karaf-dev mailing list archives

From Zoran Regvart <zo...@regvart.com>
Subject Limit access to (certain) system properties through JMX
Date Thu, 05 Jan 2017 11:30:20 GMT
Hi Karafers,
I'm trying to build support for masked or encrypted system properties
for bundles running in Karaf. So for instance instead of specifying
-Djavax.net.ssl.trustStorePassword=my_secret_password you could
specify -Djavax.net.ssl.trustStorePassword=<something masked>.

And the only way to make this work for unmodified bundles is to
replace the <something masked> value with the clear text value. That
part I think I nicked.

Now I face another problem, if one connects via JMX the clear text
value is present there, and I would like it not to be present, by
either displaying it with original masked value or by eliminating it
from the list of system properties.

I've tried adding dynamic RBAC configuration that limits access to
java.lang:type=Runtime getSystemProperties -- but that removes all
system properties, bit of an overkill IMHO.

Can you think of another way to achieve this? Perhaps add another
layer to the RBAC mechanism, akin to @PostFilter in Spring Security
but as a plugin interface contributing bundles can implement?

I also think it's a bit of an overkill to patch java.lang.System via
bootclasspath

zoran
-- 
Zoran Regvart
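
The post-filter idea raised in the message, as an added example that is not part of the original message and is not Karaf's RBAC code: a JDK-only `MBeanServer` proxy that masks selected values in the `SystemProperties` attribute of `java.lang:type=Runtime` instead of denying the whole read. The class name, the `SENSITIVE` set and the mask string are assumptions, and installing the wrapper in a Karaf container is not shown.

```java
import java.lang.management.ManagementFactory;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.management.openmbean.*;

public class MaskedRuntimeProperties {
    // Assumption: names to hide; this one is the property used in the message above.
    static final Set<String> SENSITIVE = Set.of("javax.net.ssl.trustStorePassword");

    // Wraps an MBeanServer so that reads of Runtime's SystemProperties are post-filtered.
    static MBeanServer wrap(MBeanServer delegate) {
        return (MBeanServer) Proxy.newProxyInstance(
            MBeanServer.class.getClassLoader(), new Class<?>[] {MBeanServer.class},
            (proxy, method, args) -> {
                Object result;
                try {
                    result = method.invoke(delegate, args);
                } catch (InvocationTargetException e) {
                    throw e.getCause(); // surface the MBeanServer's own exception
                }
                // Filter only getAttribute(java.lang:type=Runtime, "SystemProperties").
                boolean runtimeProps = "getAttribute".equals(method.getName())
                    && ManagementFactory.RUNTIME_MXBEAN_NAME.equals(
                           ((ObjectName) args[0]).getCanonicalName())
                    && "SystemProperties".equals(args[1]);
                return runtimeProps ? mask((TabularData) result) : result;
            });
    }
    // Rebuilds the key/value table (MXBean mapping of Map<String,String>) with masked rows.
    static TabularData mask(TabularData in) throws OpenDataException {
        TabularDataSupport out = new TabularDataSupport(in.getTabularType());
        for (Object row : in.values()) {
            CompositeData cd = (CompositeData) row;
            String key = (String) cd.get("key");
            String value = SENSITIVE.contains(key) ? "********" : (String) cd.get("value");
            out.put(new CompositeDataSupport(cd.getCompositeType(),
                new String[] {"key", "value"}, new Object[] {key, value}));
        }
        return out;
    }

    public static void main(String[] unused) throws Exception {
        System.setProperty("javax.net.ssl.trustStorePassword", "constructed-sample-secret");
        MBeanServer mbs = wrap(ManagementFactory.getPlatformMBeanServer());
        ObjectName runtime = new ObjectName(ManagementFactory.RUNTIME_MXBEAN_NAME);
        TabularData td = (TabularData) mbs.getAttribute(runtime, "SystemProperties");
        System.out.println(td.get(new Object[] {"javax.net.ssl.trustStorePassword"}).get("value"));
    }
}
```

The plural `getAttributes` call returns an `AttributeList` and is not filtered here, so a real filter would need to cover it too; code running in the JVM still sees the clear-text value through `System.getProperty`.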
