
Harden web console and Jolokia access by default #2025

Open

jbonofre wants to merge 2 commits into apache:main from jbonofre:jolokia-jetty-security-enforcement

Conversation

@jbonofre (Member)

jetty.xml:

  • Add Referrer-Policy and Permissions-Policy response headers; provide commented-out Strict-Transport-Security for HTTPS deployments.
  • Wrap the existing HandlerCollection in an InetAccessHandler and restrict access to loopback (127.0.0.1, ::1) by default. Provide commented-out templates for RFC1918 includes and exclude rules.
  • Tie Server.start() to the loopback include beans via depends-on so the allow-list is fully populated before the server starts.
  • Add a commented-out ForwardedRequestCustomizer for reverse-proxy setups, with a warning about header spoofing when the proxy does not strip inbound X-Forwarded-* headers.

jolokia-access.xml:

  • Restrict Jolokia to HTTP POST to kill GET-based CSRF/SSRF vectors.
  • Deny destructive and privileged broker operations (terminateJVM, stop, restart, add/removeConnector, add/removeQueue/Topic, durable subscriber lifecycle, runtime limit setters, reloadLog4jProperties).
  • Deny destination message-data mutation (purge, remove/copy/move messages, sendTextMessage*, pause/resume); browse* remains allowed.
  • Deny durable subscriber destroy/setSelector and JobScheduler removeJob*.
  • Deny NetworkConnector Password/RemotePassword attributes and credential setters.
  • Deny known JMX RCE / introspection surfaces: javax.management.loading MLet, JMImplementation, java.util.logging, java.lang:type=Memory and ClassLoading, plus java.lang:type=Runtime SystemProperties and InputArguments.
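Added here as an illustration (not ActiveMQ or Jolokia code): a small Python model of how a jolokia-access.xml policy shaped like the one described above decides a request, so a maintainer can sanity-check a policy draft offline before deploying it. The policy text and the request names are constructed; the evaluator is a deliberate simplification of Jolokia's real semantics (no allow/commands/attribute rules, exact operation names, and a name pattern matches only when the domain and each key value match shell-style wildcards over the same key set).

```python
# Simplified offline model of a Jolokia <restrict> policy (not the project's code).
# Ignores <allow>, <commands> and <attribute> rules; JMX ObjectName pattern rules
# are richer than the same-key-set wildcard match used here. Policy is constructed.
import fnmatch
import xml.etree.ElementTree as ET

POLICY_XML = """<restrict>
  <http><method>post</method></http>
  <deny>
    <mbean>
      <name>org.apache.activemq:type=Broker,brokerName=*</name>
      <operation>terminateJVM</operation>
      <operation>stop</operation>
    </mbean>
    <mbean>
      <name>org.apache.activemq:type=Broker,brokerName=*,destinationType=Queue,destinationName=*</name>
      <operation>purge</operation>
      <operation>sendTextMessage</operation>
    </mbean>
    <mbean><name>java.lang:type=Memory</name></mbean>
  </deny>
</restrict>"""

def _parse_name(name):
    # "domain:key=value,key=value" -> (domain, {key: value})
    domain, _, props = name.partition(":")
    return domain, dict(p.split("=", 1) for p in props.split(",") if p)

def _name_matches(pattern, objname):
    (pdom, pkv), (odom, okv) = _parse_name(pattern), _parse_name(objname)
    return (fnmatch.fnmatchcase(odom, pdom) and pkv.keys() == okv.keys()
            and all(fnmatch.fnmatchcase(okv[k], v) for k, v in pkv.items()))

def load_policy(xml_text=POLICY_XML):
    root = ET.fromstring(xml_text)
    methods = {m.text.strip().lower() for m in root.findall("./http/method")}
    denies = [(mb.findtext("name").strip(), [o.text.strip() for o in mb.findall("operation")])
              for mb in root.findall("./deny/mbean")]
    return methods, denies

def is_allowed(http_method, mbean, operation, policy=None):
    """True if the request would pass the policy under this simplified model."""
    methods, denies = policy or load_policy()
    if http_method.lower() not in methods:
        return False                      # e.g. a GET is rejected outright
    for pattern, ops in denies:
        if _name_matches(pattern, mbean) and (not ops or operation in ops):
            return False                  # bare <mbean> with no <operation> denies all
    return True
```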

jbonofre requested review from cshannon and mattrpav on May 19, 2026 15:22
Add a jolokiaSecurityConstraintMapping that binds adminSecurityConstraint
(admins-only) to /api/jolokia/*, mirroring how *.action is gated on the
web console. Wired into securityHandler before securityConstraintMapping
so the admin role check applies to all Jolokia requests rather than the
broader users/admins constraint.
@cshannon (Contributor) left a comment:


@jbonofre - nice job! I think this looks very good; we can keep hardening if needed, but this is looking good to me for now.
