Security Advisories for JavaMelody Monitoring Plugin


prakash....@gmail.com

Aug 29, 2013, 8:35:51 AM
to javam...@googlegroups.com


Hi Team,

Thanks for your JavaMelody Monitoring Plugin.
 
I am using JavaMelody Monitoring Plugin and it is of great help. As per our company policies, I would like to know the mode of delivery of security advisories related to this plugin.

For example, security advisories for Atlassian products are delivered as per the instructions at https://confluence.atlassian.com/display/Support/Severity+Levels+for+Security+Issues

Thanks and Regards
Prakash Ganeshan.

Vernat Emeric

Aug 29, 2013, 3:40:06 PM
to javam...@googlegroups.com
Hi Prakash,

Yes of course.
.
.
Wait a minute.
.
.
Ah yes, I have forgotten to write that document.
So here it is:
If there is a declared (security) issue and if it is accepted, it will
be fixed ASAP with a new build available in 1 day and released in 2
months max.

You are welcome,
Emeric

On 29/08/2013 14:35, prakash....@gmail.com wrote:
> --
>
> ---
> You received this message because you are subscribed to the Google
> Groups "javamelody" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to javamelody+...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.


Zdeněk Henek

Aug 30, 2013, 2:39:03 AM
to javam...@googlegroups.com
@Emeric,

you forgot to say in the document how much you would pay when I find a security problem :) :)

@Prakash

you must restrict access to JavaMelody to admin users only, as JavaMelody features may be abused. You could kill a running thread, for instance, or create a heap dump.

Here is a description of how to set up basic authentication: https://code.google.com/p/javamelody/wiki/UserGuide#16._Security
but I would recommend using the same authentication as you have for your application, plus writing your own servlet overloading
net.bull.javamelody.MonitoringFilter
and implementing your own isRequestAllowed method to allow access only to some authorized users. I use LDAP to store user data and I have a flag there. A user is not allowed to log in if the flag is missing. That is ensured in the isRequestAllowed method.

Regards,
Zdenek Henek
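The approach Zdeněk describes above, written out as an added example (this is not JavaMelody's own code nor code from anyone in the thread): a subclass of net.bull.javamelody.MonitoringFilter that overrides isRequestAllowed so the monitoring pages are reachable only by already-authenticated users holding a specific role. It assumes that MonitoringFilter exposes a protected boolean isRequestAllowed(HttpServletRequest) method, that the application's own authentication filter runs before this one (so getRemoteUser and isUserInRole are populated), and that the role name "monitoring-admin" exists; the class and package names are hypothetical.

```java
// Added example, not part of JavaMelody: restrict the monitoring UI to
// authenticated users with a dedicated role by overriding isRequestAllowed.
// Assumed: MonitoringFilter declares protected boolean
// isRequestAllowed(HttpServletRequest); the role name is a hypothetical value.
package com.example.monitoring; // hypothetical package

import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import net.bull.javamelody.MonitoringFilter;

public class RestrictedMonitoringFilter extends MonitoringFilter {

    private static final Logger LOG =
            Logger.getLogger(RestrictedMonitoringFilter.class.getName());

    // Assumed role name; map it to whatever your realm (LDAP group, flag
    // attribute, etc.) uses to mark people who may see monitoring data.
    private static final String MONITORING_ROLE = "monitoring-admin";

    @Override
    protected boolean isRequestAllowed(HttpServletRequest request) {
        String user = request.getRemoteUser();

        // Deny by default: an unauthenticated request means the application's
        // own authentication did not run first, so nothing may be trusted.
        if (user == null) {
            LOG.warning("JavaMelody access denied: unauthenticated request from "
                    + request.getRemoteAddr() + " for " + request.getRequestURI());
            return false;
        }

        // Authenticated, but only the dedicated role may reach actions such as
        // thread kill or heap dump. With LDAP behind the container realm this
        // is where a missing "monitoring allowed" flag results in false.
        boolean allowed = request.isUserInRole(MONITORING_ROLE);
        if (!allowed) {
            LOG.warning("JavaMelody access denied for user '" + user + "' from "
                    + request.getRemoteAddr() + " for " + request.getRequestURI());
        }
        return allowed;
    }
}
```

To use it, declare this class in web.xml (or the equivalent filter registration) in place of net.bull.javamelody.MonitoringFilter and make sure it is ordered after the application's authentication filter; the denied-access log lines give the operations team a simple signal to alert on if someone probes the monitoring URL.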

