This is an automated email from the ASF dual-hosted git repository.

jbonofre pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/karaf.git


The following commit(s) were added to refs/heads/main by this push:
     new b42c82c  [KARAF-7312] Add JMX credentials filter pattern support on 
the RMI connector and enforce it by default
     new b945a31  Merge pull request #1475 from jbonofre/KARAF-7312
b42c82c is described below

commit b42c82ca3b9a22bd92d249a1060a1953f4188bc2
Author: Jean-Baptiste Onofré <jbono...@apache.org>
AuthorDate: Tue Jan 4 16:00:06 2022 +0100

    [KARAF-7312] Add JMX credentials filter pattern support on the RMI
    connector and enforce it by default
---
 assemblies/features/standard/src/main/feature/feature.xml           | 5 +++++
 .../main/java/org/apache/karaf/management/internal/Activator.java   | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/assemblies/features/standard/src/main/feature/feature.xml 
b/assemblies/features/standard/src/main/feature/feature.xml
index 4c6dac9..0836fa3 100644
--- a/assemblies/features/standard/src/main/feature/feature.xml
+++ b/assemblies/features/standard/src/main/feature/feature.xml
@@ -1330,6 +1330,11 @@ jmxmpObjectName = connector:name=jmxmp
 # Locate an existing MBean server if possible (usefull when Karaf is embedded)
 #
 #locateExistingMBeanServerIfPossible = true
+
+#
+# Enforce credentials filter pattern to avoid deserialization
+#
+#jmx.remote.rmi.server.credentials.filter.pattern=java.lang.String;!*
         </config>
         <feature>jaas</feature>
         <bundle dependency="true" 
start-level="20">mvn:org.apache.aries/org.apache.aries.util/${aries.util.version}</bundle>
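Review bot: The comment added above the commented-out `jmx.remote.rmi.server.credentials.filter.pattern` line says the setting is there "to avoid deserialization", which overstates it: the credentials object is still deserialized, the ObjectInputFilter pattern only restricts which classes are accepted, and the default shown admits `java.lang.String` (and thus `String[]`, since array classes are decided on their component type) and rejects everything else. Since this is the one place an operator will read before changing the value, the comment should also say what the value is and what it protects: `# ObjectInputFilter pattern applied to the credentials object a JMX client sends over the RMI connector before authentication; default accepts only java.lang.String / String[] and rejects everything else`. It would be worth adding that the filter only covers the RMI connector (the JMXMP connector configured in the same file is not affected) and that loosening or blanking the value widens the pre-authentication deserialization surface.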
diff --git 
a/management/server/src/main/java/org/apache/karaf/management/internal/Activator.java
 
b/management/server/src/main/java/org/apache/karaf/management/internal/Activator.java
index 8328828..d27a290 100644
--- 
a/management/server/src/main/java/org/apache/karaf/management/internal/Activator.java
+++ 
b/management/server/src/main/java/org/apache/karaf/management/internal/Activator.java
@@ -21,6 +21,7 @@ import java.util.Map;
 
 import javax.management.MBeanServer;
 import javax.management.ObjectName;
+import javax.management.remote.rmi.RMIConnectorServer;
 
 import org.apache.karaf.jaas.config.KeystoreInstance;
 import org.apache.karaf.jaas.config.KeystoreManager;
@@ -109,6 +110,10 @@ public class Activator extends BaseActivator implements 
ManagedService {
         originalRmiServerHostname = 
System.getProperty("java.rmi.server.hostname");
         System.setProperty("java.rmi.server.hostname", rmiServerHost);
 
+        // https://issues.apache.org/jira/browse/KARAF-7312
+        // security enforcement using credentials filter pattern, passed via 
environment map
+        String credentialsFilterPattern = 
getString(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, String.class.getName() 
+ ";!*");
+
         String jmxRealm = getString("jmxRealm", "karaf");
         String serviceUrl = getString("serviceUrl",
                 "service:jmx:rmi://" + rmiServerHost + ":" + rmiServerPort + 
"/jndi/rmi://" + rmiRegistryHost + ":" + rmiRegistryPort + "/karaf-" + 
System.getProperty("karaf.name"));
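Review bot: An operator who sets `jmx.remote.rmi.server.credentials.filter.pattern` to an empty value in the configuration gets no filter at all rather than the default, because `getString` only falls back to its second argument when the key is absent (as far as I can tell from how it is used here), and `ObjectInputFilter.Config.createFilter` treats a pattern with no entries as "no filter"; the default the commit title says is "enforced" is then silently lost. Treat blank as unset so the secure default wins: `if (credentialsFilterPattern == null || credentialsFilterPattern.trim().isEmpty()) { credentialsFilterPattern = String.class.getName() + ";!*"; }`, and consider logging at WARN when a non-default pattern is in effect so a weakened filter is visible in the log. The `";!*"` default is built from `String.class.getName()` twice across this file (once here, once in feature.xml); a named constant such as `DEFAULT_CREDENTIALS_FILTER_PATTERN` would keep the two in step. The enclosing method starts before this hunk and continues past it.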
@@ -170,6 +175,7 @@ public class Activator extends BaseActivator implements 
ManagedService {
         jmxmpEnvironment.put("jmx.remote.sasl.callback.handler", 
jaasAuthenticator);
         Map<String, Object> environment = new HashMap<>();
         environment.put("jmx.remote.authenticator", jaasAuthenticator);
+        environment.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, 
credentialsFilterPattern);
         try {
             connectorServerFactory.setEnvironment(environment);
             connectorServerFactory.setJmxmpEnvironment(jmxmpEnvironment);
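Review bot: `RMIConnectorServer.CREDENTIALS_FILTER_PATTERN` only filters the credentials object deserialized in the connector's pre-authentication `newClient` path; the arguments of MBean operations invoked by an authenticated client on the RMI connector are still deserialized through the default mechanism, and this hunk does not change that. A comment on the new `environment.put` line should make the scope explicit so nobody reads it as full deserialization hardening: `// restricts only the pre-auth credentials object; MBean invocation arguments are not covered by this filter`. Where the running JDK supports a connector-wide serial filter attribute, or a process-wide `jdk.serialFilter`, that is the complementary control for the post-authentication surface; I have not verified which JDK versions Karaf main currently requires, so that should be checked before relying on it. The JMXMP environment built just above does not get the property, which is correct since the attribute is RMI-specific, but worth a one-line comment so it is not mistaken for an omission. The surrounding method starts before this hunk and continues after it.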
