Hi all
I've got jolokia-1.6.war deployed on Tomcat (8.0 and 9.0)
By default jolokia exports all mbeans.
How can I deny some values (that is I can't build a working path in jolokia-access.xml ) for this embedded Tomcat users database?
<deny>
<mbean>
<mbean>
<name>org.apache.catalina.users.MemoryUser:type=User,*</name> <attribute>*</attribute>
</mbean>
</deny>
For example tomcat /manager/jmxproxy displays:
Name: Users:type=User,username="tomcatstatus",database=UserDatabase
modelerType: org.apache.catalina.mbeans.UserMBean
password: XXXX
roles: Array[java.lang.String] of length 1
Users:type=Role,rolename="manager-gui",database=UserDatabase
groups: Array[java.lang.String] of length 0
username: tomcatstatus
and in the same moment jolokia request /jolokia/search/Users:type=User,username="tomcatstatus"
returns:
{"request":{"mbean":"Users:type=User,username=\"tomcatstatus\"","type":"search"},"value":[],"timestamp":1533044943,"status":200}
(and no password...)
Still, I would hide the result of
/jolokia/search/Users:type=*,*
Locked
