This is an automated email from the ASF dual-hosted git repository.

btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git

commit 75a776dbf8bfe7b19d2a0542e11691070b4fd5b2
Author: Benoit TELLIER <btell...@linagora.com>
AuthorDate: Tue Dec 19 16:55:52 2023 +0100

    [FIX] Set up JMX auth filter for Guice
    
    This prevents unauthenticated users from triggering
    deserialization exploits that could be used
    for privilege escalation.
---
 .../jmx/src/main/java/org/apache/james/modules/server/JMXServer.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git 
a/server/container/guice/jmx/src/main/java/org/apache/james/modules/server/JMXServer.java
 
b/server/container/guice/jmx/src/main/java/org/apache/james/modules/server/JMXServer.java
index b8d3547ed5..68da3a885a 100644
--- 
a/server/container/guice/jmx/src/main/java/org/apache/james/modules/server/JMXServer.java
+++ 
b/server/container/guice/jmx/src/main/java/org/apache/james/modules/server/JMXServer.java
@@ -131,8 +131,9 @@ public class JMXServer implements Startable {
             Map<String, String> environment = 
Optional.of(existJmxPasswordFile())
                 .filter(FunctionalUtils.identityPredicate())
                 .map(hasJmxPasswordFile -> 
ImmutableMap.of("jmx.remote.x.password.file", jmxPasswordFilePath,
-                    "jmx.remote.x.access.file", jmxAccessFilePath))
-                .orElse(ImmutableMap.of());
+                    "jmx.remote.x.access.file", jmxAccessFilePath,
+                    "jmx.remote.rmi.server.credentials.filter.pattern", 
"java.lang.String;!*"))
+                
.orElse(ImmutableMap.of("jmx.remote.rmi.server.credentials.filter.pattern", 
"java.lang.String;!*"));
 
             jmxConnectorServer = 
JMXConnectorServerFactory.newJMXConnectorServer(new JMXServiceURL(serviceURL),
                 environment,
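Review bot: The connector key `jmx.remote.rmi.server.credentials.filter.pattern` and the pattern `java.lang.String;!*` are now spelled out twice, once in each branch of the Optional chain, so a future change to the filter has to be made in two places and can silently diverge. Consider hoisting them, e.g. `private static final String CREDENTIALS_FILTER_PATTERN = "java.lang.String;!*";`, and — if the class is already imported or an import is acceptable — using the JDK constant `RMIConnectorServer.CREDENTIALS_FILTER_PATTERN` instead of the string key (it exists since JDK 12, which is worth stating in a comment as the minimum JDK this property relies on; on older runtimes the entry is silently ignored). As documented in the JDK, this filter only validates the credentials object a client presents before authentication; parameters of MBean invocations after login still pass through RMI deserialization, so if the target JDK supports `jmx.remote.rmi.server.serial.filter.pattern` (`RMIConnectorServer.SERIAL_FILTER_PATTERN`) a matching filter there would cover the post-authentication path, and a one-line comment `// credentials filter applies to the pre-authentication credentials object only` would help the next reader judge the coverage. The enclosing method starts and ends outside the hunk.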

