[ https://issues.apache.org/jira/browse/KARAF-6251?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Grzegorz Grzybek reassigned KARAF-6251:
---------------------------------------

    Assignee: Grzegorz Grzybek  (was: Jean-Baptiste Onofré)

> Jolokia bypasses JMX ACL
> ------------------------
>
>                 Key: KARAF-6251
>                 URL: https://issues.apache.org/jira/browse/KARAF-6251
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf
>    Affects Versions: 4.2.5
>            Reporter: Tadayoshi Sato
>            Assignee: Grzegorz Grzybek
>            Priority: Major
>             Fix For: 4.3.0, 4.2.6
>
>
> For example, after you install the {{jolokia}} feature:
> {code}
> karaf@root()> feature:install jolokia
> {code}
> the invocation of {{Memory.gc()}} over Jolokia always succeeds even if the user {{viewer}} doesn't have the right:
> {code}
> $ curl -s -u viewer:viewer http://localhost:8181/jolokia/exec/java.lang:type=Memory/gc\(\)
> {"request":{"mbean":"java.lang:type=Memory","type":"exec","operation":"gc()"},"value":null,"timestamp":1556005468,"status":200}
> {code}
> Note {{jmx.acl.java.lang.Memory.cfg}} only allows {{manager}} (not {{viewer}}) to invoke {{gc()}}:
> {code}
> $ cat etc/jmx.acl.java.lang.Memory.cfg
> ...
> gc = manager
> {code}
> This is actually an old issue, which must have been caused by KARAF-3147, as Jolokia is considered to be a local JMX connection.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
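
A regression check for the behaviour reported above, as an added example that is not part of the original issue nor code from Karaf or Jolokia: it reads the ACL entry and the Jolokia response quoted in the report and flags an executed operation whose caller holds none of the required roles. The function names, the role set passed in for `viewer`, and the restriction to plain `name = role` lines of a single ACL file are assumptions of this example.

```python
import json

# Constructed sample: only the ACL entry quoted in the report; the rest of
# etc/jmx.acl.java.lang.Memory.cfg is elided there and is not reproduced.
ACL_TEXT = """\
# etc/jmx.acl.java.lang.Memory.cfg
gc = manager
"""

# Jolokia response as quoted in the report (request made as user "viewer").
RESPONSE = (
    '{"request":{"mbean":"java.lang:type=Memory","type":"exec",'
    '"operation":"gc()"},"value":null,"timestamp":1556005468,"status":200}'
)


def parse_acl(text):
    """Map operation name -> set of allowed roles.

    Assumption: handles only plain `name = role[, role]` lines; signature,
    argument and wildcard entries are not interpreted here.
    """
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, roles = line.split("=", 1)
        acl[name.strip()] = {r.strip() for r in roles.split(",") if r.strip()}
    return acl


def operation_name(op):
    """Jolokia reports `gc()`; the ACL key in the report is the bare `gc`."""
    return op.split("(", 1)[0]


def acl_bypassed(acl, caller_roles, response_json):
    """True when an exec request succeeded although the caller holds none of
    the roles the ACL requires for that operation."""
    resp = json.loads(response_json)
    req = resp.get("request", {})
    if req.get("type") != "exec" or resp.get("status") != 200:
        return False  # nothing was executed
    required = acl.get(operation_name(req.get("operation", "")))
    if required is None:
        return False  # no entry in this file; parent ACL files are out of scope
    return not (set(caller_roles) & required)
```

With the values from the report, `acl_bypassed(parse_acl(ACL_TEXT), {"viewer"}, RESPONSE)` is `True`, which is the condition the issue describes; a fixed installation should no longer produce it.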