John H. Embretsen wrote:
Daniel John Debrunner wrote:
John Embretsen wrote:
With JMX enabled on the JVM level (regardless of Derby's JMX
support), you are able to read all system properties anyway, as a
valid JMX user on a local or remote machine.
Is that through the SystemProperties attribute of the mbean for
java.lang.Runtime?
Yes, that bean is implemented as an MXBean, and was added in J2SE 5.0.
The bean has a method getSystemProperties() which returns a Map of all
system properties and their respective values, see
http://java.sun.com/j2se/1.5.0/docs/api/java/lang/management/RuntimeMXBean.html#getSystemProperties()
This MXBean may, I think, be accessed programmatically by any
application running a J2SE 5.0 or newer JVM, not just JConsole. You
still need to have the right permissions, though (meaning: you must be
allowed to connect to the platform MBeanServer).
System properties are also readable via other tools in Sun's JDK such
as jinfo (but as far as I know it is then only available to the user
running the monitored JVM, on the localhost).
I see that in jconsole, though it doesn't show me the system
properties, instead it shows the class name of the class wrapping the
properties (TabularDataSupport). I assume that's just a bug in the
jvm version I'm using, on later jdk6's does it show a set of properties?
I tried running the Derby Network Server using jdk1.5.0_09 and
jdk1.6.0_04, and the JConsoles from both JDKs. Once connected to the
server VM with JConsole, I am able to access the java.lang.Runtime
MXBean. When I double-click the value of the attribute
"SystemProperties", which is TabularDataSupport, I can click my way
through all system properties (including derby.authentication.provider).
It should be possible to limit this exposure with a security
manager/policy, but I didn't experiment with that. The Javadoc says
"Throws:
SecurityException - if a security manager exists and its
checkPropertiesAccess method doesn't allow access to the system
properties."
Thanks for those experiments, John. When I boot the network server, it
installs the default Derby server policy. Even then I can still click
through the system properties via the Runtime MBean. This surprises me
because the default policy only grants permissions to the Derby jars.
Regards,
-Rick
