HTTP method restrictions not working as expected #204
Comments
Wondering why the jolokia-access.xml is not shipped out of the box with the jolokia war? I understand that jolokia-access.xml can be repackaged using the jmx4perl tool, but is there any harm in shipping it OOB? There is another legal aspect to it. The moment I modify the war to ship jolokia along with my product, I MAY have to follow a certain process to declare the changes which I have made to the "third party open source software" (at least in my company that process is a MUST). :-(
Thanks for the PR, will check that ASAP. The reason why there is no I also see your point w.r.t. repackaging. That's also the reason that you can define If your repackaging restrictions are really very strict, I recommend using the JVM agent, which can be completely configured externally without repackaging.
Thanks for your quick reply. I agree with your point ("it super difficult (even impossible ?) to define a default set of restriction"). I was thinking of shipping the file without any restriction at all. Later the user can configure it as per the need (as a part of the product installation). However, the ability to define jolokia-access.xml at an external location satisfies that need. Right now, in our product, we are not using the security feature (jolokia-access.xml), hence I am OK with the behavior (at least for the time being). :-)
Fixed #204 : Introducing checkHttpMethod(request) in the JsonRequestHandler.handleRequest(MBeanServerExecutor pServerManager, R request)
In the JsonRequestHandler.handleRequest(MBeanServerExecutor pServerManager, R request) method, a call to checkHttpMethod(pRequest) is missing. Therefore the HTTP method restrictions defined in the security policy are bypassed.
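The class of bug reported above, as an added example that is not Jolokia's code: a simplified model in which one `handleRequest` overload enforces the policy's HTTP method restriction and the other does not, with a check that exercises both entry points. All class names, the single-argument overload and the `checkInServerPath` flag are hypothetical; only the names `handleRequest` and `checkHttpMethod` come from the issue.

```java
import java.util.Locale;
import java.util.Set;

// Hypothetical, simplified model of the issue; these are not Jolokia's classes.
public class HttpMethodCheckExample {

    /** Stand-in for the HTTP method restriction loaded from the security policy. */
    static class Policy {
        private final Set<String> allowed;
        Policy(String... methods) { allowed = Set.of(methods); }
        boolean isHttpMethodAllowed(String method) {
            return allowed.contains(method.toLowerCase(Locale.ROOT));
        }
    }

    static class Handler {
        private final Policy policy;
        private final boolean checkInServerPath; // false models the behaviour in the report

        Handler(Policy policy, boolean checkInServerPath) {
            this.policy = policy;
            this.checkInServerPath = checkInServerPath;
        }

        void checkHttpMethod(String httpMethod) {
            if (!policy.isHttpMethodAllowed(httpMethod)) {
                throw new SecurityException("HTTP method " + httpMethod + " is not allowed");
            }
        }

        // Assumed entry point that enforces the restriction (for contrast only).
        String handleRequest(String httpMethod) {
            checkHttpMethod(httpMethod);
            return "handled";
        }

        // Entry point taking a server context: the check must be repeated here,
        // otherwise requests dispatched this way never see the restriction.
        String handleRequest(Object serverContext, String httpMethod) {
            if (checkInServerPath) {
                checkHttpMethod(httpMethod);
            }
            return "handled";
        }
    }

    static boolean rejects(Runnable call) {
        try { call.run(); return false; } catch (SecurityException e) { return true; }
    }

    public static void main(String[] args) {
        Policy postOnly = new Policy("post"); // constructed policy: only POST allowed
        for (boolean withCheck : new boolean[] {false, true}) {
            Handler h = new Handler(postOnly, withCheck);
            System.out.printf("check in server path=%b: plain rejects GET=%b, server path rejects GET=%b%n",
                    withCheck, rejects(() -> h.handleRequest("GET")),
                    rejects(() -> h.handleRequest(new Object(), "GET")));
        }
    }
}
```

A regression test for this kind of fix should send a disallowed method through every entry point of the handler, not only the one that was patched.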