Disabling Local JMX Connections on JVM

戏子无情 提交于 2020-01-22 18:50:33

问题


We are writing a java program which keeps a password in memory. Unfortunately, the user can easily use jconsole or jmap to create a heap dump file and open it to find the password. I think jconsole connects jvm using local sockets. I wanna know, is there any way to disable jmx even for local users? Is there any way to totally disable heap dumps? As the user have access to the memory segment, this is possible to access the password anyway. However, I wanna disable standards ways of doing that to make the action as expensive as possible.


回答1:


Finally, I found a solution for disabling jconsole connections. It also prevents jmap to create a dump file. I found the solution here. I also quote the answer here:

You can prevent tools such as jconsole and others from connecting by running with the -XX:+DisableAttachMechanism option. Note that this option is not documented/supported but should do what you want. That said, even with this there is nothing to stop you connect gdb or other debugging/proc based programs

However, that is obvious the memory segment could be accessed locally. But, does anyone knows a tool to make standard memory dumps with direct access to the memory?




回答2:


Setting the max connection count to zero shuts down JMX

-Dsun.rmi.transport.tcp.maxConnectionThreads=0

If you still need stats, simple read the corresponding hsperfdata_* file

Edit: I published my hsperf munin plugin on github.



来源:https://stackoverflow.com/questions/1255049/disabling-local-jmx-connections-on-jvm

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!