On 04/09/2010 12:41, Pid wrote:
> On 04/09/2010 11:05, Rainer Jung wrote:
>> On 02.09.2010 18:55, Pid wrote:
>>> On 02/09/2010 17:31, Christopher Schultz wrote:
>>>> Pid,
>>>>
>>>> On 9/2/2010 11:51 AM, Pid wrote:
>>>>> ..lots of info is available by JMX, once the server is up. In Java=
6
>>>>> you can attach to the process locally, without having to configure =
the
>>>>> JMX ports because it injects the management agent into the virtual
>>>>> machine.
>>>>
>>>> I hadn't considered that, never having used JMX. Are you saying that=
>>>> anyone with local access can snoop a JVM? What are the strategies
>>>> available to prohibit that? Can you disable local JMX altogether? Ho=
w
>>>> about some kind of authentication?
>>>
>>> Pretty much. I'm not sure how to disable it, I've only just got the
>>> hang of enabling it.
>>>
>>> http://download.oracle.com/javase/6/docs/jdk/api/attach/spec/com/sun/=
tools/attach/VirtualMachine.html
>>>
>>>
>>> Also: sun.management.ConnectorAddressLink, but I can't find a javadoc=
>>> for that.
>>
>> I thought it uses a local file created by the JVM which only allows
>> access, if you are the same user (or root). The marketing terminology
>> for this Java 6 feature was "attach on demand".
>=20
> OK, that useful to know. I was assuming there was a JVM option to
> prevent dynamic attachments, but that I just hadn't found it. File per=
m
> based restrictions makes sense.
It's possible to prevent attachment via the SecurityManager. Obvious
really. Doh.
p
|