  1. JDK
  2. JDK-8294716

JMX connections should default to using an ObjectInputFilter

    • CSR
    • Resolution: Approved
    • P3
    • 20
    • core-svc
    • None
    • behavioral
    • low
    • MXBeans that ship with the JDK have been tested and continue to work with the proposed filter pattern. There could be specific third-party MBeans which communicate using additional types, which will need to have the filter list changed at runtime (-D) or set in the management.properties file.
    • System or security property
    • Implementation

      Summary

      Enable RMI object filtering for JMX by default, by giving a default value to the existing management.properties setting, com.sun.management.jmxremote.serial.filter.pattern. This is to limit possible misuse of a JMX connection.

      Problem

      The types of Object that can be serialized across a JMX RMI connection are not restricted. The ability to set an ObjectInputFilter has existed for some time, and enabling this by default will restrict options for abuse of the connection.

      Solution

      Provide a default value for the existing management properties setting com.sun.management.jmxremote.serial.filter.pattern, which causes an ObjectInputFilter to be used. The proposed filter pattern permits interoperation with OpenMBeans, and with all MBeans and MXBeans that the JDK implementation currently registers in the platform MBeanServer.

      Specification

      com.sun.management.jmxremote.serial.filter.pattern=java.lang.*;java.math.BigInteger;java.math.BigDecimal;java.util.*;javax.management.openmbean.*;javax.management.ObjectName;java.rmi.MarshalledObject;javax.security.auth.Subject;!*
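
      The following is an added example, not code from the CSR or the JDK. It round-trips a few constructed values through an ObjectInputFilter built from the pattern above to show which classes the default admits, and that an extra type (java.io.File, chosen only for illustration) must be listed ahead of the trailing !* to be accepted. The class name JmxFilterDemo and the helper roundTrip are hypothetical.

```java
import java.io.*;
import java.math.BigDecimal;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import javax.management.ObjectName;

public class JmxFilterDemo {
    // Default pattern from the Specification section above, copied verbatim.
    static final String DEFAULT_PATTERN =
        "java.lang.*;java.math.BigInteger;java.math.BigDecimal;java.util.*;"
        + "javax.management.openmbean.*;javax.management.ObjectName;"
        + "java.rmi.MarshalledObject;javax.security.auth.Subject;!*";

    // Serializes obj, then reads it back through a filter built from pattern.
    static String roundTrip(Object obj, String pattern) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(obj);
        }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(pattern));
            in.readObject();
            return "allowed";
        } catch (InvalidClassException e) {
            // Thrown when the filter returns REJECTED for a class in the stream.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from a real JMX session.
        List<Object> samples = List.of(
            Integer.valueOf(42),
            new BigDecimal("1.5"),
            new ArrayList<>(List.of("a", "b")),
            new ObjectName("java.lang:type=Runtime"),
            new ConcurrentHashMap<String, String>(), // java.util.concurrent, not java.util
            new File("example.txt"));                // java.io is not in the pattern
        for (Object o : samples) {
            System.out.printf("%-40s %s%n", o.getClass().getName(), roundTrip(o, DEFAULT_PATTERN));
        }
        // Widened pattern: the extra entry must precede "!*", since the first match wins.
        String widened = "java.io.File;" + DEFAULT_PATTERN;
        System.out.printf("%-40s %s%n", "java.io.File (widened)",
            roundTrip(new File("example.txt"), widened));
    }
}
```

      A package entry ending in .* matches only that package, so java.util.* does not cover java.util.concurrent; a subpackage has to be listed separately or matched with the .** form.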

            kevinw Kevin Walls
            Daniel Fuchs