https://bz.apache.org/bugzilla/show_bug.cgi?id=66125
Bug ID: 66125 Summary: JMProxy - enhance security restrictions Product: Tomcat 10 Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P2 Component: Manager Assignee: dev@tomcat.apache.org Reporter: funk...@apache.org Target Milestone: ------ Use case: Allow an admin to restrict the scope of available queries for finding beans. Also allow the scope to be restricted per operation. Done by allowing for a servlet init parameter or a servlet context init param. Naming of the parameter is the same (except the context version has a "JMXProxyServlet." prefix to the name) By allowing servlet context init param, then the manager.xml context file can be updated instead of the more risky (when versions update) server admin change of web.xml The value is a comma or whitespace separated list of allowable regex's to be checked against the query param before running the JMX query. This can allow the effective disable of set or generic query while preserving get to a finite namespace and invoke to just garbage collection. (Per example in docs) Patch preview for the basic concept (disclaimer: untested but up for ideas in renaming the param names or general approach) https://github.com/apache/tomcat/compare/main...funkman:jmx_lockdown?expand=1 -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org