This is an automated email from the ASF dual-hosted git repository.

btellier pushed a commit to branch 3.7.x
in repository https://gitbox.apache.org/repos/asf/james-project.git

commit 3d221561761a0ab7c86896cc0028f21b65cc2b4d
Author: Benoit TELLIER <btell...@linagora.com>
AuthorDate: Tue Dec 19 16:55:52 2023 +0100

    [FIX] Set up JMX auth filter for Guice
    
    This prevents unauthenticated users from triggering
    deserialization exploits that could be used
    for privilege escalation.
---
 .../jmx/src/main/java/org/apache/james/modules/server/JMXServer.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git 
a/server/container/guice/jmx/src/main/java/org/apache/james/modules/server/JMXServer.java
 
b/server/container/guice/jmx/src/main/java/org/apache/james/modules/server/JMXServer.java
index 901926dad2..d880208f35 100644
--- 
a/server/container/guice/jmx/src/main/java/org/apache/james/modules/server/JMXServer.java
+++ 
b/server/container/guice/jmx/src/main/java/org/apache/james/modules/server/JMXServer.java
@@ -129,8 +129,9 @@ public class JMXServer implements Startable {
             Map<String, String> environment = 
Optional.of(existJmxPasswordFile())
                 .filter(FunctionalUtils.identityPredicate())
                 .map(hasJmxPasswordFile -> 
ImmutableMap.of("jmx.remote.x.password.file", jmxPasswordFilePath,
-                    "jmx.remote.x.access.file", jmxAccessFilePath))
-                .orElse(ImmutableMap.of());
+                    "jmx.remote.x.access.file", jmxAccessFilePath,
+                    "jmx.remote.rmi.server.credentials.filter.pattern", 
"java.lang.String;!*"))
+                
.orElse(ImmutableMap.of("jmx.remote.rmi.server.credentials.filter.pattern", 
"java.lang.String;!*"));
 
             jmxConnectorServer = 
JMXConnectorServerFactory.newJMXConnectorServer(new JMXServiceURL(serviceURL),
                 environment,
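Review bot: The credentials filter entry (`"jmx.remote.rmi.server.credentials.filter.pattern"` → `"java.lang.String;!*"`) is spelled out twice, once inside `.map(...)` and once in `.orElse(...)`, so a later edit to either branch can silently drop the filter from the other. Build the filter entry once and merge the password/access entries on top of it, so every path through the Optional carries it. The key is a literal that the JDK also exposes as `RMIConnectorServer.CREDENTIALS_FILTER_PATTERN` (javax.management.remote.rmi, JDK 10+); switching to it would need an import not visible in this hunk, so the sketch below keeps the literal. The enclosing method starts and ends outside the hunk.
```java
            // Built once so both branches below carry the same credentials deserialization filter.
            ImmutableMap<String, String> credentialsFilter = ImmutableMap.of(
                "jmx.remote.rmi.server.credentials.filter.pattern", "java.lang.String;!*");
            Map<String, String> environment = Optional.of(existJmxPasswordFile())
                .filter(FunctionalUtils.identityPredicate())
                .map(hasJmxPasswordFile -> ImmutableMap.<String, String>builder()
                    .putAll(credentialsFilter)
                    .put("jmx.remote.x.password.file", jmxPasswordFilePath)
                    .put("jmx.remote.x.access.file", jmxAccessFilePath)
                    .build())
                .orElse(credentialsFilter);
            // … unchanged: JMXConnectorServerFactory.newJMXConnectorServer(...) call …
```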

