Disabling Local JMX Connections on JVM


Question

We are writing a Java program which keeps a password in memory. Unfortunately, the user can easily use jconsole or jmap to create a heap dump file and open it to find the password. I think jconsole connects to the JVM using local sockets. I want to know, is there any way to disable JMX even for local users? Is there any way to totally disable heap dumps? As the user has access to the memory segment, it is possible to access the password anyway. However, I want to disable the standard ways of doing that to make the action as expensive as possible.

Recommended answer

Finally, I found a solution for disabling jconsole connections. It also prevents jmap from creating a dump file. I found the solution here. I also quote the answer here:


You can prevent tools such as jconsole and others from connecting by running with the -XX:+DisableAttachMechanism option. Note that this option is not documented/supported but should do what you want. That said, even with this there is nothing to stop you connecting gdb or other debugging/proc based programs.

However, it is obvious that the memory segment could be accessed locally. But does anyone know a tool to make standard memory dumps with direct access to the memory?
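
A startup check for the flag quoted above, as an added example that is not part of the original answer: the program asks the JVM whether `DisableAttachMechanism` is in effect and refuses to run if it is not, so a launch script that drops the option is caught immediately. The class name `AttachGuard` and the exit codes are assumptions, and the check assumes a HotSpot-based JVM that exposes `com.sun.management.HotSpotDiagnosticMXBean`.

```java
import com.sun.management.HotSpotDiagnosticMXBean;
import com.sun.management.VMOption;
import java.lang.management.ManagementFactory;

/** Added example (hypothetical class name): fail closed if tools can attach. */
public final class AttachGuard {

    /** True only if the running JVM reports DisableAttachMechanism=true. */
    static boolean attachDisabled() {
        try {
            HotSpotDiagnosticMXBean hs =
                ManagementFactory.getPlatformMXBean(HotSpotDiagnosticMXBean.class);
            if (hs == null) {
                return false; // diagnostic bean unavailable: treat as not protected
            }
            VMOption opt = hs.getVMOption("DisableAttachMechanism");
            return Boolean.parseBoolean(opt.getValue());
        } catch (RuntimeException e) {
            // getVMOption throws IllegalArgumentException if the JVM
            // does not know the flag; treat that as not protected too.
            return false;
        }
    }

    /** True if remote JMX was requested through the standard system properties. */
    static boolean remoteJmxRequested() {
        return System.getProperty("com.sun.management.jmxremote") != null
            || System.getProperty("com.sun.management.jmxremote.port") != null;
    }

    public static void main(String[] args) {
        if (!attachDisabled()) {
            System.err.println(
                "Refusing to start: launch with -XX:+DisableAttachMechanism");
            System.exit(2); // exit code is an arbitrary choice for this example
        }
        if (remoteJmxRequested()) {
            System.err.println(
                "Refusing to start: com.sun.management.jmxremote is set");
            System.exit(3);
        }
        System.out.println("Attach mechanism disabled; continuing startup.");
        // ... application code that handles the password goes here ...
    }
}
```

Run it as `java -XX:+DisableAttachMechanism AttachGuard`. As the quoted answer notes, this only closes the attach-based path used by jconsole and jmap; it does not stop a debugger or /proc-based access to the process memory.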
