Daniel John Debrunner wrote:
John Embretsen wrote:
With JMX enabled on the JVM level (regardless of Derby's JMX support),
you are able to read all system properties anyway, as a valid JMX user
on a local or remote machine.
Is that through the SystemProperties attribute of the mbean for
java.lang.Runtime?
Yes, that bean is implemented as an MXBean, and was added in J2SE 5.0.
The bean has a method getSystemProperties() which returns a Map of all
system properties and their respective values, see
http://java.sun.com/j2se/1.5.0/docs/api/java/lang/management/RuntimeMXBean.html#getSystemProperties()
This MXBean may, I think, be accessed programmatically by any
application running a J2SE 5.0 or newer JVM, not just JConsole. You
still need to have the right permissions, though (meaning: you must be
allowed to connect to the platform MBeanServer).
System properties are also readable via other tools in Sun's JDK such as
jinfo (but as far as I know it is then only available to the user
running the monitored JVM, on the localhost).
I see that in jconsole, though it doesn't show me the system properties,
instead it shows the class name of the class wrapping the properties
(TabularDataSupport). I assume that's just a bug in the jvm version I'm
using, on later jdk6's does it show a set of properties?
I tried running the Derby Network Server using jdk1.5.0_09 and
jdk1.6.0_04, and the JConsoles from both JDKs. Once connected to the
server VM with JConsole, I am able to access the java.lang.Runtime
MXBean. When I double-click the value of the attribute
"SystemProperties", which is TabularDataSupport, I can click my way
through all system properties (including derby.authentication.provider).
It should be possible to limit this exposure with a security
manager/policy, but I didn't experiment with that. The Javadoc says
"Throws:
SecurityException - if a security manager exists and its
checkPropertiesAccess method doesn't allow access to the system properties."
--
John
