https://bz.apache.org/bugzilla/show_bug.cgi?id=66125

            Bug ID: 66125
           Summary: JMProxy - enhance security restrictions
           Product: Tomcat 10
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Manager
          Assignee: dev@tomcat.apache.org
          Reporter: funk...@apache.org
  Target Milestone: ------

Use case: Allow an admin to restrict the scope of available queries for finding
beans. Also allow the scope to be restricted per operation.

Done by allowing for a servlet init parameter or a servlet context init param.
Naming of the parameter is the same (except the context version has a
"JMXProxyServlet." prefix to the name). By allowing a servlet context init param,
the manager.xml context file can be updated instead of the more risky
(when versions update) server admin change of web.xml.

The value is a comma or whitespace separated list of allowable regexes to be
checked against the query param before running the JMX query.

This can allow effectively disabling set or generic query while preserving
get to a finite namespace and invoke to just garbage collection (per the example
in the docs).

Patch preview for the basic concept (disclaimer: untested but up for ideas in
renaming the param names or general approach)
https://github.com/apache/tomcat/compare/main...funkman:jmx_lockdown?expand=1

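A sketch of the per-operation allowlist check the report describes, as an added example that is not code from Tomcat or from the linked patch. The class name, the deny-when-empty default, the whole-string match and the sample patterns are assumptions; the report does not give the parameter names, so none are used here.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.EnumMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration, not Tomcat code. The four operations mirror the
// JMXProxyServlet request parameters (get, set, invoke, qry).
public class JmxQueryAllowlist {
    enum Op { GET, SET, INVOKE, QRY }

    private final Map<Op, List<Pattern>> allowed = new EnumMap<>(Op.class);

    // value: comma or whitespace separated list of regexes, as in the report.
    // JMX ObjectNames separate key properties with commas, so with this
    // splitting a literal comma in a pattern has to be written as \x2c.
    void configure(Op op, String value) {
        List<Pattern> patterns = new ArrayList<>();
        for (String token : (value == null ? "" : value).split("[,\\s]+")) {
            if (!token.isEmpty()) {
                patterns.add(Pattern.compile(token));
            }
        }
        allowed.put(op, patterns);
    }

    // Assumptions: an operation with no patterns is denied, and a pattern
    // must match the whole query (matches(), not find()), so an allowed
    // name embedded in a longer query does not pass.
    boolean isAllowed(Op op, String query) {
        return query != null
                && allowed.getOrDefault(op, Collections.emptyList()).stream()
                        .anyMatch(p -> p.matcher(query).matches());
    }

    public static void main(String[] args) {
        JmxQueryAllowlist acl = new JmxQueryAllowlist();
        // Constructed sample configuration: get limited to two name patterns,
        // invoke limited to the Memory bean, set and qry left empty (denied).
        acl.configure(Op.GET, "java\\.lang:type=Memory Catalina:type=ThreadPool\\x2cname=.*");
        acl.configure(Op.INVOKE, "java\\.lang:type=Memory");
        System.out.println("get Memory: " + acl.isAllowed(Op.GET, "java.lang:type=Memory"));
        System.out.println("get ThreadPool: " + acl.isAllowed(Op.GET, "Catalina:type=ThreadPool,name=http"));
        System.out.println("get Server: " + acl.isAllowed(Op.GET, "Catalina:type=Server"));
        System.out.println("set Memory: " + acl.isAllowed(Op.SET, "java.lang:type=Memory"));
        System.out.println("qry *:*: " + acl.isAllowed(Op.QRY, "*:*"));
    }
}
```

Escaping the dot in `java\.lang` matters for the same reason as the whole-string match: an unescaped `.` or an unanchored search widens the set of bean names the list accepts.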