Karaf
  1. Karaf
  2. KARAF-2137

Unable to prevent remote JMX access

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: 2.3.0
    • Fix Version/s: 2.3.2, 2.4.0, 3.0.0
    • Component/s: karaf-core
    • Labels:
      None
    • Environment:

      windows/linux standard karaf package

      Description

      in 2.2.x I can configure org.apache.karaf.management.cfg

      serviceUrl = service:jmx:rmi://localhost:$

      {rmiServerPort}

      /jndi/rmi://localhost:$

      {rmiRegistryPort}

      //karaf-$

      {karaf.name}

      this will not allow jmx remote access into karaf, only local user can.

      regression?

        Issue Links

          Activity

          Dan Tran created issue -
          Dan Tran made changes -
          Field Original Value New Value
          Description in 2.2.x I can configure org.apache.karaf.management.cfg

          serviceUrl = service:jmx:rmi://localhost:${rmiServerPort}/jndi/rmi://localhost:${rmiRegistryPort}/karaf-${karaf.name}

          this will not allow jmx remote access into karaf, only local user can.

          regresion?
          in 2.2.x I can configure org.apache.karaf.management.cfg

          serviceUrl = service:jmx:rmi://localhost:${rmiServerPort}/jndi/rmi://localhost:${rmiRegistryPort}/karaf-${karaf.name}

          this will not allow jmx remote access into karaf, only local user can.

          regression?
          Dan Tran made changes -
          Description in 2.2.x I can configure org.apache.karaf.management.cfg

          serviceUrl = service:jmx:rmi://localhost:${rmiServerPort}/jndi/rmi://localhost:${rmiRegistryPort}/karaf-${karaf.name}

          this will not allow jmx remote access into karaf, only local user can.

          regression?
          in 2.2.x I can configure org.apache.karaf.management.cfg

          serviceUrl = service:jmx:rmi://localhost:${rmiServerPort}//jndi/rmi://localhost:${rmiRegistryPort}//karaf-${karaf.name}

          this will not allow jmx remote access into karaf, only local user can.

          regression?
          Dan Tran made changes -
          Description in 2.2.x I can configure org.apache.karaf.management.cfg

          serviceUrl = service:jmx:rmi://localhost:${rmiServerPort}//jndi/rmi://localhost:${rmiRegistryPort}//karaf-${karaf.name}

          this will not allow jmx remote access into karaf, only local user can.

          regression?
          in 2.2.x I can configure org.apache.karaf.management.cfg

          serviceUrl = service:jmx:rmi://localhost:${rmiServerPort}/jndi/rmi://localhost:${rmiRegistryPort}//karaf-${karaf.name}

          this will not allow jmx remote access into karaf, only local user can.

          regression?
          Hide
          Jean-Baptiste Onofré added a comment -

          Hmmm, interesting, I gonna take a look (maybe related to client certificate support).

          Show
          Jean-Baptiste Onofré added a comment - Hmmm, interesting, I gonna take a look (maybe related to client certificate support).
          Hide
          Achim Nierbeck added a comment -

          afair this is also an issue with 2.2.x which makes me unsure about the certificate idea

          Show
          Achim Nierbeck added a comment - afair this is also an issue with 2.2.x which makes me unsure about the certificate idea
          Jean-Baptiste Onofré made changes -
          Assignee Jean-Baptiste Onofré [ jbonofre ]
          Hide
          Jean-Baptiste Onofré added a comment -

          I checked the diff in the ConnectorServerFactory between karaf-2.2.x and karaf-2.3.x: it's the same codebase. I'm digging and try to reproduce the issue.

          Show
          Jean-Baptiste Onofré added a comment - I checked the diff in the ConnectorServerFactory between karaf-2.2.x and karaf-2.3.x: it's the same codebase. I'm digging and try to reproduce the issue.
          Jean-Baptiste Onofré made changes -
          Fix Version/s 2.3.2 [ 12323383 ]
          Fix Version/s 2.3.1 [ 12321743 ]
          Hide
          Freeman Fang added a comment -

          I believe the fix for KARAF-2291 can also fix this issue, that said, users can specify rmiServerHost to localhost(127.0.0.1) instead of binding to all available network interfaces, so that can prevent remote JMX access

          Show
          Freeman Fang added a comment - I believe the fix for KARAF-2291 can also fix this issue, that said, users can specify rmiServerHost to localhost(127.0.0.1) instead of binding to all available network interfaces, so that can prevent remote JMX access
          Freeman Fang made changes -
          Assignee Jean-Baptiste Onofré [ jbonofre ] Freeman Fang [ ffang ]
          Freeman Fang made changes -
          Link This issue duplicates KARAF-2291 [ KARAF-2291 ]
          Freeman Fang made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Fix Version/s 2.4.0 [ 12323352 ]
          Fix Version/s 3.0.0 [ 12316040 ]
          Resolution Fixed [ 1 ]
          Transition Time In Source Status Execution Times Last Executer Last Execution Date
          Open Open Resolved Resolved
          94d 7h 38m 1 Freeman Fang 28/Apr/13 10:59

            People

            • Assignee:
              Freeman Fang
              Reporter:
              Dan Tran
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development