RFR: 8283093: JMX connections should default to using an ObjectInputFilter

Daniel Fuchs dfuchs at openjdk.org
Tue Oct 11 17:52:18 UTC 2022


On Fri, 30 Sep 2022 11:00:28 GMT, Kevin Walls <kevinw at openjdk.org> wrote:

> Set the management.properties "com.sun.management.jmxremote.serial.filter.pattern" value by default, to restrict types that can be deserialized.
> 
> Use the example value from the Core Libraries guide (see section 2. Serialization Filtering / Built-in Filters / Filters for JMX), plus Subject which is needed when using authentication.
> 
> The sun/management tests run OK with this change.  The existing test sun/management/jmxremote/startstop/JMXStartStopTest.java will fail if the filter specified is made too restrictive.

src/jdk.management.agent/share/conf/management.properties line 306:

> 304: #   Otherwise, the status is UNDECIDED.
> 305: com.sun.management.jmxremote.serial.filter.pattern=java.lang.*;java.math.BigInteger;java.math.BigDecimal;java.util.*;javax.management.openmbean.*;javax.management.ObjectName;java.rmi.MarshalledObject;javax.security.auth.Subject;!*
> 306: 

Should the pattern also include the name of the module that defines these types?
Also this set doesn't seem to include javax.management.MBeanInfo and all the types it might contain. This leads me to think that regular MBeans which are not MXBeans or OpenMBeans, like the `DiagnosticCommandMBean` or the `MBeanServerDelegateMBean` might become inaccessible from remote after this change.

-------------

PR: https://git.openjdk.org/jdk/pull/10507
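The following is an added example, not code from the PR or the JDK, that evaluates the proposed filter pattern with the standard `java.io.ObjectInputFilter` API against a few class names, so a reviewer can see which serialized classes the pattern would ALLOW or REJECT before the filter is wired into an actual JMX connection. The class name `JmxFilterCheck` and the helper names are assumptions for the illustration; the pattern string is copied verbatim from the quoted `management.properties` line, and the probed classes (including `javax.management.MBeanInfo` from the reply above) are a constructed sample.

```java
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.FilterInfo;
import java.io.ObjectInputFilter.Status;
import java.util.List;

/**
 * Added example (not part of the PR): check which class names the proposed
 * com.sun.management.jmxremote.serial.filter.pattern accepts or rejects.
 * Only the pattern syntax is exercised; no JMX connector is created.
 */
public class JmxFilterCheck {

    // Pattern exactly as proposed in the quoted management.properties line.
    static final String PATTERN =
        "java.lang.*;java.math.BigInteger;java.math.BigDecimal;java.util.*;"
        + "javax.management.openmbean.*;javax.management.ObjectName;"
        + "java.rmi.MarshalledObject;javax.security.auth.Subject;!*";

    // Minimal FilterInfo describing one top-level, non-array object of the
    // given class; the remaining limits are irrelevant for a class-name check.
    static FilterInfo infoFor(Class<?> clazz) {
        return new FilterInfo() {
            @Override public Class<?> serialClass() { return clazz; }
            @Override public long arrayLength() { return -1; }
            @Override public long depth() { return 1; }
            @Override public long references() { return 0; }
            @Override public long streamBytes() { return 0; }
        };
    }

    // Ask the filter for its verdict on a single class.
    static Status check(ObjectInputFilter filter, Class<?> clazz) {
        return filter.checkInput(infoFor(clazz));
    }

    public static void main(String[] args) {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(PATTERN);

        // Constructed sample: some classes are listed in the pattern, others
        // (MBeanInfo and the types it carries, a java.util subpackage) are not.
        List<Class<?>> probes = List.of(
            javax.management.ObjectName.class,
            javax.management.openmbean.CompositeDataSupport.class,
            javax.security.auth.Subject.class,
            java.util.HashMap.class,
            java.util.concurrent.ConcurrentHashMap.class,
            javax.management.MBeanInfo.class,
            javax.management.MBeanAttributeInfo.class,
            javax.management.Attribute.class,
            javax.management.AttributeList.class);

        for (Class<?> c : probes) {
            System.out.printf("%-55s %s%n", c.getName(), check(filter, c));
        }
    }
}
```

Two properties of the pattern syntax are worth keeping in mind when reading the output: a `pkg.*` element matches classes directly in that package only (a `pkg.**` element is needed to cover subpackages), and a pattern element without a `/` does not compare the module name at all, so the pattern as quoted would neither require nor check that the matched classes come from `java.base` or `java.management`.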

