
HTTP method restrictions not working as expected #204

Closed
jsbret opened this issue Jul 8, 2015 · 3 comments

Comments

@jsbret

jsbret commented Jul 8, 2015

In the JsonRequestHandler.handleRequest(MBeanServerExecutor pServerManager, R request) method a call to checkHttpMethod(pRequest) is missing. Therefore the HTTP method restrictions defined in the security policy are bypassed.
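A small model of the defect described above, as an added example that is not Jolokia's code: a parser for the `<http>` section of a jolokia-access.xml-style policy and two request entry points, one that enforces the method check and one that, like the JSON handler in the report, can skip it. The function names, the `enforce` flag and the `bypass_possible` helper are hypothetical; the policy document is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed policy in the jolokia-access.xml style: only GET is allowed.
# A real policy file also carries command and MBean rules; omitted here.
POLICY_XML = """<restrict>
  <http>
    <method>get</method>
  </http>
</restrict>"""


def allowed_methods(policy_xml: str) -> set[str]:
    """Lower-case HTTP methods permitted by <http>; no section means no restriction."""
    http = ET.fromstring(policy_xml).find("http")
    if http is None:
        return {"get", "post"}
    return {m.text.strip().lower() for m in http.findall("method") if m.text}


def check_http_method(policy_xml: str, method: str) -> None:
    """Guard that every request entry point must call before executing a request."""
    if method.lower() not in allowed_methods(policy_xml):
        raise PermissionError(f"HTTP method {method.upper()} not allowed by policy")


def handle_get(policy_xml: str, method: str) -> str:
    """Entry point that enforces the policy (the behaviour the GET path already had)."""
    check_http_method(policy_xml, method)
    return "executed"


def handle_json(policy_xml: str, method: str, enforce: bool) -> str:
    """JSON/POST entry point. enforce=False mirrors the reported defect (request
    executed without consulting the policy); enforce=True is the fix."""
    if enforce:
        check_http_method(policy_xml, method)
    return "executed"


def bypass_possible(policy_xml: str, enforce: bool) -> bool:
    """True when a method the policy forbids is still served by the JSON path."""
    for method in {"get", "post"} - allowed_methods(policy_xml):
        try:
            handle_json(policy_xml, method, enforce)
            return True
        except PermissionError:
            pass
    return False
```

The useful regression check is `bypass_possible`: run it against every entry point after a policy change, so a path that forgets the guard shows up as a test failure rather than a silent bypass.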

@arnabbiswas1
Contributor

Wondering why the jolokia-access.xml is not shipped out of the box with the jolokia war? I understand that jolokia-access.xml can be repackaged using jmx4perl tool, but is there any harm in shipping it OOB?

There is another legal aspect to it. The moment I modify the war to ship jolokia along with my product, I MAY have to follow a certain process to declare the changes which I have done to the "third party open source software" (at least in my company that process is a MUST). :-(

@rhuss
Owner

rhuss commented Sep 26, 2015

Thanks for the PR, will check that ASAP.

The reason why there is no jolokia-access.xml by default is simply that it is super difficult (even impossible?) to define a default set of restrictions. So IMO it is better to leave it out and issue a warning instead, because you should think about security here.

I also see your point w.r.t. repackaging. That's also the reason that you can define jolokia-access.xml externally from the war file and reference it in web.xml (which, if you use the war agent, you probably need to change anyway to enable security constraints for authentication). See the reference manual for details.

If your repackaging restrictions are really very strict, I recommend using the JVM agent, which can be completely configured externally without repackaging.

@arnabbiswas1
Contributor

Thanks for your quick reply. I agree with your point ("it is super difficult (even impossible?) to define a default set of restrictions"). I was thinking of shipping the file without any restriction at all. Later the user can configure it as per the need (as a part of the product installation). However, the ability to define jolokia-access.xml at an external location satisfies that need.

Right now, in our product, we are not using the security feature (jolokia-access.xml), hence I am ok with the behavior (at least for the time being). :-)

@rhuss rhuss closed this as completed in 12f0e04 Oct 1, 2015
rhuss added a commit that referenced this issue Oct 1, 2015
Fixed #204 : Introducing checkHttpMethod(request) in the JsonRequestHandler.handleRequest(MBeanServerExecutor pServerManager, R request)