(I had to set endpoints.jolokia.sensitive to get any protection for the /jolokia endpoint, that was also surprising. I'd have thought that enabling management security would be enough.)
Startup log:
11:09:11.033 | INFO | main | etty.server.handler.ContextHandler$Context:2050 | jolokia: No access restrictor found at classpath:/jolokia-access.xml, access to all MBeans is allowed
...
11:09:54.391 | INFO | main | rk.security.web.DefaultSecurityFilterChain: 28 | Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/health'], Ant [pattern='/health/'], Ant [pattern='/health.*'], Ant [pattern='/info'], Ant [pattern='/info/'], Ant [pattern='/info.*'], Ant [pattern='/metrics'], Ant [pattern='/metrics/'], Ant [pattern='/metrics.*'], Ant [pattern='/autoconfig'], Ant [pattern='/autoconfig/'], Ant [pattern='/autoconfig.*'], Ant [pattern='/shutdown'], Ant [pattern='/shutdown/'], Ant [pattern='/shutdown.*'], Ant [pattern='/jolokia'], Ant [pattern='/jolokia/'], Ant [pattern='/jolokia.*']...
The URL /jolokia is indeed secured:
11:14:37.352 | DEBUG | 8828668-37 | ity.web.util.matcher.AntPathRequestMatcher: 145 | Checking match of request : '/jolokia'; against '/jolokia'
11:14:37.352 | DEBUG | 8828668-37 | security.web.util.matcher.OrRequestMatcher: 68 | matched
...
11:14:37.366 | DEBUG | 8828668-37 | cess.intercept.AbstractSecurityInterceptor: 194 | Secure object: FilterInvocation: URL: /jolokia; Attributes: [hasRole('ROLE_ADMIN')]
...
11:14:37.376 | DEBUG | 8828668-37 | rity.web.access.ExceptionTranslationFilter: 165 | Access is denied (user is anonymous); redirecting to authentication entry point
The actually sensitive Jolokia paths are, however, not secured, e.g. /jolokia/list/java.lang/type=Memory:
11:18:14.132 | DEBUG | 8828668-39 | security.web.util.matcher.OrRequestMatcher: 65 | Trying to match using Ant [pattern='/jolokia']
11:18:14.132 | DEBUG | 8828668-39 | ity.web.util.matcher.AntPathRequestMatcher: 145 | Checking match of request : '/jolokia/list/java.lang/type=memory'; against '/jolokia'
11:18:14.132 | DEBUG | 8828668-39 | security.web.util.matcher.OrRequestMatcher: 65 | Trying to match using Ant [pattern='/jolokia/']
11:18:14.132 | DEBUG | 8828668-39 | ity.web.util.matcher.AntPathRequestMatcher: 145 | Checking match of request : '/jolokia/list/java.lang/type=memory'; against '/jolokia/'
11:18:14.132 | DEBUG | 8828668-39 | security.web.util.matcher.OrRequestMatcher: 65 | Trying to match using Ant [pattern='/jolokia.*']
11:18:14.132 | DEBUG | 8828668-39 | ity.web.util.matcher.AntPathRequestMatcher: 145 | Checking match of request : '/jolokia/list/java.lang/type=memory'; against '/jolokia.*'
...
11:18:14.133 | DEBUG | 8828668-39 | security.web.util.matcher.OrRequestMatcher: 72 | No matches found
Is a blacklist a good strategy for securing a management API?
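To see why the three matchers logged above leave the Jolokia sub-paths open, here is a small Python model of Spring's Ant-style path matching as used by AntPathRequestMatcher: `?` is one character, `*` is any run of characters inside a single path segment, and `**` is zero or more whole segments. This is an added example, not code from this issue or from Spring Boot; the endpoint list is taken from the logged filter chain, the request paths are constructed, and the `/jolokia/**` pattern is shown as the obvious way to cover the subtree, not as what the project ended up doing.

```python
import re
from typing import Iterable, List


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern into an anchored regex.

    Semantics modelled on Spring's AntPathMatcher:
      ?   exactly one character (never '/')
      *   zero or more characters inside a single path segment
      **  zero or more whole path segments, separator included
    Matching is case-insensitive because AntPathRequestMatcher lowercases
    the request URL by default (visible in the log above, where
    type=Memory was checked as type=memory).
    """
    if not pattern.startswith("/"):
        pattern = "/" + pattern
    regex = "^"
    for segment in pattern.split("/")[1:]:
        if segment == "**":
            # '**' absorbs the preceding '/' as well, so '/jolokia/**'
            # also matches the bare '/jolokia'.
            regex += "(?:/.*)?"
        else:
            regex += "/" + "".join(
                "[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
                for c in segment
            )
    return re.compile(regex + "$", re.IGNORECASE)


def ant_match(pattern: str, path: str) -> bool:
    return ant_to_regex(pattern).match(path) is not None


def boot_endpoint_matchers(endpoint_paths: Iterable[str]) -> List[str]:
    """The three patterns per endpoint that appear in the startup log:
    '/x', '/x/' and '/x.*'. None of them contains '**', so nothing
    below '/x/' is covered."""
    patterns: List[str] = []
    for path in endpoint_paths:
        patterns += [path, path + "/", path + ".*"]
    return patterns


def unprotected(patterns: Iterable[str], requests: Iterable[str]) -> List[str]:
    """Request paths that no pattern matches, i.e. the ones that fall
    through the OrRequestMatcher with 'No matches found' and reach the
    endpoint without the hasRole('ROLE_ADMIN') check."""
    patterns = list(patterns)
    return [r for r in requests if not any(ant_match(p, r) for p in patterns)]


# Endpoint paths taken from the logged filter chain.
SENSITIVE_ENDPOINTS = ["/health", "/info", "/metrics", "/autoconfig", "/shutdown", "/jolokia"]
BLACKLIST = boot_endpoint_matchers(SENSITIVE_ENDPOINTS)

# Constructed sample requests: the first three are what the three
# patterns were written for, the rest are ordinary Jolokia operations
# (list / read / exec) that live under /jolokia/.
REQUESTS = [
    "/jolokia",
    "/jolokia/",
    "/jolokia.json",
    "/jolokia/list/java.lang/type=Memory",
    "/jolokia/read/java.lang:type=Memory/HeapMemoryUsage",
    "/jolokia/exec/java.lang:type=Memory/gc",
]

# Hypothetical hardened list: one recursive pattern covers the whole subtree.
HARDENED = BLACKLIST + ["/jolokia/**"]

if __name__ == "__main__":
    print("open with logged patterns:", unprotected(BLACKLIST, REQUESTS))
    print("open with /jolokia/** added:", unprotected(HARDENED, REQUESTS))
```

Run stand-alone, the first line lists the three `list`/`read`/`exec` paths as unprotected and the second is empty. In Spring Security Java config the equivalent rule is an `antMatchers("/jolokia/**")` entry; the allowlist alternative the question above points at is a default-deny rule for the whole management context with explicit exceptions for the endpoints that are meant to be public, so that a new or unanticipated sub-path is closed rather than open.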
I had to set endpoints.jolokia.sensitive to get any protection for the /jolokia endpoint, that was also surprising
That's surprising to the documentation too. It claims that the default for endpoints.jolokia.sensitive is true. I'll bring the code into line with the documentation.