
HTTP method restrictions not working as expected #204

Closed
jsbret opened this Issue Jul 8, 2015 · 3 comments

@jsbret

jsbret commented Jul 8, 2015

In the JsonRequestHandler.handleRequest(MBeanServerExecutor pServerManager, R request) method a call to checkHttpMethod(pRequest) is missing. Therefore the HTTP method restrictions defined in the security policy are bypassed.
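The failure mode described in this report, an access policy whose HTTP-method rule is enforced on one dispatch path but skipped on another, as an added illustrative model. This is not Jolokia's code: the class and function names (Restrictor, VulnerableHandler, FixedHandler, handle_request, handle_json_request) are hypothetical, the policy is a constructed sample in the jolokia-access.xml style covering only the `<http>/<method>` section, and which of Jolokia's real code paths lacked the check is not modelled beyond what the issue states.

```python
"""Model of an HTTP-method restriction that one request path enforces and a
second path forgets, beside the fixed version that checks on both paths.
Illustrative reconstruction, not Jolokia's own JsonRequestHandler."""
import xml.etree.ElementTree as ET

# Constructed sample policy in the jolokia-access.xml style (assumption:
# only the <http><method> part of the format is modelled here). GET only.
SAMPLE_POLICY = """<restrict>
  <http>
    <method>get</method>
  </http>
</restrict>"""


class PolicyError(Exception):
    """Raised when a request violates the access policy."""


class Restrictor:
    """Loads the <http><method> allow-list from a policy document."""

    def __init__(self, policy_xml):
        root = ET.fromstring(policy_xml)
        methods = [m.text.strip().lower() for m in root.findall("./http/method")]
        # No <http> section at all means no method restriction.
        self.allowed_methods = set(methods) or None

    def is_http_method_allowed(self, method):
        if self.allowed_methods is None:
            return True
        return method.lower() in self.allowed_methods


class Request:
    """Minimal stand-in for a Jolokia-style request (hypothetical shape)."""

    def __init__(self, http_method, operation, mbean):
        self.http_method = http_method
        self.operation = operation
        self.mbean = mbean


def check_http_method(restrictor, request):
    """The check the issue says was missing on one path."""
    if not restrictor.is_http_method_allowed(request.http_method):
        raise PolicyError("HTTP method %s not allowed by policy" % request.http_method)


def execute(request):
    # Stand-in for the MBean operation; returns a dict like a JSON response.
    return {"status": 200, "request": {"type": request.operation, "mbean": request.mbean}}


class VulnerableHandler:
    """Checks the method on one dispatch path but not on the other."""

    def __init__(self, restrictor):
        self.restrictor = restrictor

    def handle_request(self, request):
        check_http_method(self.restrictor, request)
        return execute(request)

    def handle_json_request(self, requests):
        # BUG (modelled): no check_http_method() on this path, so a POST
        # carrying JSON requests slips past a GET-only policy.
        return [execute(r) for r in requests]


class FixedHandler(VulnerableHandler):
    """Same handler with the check applied on the second path too."""

    def handle_json_request(self, requests):
        results = []
        for r in requests:
            check_http_method(self.restrictor, r)
            results.append(execute(r))
        return results


def policy_enforced(handler_cls, policy_xml=SAMPLE_POLICY):
    """True if a POST JSON request is rejected under the given policy."""
    handler = handler_cls(Restrictor(policy_xml))
    batch = [Request("POST", "exec", "java.lang:type=Memory")]
    try:
        handler.handle_json_request(batch)
    except PolicyError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable handler enforces policy:", policy_enforced(VulnerableHandler))
    print("fixed handler enforces policy:", policy_enforced(FixedHandler))
```

Against a deployed agent the equivalent check is to configure a policy that allows only GET and then submit the same operation as a POST with a JSON body: if the operation is executed rather than rejected, the method restriction is not enforced on that path.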

@arnabbiswas1


Contributor

arnabbiswas1 commented Sep 26, 2015

Wondering why the jolokia-access.xml is not shipped out of the box with the jolokia war? I understand that jolokia-access.xml can be repackaged using the jmx4perl tool, but is there any harm in shipping it OOB?

There is another legal aspect to it. The moment I modify the war to ship jolokia along with my product, I MAY have to follow a certain process to declare the changes which I have done to the "third party open source software" (at least in my company that process is a MUST). :-(

@rhuss


Owner

rhuss commented Sep 26, 2015

Thanks for the PR, will check that ASAP.

The reason why there is no jolokia-access.xml by default is simply that it is super difficult (even impossible?) to define a default set of restrictions. So IMO it is better to leave it out and issue a warning instead, because you should think about security here.

I also see your point w.r.t. repackaging. That's also the reason that you can define jolokia-access.xml externally from the war file and reference it in web.xml (which, if you use the war-agent, you probably need to change anyway to enable security constraints for authentication). See the reference manual for details.

If your repackaging restrictions are really very strict, I recommend using the JVM agent, which can be completely configured externally without repackaging.

@arnabbiswas1


Contributor

arnabbiswas1 commented Sep 26, 2015

Thanks for your quick reply. I agree with your point ("it is super difficult (even impossible?) to define a default set of restrictions"). I was thinking of shipping the file without any restriction at all. Later the user can configure it as per the need (as a part of the product installation). However, the ability to define jolokia-access.xml at an external location satisfies that need.

Right now, in our product, we are not using the security feature (jolokia-access.xml), hence I am ok with the behavior (at least for the time being). :-)

@rhuss rhuss closed this in 12f0e04 Oct 1, 2015

rhuss added a commit that referenced this issue Oct 1, 2015

Merge pull request #216 from arnabbiswas1/master
Fixed #204 : Introducing checkHttpMethod(request) in the JsonRequestHandler.handleRequest(MBeanServerExecutor pServerManager, R request)