This is an automated email from the ASF dual-hosted git repository. jbonofre pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/karaf.git
The following commit(s) were added to refs/heads/main by this push: new b42c82c [KARAF-7312] Add JMX credentials filter pattern support on the RMI connector and enforce it by default new b945a31 Merge pull request #1475 from jbonofre/KARAF-7312 b42c82c is described below commit b42c82ca3b9a22bd92d249a1060a1953f4188bc2 Author: Jean-Baptiste Onofré <jbono...@apache.org> AuthorDate: Tue Jan 4 16:00:06 2022 +0100 [KARAF-7312] Add JMX credentials filter pattern support on the RMI connector and enforce it by default --- assemblies/features/standard/src/main/feature/feature.xml | 5 +++++ .../main/java/org/apache/karaf/management/internal/Activator.java | 6 ++++++ 2 files changed, 11 insertions(+)
diff --git a/assemblies/features/standard/src/main/feature/feature.xml b/assemblies/features/standard/src/main/feature/feature.xml
index 4c6dac9..0836fa3 100644
--- a/assemblies/features/standard/src/main/feature/feature.xml
+++ b/assemblies/features/standard/src/main/feature/feature.xml
@@ -1330,6 +1330,11 @@ jmxmpObjectName = connector:name=jmxmp
 # Locate an existing MBean server if possible (usefull when Karaf is embedded)
 #
 #locateExistingMBeanServerIfPossible = true
+
+#
+# Enforce credentials filter pattern to avoid deserialization
+#
+#jmx.remote.rmi.server.credentials.filter.pattern=java.lang.String;!*
 </config>
 <feature>jaas</feature>
 <bundle dependency="true" start-level="20">mvn:org.apache.aries/org.apache.aries.util/${aries.util.version}</bundle>
diff --git a/management/server/src/main/java/org/apache/karaf/management/internal/Activator.java b/management/server/src/main/java/org/apache/karaf/management/internal/Activator.java
index 8328828..d27a290 100644
--- a/management/server/src/main/java/org/apache/karaf/management/internal/Activator.java
+++ b/management/server/src/main/java/org/apache/karaf/management/internal/Activator.java
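Review bot: The comment `# Enforce credentials filter pattern to avoid deserialization` in the feature.xml hunk overstates what the property does: an ObjectInputFilter pattern does not avoid deserializing the RMI client credentials, it restricts which classes may be deserialized when they are read, and with the shown value only `java.lang.String` (and, per the ObjectInputFilter rules, arrays of it) is accepted while everything else is rejected. The commented-out line is also the value Activator.java now applies when the key is absent, but nothing here tells an operator that leaving it commented means "default on" rather than "off". Suggested replacement for the two comment lines: `# ObjectInputFilter pattern applied to RMI client credentials (restricts which classes may be deserialized).` and `# The default below is applied even when this key is left commented out.`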
@@ -21,6 +21,7 @@ import java.util.Map;
 import javax.management.MBeanServer;
 import javax.management.ObjectName;
+import javax.management.remote.rmi.RMIConnectorServer;
 import org.apache.karaf.jaas.config.KeystoreInstance;
 import org.apache.karaf.jaas.config.KeystoreManager;
@@ -109,6 +110,10 @@ public class Activator extends BaseActivator implements ManagedService {
 originalRmiServerHostname = System.getProperty("java.rmi.server.hostname");
 System.setProperty("java.rmi.server.hostname", rmiServerHost);
+ // https://issues.apache.org/jira/browse/KARAF-7312
+ // security enforcement using credentials filter pattern, passed via environment map
+ String credentialsFilterPattern = getString(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, String.class.getName() + ";!*");
+
 String jmxRealm = getString("jmxRealm", "karaf");
 String serviceUrl = getString("serviceUrl", "service:jmx:rmi://" + rmiServerHost + ":" + rmiServerPort + "/jndi/rmi://" + rmiRegistryHost + ":" + rmiRegistryPort + "/karaf-" + System.getProperty("karaf.name"));
@@ -170,6 +175,7 @@ public class Activator extends BaseActivator implements ManagedService {
 jmxmpEnvironment.put("jmx.remote.sasl.callback.handler", jaasAuthenticator);
 Map<String, Object> environment = new HashMap<>();
 environment.put("jmx.remote.authenticator", jaasAuthenticator);
+ environment.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, credentialsFilterPattern);
 try {
 connectorServerFactory.setEnvironment(environment);
 connectorServerFactory.setJmxmpEnvironment(jmxmpEnvironment);
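Review bot: In the hunk at `@@ -109,6 +110,10 @@` the pattern read from the `jmx.remote.rmi.server.credentials.filter.pattern` key is stored in `credentialsFilterPattern` and handed straight to the connector environment in the hunk at `@@ -170,6 +175,7 @@` without being parsed, so a malformed pattern in the configuration is only reported when the JDK connector server builds its filter (where exactly is not visible here), far from the setting that caused it and without naming it. A fail-fast check next to the assignment, `ObjectInputFilter.Config.createFilter(credentialsFilterPattern); // IllegalArgumentException on a malformed pattern, before the connector starts`, with `java.io.ObjectInputFilter` imported and the exception re-thrown with the key name in its message, would make the failure attributable. The comment `// security enforcement using credentials filter pattern, passed via environment map` says what rather than why; suggest `// Restrict which classes the RMI connector may deserialize from client credentials; the default admits java.lang.String (and arrays of it) and rejects everything else`. The enclosing method of both hunks starts and ends outside the hunks.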