You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@karaf.apache.org by jb...@apache.org on 2020/06/05 04:46:59 UTC
[karaf] branch master updated: Disallow calling getMBeansFromURL
This is an automated email from the ASF dual-hosted git repository.
jbonofre pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/karaf.git
The following commit(s) were added to refs/heads/master by this push:
new 3e4c4be Disallow calling getMBeansFromURL
new 310ff72 Merge pull request #1135 from coheigea/jmx_mlet
3e4c4be is described below
commit 3e4c4bed2d08e81ca5961ab5fcadab23470db1c9
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Jun 3 17:37:44 2020 +0100
Disallow calling getMBeansFromURL
---
.../apache/karaf/management/KarafMBeanServerGuard.java | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java b/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
index a255587..43c258e 100644
--- a/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
+++ b/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
@@ -106,7 +106,7 @@ public class KarafMBeanServerGuard implements InvocationHandler {
} else if ("setAttributes".equals(method.getName())) {
handleSetAttributes(mbs, objectName, (AttributeList) args[1]);
} else if ("invoke".equals(method.getName())) {
- handleInvoke(objectName, (String) args[1], (Object[]) args[2], (String[]) args[3]);
+ handleInvoke(mbs, objectName, (String) args[1], (Object[]) args[2], (String[]) args[3]);
}
return null;
@@ -345,11 +345,20 @@ public class KarafMBeanServerGuard implements InvocationHandler {
return false;
}
- void handleInvoke(ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException {
- handleInvoke(null, objectName, operationName, params, signature);
+ void handleInvoke(MBeanServer mbs, ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException, InstanceNotFoundException {
+ handleInvoke(mbs, null, objectName, operationName, params, signature);
}
- void handleInvoke(BulkRequestContext context, ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException {
+ void handleInvoke(MBeanServer mbs, BulkRequestContext context, ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException, InstanceNotFoundException {
+ if (mbs != null && mbs.isInstanceOf(objectName, "javax.management.loading.MLet")
+ && ("addUrl".equals(operationName) || "getMBeansFromURL".equals(operationName))) {
+ SecurityException se = new SecurityException(operationName + " is not allowed to be invoked");
+ if (logger != null) {
+ logger.log(INVOKE, INVOKE_SIG, null, se, objectName, operationName, signature, params);
+ }
+ throw se;
+ }
+
if (context == null) {
context = BulkRequestContext.newContext(configAdmin);
}