
List:       openjdk-serviceability-dev
Subject:    RFR(M): JDK-8061228 Allow JDWP socket connector to accept connections from certain ip addresses only
From:       Dmitry Samersoff <dmitry.samersoff () oracle ! com>
Date:       2017-02-28 9:41:17
Message-ID: 62f06838-ca7b-4dbf-3a32-f82518d33b41 () oracle ! com

Everybody,

Please review:

http://cr.openjdk.java.net/~dsamersoff/JDK-8061228/webrev.10/

These changes introduce a new parameter[1] of the socket transport -
allow. Users can explicitly specify a list of hosts that are allowed to
connect to the jdwp server and it's the second part of JDWP hardening[2].

No restrictions are applied by default now but I'll file a separate CR
to restrict the list of allowed peers to localhost by default.

Also these changes implement versioning for jdwp transport and therefore
simplify feature development of jdwp.


1. Example command line:

-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,
address=*,allow="127.0.0.0/8;192.168.0.0/24"

Possible values for allow parameter:
  *           - accept connections from everywhere.
  N.N.N.N     - accept connections from this IP address only
  N.N.N.N/nn  - accept connections from a particular IP subnet



2. JDK-8052136 JDWP hardening

-Dmitry

-- 
Dmitry Samersoff
Oracle Java development team, Saint Petersburg, Russia
* I would love to change the world, but they won't give me the sources.
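
An added example, not code from the webrev or the JDK: an IPv4 matcher for the three allow forms listed in the message ("*", N.N.N.N, N.N.N.N/nn), using ";" as the separator as in the example command line. The function names, the rejection of /0 in favour of "*", and returning an error for any malformed entry are assumptions of this example.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one entry: "*", "N.N.N.N" or "N.N.N.N/nn" (IPv4 only). 0 on success. */
static int parse_entry(const char *s, uint32_t *net, uint32_t *mask) {
    char buf[32], *end, *slash;
    struct in_addr a;
    long bits = 32;
    if (strcmp(s, "*") == 0) { *net = *mask = 0; return 0; }
    if (strlen(s) >= sizeof buf) return -1;
    strcpy(buf, s);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash++ = '\0';
        if (!isdigit((unsigned char)*slash)) return -1;
        bits = strtol(slash, &end, 10);
        /* Assumption of this example: /0 is rejected, "*" is the only wildcard. */
        if (*end != '\0' || bits < 1 || bits > 32) return -1;
    }
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;
    *mask = htonl(0xFFFFFFFFu << (32 - bits));
    *net = a.s_addr & *mask;   /* host bits in the entry are ignored */
    return 0;
}

/* 1 = peer allowed, 0 = denied, -1 = malformed allow list or peer address. */
int peer_allowed(const char *allow, const char *peer) {
    char list[256];
    struct in_addr p;
    int hit = 0;
    if (strlen(allow) >= sizeof list || inet_pton(AF_INET, peer, &p) != 1) return -1;
    strcpy(list, allow);
    for (char *e = list, *next; e != NULL; e = next) {
        uint32_t net, mask;
        if ((next = strchr(e, ';')) != NULL) *next++ = '\0';
        /* Validate every entry before deciding: a typo must not widen access. */
        if (parse_entry(e, &net, &mask) != 0) return -1;
        if ((p.s_addr & mask) == net) hit = 1;
    }
    return hit;
}

int main(void) {
    const char *allow = "127.0.0.0/8;192.168.0.0/24";  /* value from the message */
    printf("%d\n", peer_allowed(allow, "192.168.0.77"));  /* constructed peer */
    return 0;
}
```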