From: Rick Hillegas
Date: Wed, 06 Feb 2008 12:06:36 -0800
To: derby-dev@db.apache.org
Subject: Re: [jira] Commented: (DERBY-1387) Add JMX extensions to Derby
Message-id: <47AA134C.3090808@sun.com>
In-reply-to: <47AA0E10.7080200@sun.com>

John H. Embretsen wrote:
> Daniel John Debrunner wrote:
>> John Embretsen wrote:
>>
>>> With JMX enabled on the JVM level (regardless of Derby's JMX
>>> support), you are able to read all system properties anyway, as a
>>> valid JMX user on a local or remote machine.
>>
>> Is that through the SystemProperties attribute of the mbean for
>> java.lang.Runtime?
>
> Yes, that bean is implemented as an MXBean, and was added in J2SE 5.0.
> The bean has a method getSystemProperties() which returns a Map of all
> system properties and their respective values, see
> http://java.sun.com/j2se/1.5.0/docs/api/java/lang/management/RuntimeMXBean.html#getSystemProperties()
>
> This MXBean may, I think, be accessed programmatically by any
> application running a J2SE 5.0 or newer JVM, not just JConsole. You
> still need to have the right permissions, though (meaning: you must be
> allowed to connect to the platform MBeanServer).
>
> System properties are also readable via other tools in Sun's JDK such
> as jinfo (but as far as I know it is then only available to the user
> running the monitored JVM, on the localhost).
>
>> I see that in jconsole, though it doesn't show me the system
>> properties, instead it shows the class name of the class wrapping the
>> properties (TabularDataSupport). I assume that's just a bug in the
>> jvm version I'm using, on later jdk6's does it show a set of properties?
>
> I tried running the Derby Network Server using jdk1.5.0_09 and
> jdk1.6.0_04, and the JConsoles from both JDKs. Once connected to the
> server VM with JConsole, I am able to access the java.lang.Runtime
> MXBean. When I double-click the value of the attribute
> "SystemProperties", which is TabularDataSupport, I can click my way
> through all system properties (including derby.authentication.provider).
>
> It should be possible to limit this exposure with a security
> manager/policy, but I didn't experiment with that. The Javadoc says
>
> "Throws:
> SecurityException - if a security manager exists and its
> checkPropertiesAccess method doesn't allow access to the system
> properties."
>

Thanks for those experiments, John. When I boot the network server, it
installs the default Derby server policy. Even then I can still click
through the system properties via the Runtime MBean. This surprises me
because the default policy only grants permissions to the Derby jars.

Regards,
-Rick
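
The exposure discussed in this thread, as an added example that is not part of the original messages or of Derby's code: it reads the SystemProperties attribute of the java.lang.Runtime MXBean through the platform MBeanServer, unpacks the TabularData rows that JConsole displays as TabularDataSupport, and lists the names of the derby.* properties a connected JMX user could read. The class name, the "derby." prefix filter and the sample property value are assumptions made for the example.

```java
import java.lang.management.ManagementFactory;
import java.util.Map;
import java.util.TreeMap;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.management.openmbean.CompositeData;
import javax.management.openmbean.TabularData;

/** Added example: audits which system properties are readable via java.lang:type=Runtime. */
public class JmxPropertyExposureAudit {

    /** Reads the SystemProperties attribute the way a generic JMX client such as JConsole does. */
    static Map<String, String> propertiesVisibleOverJmx(MBeanServer server) throws Exception {
        ObjectName runtime = new ObjectName(ManagementFactory.RUNTIME_MXBEAN_NAME);
        // The Map<String,String> is exposed as open-type TabularData, one row per property.
        TabularData table = (TabularData) server.getAttribute(runtime, "SystemProperties");
        Map<String, String> visible = new TreeMap<>();
        for (Object row : table.values()) {
            CompositeData entry = (CompositeData) row;
            // MXBean mapping of a Map uses the item names "key" and "value".
            visible.put((String) entry.get("key"), (String) entry.get("value"));
        }
        return visible;
    }

    /** Keeps only the properties whose name starts with the given prefix. */
    static Map<String, String> withPrefix(Map<String, String> props, String prefix) {
        Map<String, String> hits = new TreeMap<>();
        props.forEach((name, value) -> {
            if (name.startsWith(prefix)) hits.put(name, value);
        });
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value standing in for a real server configuration.
        System.setProperty("derby.authentication.provider", "BUILTIN");

        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        Map<String, String> all = propertiesVisibleOverJmx(server);
        Map<String, String> derby = withPrefix(all, "derby.");

        System.out.println(all.size() + " system properties readable via the Runtime MXBean");
        // Print names only, so the audit output does not itself repeat the values.
        derby.keySet().forEach(name -> System.out.println("exposed: " + name));
    }
}
```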