db-derby-dev mailing list archives

From Rick Hillegas <Richard.Hille...@Sun.COM>
Subject Re: [jira] Commented: (DERBY-1387) Add JMX extensions to Derby
Date Wed, 06 Feb 2008 20:06:36 GMT
John H. Embretsen wrote:
> Daniel John Debrunner wrote:
>> John Embretsen wrote:
>>
>>> With JMX enabled on the JVM level (regardless of Derby's JMX 
>>> support), you are able to read all system properties anyway, as a 
>>> valid JMX user on a local or remote machine.
>>
>> Is that through the SystemProperties attribute of the mbean for 
>> java.lang.Runtime?
>
> Yes, that bean is implemented as an MXBean, and was added in J2SE 5.0.
> The bean has a method getSystemProperties() which returns a Map of all 
> system properties and their respective values, see
> http://java.sun.com/j2se/1.5.0/docs/api/java/lang/management/RuntimeMXBean.html#getSystemProperties()
>
> This MXBean may, I think, be accessed programmatically by any 
> application running a J2SE 5.0 or newer JVM, not just JConsole. You 
> still need to have the right permissions, though (meaning: you must be 
> allowed to connect to the platform MBeanServer).
>
> System properties are also readable via other tools in Sun's JDK such 
> as jinfo (but as far as I know it is then only available to the user 
> running the monitored JVM, on the localhost).
>
>> I see that in jconsole, though it doesn't show me the system 
>> properties, instead it shows the class name of the class wrapping the 
>> properties (TabularDataSupport). I assume that's just a bug in the 
>> jvm version I'm using, on later jdk6's does it show a set of properties?
>
> I tried running the Derby Network Server using jdk1.5.0_09 and 
> jdk1.6.0_04, and the JConsoles from both JDKs. Once connected to the 
> server VM with JConsole, I am able to access the java.lang.Runtime 
> MXBean. When I double-click the value of the attribute 
> "SystemProperties", which is TabularDataSupport, I can click my way 
> through all system properties (including derby.authentication.provider).
>
> It should be possible to limit this exposure with a security 
> manager/policy, but I didn't experiment with that. The Javadoc says
>
> "Throws:
> SecurityException - if a security manager exists and its 
> checkPropertiesAccess method doesn't allow access to the system 
> properties."
>
Thanks for those experiments, John. When I boot the network server, it 
installs the default Derby server policy. Even then I can still click 
through the system properties via the Runtime MBean. This surprises me 
because the default policy only grants permissions to the Derby jars.

Regards,
-Rick
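
Added example, not part of the original message and not Derby code: a Java program that reads the SystemProperties attribute of the java.lang.Runtime MXBean through an MBean server connection, as a JMX client does, and unwraps the TabularData that JConsole displays as TabularDataSupport. The class name JmxSystemPropertyAudit, its helper methods and the sample property value are assumptions made for illustration.

```java
import java.lang.management.ManagementFactory;
import java.util.Map;
import java.util.TreeMap;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.openmbean.CompositeData;
import javax.management.openmbean.TabularData;

// Hypothetical audit helper (added example, not Derby code).
public class JmxSystemPropertyAudit {

    // Read system properties the way a JMX client does: as the
    // SystemProperties attribute of the java.lang:type=Runtime MXBean.
    static Map<String, String> readViaJmx(MBeanServerConnection conn) throws Exception {
        ObjectName runtime = new ObjectName(ManagementFactory.RUNTIME_MXBEAN_NAME);
        // The MXBean framework maps Map<String,String> to TabularData; each row
        // is a CompositeData with the items "key" and "value".
        TabularData table = (TabularData) conn.getAttribute(runtime, "SystemProperties");
        Map<String, String> props = new TreeMap<>();
        for (Object row : table.values()) {
            CompositeData entry = (CompositeData) row;
            props.put((String) entry.get("key"), (String) entry.get("value"));
        }
        return props;
    }

    // Keep only the properties whose names start with the given prefix.
    static Map<String, String> withPrefix(Map<String, String> props, String prefix) {
        Map<String, String> hits = new TreeMap<>();
        for (Map.Entry<String, String> e : props.entrySet()) {
            if (e.getKey().startsWith(prefix)) {
                hits.put(e.getKey(), e.getValue());
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value so the run has something to report.
        System.setProperty("derby.authentication.provider", "BUILTIN");

        // The platform MBeanServer is itself an MBeanServerConnection.
        MBeanServerConnection conn = ManagementFactory.getPlatformMBeanServer();
        Map<String, String> exposed = withPrefix(readViaJmx(conn), "derby.");
        System.out.println(exposed.size() + " derby.* properties readable over JMX:");
        for (String name : exposed.keySet()) {
            // Print names only, so the audit output does not copy the values around.
            System.out.println("  " + name);
        }
    }
}
```

Run inside a test JVM configured like the server, the output lists every `derby.*` property name that a connected JMX user could also click through in JConsole.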
