Hello Tomcat Users and Development Team,

I recently came to know that with the Java Attach API, anyone with access can attach to a local process and manipulate Java bytecode. For example, a password harvester is attached to the filter chain: https://github.com/rebeyond/memShell

What I found is to run the JVM with *-XX:+DisableAttachMechanism*, but the problem is that it will disable jstack, jcmd, etc., all the debug tools that are needed to debug application issues. Do you guys have any recommendations, and how can I add authentication to the Java Attach API? Any pointers and suggestions would be really helpful.

Thanks,
Bhavesh
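The following is an added example, not code from the post above, from Tomcat, or from the memShell project. It shows the mechanism the post is asking about from the attacker's side of the socket: a small standalone client that uses the JDK's own `com.sun.tools.attach` API to list the JVMs visible to the current user and to attach to one of them by pid. The class name `AttachProbe`, the `Outcome` enum and the choice to stop at reading the target's system properties (rather than calling `loadAgent` with an instrumentation payload, which is what memShell does) are assumptions made for this example. It assumes JDK 9 or later, where the `jdk.attach` module is resolved by default for classpath applications.

```java
import com.sun.tools.attach.AttachNotSupportedException;
import com.sun.tools.attach.VirtualMachine;
import com.sun.tools.attach.VirtualMachineDescriptor;

import java.io.IOException;
import java.util.Properties;

/**
 * AttachProbe (example class, not part of any shipped tool): enumerates local
 * JVMs and attempts to attach to one by pid. On Linux the JVM's attach listener
 * accepts only peers running with the same effective uid/gid as the JVM itself,
 * so "anyone with access" means any process running as the Tomcat user. A
 * target started with -XX:+DisableAttachMechanism never brings up its attach
 * listener, so the attach below fails with AttachNotSupportedException, which
 * is also why jstack/jcmd stop working under that flag: they use this same API.
 */
public class AttachProbe {

    /** Outcome of one attach attempt (assumed names for this example). */
    public enum Outcome { ATTACHED, REFUSED, IO_ERROR }

    /** Tries to attach to the JVM with the given pid and read its properties. */
    public static Outcome probe(String pid) {
        VirtualMachine vm = null;
        try {
            vm = VirtualMachine.attach(pid);
            Properties props = vm.getSystemProperties();
            System.out.println("attached to " + pid
                    + " java.home=" + props.getProperty("java.home")
                    + " java.version=" + props.getProperty("java.version"));
            // A memShell-style payload would continue with
            //   vm.loadAgent("/path/to/agent.jar");
            // and rewrite loaded classes via java.lang.instrument; this probe
            // deliberately stops here.
            return Outcome.ATTACHED;
        } catch (AttachNotSupportedException e) {
            // Raised when the target never answers on its attach socket, e.g. a
            // JVM started with -XX:+DisableAttachMechanism, or a non-HotSpot VM.
            System.out.println("attach refused for pid " + pid + ": " + e.getMessage());
            return Outcome.REFUSED;
        } catch (IOException e) {
            // Typically a permission problem: different uid than the target JVM.
            System.out.println("I/O error attaching to pid " + pid + ": " + e.getMessage());
            return Outcome.IO_ERROR;
        } finally {
            if (vm != null) {
                try { vm.detach(); } catch (IOException ignored) { }
            }
        }
    }

    /** Prints every JVM the attach provider can see for the current user. */
    public static void listLocalJvms() {
        for (VirtualMachineDescriptor d : VirtualMachine.list()) {
            System.out.println(d.id() + "  " + d.displayName());
        }
    }

    public static void main(String[] args) {
        if (args.length == 0) {
            listLocalJvms();           // same view as `jps`
        } else {
            Outcome o = probe(args[0]);
            System.out.println("outcome: " + o);
        }
    }
}
```

Compile with `javac AttachProbe.java` on JDK 9 or later. `java AttachProbe` lists candidate pids; `java AttachProbe <pid>` attempts the attach. To see the effect of the flag from the post, start any target JVM with `-XX:+DisableAttachMechanism` and probe it: the result is `REFUSED`, and `jstack <pid>` / `jcmd <pid> help` against the same process fail for the same reason. Attaching to the probe's own pid is rejected since JDK 9 unless the probe is started with `-Djdk.attach.allowAttachSelf=true`, so test against a separate process.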