[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

[Jonathan Gallimore (Jira)]

    [ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17101501#comment-17101501
 ] 

Jonathan Gallimore commented on TOMEE-2294:
-------------------------------------------

I did a check here, and I'm not seeing port 1099 open. I'll trace through where 
we might call org.apache.activemq.broker.jmx.ManagementContext in TomEE, and 
see if there's anything I'm missing.

Setting ?useJmx=true (as opposed to useJmx=false)does open the port.

It would be useful to get the command line you're using to run TomEE (I usually 
do 'ps -ef | grep Bootstrap' to get this). If there's anything sensitive on 
there, please remove it before posting.

It would also be useful know if you're using an out of the box zip/.tar.gz, or 
if you're deploying openejb.war in Tomcat (or something else). Anything that 
might help us reproduce the issue from scratch with minimal config.

 

 

> Can't disable unauthenticated JMX on 1099
> -----------------------------------------
>
>                 Key: TOMEE-2294
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2294
>             Project: TomEE
>          Issue Type: Bug
>          Components: TomEE Core Server
>            Reporter: Frans
>            Priority: Major
>             Fix For: 8.0.3
>
>
> ActiveMQ comes bundled with a JMX host that is default on unauthenticated on 
> port 1099.
> {code:java}
> <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
>   BrokerXmlConfig = broker:(vm://broker)?useJmx=false
>   ServerUrl = vm://broker
> </Resource>{code}
> Tomee's resource configuration doesn't allow this to be disabled. The above 
> doesn't work.
> This can be disabled by inspecting an activemq jar's manifest, pulling down 
> the same version of activemq-all, and putting that in the tomee/lib 
> directory, at which point this works:
> {code:java}
> <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
>   BrokerXmlConfig = xbean:file:activemq.xml
>   ServerUrl = vm://broker
> </Resource>
> {code}
> {code:java}
>   <broker xmlns="http://activemq.apache.org/schema/core";
>           useJmx="false"
>           brokerName="broker"
>           useShutdownHook="false"
>           persistent="true"
>           start="true"
>           schedulerSupport="false"
>           enableStatistics="false"
>           offlineDurableSubscriberTimeout="259200000"
>           offlineDurableSubscriberTaskSchedule="3600000">
> {code}
> However, convincing the guy hosting the server to inspect JAR manifests, pull 
> down specific jars, and maintain a second configuration file seems like a lot 
> of effort to go to just to have the ability to disable unauthenticated access 
> to every MBean in the VM



--
This message was sent by Atlassian Jira
(v8.3.4#803005)