jmx-dev RFR: 8283093: JMX connections should default to using an ObjectInputFilter

Daniel Fuchs dfuchs at openjdk.org
Mon Oct 3 11:39:39 UTC 2022


On Fri, 30 Sep 2022 11:00:28 GMT, Kevin Walls <kevinw at openjdk.org> wrote:

> Set the management.properties "com.sun.management.jmxremote.serial.filter.pattern" value by default, to restrict types that can be deserialized.
> 
> Use the example value from the Core Libraries guide (see section 2. Serialization Filtering / Built-in Filters / Filters for JMX), plus Subject which is needed when using authentication.
> 
> The sun/management tests run OK with this change.  The existing test sun/management/jmxremote/startstop/JMXStartStopTest.java will fail if the filter specified is made too restrictive.

You will also need a CSR (and release notes). An application that registers its own MBeans in the platform MBeanServer, where such MBeans are not OpenMBeans, will be affected by this change, and will need to add whatever types it uses (which might include different flavors of `MBeanInfo` subtypes) in order to be able to access its MBeans through the default agent.

-------------

PR: https://git.openjdk.org/jdk/pull/10507
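
The effect described in the reply above, as an added example that is not part of the thread or of the JDK change: an allow-list serialization filter rejects an application's own `MBeanInfo` subtype until that type is added to the pattern. The class `AppMBeanInfo` is hypothetical and the pattern is a constructed stand-in, not the default value proposed in the PR.

```java
import java.io.*;
import javax.management.MBeanInfo;

public class JmxFilterDemo {
    // Hypothetical application type: an MBeanInfo subtype that is not an OpenMBean type.
    static class AppMBeanInfo extends MBeanInfo {
        private static final long serialVersionUID = 1L;
        AppMBeanInfo() {
            super("com.example.App", "constructed sample", null, null, null, null);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Deserialize under a pattern-based filter and report the outcome.
    static String tryRead(byte[] data, String pattern) throws Exception {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return "accepted: " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            // Thrown when the filter returns REJECTED for a class in the stream.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] data = serialize(new AppMBeanInfo());
        // Constructed allow-list: two packages, then "!*" rejects everything else.
        String base = "java.lang.*;javax.management.*;!*";
        // The application's subtype is not on the list, so the stream is refused.
        System.out.println(tryRead(data, base));
        // Adding the application's type ahead of the terminal "!*" lets it through.
        System.out.println(tryRead(data, "JmxFilterDemo$AppMBeanInfo;" + base));
    }
}
```

For a real agent the pattern is supplied through the `com.sun.management.jmxremote.serial.filter.pattern` entry in management.properties rather than in code.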

