Posted to commits@karaf.apache.org by jb...@apache.org on 2022/01/06 17:07:36 UTC

[karaf] branch karaf-4.2.x updated: [KARAF-7312] Add JMX credentials filter pattern support on the RMI connector and enforce it by default

This is an automated email from the ASF dual-hosted git repository.

jbonofre pushed a commit to branch karaf-4.2.x
in repository https://gitbox.apache.org/repos/asf/karaf.git


The following commit(s) were added to refs/heads/karaf-4.2.x by this push:
     new 72f446e  [KARAF-7312] Add JMX credentials filter pattern support on the RMI connector and enforce it by default
72f446e is described below

commit 72f446e5a0ffda2929f113acfc76493ab478264a
Author: Jean-Baptiste Onofré <jb...@apache.org>
AuthorDate: Tue Jan 4 16:00:06 2022 +0100

    [KARAF-7312] Add JMX credentials filter pattern support on the RMI
    connector and enforce it by default
    
    (cherry picked from commit b42c82ca3b9a22bd92d249a1060a1953f4188bc2)
---
 assemblies/features/standard/src/main/feature/feature.xml           | 5 +++++
 .../main/java/org/apache/karaf/management/internal/Activator.java   | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/assemblies/features/standard/src/main/feature/feature.xml b/assemblies/features/standard/src/main/feature/feature.xml
index e7ea86c..c9d6ff3 100644
--- a/assemblies/features/standard/src/main/feature/feature.xml
+++ b/assemblies/features/standard/src/main/feature/feature.xml
@@ -1369,6 +1369,11 @@ jmxmpObjectName = connector:name=jmxmp
 # Locate an existing MBean server if possible (usefull when Karaf is embedded)
 #
 #locateExistingMBeanServerIfPossible = true
+
+#
+# Enforce credentials filter pattern to avoid deserialization
+#
+#jmx.remote.rmi.server.credentials.filter.pattern=java.lang.String;!*
         </config>
         <feature>jaas</feature>
         <bundle dependency="true" start-level="20">mvn:org.apache.aries/org.apache.aries.util/${aries.util.version}</bundle>
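Review bot: The new comment line `# Enforce credentials filter pattern to avoid deserialization` understates what the value below it does: the pattern does not avoid deserialization, it restricts the object the RMI connector deserializes as client credentials to `java.lang.String` and rejects every other class (`!*`) before the authenticator runs. Suggest `# Filter pattern applied when the RMI connector deserializes client credentials: only java.lang.String is accepted, every other class (!*) is rejected`. It would also help operators to note that the key is honored only by runtimes whose RMIConnectorServer knows `jmx.remote.rmi.server.credentials.filter.pattern` (JDK 10+ and, as far as I recall, the 8u231 backport), since older runtimes ignore it silently. The enclosing `<config>` element begins before the hunk.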
diff --git a/management/server/src/main/java/org/apache/karaf/management/internal/Activator.java b/management/server/src/main/java/org/apache/karaf/management/internal/Activator.java
index c4f1a21..2b5861b 100644
--- a/management/server/src/main/java/org/apache/karaf/management/internal/Activator.java
+++ b/management/server/src/main/java/org/apache/karaf/management/internal/Activator.java
@@ -21,6 +21,7 @@ import java.util.Map;
 
 import javax.management.MBeanServer;
 import javax.management.ObjectName;
+import javax.management.remote.rmi.RMIConnectorServer;
 
 import org.apache.karaf.jaas.config.KeystoreInstance;
 import org.apache.karaf.jaas.config.KeystoreManager;
@@ -109,6 +110,10 @@ public class Activator extends BaseActivator implements ManagedService {
         originalRmiServerHostname = System.getProperty("java.rmi.server.hostname");
         System.setProperty("java.rmi.server.hostname", rmiServerHost);
 
+        // https://issues.apache.org/jira/browse/KARAF-7312
+        // security enforcement using credentials filter pattern, passed via environment map
+        String credentialsFilterPattern = getString(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, String.class.getName() + ";!*");
+
         String jmxRealm = getString("jmxRealm", "karaf");
         String serviceUrl = getString("serviceUrl",
                 "service:jmx:rmi://" + rmiServerHost + ":" + rmiServerPort + "/jndi/rmi://" + rmiRegistryHost + ":" + rmiRegistryPort + "/karaf-" + System.getProperty("karaf.name"));
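Review bot: The value computed at the `getString(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, ...)` line is neither validated nor recorded anywhere, so an operator cannot tell from the logs whether the filter is actually in force. To my knowledge `RMIConnectorServer.CREDENTIALS_FILTER_PATTERN` exists only from JDK 10 and the 8u231 backport, and because it is a compile-time String constant javac inlines it, so on an older Java 8 runtime the later `environment.put` succeeds but the key is not honored and credentials deserialization stays unfiltered without any error. A line such as `logger.info("JMX RMI connector credentials filter pattern: {}", credentialsFilterPattern);` (assuming BaseActivator exposes a logger) next to this declaration would make the effective value auditable, and the runtime requirement belongs in the comment: `// Honored only by RMIConnectorServer implementations that know CREDENTIALS_FILTER_PATTERN (JDK 10+, 8u231+); older runtimes ignore the key`. If the environment can also receive the deprecated `jmx.remote.rmi.server.credential.types` key from configuration, I believe RMIConnectorServer rejects the combination with an IllegalArgumentException, which the unconditional default would then trigger. The enclosing method starts before the hunk.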
@@ -170,6 +175,7 @@ public class Activator extends BaseActivator implements ManagedService {
         jmxmpEnvironment.put("jmx.remote.sasl.callback.handler", jaasAuthenticator);
         Map<String, Object> environment = new HashMap<>();
         environment.put("jmx.remote.authenticator", jaasAuthenticator);
+        environment.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, credentialsFilterPattern);
         try {
             connectorServerFactory.setEnvironment(environment);
             connectorServerFactory.setJmxmpEnvironment(jmxmpEnvironment);
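Review bot: The `environment.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, credentialsFilterPattern)` line consumes a local that is declared roughly sixty lines earlier in the previous hunk and used nowhere in between; declaring it immediately above this put, alongside the `jmx.remote.authenticator` entry, keeps the filter setting and its enforcement point together. If leaving the key out of `jmxmpEnvironment` is deliberate because the filter is specific to the RMI transport, a one-line comment here saying so would stop a later reader from "completing" the change. The enclosing method continues past the hunk.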