Spring Boot 2 application cannot overwrite RMIRegistry default port 1099 to make JMX connections safe

Unfortunately, our Spring Boot 2 application exposes the RMI Registry default port 1099, and our security team complains about that. We expect that JMX should exclusively be used via port 8999 in a safe manner. Currently, you can connect in both ways: insecure via port 1099 and secure via port 8999. We do not understand this so far, because we have actually set the proper System Properties to prevent this:

-Dcom.sun.management.jmxremote=true 
-Dcom.sun.management.jmxremote.port=8999
-Dcom.sun.management.jmxremote.rmi.port=8999
-Dcom.sun.management.jmxremote.ssl=false 
-Dcom.sun.management.jmxremote.authenticate=true 
-Dcom.sun.management.jmxremote.password.file=/opt/our_app/jmxremote.password 
-Dcom.sun.management.jmxremote.access.file=/opt/our_app/jmxremote.access

Why is port 1099 still open? I have to mention that Spring Actuator is in use too, but I cannot find any configuration there to control the port, so it seems not to be the issue.

Thanks to Ravi Sharam who has given the solution in the comment above.

We had the following dependency in our project:

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-activemq</artifactId>
</dependency>

By starting the application additionally with the System Property

-Dorg.apache.activemq.broker.jmx.createConnector=false

the open default port 1099 was removed. Let's check it with netstat:

root@protect01:/opt/our_app# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      29956/rpcbind
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      19282/systemd-resol
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1421/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      25126/master
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN      988/java
tcp6       0      0 :::8999                 :::*                    LISTEN      988/java
tcp6       0      0 :::111                  :::*                    LISTEN      29956/rpcbind
tcp6       0      0 :::80                   :::*                    LISTEN      3986/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      1421/sshd
tcp6       0      0 127.0.0.1:8089          :::*                    LISTEN      988/java
tcp6       0      0 ::1:25                  :::*                    LISTEN      25126/master
tcp6       0      0 :::34139                :::*                    LISTEN      988/java
tcp6       0      0 :::11099                :::*                    LISTEN      988/java
tcp6       0      0 :::443                  :::*                    LISTEN      3986/apache2
tcp6       0      0 :::45093                :::*                    LISTEN      988/java

No open port 1099 is there anymore, only the expected one, 8999. Yippiiii!
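The manual netstat inspection above is the right verification step, and it is worth automating so the check survives the next dependency upgrade. The script below is an added example, not part of the original question or answer: it reads `netstat -ntlp` style output, collects the ports on which any `java` process is listening, and reports those that are not on an explicit allow-list. The sample netstat lines embedded in the script are constructed for the example (a java process listening on 1099, 8001 and 8999); the JMX port 8999 comes from the question, and the allow-list itself is an assumption for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): flag listening TCP ports owned by a
# java process that are not on an allow-list, e.g. an unexpected RMI registry on 1099.
# The netstat lines below are constructed sample input for the example.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1099            0.0.0.0:*               LISTEN      988/java
tcp6       0      0 :::8999                 :::*                    LISTEN      988/java
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1421/sshd
tcp6       0      0 :::8001                 :::*                    LISTEN      988/java'

# java_listen_ports: read netstat -ntlp output on stdin and print one port per line
# for every LISTEN socket whose PID/Program column ends in "/java".
# The port is the last ":"-separated component of the Local Address column, which
# also handles IPv6 wildcard addresses such as ":::8999".
java_listen_ports() {
    awk '$6 == "LISTEN" && $7 ~ /\/java$/ {
            n = split($4, a, ":"); print a[n]
         }' | sort -n | uniq
}

# unexpected_java_ports PORT...: print the java listeners that are not in the
# allow-list given as arguments, and return 1 if there is at least one.
unexpected_java_ports() {
    allowed=" $* "
    found=""
    for p in $(java_listen_ports); do
        case "$allowed" in
            *" $p "*) ;;                                   # allow-listed, skip
            *) found="${found:+$found }$p" ;;              # not expected, record
        esac
    done
    printf '%s\n' "$found"
    [ -z "$found" ]
}

# On a live host:   netstat -ntlp | unexpected_java_ports 8001 8999
# On the constructed sample, port 1099 is reported and the check fails:
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_java_ports 8001 8999 \
    || echo "unexpected java listener(s) found"
```

Run against the output the answer posted, the check would also flag the high-numbered listeners (34139, 45093) and 11099 unless they are allow-listed, which is the point: every port a JVM binds should be accounted for by a known setting before the host is considered clean, and the allow-list doubles as documentation of what the process is supposed to expose. The check only looks at exposure; it says nothing about whether the JMX authentication and SSL properties themselves are configured appropriately.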
