RFR: 8283093: JMX connections should default to using an ObjectInputFilter
Kevin Walls
kevinw at openjdk.org
Wed Oct 19 16:14:16 UTC 2022
On Fri, 30 Sep 2022 11:00:28 GMT, Kevin Walls <kevinw at openjdk.org> wrote:
> Set the management.properties "com.sun.management.jmxremote.serial.filter.pattern" value by default, to restrict types that can be deserialized.
>
> Use the example value from the Core Libraries guide (see section 2. Serialization Filtering / Built-in Filters / Filters for JMX), plus Subject which is needed when using authentication.
>
> The sun/management tests run OK with this change. The existing test sun/management/jmxremote/startstop/JMXStartStopTest.java will fail if the filter specified is made too restrictive.
Test update... We have:
test/jdk/javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java
...which already tests the filter feature.
It tests a JMX Connection and an operation with a parameter of type "MyTestObject", which can work or fail depending on which filter is in place.
I am updating that test to make sure there is a failure when using the default filter.
-------------
PR: https://git.openjdk.org/jdk/pull/10507
More information about the serviceability-dev
mailing list