tomcat-users mailing list archives

From Pid <...@pidster.com>
Subject Re: [OT] clear text keystore password in server.xml
Date Sat, 04 Sep 2010 11:41:30 GMT
On 04/09/2010 11:05, Rainer Jung wrote:
> On 02.09.2010 18:55, Pid wrote:
>> On 02/09/2010 17:31, Christopher Schultz wrote:
>>> Pid,
>>>
>>> On 9/2/2010 11:51 AM, Pid wrote:
>>>> ..lots of info is available by JMX, once the server is up.  In Java 6
>>>> you can attach to the process locally, without having to configure the
>>>> JMX ports because it injects the management agent into the virtual
>>>> machine.
>>>
>>> I hadn't considered that, never having used JMX. Are you saying that
>>> anyone with local access can snoop a JVM? What are the strategies
>>> available to prohibit that? Can you disable local JMX altogether? How
>>> about some kind of authentication?
>>
>> Pretty much.  I'm not sure how to disable it, I've only just got the
>> hang of enabling it.
>>
>> http://download.oracle.com/javase/6/docs/jdk/api/attach/spec/com/sun/tools/attach/VirtualMachine.html
>>
>>
>> Also: sun.management.ConnectorAddressLink, but I can't find a javadoc
>> for that.
> 
> I thought it uses a local file created by the JVM which only allows
> access, if you are the same user (or root). The marketing terminology
> for this Java 6 feature was "attach on demand".

OK, that's useful to know.  I was assuming there was a JVM option to
prevent dynamic attachments, but that I just hadn't found it.  File perm
based restrictions make sense.

> See also
> 
> http://weblogs.java.net/blog/emcmanus/archive/2005/09/mustang_jdk_now.html
> 
> with some examples here:
> 
> http://blogs.sun.com/sundararajan/entry/using_mustang_s_attach_api
> 
> http://blogs.sun.com/sundararajan/entry/my_experiments_with_attach_on
> 
> and API Javadoc:
> 
> http://download-llnw.oracle.com/javase/6/docs/jdk/api/attach/spec/index.html

Excellent, thanks, I'll have a read.


p
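
The file-permission restriction discussed in this message can be checked on a host. This is an added example, not part of the original thread: it assumes HotSpot on Linux, where the attach endpoint is a socket named `.java_pid<pid>` in `/tmp`, and `audit_attach_sockets` and `proc_uid` are hypothetical helper names.

```python
import os
import re
import stat

# Assumption (not from the thread): HotSpot on Linux names the attach
# socket .java_pid<pid> inside the temp directory.
SOCKET_NAME = re.compile(r"^\.java_pid(\d+)$")


def audit_attach_sockets(tmp_dir="/tmp", process_uid=None):
    """Return (path, problem) pairs for attach endpoints that do not
    look like an owner-only socket belonging to the JVM's own user."""
    findings = []
    for name in sorted(os.listdir(tmp_dir)):
        match = SOCKET_NAME.match(name)
        if not match:
            continue
        path = os.path.join(tmp_dir, name)
        st = os.lstat(path)  # lstat: do not follow a planted symlink
        if not stat.S_ISSOCK(st.st_mode):
            findings.append((path, "not a socket (possible planted file)"))
            continue
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((path, "group/other permission bits set: %o"
                             % stat.S_IMODE(st.st_mode)))
        # Optional cross-check against the uid of the process named in the file.
        expected = process_uid(int(match.group(1))) if process_uid else None
        if expected is not None and st.st_uid != expected:
            findings.append((path, "owner uid %d != JVM uid %d"
                             % (st.st_uid, expected)))
    return findings


def proc_uid(pid):
    """Owner of a live process via /proc, or None if it has exited."""
    try:
        return os.stat("/proc/%d" % pid).st_uid
    except OSError:
        return None


if __name__ == "__main__":
    for path, problem in audit_attach_sockets("/tmp", proc_uid):
        print("%s: %s" % (path, problem))
```

HotSpot also accepts `-XX:+DisableAttachMechanism` on the JVM command line, which turns the attach listener off for that process.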
