How to disable RMI in JBoss?

Posted 2024-11-25 21:21:00

Due to various RMI exploits out there and the fact that I don't use it anyway, I'd like to disable RMI on my JBoss server at least externally, but I'm not sure how to do this without breaking things.

I've tried disabling the JRMP invoker, which seems to work but the problem is that I'm unable to then start and stop my server because the command:

sudo -u $JBOSS_USER $JBOSS_HOME/bin/shutdown.sh -S

returns the error:

Exception in thread "main" javax.naming.NamingException: Could not dereference object [Root exception is javax.naming.NameNotFoundException: invoker not bound]
    at org.jnp.interfaces.NamingContext.resolveLink(NamingContext.java:1215)
    at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:758)
    at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:627)
    at javax.naming.InitialContext.lookup(InitialContext.java:351)
    at org.jboss.Shutdown.main(Shutdown.java:214)
Caused by: javax.naming.NameNotFoundException: invoker not bound
    at org.jnp.server.NamingServer.getBinding(NamingServer.java:529)
    at org.jnp.server.NamingServer.getBinding(NamingServer.java:537)
    at org.jnp.server.NamingServer.getObject(NamingServer.java:543)
    at org.jnp.server.NamingServer.lookup(NamingServer.java:267)
    at org.jnp.server.NamingServer.lookup(NamingServer.java:270)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:592)
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294)
    at sun.rmi.transport.Transport$1.run(Transport.java:153)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Transport.java:149)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:466)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:707)
    at java.lang.Thread.run(Thread.java:613)
    at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:247)
    at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:223)
    at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:126)
    at org.jnp.server.NamingServer_Stub.lookup(Unknown Source)
    at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:667)
    at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:627)
    at javax.naming.InitialContext.lookup(InitialContext.java:351)
    at org.jnp.interfaces.NamingContext.resolveLink(NamingContext.java:1209)
    ... 4 more

I don't see the invoker being referenced anywhere else in /path/to/jboss/server/default/conf/jboss-service.xml so I'm not sure what other references I would need to remove.

Any ideas on what I'm doing wrong or am I just asking for functionality that's mutually exclusive?

Comments (2)

吾性傲以野 2024-12-02 21:21:00

In JBoss 4, there are several references to the RMI invokers in:

conf/standardjboss.xml

A lot of functions in JBoss make use of RMI, even if your app doesn't. The easiest solution would be to bind JBoss to an address that isn't available remotely:

-b 127.0.0.1

Update

If you only want RMI to be bound locally, edit the BindAddress and RmiBindAddress attributes in the jboss-service.xml file:

<mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming">
    <attribute name="Port">1099</attribute>
    <attribute name="BindAddress">127.0.0.1</attribute>
    <attribute name="RmiPort">1098</attribute>
    <attribute name="RmiBindAddress">127.0.0.1</attribute>
</mbean>
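
A way to check the result of the binding advice above, as an added example that is not part of the original answer: it audits every `*BindAddress` attribute in a `jboss-service.xml` and reports those not provably on loopback. It assumes `-b` is exposed to the file as the `jboss.bind.address` property and that placeholders use the `${name}` / `${name:default}` form; the function names and the sample XML are constructed for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the NamingService block quoted above.
SAMPLE = """
<server>
  <mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming">
    <attribute name="Port">1099</attribute>
    <attribute name="BindAddress">127.0.0.1</attribute>
    <attribute name="RmiPort">1098</attribute>
    <attribute name="RmiBindAddress">${jboss.bind.address}</attribute>
  </mbean>
</server>
"""

PLACEHOLDER = re.compile(r"\$\{([^}:]+)(?::([^}]*))?\}")

def resolve(value, props):
    """Expand ${name} and ${name:default}; unknown names stay unexpanded."""
    def sub(m):
        default = m.group(2) if m.group(2) is not None else m.group(0)
        return props.get(m.group(1), default)
    return PLACEHOLDER.sub(sub, value.strip())

def is_loopback(addr):
    """True only for 'localhost' or a literal loopback IP address."""
    try:
        return addr.lower() == "localhost" or ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # empty, other hostname, or unresolved placeholder

def audit(xml_text, props=None):
    """Return (mbean name, attribute, resolved value) for each bind
    address attribute that is not provably loopback-only."""
    props = props or {}
    findings = []
    for mbean in ET.fromstring(xml_text).iter("mbean"):
        for attr in mbean.findall("attribute"):
            name = attr.get("name", "")
            if name.endswith("BindAddress"):
                addr = resolve(attr.text or "", props)
                if not is_loopback(addr):
                    findings.append((mbean.get("name"), name, addr))
    return findings

if __name__ == "__main__":
    # Simulates a start with -b 0.0.0.0, then with -b 127.0.0.1.
    print(audit(SAMPLE, {"jboss.bind.address": "0.0.0.0"}))
    print(audit(SAMPLE, {"jboss.bind.address": "127.0.0.1"}))
```

An unresolved placeholder or an empty value is reported rather than assumed safe, so a finding means "review this", not necessarily "exposed".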

感悟人生的甜 2024-12-02 21:21:00

The problem is that shutdown.sh uses RMI to request a shutdown, so when you disabled the JRMPInvoker, you disabled shutdown.sh.

One option might be to use an HTTP post to JMXConsole to request the same.

wget --post-data "action=invokeOp&methodIndex=0&name=jboss.system%3Atype%3DServer" \
  [--user=admin --password=admin] \
  http://localhost:18080/jmx-console/HtmlAdaptor

It seems to work fine.

=== Update ===

The methodIndex I used in that URL was 0 which is for shutdown, but I did observe a couple of issues with that, especially when using the native APR. Using a methodIndex of 2 (exit) works much more cleanly. In addition, I added wget options for timeout and tries. The revised version looks like this:

wget --timeout=1 --tries=1 \
  --post-data "action=invokeOp&methodIndex=2&name=jboss.system%3Atype%3DServer" \
  [--user=admin --password=admin] \
  http://localhost:18080/jmx-console/HtmlAdaptor