On 04/09/2010 12:41, Pid wrote:
> On 04/09/2010 11:05, Rainer Jung wrote:
>> On 02.09.2010 18:55, Pid wrote:
>>> On 02/09/2010 17:31, Christopher Schultz wrote:
>>>> Pid,
>>>>
>>>> On 9/2/2010 11:51 AM, Pid wrote:
>>>>> ..lots of info is available by JMX, once the server is up. In Java 6
>>>>> you can attach to the process locally, without having to configure the
>>>>> JMX ports because it injects the management agent into the virtual
>>>>> machine.
>>>>
>>>> I hadn't considered that, never having used JMX. Are you saying that
>>>> anyone with local access can snoop a JVM? What are the strategies
>>>> available to prohibit that? Can you disable local JMX altogether? How
>>>> about some kind of authentication?
>>>
>>> Pretty much. I'm not sure how to disable it, I've only just got the
>>> hang of enabling it.
>>>
>>> http://download.oracle.com/javase/6/docs/jdk/api/attach/spec/com/sun/tools/attach/VirtualMachine.html
>>>
>>> Also: sun.management.ConnectorAddressLink, but I can't find a javadoc
>>> for that.
>>
>> I thought it uses a local file created by the JVM which only allows
>> access, if you are the same user (or root). The marketing terminology
>> for this Java 6 feature was "attach on demand".
>
> OK, that's useful to know. I was assuming there was a JVM option to
> prevent dynamic attachments, but that I just hadn't found it. File perm
> based restrictions make sense.

It's possible to prevent attachment via the SecurityManager. Obvious really. Doh.

p
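An added example (not from the thread or from the JDK): a Python audit of the file-permission model Rainer describes, reporting attach files whose owner or mode does not match the same-user restriction. It assumes HotSpot on Linux, where the attach socket is named `/tmp/.java_pid<pid>`; `audit_attach_files` and `proc_uid` are hypothetical names.

```python
import os
import re
import stat

# Assumption: HotSpot on Linux/Unix names its attach socket /tmp/.java_pid<pid>.
ATTACH_NAME = re.compile(r"^\.java_pid(\d+)$")


def proc_uid(pid):
    """Return the uid owning a live process, or None if it is gone (Linux /proc)."""
    try:
        return os.stat(f"/proc/{pid}").st_uid
    except FileNotFoundError:
        return None


def audit_attach_files(tmp_dir="/tmp", owner_of=proc_uid):
    """Return sorted (filename, problem) pairs for attach files that look unsafe."""
    findings = []
    for name in os.listdir(tmp_dir):
        match = ATTACH_NAME.match(name)
        if not match:
            continue
        # lstat: inspect the entry itself, never a symlink target.
        st = os.lstat(os.path.join(tmp_dir, name))
        uid = owner_of(int(match.group(1)))
        if uid is None:
            # Left behind by a JVM that exited, or planted under a chosen pid.
            findings.append((name, "stale: no such process"))
            continue
        if st.st_uid != uid:
            findings.append((name, "owner differs from JVM process owner"))
        if stat.S_IMODE(st.st_mode) & 0o077:
            findings.append((name, "group/other permission bits set"))
    return sorted(findings)


if __name__ == "__main__":
    for name, problem in audit_attach_files():
        print(f"{name}: {problem}")
```
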