- CSR
- Resolution: Approved
- P2
- None
- behavioral
- low
- System or security property
- Implementation
Summary
The RMI object filtering for JMX that JDK-8283093 enabled by default is too restrictive. That change gave a default value to the existing management.properties setting, com.sun.management.jmxremote.serial.filter.pattern. This change expands the filter class list so that standard interactions with an MBean, such as manipulating Attributes and Notifications over an RMI connection, work without adjustment.
Problem
This change addresses the problem that the filter list was made too restrictive. The original change was made because the types of Object that can be serialized across a JMX RMI connection were not restricted. The ability to set an ObjectInputFilter has existed for some time, and enabling it by default will restrict options for abuse of the connection.
Solution
Provide a default value for the existing management properties setting com.sun.management.jmxremote.serial.filter.pattern, which causes an ObjectInputFilter to be used. The proposed filter pattern permits interoperation with OpenMBeans, and with all MBeans and MXBeans that the JDK implementation currently registers in the platform MBeanServer. Additional testing that involves setting Attributes and Notifications has been added, and existing JMX tests have been run with logging of the filter to find additional required classes.
Specification
com.sun.management.jmxremote.serial.filter.pattern=\
java.lang.*;\
java.lang.reflect.Proxy;\
java.math.BigInteger;\
java.math.BigDecimal;\
java.util.*;\
javax.management.*;\
javax.management.modelmbean.*;\
javax.management.monitor.*;\
javax.management.openmbean.*;\
javax.management.relation.*;\
javax.management.remote.*;\
javax.management.remote.rmi.*;\
javax.management.timer.*;\
javax.rmi.ssl.*;\
java.rmi.MarshalledObject;\
java.rmi.dgc.*;\
java.rmi.server.*;\
javax.security.auth.Subject;!*
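
To check whether a value an MBean exchanges would pass this pattern, the sketch below builds the filter with ObjectInputFilter.Config.createFilter, wraps it so rejections are recorded (the same idea as the filter logging mentioned in the Solution), and round-trips constructed sample values through a local stream. This is an added example, not code from the JDK change; the class name JmxFilterProbe and the sample values are assumptions, and it exercises the pattern outside of a JMX connector.

```java
import java.io.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.management.Attribute;
import javax.management.ObjectName;

public class JmxFilterProbe {
    // Filter pattern from the Specification above, joined into a single value.
    static final String PATTERN = String.join(";",
        "java.lang.*", "java.lang.reflect.Proxy", "java.math.BigInteger", "java.math.BigDecimal",
        "java.util.*", "javax.management.*", "javax.management.modelmbean.*",
        "javax.management.monitor.*", "javax.management.openmbean.*", "javax.management.relation.*",
        "javax.management.remote.*", "javax.management.remote.rmi.*", "javax.management.timer.*",
        "javax.rmi.ssl.*", "java.rmi.MarshalledObject", "java.rmi.dgc.*", "java.rmi.server.*",
        "javax.security.auth.Subject", "!*");

    // Serializes value, reads it back under the filter, and returns the classes the filter rejected.
    static List<String> rejectedClasses(Object value) throws IOException, ClassNotFoundException {
        ObjectInputFilter pattern = ObjectInputFilter.Config.createFilter(PATTERN);
        List<String> rejected = new ArrayList<>();
        // Logging wrapper: delegate to the pattern filter and record every REJECTED class.
        ObjectInputFilter logging = info -> {
            ObjectInputFilter.Status status = pattern.checkInput(info);
            if (status == ObjectInputFilter.Status.REJECTED && info.serialClass() != null) {
                rejected.add(info.serialClass().getName());
            }
            return status;
        };
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            in.setObjectInputFilter(logging);
            in.readObject();
        } catch (InvalidClassException e) {
            // Deserialization stops at the first rejected class; it is already in the list.
        }
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values. "java.util.*" covers only the java.util package itself,
        // not subpackages such as java.util.concurrent, so the last sample hits the trailing "!*".
        Object[] samples = {
            new Attribute("Verbose", Boolean.TRUE),
            new ObjectName("java.lang:type=Memory"),
            new Attribute("Cache", new ConcurrentHashMap<String, String>()),
        };
        for (Object sample : samples) {
            System.out.println(sample + " -> rejected: " + rejectedClasses(sample));
        }
    }
}
```

An empty list means every class in the serialized form was allowed; a custom MBean attribute type that shows up in the list would need its class added to the pattern in management.properties.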
- csr of JDK-8299891 JMX ObjectInputFilter additional classes needed
- Closed