RFR: 6572: Make mbean functions protected by permission checks

Marcus Hirt hirt at openjdk.java.net
Mon Jan 20 21:29:47 UTC 2020

On Mon, 20 Jan 2020 16:35:16 GMT, Jessye Coleman-Shapiro <github.com+29706926+jessyec-s at openjdk.org> wrote:

> This patch adds a permission check to Agent MBean functions for the 'control' management permission. 
> I have also added a test "testPermissionChecks" to see if a security exception is fired when this permission is not given.

core/org.openjdk.jmc.agent/README.md line 32:

> 31: ### Using a security manager
> 32: To make MBean calls more secure, the agent can be run with a security manager. A manager can be enabled by adding the VM option `-Djava.security.manager` and by supplying a policy file of permissions to grant as such: `-Djava.security.policy=permissions.policy`. The 'control' Management Permission must be granted in order for MBean function calls to succeed.
> 33: 

I'd probably paraphrase this a bit. It's running with a security manager - not just running the agent with security manager. Perhaps something along the lines of: "When running with a security manager, the 'control' Management Permission must be granted to control the agent through the MBean. To set fine grained permissions for authenticated remote users, see e.g. https://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html#gdeup and  https://docs.oracle.com/javadb/ Blahblahblah."


PR: https://git.openjdk.java.net/jmc/pull/39

More information about the jmc-dev mailing list