Re: [jetty-users] jetty 8 secure jmx

Hi,

On Fri, Jul 13, 2012 at 5:20 PM, Robert Hook <robert.hook@xxxxxxxxxxxxxx> wrote:
> Folks, I've worked myself into a state of deep confusion around this. I want
> to be able to access jetty with jconsole, remotely, but very (very) much
> want to have password authentication on that, as the service in question may
> be on a publicly facing server (yes, we will be deploying with firewalls and
> so forth that should prevent it being open to the world, but
> defence-in-depth and all that)
>
> I've attempted to add the usual com.sun.management.jmxremote* properties to
> the JVM by adding them to start.ini, which worked when I did not have
> etc/jetty-jmx.xml enabled. But of course, then I only got a very limited set
> of beans, and not the jetty ones (or our own) that I was interested in. If I
> re-enabled etc/jetty-jmx.xml, there were problems because that config file
> was creating an RMI registry and connector on the ports I'd specified in
> start.ini
>
> I tried removing the definition of the RMI registry and connector in
> etc/jetty-jmx.xml, and nothing worked.
> I tried removing the RMI registry and port information from the
> com.sun.management.jmxremote* properties in start.ini, and it looked like
> com.sun.management.jmxremote.authenticate was entirely ignored.
>
> So in the end it looks like the right way to enable remote jmx access is to
> use the stock etc/jetty-jmx.xml, but I've searched high, low and in the
> middle and cannot find any information on how to then secure the service
> exposed by that configuration.

Start from etc/jetty-jmx.xml.
Modify the constructor of ConnectorServer to take, as second
parameter, a Map, therefore using this 3-parameter constructor:
http://download.eclipse.org/jetty/stable-7/apidocs/org/eclipse/jetty/jmx/ConnectorServer.html#ConnectorServer%28javax.management.remote.JMXServiceURL,%20java.util.Map,%20java.lang.String%29

The Map should contain two keys as explained here:
https://blogs.oracle.com/lmalventosa/entry/jmx_authentication_authorization.
Use case #1 is probably the simplest for you.

Let us know if it worked.

Simon
-- 
http://cometd.org
http://webtide.com
Developer advice, services and support
from the Jetty & CometD experts.
----
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz
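
The change described in the reply above, sketched as an added example (not part of the original message and not Jetty's stock file). It assumes the two Map keys meant are the standard JMX connector properties jmx.remote.x.password.file and jmx.remote.x.access.file; the host, port 1099, the file locations under jetty.home and the object name are also assumptions.

```xml
<!-- Fragment for etc/jetty-jmx.xml, replacing the existing ConnectorServer element. -->
<!-- The rest of the stock file is left as it is. -->
<New id="ConnectorServer" class="org.eclipse.jetty.jmx.ConnectorServer">
  <!-- 1st argument: the service URL (assumed host and port) -->
  <Arg>
    <New class="javax.management.remote.JMXServiceURL">
      <Arg type="java.lang.String">rmi</Arg>
      <Arg type="java.lang.String" />
      <Arg type="java.lang.Integer">0</Arg>
      <Arg type="java.lang.String">/jndi/rmi://localhost:1099/jmxrmi</Arg>
    </New>
  </Arg>
  <!-- 2nd argument: the environment Map that turns on file-based authentication -->
  <Arg>
    <Map>
      <Entry>
        <!-- One "username password" pair per line (assumed path) -->
        <Item>jmx.remote.x.password.file</Item>
        <Item>
          <New class="java.lang.String"><Arg><Property name="jetty.home" default="." />/etc/jmxremote.password</Arg></New>
        </Item>
      </Entry>
      <Entry>
        <!-- One "username readonly" or "username readwrite" pair per line (assumed path) -->
        <Item>jmx.remote.x.access.file</Item>
        <Item>
          <New class="java.lang.String"><Arg><Property name="jetty.home" default="." />/etc/jmxremote.access</Arg></New>
        </Item>
      </Entry>
    </Map>
  </Arg>
  <!-- 3rd argument: object name of the connector; keep the value from your own file -->
  <Arg>org.eclipse.jetty:name=rmiconnectorserver</Arg>
  <Call name="start" />
</New>
```

With this in place the com.sun.management.jmxremote* properties should stay out of start.ini, since the connector is created by Jetty rather than by the JVM agent. The password file holds cleartext credentials, so make it readable only by the account that runs Jetty, and note that this configuration does not encrypt the RMI connection.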
