX itself for a number of
> reasons. Though platform JMX access has improved in the last few
> versions, the fact is that Tomcat's ability to provide access to JMX
> (through HTTP) is far more flexible and secure than the heavy-handed JMX
> capabilities provided by the platform.
>
> I would be strongly against deprecating the JMXProxyServlet for that
> reason moving forward.
>
>
