HTTP method restrictions not working as expected #204
Comments
Wondering why the jolokia-access.xml is not shipped out of the box with the jolokia war? I understand that jolokia-access.xml can be repackaged using the jmx4perl tool, but is there any harm in shipping it OOB? There is another legal aspect to it. The moment I modify the war to ship jolokia along with my product, I MAY have to follow a certain process to declare the changes which I have done to the "third party open source software" (at least in my company that process is a MUST). :-(
Thanks for the PR, will check that ASAP. The reason why there is no I also see your point w.r.t. repackaging. That's also the reason that you can define If your repackaging restrictions are really very strict, I recommend using the JVM agent, which can be completely configured externally without repackaging.
Thanks for your quick reply. I agree with your point ("it's super difficult (even impossible?) to define a default set of restrictions"). I was thinking of shipping the file without any restriction at all. Later the user can configure it as per the need (as a part of the product installation). However, the ability to define jolokia-access.xml at an external location satisfies that need. Right now, in our product, we are not using the security feature (jolokia-access.xml), hence I am ok with the behavior (at least for the time being). :-)
Fixed #204 : Introducing checkHttpMethod(request) in the JsonRequestHandler.handleRequest(MBeanServerExecutor pServerManager, R request)
In the JsonRequestHandler.handleRequest(MBeanServerExecutor pServerManager, R request) method a call to checkHttpMethod(pRequest) is missing. Therefore the HTTP method restrictions defined in the security policy are bypassed.
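To make the bypass concrete, here is an added Python model of the problem. It is not Jolokia's code: the class and function names (Restrictor, check_http_method, handle_request_unchecked/checked), the 403 status returned for a rejected method, and the sample policy are assumptions for illustration. It loads a POST-only policy in the <http><method> form of jolokia-access.xml, then runs a GET read request through a handler that never consults the method check and through the same handler with the check in place.

```python
"""Model of the missing-check bug: HTTP method restrictions in the policy
are only enforced if the request handler actually consults them.
All class and function names here are hypothetical, not Jolokia's own."""
import xml.etree.ElementTree as ET

# Constructed sample policy using the <http><method> restriction form of
# jolokia-access.xml: only POST requests are permitted.
POLICY_XML = """\
<restrict>
  <http>
    <method>post</method>
  </http>
</restrict>
"""


def load_allowed_methods(policy_xml):
    """Parse <http><method> entries. Returns an upper-cased set of allowed
    methods, or None when the policy places no restriction on the method."""
    root = ET.fromstring(policy_xml)
    methods = {m.text.strip().upper() for m in root.findall("./http/method") if m.text}
    return methods or None


class Restrictor:
    """Answers policy questions; only the HTTP method question is modeled (hypothetical)."""

    def __init__(self, allowed_methods):
        self.allowed_methods = allowed_methods

    def is_http_method_allowed(self, method):
        return self.allowed_methods is None or method.upper() in self.allowed_methods


class HttpMethodNotAllowed(Exception):
    pass


def check_http_method(restrictor, request):
    """The guard the issue reports as missing from the handler (hypothetical name)."""
    if not restrictor.is_http_method_allowed(request["method"]):
        raise HttpMethodNotAllowed(
            "HTTP method %s is not allowed by policy" % request["method"].upper())


def dispatch(request):
    """Stand-in for the real MBean dispatch: returns a fake attribute value."""
    return {"status": 200, "request": request, "value": 42}


def handle_request_unchecked(restrictor, request):
    """Mirrors the reported bug: the restrictor exists but is never asked about
    the HTTP method, so a GET slips through a POST-only policy."""
    return dispatch(request)


def handle_request_checked(restrictor, request):
    """Fixed flow: consult the restrictor before dispatching. The 403 mapping
    for a rejected method is an assumption of this model."""
    try:
        check_http_method(restrictor, request)
    except HttpMethodNotAllowed as e:
        return {"status": 403, "error": str(e)}
    return dispatch(request)


def demo():
    """Run one GET and one POST read request through both handlers."""
    restrictor = Restrictor(load_allowed_methods(POLICY_XML))
    get_read = {"method": "GET", "type": "read", "mbean": "java.lang:type=Memory"}
    post_read = dict(get_read, method="POST")
    return {
        "unchecked_get": handle_request_unchecked(restrictor, get_read)["status"],
        "checked_get": handle_request_checked(restrictor, get_read)["status"],
        "checked_post": handle_request_checked(restrictor, post_read)["status"],
    }


if __name__ == "__main__":
    print(demo())
```

The unchecked handler answers the GET with 200 even though the policy only allows POST; with the check in place the GET is refused and the POST still succeeds. The point for a reviewer is that loading the policy is not the same as enforcing it: every entry point that dispatches a request must call the check, and a test like demo() is the cheapest way to catch an entry point that does not.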