Hi Konstantin,

On Tue, Apr 23, 2013 at 6:48 PM, Konstantin Kolinko <knst.koli...@gmail.com> wrote:

> > I can't tell what I'm missing. Also, steps #2 and #3 are not even required
> > if I am using the RemoteAddrValve, correct?
>
> No. They are not related to RemoteAddrValve.

Thanks!

> I would say that you should be stopped by CsrfPreventionFilter,
> because your heapused.jsp is not in the list of configured entry
> points.

Bingo!

> Shanti wrote:
> > The funny thing is that I gather the JMX metrics in an identical manner on
> > Tomcat 7.0.23 and JDK 1.6 on several other RedHat Linux servers.
>
> CVE-2012-4431

Thanks so much! I am now able to get heapused.jsp to work. I only had to add heapused.jsp into web.xml. I did not need to add "/jmxproxy/".

-----manager/WEB-INF/web.xml:-----
  <filter>
    <filter-name>CSRF</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
      <param-name>entryPoints</param-name>
      <param-value>/html,/html/,/html/list,/heapused.jsp,/index.jsp</param-value>
    </init-param>
  </filter>
--------------------

curl http://localhost:6090/manager/heapused.jsp ==> gives me the value.

One question I have though is that I have other JSP pages for gathering other JMX metrics. I would like to not have to list these individually as entry points. I tried to put these JSPs into a jmx/ sub-directory under manager/. I added "<url-pattern>/jmx/*</url-pattern>" both individually as well as in conjunction with <init-param> in web.xml:

  <filter>
    <filter-name>CSRF</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
      <param-name>entryPoints</param-name>
      <param-value>/html,/html/,/html/list,/jmx/,/heapused.jsp,/index.jsp</param-value>
    </init-param>
    <url-pattern>/jmx/*</url-pattern>
  </filter>

But I got a 403 upon accessing:

curl http://localhost:6090/manager/jmx/heapused.jsp

The CSRF filter documentation did not mention "url-pattern":
http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html

Is there a way to achieve what I'd like?

Thanks!
-Shanti
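An added illustration, not code from the thread or from Tomcat, modelling the two separate path rules at work here: the `<url-pattern>` of a `<filter-mapping>` decides whether CsrfPreventionFilter runs at all and uses Servlet-spec matching (so `/jmx/*` is a prefix), while the filter's `entryPoints` init-param is consulted by exact string match on the request path, which is why listing `/jmx/` does not cover `/jmx/heapused.jsp`. The filter mapping `/*` used in the sample is an assumed value, not one stated in the thread.

```python
"""Model of how a nonce-less GET to the manager is accepted or rejected.

Two independent rules (modelled here, not Tomcat's own code):
1. <filter-mapping><url-pattern> decides whether the CSRF filter runs,
   using Servlet-spec matching: exact, prefix "/x/*", extension "*.jsp", "/".
2. entryPoints is a comma-separated list checked by exact membership only.
"""


def url_pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec filter-mapping match for one url-pattern."""
    if pattern == "/":                      # default mapping: everything
        return True
    if pattern.endswith("/*"):              # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):            # extension mapping
        return path.endswith(pattern[1:])
    return path == pattern                  # exact mapping


def csrf_filter_applies(filter_patterns, path: str) -> bool:
    """True if any mapped url-pattern routes this request through the filter."""
    return any(url_pattern_matches(p, path) for p in filter_patterns)


def nonce_check_skipped(entry_points: str, path: str) -> bool:
    """entryPoints semantics: split on commas, exact match, no wildcards."""
    entries = {e.strip() for e in entry_points.split(",") if e.strip()}
    return path in entries


def get_outcome(filter_patterns, entry_points: str, path: str,
                has_valid_nonce: bool = False) -> str:
    """Status a GET gets: '200' if it passes, '403' if the filter rejects it."""
    if not csrf_filter_applies(filter_patterns, path):
        return "200"                        # filter never sees the request
    if has_valid_nonce or nonce_check_skipped(entry_points, path):
        return "200"
    return "403"


# Constructed sample: the entryPoints value from the second config in the thread,
# with the filter assumed to be mapped to "/*" (assumption, not from the thread).
ENTRY_POINTS_THREAD = "/html,/html/,/html/list,/jmx/,/heapused.jsp,/index.jsp"
FILTER_MAPPING_ASSUMED = ["/*"]

if __name__ == "__main__":
    for p in ("/heapused.jsp", "/jmx/", "/jmx/heapused.jsp"):
        print(p, "->", get_outcome(FILTER_MAPPING_ASSUMED, ENTRY_POINTS_THREAD, p))
```

Scoping the filter via a `<filter-mapping>` that omits the `jmx/` subtree, or listing each page in `entryPoints`, both remove CSRF protection for those paths, so keep the exclusion to read-only pages.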