RFR: 6572: Make mbean functions protected by permission checks
hirt at openjdk.java.net
Mon Jan 20 21:29:47 UTC 2020
On Mon, 20 Jan 2020 16:35:16 GMT, Jessye Coleman-Shapiro <github.com+29706926+jessyec-s at openjdk.org> wrote:
> This patch adds a permission check to Agent MBean functions for the 'control' management permission.
> I have also added a test "testPermissionChecks" to see if a security exception is fired when this permission is not given.
core/org.openjdk.jmc.agent/README.md line 32:
> 31: ### Using a security manager
> 32: To make MBean calls more secure, the agent can be run with a security manager. A manager can be enabled by adding the VM option `-Djava.security.manager` and by supplying a policy file of permissions to grant as such: `-Djava.security.policy=permissions.policy`. The 'control' Management Permission must be granted in order for MBean function calls to succeed.
I'd probably paraphrase this a bit. It's running with a security manager - not just running the agent with security manager. Perhaps something along the lines of: "When running with a security manager, the 'control' Management Permission must be granted to control the agent through the MBean. To set fine grained permissions for authenticated remote users, see e.g. https://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html#gdeup and https://docs.oracle.com/javadb/10.10.1.2/adminguide/radminjmxenablepolicy.html#radminjmxenablepolicy. Blahblahblah."
More information about the jmc-dev