karaf-dev mailing list archives

From Jean-Baptiste Onofré ...@nanthrax.net>
Subject Re: Limit access to (certain) system properties through JMX
Date Thu, 05 Jan 2017 11:39:01 GMT
Hi Zoran,

The answer is probably the RBAC/ACL, but it's all or nothing in terms of

As a workaround, you can create your own MBean filtering the properties
and then secure it as you want using the RBAC.


On 01/05/2017 12:30 PM, Zoran Regvart wrote:
> Hi Karafers,
> I'm trying to build support for masked or encrypted system properties
> for bundles running in Karaf. So for instance instead of specifying
> -Djavax.net.ssl.trustStorePassword=my_secret_password you could
> specify -Djavax.net.ssl.trustStorePassword=<something masked>.
> And the only way to make this work for unmodified bundles is to
> replace the <something masked> value with the clear text value. That
> part I think I nicked.
> Now I face another problem, if one connects via JMX the clear text
> value is present there, and I would like it not to be present, by
> either displaying it with original masked value or by eliminating it
> from the list of system properties.
> I've tried adding dynamic RBAC configuration that limits access to
> java.lang:type=Runtime getSystemProperties -- but that removes all
> system properties, bit of an overkill IMHO.
> Can you think of another way to achieve this? Perhaps add another
> layer to the RBAC mechanism, akin to @PostFilter in Spring Security
> but as a plugin interface contributing bundles can implement?
> I also think it's a bit of an overkill to patch java.lang.System via
> bootclasspath
> zoran

Jean-Baptiste Onofré
Talend - http://www.talend.com
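
A sketch of the workaround suggested in this reply, added here as an illustration and not code from the thread or from Karaf: an MBean that exposes the system properties with sensitive values masked. The class and interface names, the `com.example` ObjectName, the name pattern and the mask string are all assumptions.

```java
import java.lang.management.ManagementFactory;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Pattern;
import javax.management.ObjectName;
import javax.management.StandardMBean;

public class FilteredSystemProperties {

    // Management interface; its name and single attribute are assumptions.
    public interface FilteredPropertiesMBean {
        Map<String, String> getSystemProperties();
    }

    // Assumption: property names matching this pattern hold secrets.
    static final Pattern SENSITIVE =
            Pattern.compile("(?i).*(password|passphrase|secret|token).*");
    static final String MASK = "********";

    static class Filter implements FilteredPropertiesMBean {
        @Override
        public Map<String, String> getSystemProperties() {
            // Build a sorted copy so the live Properties object is never handed out.
            Map<String, String> view = new TreeMap<>();
            for (String name : System.getProperties().stringPropertyNames()) {
                String value = System.getProperty(name);
                view.put(name, SENSITIVE.matcher(name).matches() ? MASK : value);
            }
            return view;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value standing in for the clear-text secret.
        System.setProperty("javax.net.ssl.trustStorePassword", "my_secret_password");

        // Hypothetical ObjectName; use one under your own domain.
        ObjectName name = new ObjectName("com.example:type=FilteredSystemProperties");
        ManagementFactory.getPlatformMBeanServer().registerMBean(
                new StandardMBean(new Filter(), FilteredPropertiesMBean.class), name);

        // Read the attribute back through the MBean server, as a JMX client would.
        Object props = ManagementFactory.getPlatformMBeanServer()
                .getAttribute(name, "SystemProperties");
        System.out.println(((Map<?, ?>) props).get("javax.net.ssl.trustStorePassword"));
    }
}
```

The filtering MBean only helps if `getSystemProperties` on `java.lang:type=Runtime` stays restricted through RBAC as described in the question, with the filtered MBean granted to the roles that need a property listing. In Karaf the registration would normally happen from a bundle rather than from `main`.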
