tomcat-users mailing list archives

From Pid <...@pidster.com>
Subject Re: [OT] clear text keystore password in server.xml
Date Sat, 04 Sep 2010 11:43:25 GMT
On 04/09/2010 12:41, Pid wrote:
> On 04/09/2010 11:05, Rainer Jung wrote:
>> On 02.09.2010 18:55, Pid wrote:
>>> On 02/09/2010 17:31, Christopher Schultz wrote:
>>>> Pid,
>>>>
>>>> On 9/2/2010 11:51 AM, Pid wrote:
>>>>> ..lots of info is available by JMX, once the server is up.  In Java 6
>>>>> you can attach to the process locally, without having to configure the
>>>>> JMX ports because it injects the management agent into the virtual
>>>>> machine.
>>>>
>>>> I hadn't considered that, never having used JMX. Are you saying that
>>>> anyone with local access can snoop a JVM? What are the strategies
>>>> available to prohibit that? Can you disable local JMX altogether? How
>>>> about some kind of authentication?
>>>
>>> Pretty much.  I'm not sure how to disable it, I've only just got the
>>> hang of enabling it.
>>>
>>> http://download.oracle.com/javase/6/docs/jdk/api/attach/spec/com/sun/tools/attach/VirtualMachine.html
>>>
>>>
>>> Also: sun.management.ConnectorAddressLink, but I can't find a javadoc
>>> for that.
>>
>> I thought it uses a local file created by the JVM which only allows
>> access, if you are the same user (or root). The marketing terminology
>> for this Java 6 feature was "attach on demand".
> 
> OK, that's useful to know.  I was assuming there was a JVM option to
> prevent dynamic attachments, but that I just hadn't found it.  File perm
> based restrictions make sense.

It's possible to prevent attachment via the SecurityManager.  Obvious
really. Doh.


p
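
The file-permission restriction Rainer Jung describes can be checked on a host. The following is an added example, not part of the original thread or of Tomcat: it assumes the HotSpot convention on Linux of an attach socket named `.java_pid<pid>` in the temp directory, and the function names are hypothetical.

```python
import os
import socket
import stat
import tempfile

PREFIX = ".java_pid"  # assumption: HotSpot attach socket is .java_pid<pid>


def audit_attach_files(directory, jvm_uid):
    """Return (name, problem) pairs for attach files other users could reach."""
    findings = []
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        pid = entry.name[len(PREFIX):]
        if not entry.name.startswith(PREFIX) or not pid.isdigit():
            continue
        st = entry.stat(follow_symlinks=False)
        mode = stat.S_IMODE(st.st_mode)
        if not stat.S_ISSOCK(st.st_mode):
            findings.append((entry.name, "not a socket"))
        if st.st_uid != jvm_uid:
            findings.append((entry.name, "owned by uid %d" % st.st_uid))
        if mode & 0o077:
            findings.append((entry.name, "group/other bits set: %o" % mode))
    return findings


def build_sample_dir():
    """Constructed sample: one owner-only socket and one world-accessible one."""
    tmp = tempfile.mkdtemp()
    for name, mode in ((".java_pid4242", 0o600), (".java_pid4343", 0o666)):
        path = os.path.join(tmp, name)
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(path)   # creates the socket file on disk
        s.close()      # the file stays after close
        os.chmod(path, mode)
    return tmp


if __name__ == "__main__":
    for name, problem in audit_attach_files(build_sample_dir(), os.getuid()):
        print(name, problem)
```

On a real host, point `audit_attach_files` at the JVM's temp directory and pass the uid of the account that runs Tomcat.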

